Hack The Box - Poison User Walkthrough


HackTheBox Poison Scope



Let’s do a port scan to find out whether any services are running.

nmap -sC -sV -oA nmap/initial -vvv 
HackTheBox Poison nmap scan

We found that Apache 2.4.29 is serving HTTP on port 80, so let’s check what is being served at

HackTheBox Poison - Landing web page

If we put listfiles.php into the form and hit submit, we are greeted with some lovely information.

HackTheBox Poison - Landing web page

pwdbackup.txt looks like it might hold some credentials for us to use later. Since the server appears to output the contents of whatever file we pass through the file parameter to browse.php, let’s try setting the file parameter to pwdbackup.txt.

HackTheBox Poison - pwdbackup.txt

The encoded string contains an equal sign (=), which might indicate base64. Let’s try putting the string through a base64 decoder until we get something that makes sense.

After decoding the string and feeding the output back into the decoder 13 times, we get a string that might look like a password. I also made a script that takes in a base64 string and the number of times to recursively decode it and outputs the result after decoding.

HackTheBox Poison - decoded base64 pwdbackup
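
The repeated decoding described above, as an added example (this is not the author's script, which the page does not show). `decode_layers` takes a base64 string and a layer count as the text describes; `peel`, the whitespace and padding handling, and the sample value are assumptions of this example, and it shows that stacking base64 layers hides nothing from anyone who can read the file.

```python
import base64
import binascii
import re


def decode_once(blob: bytes) -> bytes:
    """Strictly decode one base64 layer, ignoring whitespace from line wrapping."""
    compact = re.sub(rb"\s+", b"", blob)
    compact += b"=" * (-len(compact) % 4)  # tolerate stripped padding
    return base64.b64decode(compact, validate=True)


def decode_layers(blob: bytes, times: int) -> bytes:
    """Decode exactly `times` layers; raises binascii.Error on a bad layer."""
    for _ in range(times):
        blob = decode_once(blob)
    return blob


def peel(blob: bytes, max_layers: int = 64) -> tuple:
    """Decode until the data stops being base64 text; return (result, layers)."""
    layers = 0
    while layers < max_layers:
        try:
            candidate = decode_once(blob)
        except binascii.Error:
            break  # not base64 any more: the previous layer was the plaintext
        # A plaintext that happens to use only base64 characters would decode
        # to binary junk, so stop when the result is empty or not printable.
        if not candidate or not candidate.isascii() or not candidate.decode().isprintable():
            break
        blob, layers = candidate, layers + 1
    return blob, layers


def wrap(secret: bytes, times: int) -> bytes:
    """Build constructed sample input: `secret` base64-encoded `times` times."""
    for _ in range(times):
        secret = base64.b64encode(secret)
    return secret


if __name__ == "__main__":
    sample = wrap(b"Example!Passw0rd#", 13)  # constructed, not the box's file
    print(decode_layers(sample, 13))
    print(peel(sample))
```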

Now we just need to look for an account the password may belong to. Let’s see if we can use browse.php to output the /etc/passwd file.

HackTheBox Poison - /etc/passwd

Sure enough, browse.php outputs the contents of /etc/passwd. Since the password we found earlier is Charix!2#4%6&8(0, a natural guess would be that it belongs to the account Charix. We also see that Charix has access to the csh shell, and since we found ssh open on port 22 during recon, let’s try to ssh in with the credentials we found.

ssh charix@ -p 22
HackTheBox Poison - User SSH success

HackTheBox Poison - Owned user charix

The credentials worked! Now if we cat user.txt, we get the flag for the user account on HTB.



Here is a list of resources I used at some point while working on Poison: