Hackthebox - Poison

From nmap, there are ssh and http service opened.

This is the web page.

This is /listfile.php, seems like it executed ls and print out the output.

In pwnbackup.txt, there is an encoded string.

I got the password by decoding it 13 times with base64.

For /browse.php, there is LFI. In /etc/passwd, I got the username charix.

Now, I can ssh to the server as charix. There is secret.zip, it can be unzipped with charix’s password. And there is Xvnc running at port 5901.

I redirect it to local and execute vncviewer with the extracted file as password file.

Now, I am root.