Base
Initial Scan
Task 1
Which two TCP ports are open on the remote host?
Answer: 22,80
Task 2
What is the relative path on the webserver for the login page?
Answer: /login/login.php
Task 3
How many files are present in the '/login' directory?
Answer: 3
Task 4
What is the file extension of a swap file?
Answer: .swp
Task 5
Which PHP function is being used in the backend code to compare the user submitted username and password to the valid username and password?
Answer: strcmp()
Task 6
In which directory are the uploaded files stored?
Modify the request to
Send it and open it in the browser
Answer: _uploaded
Task 7
Which user exists on the remote host with a home directory?
Upload a webshell
Encode the command
Answer: john
Task 8
What is the password for the user present on the system?
Looking at the "empty" config.php file
Answer: thisisagoodpassword
Task 9
What is the full path to the command that the user john can run as user root on the remote host?
Login as John with the new password we found
Answer: /usr/bin/find
Task 10
What action can the find command use to execute commands?
Looking on GTFOBins we can see
Answer: exec
Task 11
User Flag
Answer:f54846c258f3b4612f78a819573d158e
Task 12
Root Flag
Answer: 51709519ea18ab37dd6fc58096bea949
Last updated
