# Base

## Initial Scan

```nmap
sudo nmap -T4 -Pn -sV -sC -v 10.129.246.67 -oA Base
```

<figure><img src="/files/q5dMnxB7aLrvlVXhMZOD" alt=""><figcaption></figcaption></figure>

## Task 1

Which two TCP ports are open on the remote host?

Answer: 22,80

## Task 2

What is the relative path on the webserver for the login page?

<figure><img src="/files/23xMUhTs8vpS3GPMymLV" alt=""><figcaption></figcaption></figure>

Answer: /login/login.php

## Task 3

How many files are present in the '/login' directory?

<figure><img src="/files/CPJj6LKDO29nvyxXRcSc" alt=""><figcaption></figcaption></figure>

Answer: 3

## Task 4

What is the file extension of a swap file?

<figure><img src="/files/L4wz3d2g4Faj0rtwNnlC" alt=""><figcaption></figcaption></figure>

Answer: .swp

## Task 5

Which PHP function is being used in the backend code to compare the user submitted username and password to the valid username and password?

<figure><img src="/files/jtbK2fu16KpzDI6riGX7" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/cDvOIsVaHo1BjYWbp2VI" alt=""><figcaption></figcaption></figure>

Answer: `strcmp()`

## Task 6

In which directory are the uploaded files stored?

<figure><img src="/files/gL0YpCzEIeX6tDAYMKHm" alt=""><figcaption></figcaption></figure>

Modify the request to

<figure><img src="/files/1Yv9AVCWUWsSmqGB5ojc" alt=""><figcaption></figcaption></figure>

Send it and open it in the browser

<figure><img src="/files/jGHCgV23V4DVeIc6GUL7" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/BfbnE1Qx45p0V9f0WWr8" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/lNMs1vWry1E2xUGZ6Seb" alt=""><figcaption></figcaption></figure>

Answer: \_uploaded

## Task 7

Which user exists on the remote host with a home directory?

Upload a webshell

<figure><img src="/files/A6ImX13J2MHjhvKljeIh" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/vRbrXtvKSHo95mytznEp" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/NnL18hdprM1zBb3hFNpJ" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/bbXC8lMflpXMusquvXEP" alt=""><figcaption></figcaption></figure>

Encode the command

<figure><img src="/files/N4yjQZep5zyRj4LZCvKr" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/KeEF7S3CPpbgseuxc5Q7" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/2cTImSyKtSHFiijKjWZP" alt=""><figcaption></figcaption></figure>

Answer: john

## Task 8

What is the password for the user present on the system?

Looking at the "empty" config.php file

<figure><img src="/files/i6T6gt4UdYxzNNvIXPky" alt=""><figcaption></figcaption></figure>

Answer: thisisagoodpassword

## Task 9

What is the full path to the command that the user john can run as user root on the remote host?

Login as John with the new password we found

<figure><img src="/files/3X4eEvAli4EXjBLbxf1s" alt=""><figcaption></figcaption></figure>

Answer: /usr/bin/find

## Task 10

What action can the find command use to execute commands?

Looking on [GTFOBins](https://gtfobins.github.io/gtfobins/find/) we can see

<figure><img src="/files/bfjyqrvHyhI8pLQoyEWb" alt=""><figcaption></figcaption></figure>

```bash
sudo find . -exec /bin/sh \; -quit
```

Answer: exec

## Task 11

User Flag

<figure><img src="/files/FRFQP5MkfHm52nK4YXc4" alt=""><figcaption></figcaption></figure>

Answer:f54846c258f3b4612f78a819573d158e

## Task 12

Root Flag

<figure><img src="/files/oCOElZ36YnMGtZnOCKBp" alt=""><figcaption></figcaption></figure>

Answer: 51709519ea18ab37dd6fc58096bea949


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://cybersec.th4ntis.com/hackthebox/starting-point/tier-2/base.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.