# Base

## Initial Scan

```bash
sudo nmap -T4 -Pn -sV -sC -v 10.129.246.67 -oA Base
```

<figure><img src="https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FPDCRdPHFZ2Mid5olx87K%2Fimage.png?alt=media&#x26;token=970df5eb-5a3e-4493-b2d5-731616cea6af" alt=""><figcaption></figcaption></figure>

## Task 1

Which two TCP ports are open on the remote host?

Answer: 22,80

## Task 2

What is the relative path on the webserver for the login page?

<figure><img src="https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2F1AFZZUp8xQ8nu8p0FH3k%2Fimage.png?alt=media&#x26;token=a716f41d-614a-4bed-a21a-91ddafa82d3d" alt=""><figcaption></figcaption></figure>

Answer: /login/login.php

## Task 3

How many files are present in the '/login' directory?

<figure><img src="https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2Fd71gTcyHdGEsUpBkMkEu%2Fimage.png?alt=media&#x26;token=e5b4139e-04a2-4efa-a48e-cdf63ce6e73d" alt=""><figcaption></figcaption></figure>

Answer: 3

## Task 4

What is the file extension of a swap file?

<figure><img src="https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FYgx0Ym8hADvNcKnGRVsd%2Fimage.png?alt=media&#x26;token=01ba6dfb-3b32-4b62-b1c0-6b56f57630e3" alt=""><figcaption></figcaption></figure>

Answer: .swp

## Task 5

Which PHP function is being used in the backend code to compare the user submitted username and password to the valid username and password?

<figure><img src="https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FWPSjZqp0jnDH3sILJiej%2Fimage.png?alt=media&#x26;token=6c207dd6-7640-4db6-9ad4-54f0f4e5f40c" alt=""><figcaption></figcaption></figure>

<figure><img src="https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2F7n1wp6AIzfGU1d52QyXX%2Fimage.png?alt=media&#x26;token=637855d3-eddf-4cb3-b642-4e49a3586a28" alt=""><figcaption></figcaption></figure>

Answer: `strcmp()`

## Task 6

In which directory are the uploaded files stored?

<figure><img src="https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FQoBDy1DgeKJfElbMdlRp%2Fimage.png?alt=media&#x26;token=8df4576c-2a54-4596-b218-8d073da1faa7" alt=""><figcaption></figcaption></figure>

Modify the request to

<figure><img src="https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FRQHPzCGSSBLLxs2Ar37W%2Fimage.png?alt=media&#x26;token=c61ec6b6-0052-422b-aecd-402d1bd4ed25" alt=""><figcaption></figcaption></figure>

Send it and open it in the browser

<figure><img src="https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2F6AK5N3NM5SzzW9ZMBY5v%2Fimage.png?alt=media&#x26;token=3f4e459e-3c78-4f9e-99fc-e5ba09d887b1" alt=""><figcaption></figcaption></figure>

<figure><img src="https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FYbICNztSdlVSybU6s5tb%2Fimage.png?alt=media&#x26;token=92bd497f-f9d2-4398-a162-215c3e5cadb8" alt=""><figcaption></figcaption></figure>

<figure><img src="https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FAOtQtuCce4f6suJ5HUuM%2Fimage.png?alt=media&#x26;token=d61411e1-2ba9-4c7c-a4c6-e788570835f8" alt=""><figcaption></figcaption></figure>

Answer: \_uploaded

## Task 7

Which user exists on the remote host with a home directory?

Upload a webshell

<figure><img src="https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FxhfurRZIH3R2Elq8hdRs%2Fimage.png?alt=media&#x26;token=c744afa0-78df-45c2-9ee7-b74425287773" alt=""><figcaption></figcaption></figure>

<figure><img src="https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2F4E3XMUS8R8wzvqBSuCw8%2Fimage.png?alt=media&#x26;token=e6a8895a-31e7-4bb3-b47f-815282dfcfe9" alt=""><figcaption></figcaption></figure>

<figure><img src="https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FceqnTY8GwhQMbx7Oausp%2Fimage.png?alt=media&#x26;token=4144e819-49c6-41da-a2cc-ac4157484772" alt=""><figcaption></figcaption></figure>

<figure><img src="https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FgOBWNWBnCGy6n8ZTfcVX%2Fimage.png?alt=media&#x26;token=aedaccd3-51b1-41db-ad81-ef1d1d7ea5e7" alt=""><figcaption></figcaption></figure>

Encode the command

<figure><img src="https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2Fmpgt1FWvNa0DXvWbcJoA%2Fimage.png?alt=media&#x26;token=bd7c87e6-2e20-42d2-9140-74c0ffcfeddc" alt=""><figcaption></figcaption></figure>

<figure><img src="https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FbzZHWGgq0R47XzSUiXVo%2Fimage.png?alt=media&#x26;token=9482b51f-baa0-4769-ac74-487cd2fc3b27" alt=""><figcaption></figcaption></figure>

<figure><img src="https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2Fl5qjZ17yowUwHgCeEun2%2Fimage.png?alt=media&#x26;token=2a284c36-97c5-49c0-a7ad-5c1a1e20e3d7" alt=""><figcaption></figcaption></figure>

Answer: john

## Task 8

What is the password for the user present on the system?

Looking at the "empty" config.php file

<figure><img src="https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FWKwBXOCj0fVOYEnsmRju%2Fimage.png?alt=media&#x26;token=c63a9cd5-d909-4be8-b980-234168861426" alt=""><figcaption></figcaption></figure>

Answer: thisisagoodpassword

## Task 9

What is the full path to the command that the user john can run as user root on the remote host?

Log in as john with the password we found

<figure><img src="https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2F1EcYqKC529iqzgkY0YNk%2Fimage.png?alt=media&#x26;token=264f05c5-ffb5-4bfe-a1ef-e8fb13eab057" alt=""><figcaption></figcaption></figure>

Answer: /usr/bin/find

## Task 10

What action can the find command use to execute commands?

The [GTFOBins](https://gtfobins.github.io/gtfobins/find/) entry for `find` shows that its `-exec` action can start a shell:

<figure><img src="https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2Fmejt1KNSM2f2FvuDtm5O%2Fimage.png?alt=media&#x26;token=3fbb6b5d-4155-491b-bf59-093f02f179cb" alt=""><figcaption></figcaption></figure>

```bash
sudo find . -exec /bin/sh \; -quit
```

Answer: exec
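
The misconfiguration behind Tasks 9 and 10 can be caught from the defender's side by auditing `sudo -l` output. The script below is an added example, not part of the original writeup: the `SAMPLE_SUDO_L` text is constructed, and the `EXEC_CAPABLE` list is an illustrative, incomplete assumption about which binaries can run other commands.

```bash
#!/usr/bin/env bash
# Added example: flag sudo rules that grant binaries able to run other commands.

# Assumption: short, incomplete list of binaries with command-execution features.
EXEC_CAPABLE="find vim vi awk less more perl python3 env tar"

# Constructed sample of `sudo -l` output (not captured from the target host).
SAMPLE_SUDO_L='Matching Defaults entries for john on base:
    env_reset, mail_badpass

User john may run the following commands on base:
    (root : root) /usr/bin/find
    (root) NOPASSWD: /usr/bin/systemctl status apache2, /usr/bin/vim /etc/hosts'

audit_sudo_list() {
    # Reads `sudo -l` style text on stdin and prints one line per risky command:
    #   RISKY <PASSWD|NOPASSWD> <path>
    while IFS= read -r line; do
        case "$line" in
            *"("*")"*) ;;        # rule lines look like "(runas) [TAG:] cmd, cmd"
            *) continue ;;       # headers, Defaults entries, blank lines
        esac
        rule=${line#*")"}        # drop the "(runas)" specification
        tag="PASSWD"
        case "$rule" in *NOPASSWD:*) tag="NOPASSWD" ;; esac
        rule=${rule##*:}         # drop tags such as "NOPASSWD:"
        # One command per line; the first word is the binary path.
        printf '%s\n' "$rule" | tr ',' '\n' | while read -r path args; do
            [ -n "$path" ] || continue
            base=${path##*/}
            case " $EXEC_CAPABLE " in
                *" $base "*) echo "RISKY $tag $path" ;;
            esac
        done
    done
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_SUDO_L" | audit_sudo_list
```

On a live host the same function can be fed from `sudo -l -U john` run as root; any flagged rule should be replaced with a narrowly scoped wrapper or removed.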

## Task 11

User Flag

<figure><img src="https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FGMvs1xKp5S9uap0uJNeI%2Fimage.png?alt=media&#x26;token=b744c20b-ac1e-40d7-b4ce-4574ade526e7" alt=""><figcaption></figcaption></figure>

Answer: f54846c258f3b4612f78a819573d158e

## Task 12

Root Flag

<figure><img src="https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FgMcUQL5dvDpFyTjjX9zA%2Fimage.png?alt=media&#x26;token=ead312cb-ecf6-4ae4-b46e-e536a6403269" alt=""><figcaption></figcaption></figure>

Answer: 51709519ea18ab37dd6fc58096bea949
