Initial Scan

sudo nmap -T4 -Pn -sV -sC -v -oA Base

Task 1

Which two TCP ports are open on the remote host?

Answer: 22,80

Task 2

What is the relative path on the webserver for the login page?

Answer: /login/login.php

Task 3

How many files are present in the '/login' directory?

Answer: 3

Task 4

What is the file extension of a swap file?

Answer: .swp

Task 5

Which PHP function is being used in the backend code to compare the user submitted username and password to the valid username and password?

Answer: strcmp()
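The strcmp() comparison that Task 5 identifies, as an added example beside a hardened replacement. This is not the box's own code: the config.php variables, the form field names and the post-login redirect are assumptions.

```php
<?php
// Added example, not the box's own code. Assumes config.php defines
// $username and $password (plaintext credentials, as on this box) and that
// the login form posts the fields 'username' and 'password'.
require_once 'config.php';

// The pattern the task points at: strcmp() with a loose "== 0" test.
// On PHP 7 and earlier, strcmp() given a non-string argument (for example an
// array) emits a warning and returns NULL, and NULL == 0 is true, so the check
// passes without the correct value. PHP 8 throws a TypeError instead.
function weak_login($submittedUser, $submittedPass, string $validUser, string $validPass): bool
{
    return strcmp($validUser, $submittedUser) == 0
        && strcmp($validPass, $submittedPass) == 0;
}

// Hardened form: reject anything that is not a string before comparing,
// compare in constant time, and verify against a password hash instead of a
// plaintext value. Both checks always run so a wrong username costs the same
// time as a wrong password.
function strict_login($submittedUser, $submittedPass, string $validUser, string $validPassHash): bool
{
    if (!is_string($submittedUser) || !is_string($submittedPass)) {
        return false;
    }
    $userOk = hash_equals($validUser, $submittedUser);
    $passOk = password_verify($submittedPass, $validPassHash);
    return $userOk && $passOk;
}

// In a real deployment the hash, not $password, is what config.php would hold;
// hashing here only keeps the example runnable against a box-style config.
$validPassHash = password_hash($password, PASSWORD_DEFAULT);

session_start();
$user = $_POST['username'] ?? null;
$pass = $_POST['password'] ?? null;
if (strict_login($user, $pass, $username, $validPassHash)) {
    session_regenerate_id(true);
    $_SESSION['user_id'] = $username;
    header('Location: /');   // assumption: landing page after login
    exit;
}
http_response_code(401);
echo 'Wrong Username or Password';
```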

Task 6

In which directory are the uploaded files stored?

Modify the request to

Send it and open it in the browser

Answer: _uploaded

Task 7

Which user exists on the remote host with a home directory?

Upload a webshell

Encode the command

Answer: john

Task 8

What is the password for the user present on the system?

Looking at the "empty" config.php file

Answer: thisisagoodpassword

Task 9

What is the full path to the command that the user john can run as user root on the remote host?

Log in as john with the password we found

Answer: /usr/bin/find

Task 10

What action can the find command use to execute commands?

Looking on GTFOBins we can see

sudo find . -exec /bin/sh \; -quit

Answer: exec

Task 11

User Flag


Task 12

Root Flag

Answer: 51709519ea18ab37dd6fc58096bea949
