Write-up

Step-by-step guide on the approach taken to pwn the machine.

Objective

In this machine, the goal is to "Climb the filesystem to find the flag."


Reconnaissance

As usual, we start by scanning for open ports using nmap:

sudo nmap -sCV -F -T5 <ip_target>

The scan reveals two open ports:

  • 22 for SSH

  • 80 for HTTP

We decide to investigate the HTTP service by visiting the website:

http://<ip_target>

The page looks normal, with a feature to listen to music. After reviewing the source code (Ctrl+U) and the robots.txt file with no useful results, we start navigating through the "Discography" section. Here, we notice that the URL changes to:

/?page=relax.php

Exploitation

We start experimenting by changing the page parameter to test for Local File Inclusion (LFI) and Path Traversal. We first try:

../../../../etc/shadow

The response comes back empty: /etc/shadow is not readable by the web server's user, but the fact that the request is processed without error suggests the parameter is being passed to a file include and the page may be vulnerable to LFI. We then try:

../../../../etc/passwd

This successfully returns the contents of the passwd file. Looking through the file, we identify a user of interest: games. However, we still don't have the public key required to log in via SSH.


Escalation

Our next step is to try to access the games user's directory. After several attempts and directory searches, we finally find something interesting. By simply typing:

../../../../flag.txt

We are able to view the flag.txt file, thus completing the challenge.
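The two steps above (the page parameter handed straight to an include, then walked upward with ../ to reach /etc/passwd and flag.txt) are a textbook path traversal. The following is an added example, not code from the write-up or from the challenge, showing the difference between a resolver that behaves like the vulnerable page and one that allowlists and confines the include, plus a small detector that flags traversal attempts in web server access logs. The base directory, page names and log lines are all constructed for the example.

```python
"""Added example: LFI/path traversal resolver (unsafe vs hardened) and a log detector."""
import os
import re
from typing import List, Optional
from urllib.parse import unquote

# Constructed values for the example: a document root and the pages the
# site is allowed to include through ?page=... (assumed names).
BASE_DIR = "/srv/app"
ALLOWED_PAGES = {"index.php", "relax.php", "discography.php"}

# Apache/nginx combined-log style line: ip ident user [ts] "METHOD target proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# A ".." segment followed by a path separator, checked after URL decoding.
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")


def unsafe_resolve(page_param: str, base_dir: str = BASE_DIR) -> str:
    """Behaves like the vulnerable page: joins user input onto the document root.

    normpath() collapses the '..' segments, so the result can point anywhere.
    """
    return os.path.normpath(os.path.join(base_dir, page_param))


def resolve_page(page_param: str, base_dir: str = BASE_DIR) -> Optional[str]:
    """Hardened resolver: exact allowlist match plus realpath containment.

    Returns the absolute path to include, or None when the request is rejected.
    The containment check is defence in depth: even if the allowlist is later
    relaxed, nothing outside base_dir can be included.
    """
    if page_param not in ALLOWED_PAGES:
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, page_param))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def _fully_decode(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so that %2e%2e%2f and double-encoded forms are seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_traversal_attempts(log_text: str) -> List[dict]:
    """Return one record per request whose decoded target contains a '../' segment."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = _fully_decode(m.group("target"))
        if TRAVERSAL_RE.search(target):
            size = m.group("size")
            hits.append({
                "ip": m.group("ip"),
                "target": target,
                "status": int(m.group("status")),
                "bytes": 0 if size == "-" else int(size),
            })
    return hits


# Constructed access-log sample mirroring the write-up's requests; the zero-byte
# 200 for /etc/shadow is the "empty result" seen above and is itself a useful signal.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /?page=relax.php HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /?page=../../../../etc/shadow HTTP/1.1" 200 0
10.0.0.9 - - [01/Jan/2024:10:00:12 +0000] "GET /?page=../../../../etc/passwd HTTP/1.1" 200 1840
10.0.0.9 - - [01/Jan/2024:10:00:30 +0000] "GET /?page=..%2F..%2F..%2F..%2Fflag.txt HTTP/1.1" 200 40
10.0.0.7 - - [01/Jan/2024:10:01:00 +0000] "GET /robots.txt HTTP/1.1" 200 26
"""

if __name__ == "__main__":
    print("unsafe :", unsafe_resolve("../../../../etc/passwd"))
    print("safe   :", resolve_page("../../../../etc/passwd"))
    print("safe   :", resolve_page("relax.php"))
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print(hit)
```

The allowlist is what actually closes the hole; the realpath containment check only matters if someone later widens the allowlist or derives it from user input. On the detection side, decoding before matching is essential, since the encoded form ..%2F would otherwise slip past a naive "../" search.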
