Write-up
Step-by-step guide on the approach taken to pwn the machine.
Objective
In this machine, the goal is to "Climb the filesystem to find the flag."
Reconnaissance
As usual, we start by scanning for open ports using nmap:
sudo nmap -sCV -F -T5 <ip_target>
The scan reveals two open ports:
22 for SSH
80 for HTTP
We decide to investigate the HTTP service by visiting the website:
http://<ip_target>
The page looks normal, with a feature to listen to music. After reviewing the page source (Ctrl+U) and the robots.txt file without finding anything useful, we start navigating through the "Discography" section. Here, we notice that the URL changes to:
/?page=relax.php
Exploitation
We start experimenting by changing the page parameter to test for Local File Inclusion (LFI) and Path Traversal. We first try:
../../../../etc/shadow
The result is empty rather than an error, which suggests the server is processing the include and simply cannot read that file (/etc/shadow is readable only by root), so the parameter is likely vulnerable to LFI. We then try:
../../../../etc/passwd
This successfully returns the contents of the passwd file. Looking through the file, we identify a user of interest: games. However, we still don't have the private key (or password) required to log in as that user via SSH.
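To make the root cause concrete, here is an added example (not code from the original write-up or from the target application) that models the vulnerable pattern behind /?page=relax.php and sets the hardened version beside it. It is written in Python for illustration rather than PHP; the web root /var/www/html and the allowlist of page names are assumptions. The fix is not to filter "../" out of the string but to reduce the request to a bare page name, check it against an allowlist, rebuild the filename server-side, and confirm the canonical path is still under the web root.

```python
import os
import posixpath

# Constructed for this example: the page names the application legitimately serves
# (assumption: only these three files under the web root are meant to be includable).
ALLOWED_PAGES = {"home", "relax", "discography"}


def naive_include_path(base_dir: str, page: str) -> str:
    """Model of the vulnerable pattern behind /?page=relax.php: the parameter is
    joined to the web root unchanged, so '../' segments walk out of base_dir."""
    return posixpath.normpath(posixpath.join(base_dir, page))


def safe_include_path(base_dir: str, page: str) -> str:
    """Hardened resolution. Reduce the request to a bare page name, require it to be
    on the allowlist, rebuild the filename ourselves, and finally confirm the
    canonical path is still under the web root (defence in depth against symlinks)."""
    name, _ext = posixpath.splitext(posixpath.basename(page))
    if name not in ALLOWED_PAGES:
        raise ValueError(f"page not allowed: {page!r}")
    base_real = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base_real, name + ".php"))
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise ValueError(f"resolved path escapes the web root: {candidate}")
    return candidate


def check_page(base_dir: str, page: str) -> tuple:
    """Convenience wrapper: (True, resolved path) or (False, reason)."""
    try:
        return True, safe_include_path(base_dir, page)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    web_root = "/var/www/html"  # assumed web root for the demo
    for value in ("relax.php", "../../../../etc/passwd", "../../../../flag.txt"):
        print(f"{value!r:32} naive -> {naive_include_path(web_root, value)}")
        print(f"{'':32} safe  -> {check_page(web_root, value)}")
```

Running the block shows the naive join resolving the traversal input from the write-up to /etc/passwd, while the hardened resolver rejects it because "passwd" is not an allowed page name; the commonpath check is a second line of defence that also catches a symlink placed under the web root.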
Escalation
Our next step is to try to access the games user's directory. After several attempts and directory searches, we finally find something interesting. By simply typing:
../../../../flag.txt
We are able to view the flag.txt file, thus completing the challenge.
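From the defender's side, the whole sequence above (shadow returning an empty 200, then passwd, then the flag) leaves a clear trail in the web server's access log. The following added example, not part of the original write-up, scans constructed combined-format log lines for traversal in the page parameter, decoding repeated percent-encoding so encoded variants are caught too. The IPs, timestamps, byte counts and the allowlist of page values are made up for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Apache/nginx combined-log style; the IPs, timestamps and
# byte counts are made up for this example. Note the zero-byte 200 response for
# /etc/shadow: an include that "succeeds" with empty output is itself a signal.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:00:01 +0000] "GET /?page=relax.php HTTP/1.1" 200 1532
10.0.0.9 - - [12/Mar/2024:10:00:07 +0000] "GET /?page=../../../../etc/shadow HTTP/1.1" 200 0
10.0.0.9 - - [12/Mar/2024:10:00:12 +0000] "GET /?page=../../../../etc/passwd HTTP/1.1" 200 2011
10.0.0.9 - - [12/Mar/2024:10:00:40 +0000] "GET /?page=..%252F..%252F..%252F..%252Fflag.txt HTTP/1.1" 200 38
10.0.0.5 - - [12/Mar/2024:10:01:03 +0000] "GET /robots.txt HTTP/1.1" 200 24
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')

# Assumption: these are the only values the page parameter should ever carry.
ALLOWED_PAGES = {"home.php", "relax.php", "discography.php"}


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of percent-encoding so %2e%2e%2f and %252e... are seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_page_value(value: str):
    """Return a reason string if the page value looks like a traversal/LFI attempt, else None."""
    decoded = fully_decode(value)
    if "\x00" in decoded:
        return "null byte in page parameter"
    if decoded.startswith("/"):
        return "absolute path in page parameter"
    if ".." in decoded.replace("\\", "/").split("/"):
        return "parent-directory traversal in page parameter"
    if decoded not in ALLOWED_PAGES:
        return "page value outside allowlist"
    return None


def find_lfi_attempts(log_text: str) -> list:
    """Parse each log line, pull every `page` query value and keep the suspicious ones."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, _method, target, status, size = m.groups()
        query = parse_qs(urlsplit(target).query, keep_blank_values=True)
        for value in query.get("page", []):
            reason = classify_page_value(value)
            if reason:
                findings.append({"ip": ip, "time": ts, "page": value, "status": status,
                                 "bytes": size, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_lfi_attempts(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} page={f['page']!r} -> {f['status']} ({f['bytes']} bytes): {f['reason']}")
```

The allowlist check at the end means a request for a page that does not exist is flagged as well, which is usually the earliest sign of someone probing the parameter before any traversal appears.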