# Write-up

### <mark style="color:purple;">Objective</mark>

In this machine, the goal is to "Climb the filesystem to find the flag."

***

### <mark style="color:purple;">Reconnaissance</mark>

As usual, we start by scanning for open ports using **nmap**:

```bash
sudo nmap -sCV -F -T5 <ip_target>
```

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXc8ACn4rm-mPhnEzPb9xMkpdE_WuRigNUBv-LGlZfuMsx4EQ68ZysMFr02PeQD2hvnZGsuRriT1RsSwvEy1akidgsE1AzqdUhWOkEkFs_ZMaV0GgkhS78mKIK3rz17nA-pGWy-kPw?key=JUXX0UUDnYpH8lSgj1qGJQol" alt="" width="563"><figcaption></figcaption></figure>

The scan reveals two open ports:

* **22** for SSH
* **80** for HTTP

We decide to investigate the HTTP service by visiting the website:

```bash
http://<ip_target>
```

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXfbmbh7QRnrRIgjTkPEEvkimTzV8tXZOUkCPhIRFH3uLKXSr5m8yAN9jL7ZH7Jam-f_nqH_as6zkpGmq6PS_oDpmDtjsXqjmdLLtzgjdgk_TDRUbZIsqmKQtVScFwzCO4utkEFo?key=JUXX0UUDnYpH8lSgj1qGJQol" alt=""><figcaption></figcaption></figure>

The page looks normal, with a feature to listen to music. After reviewing the source code (Ctrl+U) and the **robots.txt** file with no useful results, we start navigating through the "Discography" section. Here, we notice that the URL changes to:

```bash
/?page=relax.php
```

***

### <mark style="color:purple;">Exploitation</mark>

We start experimenting by changing the **page** parameter to test for **Local File Inclusion (LFI)** and **Path Traversal**. We first try:

```
../../../../etc/shadow
```

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXeE6exLFktYfhHNqOTTZ_JdbLD8-9Vmqobo5wEWg5aPy3mVBOiJpoFK1PUxy6kcYEFhdtBFyNZpvIomla4WvRFYUQiuovB97eYWLwe2quvKhxyV16Gp3zRQaKg3wN5UVDhTeokvNQ?key=JUXX0UUDnYpH8lSgj1qGJQol" alt="" width="563"><figcaption></figcaption></figure>

The response is empty rather than an error. Since **/etc/shadow** is readable only by root, this suggests the server is attempting the include but cannot read the file, so the **page** parameter might be vulnerable to LFI. We then try:

```
../../../../etc/passwd
```

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXcJ6LWUJTbe6SJ1AnnpQQSpz1_YYlyjS30OMjPyaHEts2XlM6Dxvs2Cvr0YrQwwgOBIve3y_esCn_l7NEXcH-hdmlKn4P8rjrd58fNTWmZ19egYEOuhJceJGuBDkyPnfJpiurit?key=JUXX0UUDnYpH8lSgj1qGJQol" alt="" width="563"><figcaption></figcaption></figure>

This successfully returns the contents of the **passwd** file. Looking through the file, we identify a user of interest: **games**. However, we still don't have the key required to log in via SSH.

***

### <mark style="color:purple;">Escalation</mark>

Our next step is to try to access the **games** user's directory. After several attempts and directory searches, we finally find something interesting. By simply typing:

```
../../../../flag.txt
```

We are able to view the **flag.txt** file, thus completing the challenge.

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXfjhwsycQ6lx3QBwY3VVnRf7duM3B29jETjN6K8AbUJDqh9jQ-cgC0zqHgUjmxxK12XN_AsX_lbHxDb3nDwAOMaxuttSai7f3Ajy5hcogZc1OSAzVwrxkReT4xoUUVkwUgLp4vZ?key=JUXX0UUDnYpH8lSgj1qGJQol" alt=""><figcaption></figcaption></figure>
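The two traversal payloads above (`../../../../etc/passwd` and `../../../../flag.txt`) work because the application hands the **page** parameter straight to an include. The following Python block is an added example, not code from the challenge or from this write-up: it shows a hardened resolver that confines the included page to its directory with a realpath containment check plus an allow-list, and a small detection routine that pulls traversal attempts for the `page` parameter out of access-log lines. The page directory, the file `relax.php` it contains, the allow-list and the log lines are all constructed here for illustration; they are assumptions, not artefacts from the target machine.

```python
"""
Added example (not part of the original write-up): confining a `?page=`
include and spotting the traversal attempts shown above in an access log.
The page directory, its contents and the log lines are constructed.
"""
import os
import re
import tempfile
from typing import List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed page directory holding the one legitimate include (relax.php).
PAGES_DIR = tempfile.mkdtemp(prefix="pages_")
with open(os.path.join(PAGES_DIR, "relax.php"), "w") as fh:
    fh.write("<?php echo 'relax'; ?>")

# Assumed allow-list: the only files the application is meant to include.
ALLOWED_PAGES = {"relax.php"}


def resolve_page(page_param: str, base_dir: str = PAGES_DIR) -> Optional[str]:
    """Return the absolute path to include, or None if the request is refused.

    Two independent checks:
      1. realpath containment: the resolved path must stay below base_dir,
         which defeats ../ sequences, absolute paths and symlinks out of the tree;
      2. an explicit allow-list of file names, so an unexpected file inside
         the directory (an uploaded one, for instance) is still not included.
    """
    candidate = unquote(page_param)  # decode exactly once, never twice
    base = os.path.realpath(base_dir)
    resolved = os.path.realpath(os.path.join(base, candidate))
    if os.path.commonpath([base, resolved]) != base:
        return None  # escaped the page directory (the write-up's payloads land here)
    if os.path.basename(resolved) not in ALLOWED_PAGES:
        return None  # inside the directory but not a page we serve
    if not os.path.isfile(resolved):
        return None
    return resolved


# Constructed Apache-style access log: one legitimate request, then the two
# traversal requests from the write-up (the second one percent-encoded).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /?page=relax.php HTTP/1.1" 200 1432
10.0.0.5 - - [01/Jan/2025:10:00:07 +0000] "GET /?page=../../../../etc/passwd HTTP/1.1" 200 2119
10.0.0.5 - - [01/Jan/2025:10:00:21 +0000] "GET /?page=..%2F..%2F..%2F..%2Fflag.txt HTTP/1.1" 200 61
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
# Parent-directory steps, absolute Unix paths, or Windows drive prefixes.
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\|^/|^[a-z]:\\)", re.IGNORECASE)


def find_traversal_attempts(log_text: str, param: str = "page") -> List[str]:
    """Return decoded values of `param` that carry traversal or absolute-path markers."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = urlsplit(match.group(1)).query
        for value in parse_qs(query).get(param, []):
            decoded = unquote(value)  # parse_qs decoded once; catch double encoding too
            if TRAVERSAL_RE.search(decoded):
                hits.append(decoded)
    return hits


if __name__ == "__main__":
    for payload in ("relax.php", "../../../../etc/passwd", "../../../../flag.txt"):
        print(f"{payload!r:32} -> {resolve_page(payload)}")
    print("traversal attempts in log:", find_traversal_attempts(SAMPLE_LOG))
```

Both checks in `resolve_page` are deliberate: containment alone would still include any file that happens to sit in the page directory, and an allow-list alone is easy to forget to update, so the two together cover each other. The detection routine decodes the parameter the same way a web server would, which is why the percent-encoded `flag.txt` request is matched alongside the plain one.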
