Thm_owasp


Command Injection Practical


What strange text file is in the website root directory?

cmd: ls

drpepper.txt


How many non-root/non-service/non-daemon users are there?





What user is this app running as?

cmd: whoami


www-data



What is the user's shell set as?



What version of Ubuntu is running?

cmd: lsb_release -a

18.04.4


Print out the MOTD. What favorite beverage is shown?

cmd: cat /etc/update-motd.d/00-header

DR PEPPER

Broken Authentication Practical



What is the flag that you found in darren's account?

fe86079416a21a3c99937fea8874b667




What is the flag that you found in arthur's account?

d9ac0f7db4fda460ac3edeb75d75e16e

Sensitive Data Exposure


What is the name of the mentioned directory?

/assets


Navigate to the directory you found in question one. What file stands out as being likely to contain sensitive data?

webapp.db


Use the supporting material to access the sensitive data. What is the password hash of the admin user?

6eea9b7ef19179a06954edd0f6c05ceb


Crack the hash. What is the admin's plaintext password?

qwertyuiop


Login as the admin. What is the flag?

THM{Yzc2YjdkMjE5N2VjMzNhOTE3NjdiMjdl}

XML External Entity


What is the name of the user in /etc/passwd?


falcon


Where is falcon's SSH key located?

/home/falcon/.ssh/id_rsa



What are the first 18 characters of falcon's private key?

MIIEogIBAAKCAQEA7b

Broken Access Control (IDOR Challenge)



Look at other users notes. What is the flag?



payload: http://10.10.145.127/note.php?note=0


flag{fivefourthree}

Security Misconfiguration



Hack into the webapp, and find the flag!


creds: pensive:PensiveNotes

thm{4b9513968fd564a87b28aa1f9d672e17}

XSS


Navigate to http://10.10.98.36/ in your browser and click on the "Reflected XSS" tab on the navbar; craft a reflected XSS payload that will cause a popup saying "Hello".

ThereIsMoreToXSSThanYouThink

On the same reflective page, craft a reflected XSS payload that will cause a popup with your machine's IP address.

ReflectiveXss4TheWin


Then add a comment and see if you can insert some of your own HTML.

HTML_T4gs

On the same page, make an alert popup box appear on the page with your document cookies.

W3LL_D0N3_LVL2

Change "XSS Playground" to "I am a hacker" by adding a comment and using JavaScript.


websites_can_be_easily_defaced_with_xss

Insecure Deserialization


Who developed the Tomcat application?

The Apache Software Foundation


What type of attack that crashes services can be performed with insecure deserialization?


denial of service

Insecure Deserialization


1st flag (cookie value)


THM{good_old_base64_huh}



2nd flag (admin dashboard)

THM{heres_the_admin_flag}

Insecure Deserialization - Code Execution



flag.txt


4a69a7ff9fd68

Components with Known Vulnerabilities



How many characters are in /etc/passwd? (Use wc -c /etc/passwd to get the answer.)

exploit: https://www.exploit-db.com/exploits/47887

1611

Insufficient Logging and Monitoring


What IP address is the attacker using?

49.99.13.16


What kind of attack is being carried out?


brute force
Licensed under CC BY-NC-SA 4.0