Starting off with our nmap scan, we find that SSH, an Apache server and vsftpd are running.


In the pricing directory is a hidden note. It hints that there are other notes lying around the web sever. Let’s look!

After fuzzing for directories using gobuster, we find the following note in the static directory.

It links us to this login page.

But the source code contains the login details…

After logging in, it leads us to this note. Maybe if we try logging into the ftp server with these creds, we might get in.

It worked! Inside are some pcap files. Let’s take a look

The first two have nothing notable in them, but the third contains a POST request with a user and password in them. Let’s try using them for SSH.

We’re in! Plus we got the user flag.

In the /home/ directory, we find a file called “valleyAuthenticator”.

Using the strings command on it we find a pair of hashed user and password creds: “e6722920bab2326f8217e4bf6b1b58ac” and “dd2921cc76ee3abfd2beb60709056cfb”. Running the creds through hashcat, we get the user and password!

Let’s escalate to the valley user.

In the /etc/crontab file, we find that a python script is ran every minute as root.

Luckily for us it uses a base64 file which we can write to.

Replacing the contents with a simple reverse shell and setting up a netcat listener, we get root and the flag!

No responses yet

    Leave a Reply

    Your email address will not be published. Required fields are marked *