Inclusiveness : 1,422/


  • Driectory enumeration indicates robots.txt can be seen with a regular user-agent
  • Use curl to bypass the user-agent with Googlebot to find a clue
  • Hidden directory can be exploited by LFI
  • Test out the LFI exploit by uploading a PHP webshell
  • Create a PHP reverse shell and upload to get a shell
  • Explore system to find a rootshell program
  • Edit configuration to gain root access


Run nmap scan to find for open ports.

Run a gobuster scan to find for hidden directories.

Most of the robots pages shows this.


Unable to find anything

Lets’ bypass the useragent with google bot in curl


Tried to do some DNS enumeration but there wasn’t much. However upon noticing the URL of the secret information, I decided to try a directory reversal.

Seems that it can be exploited.

Since we know the FTP runs vsftpd, let’s search for a config file.

We are able to write into the ftp directory

Create a PHP webshell.

Upload it into the FTP server.

Let’s test the webshell

It works.

Now let’s enter a PHP reverse shell payload.

Encode the one liner PHP reverse shell.

Paste the encoded script into the webshell, start a netcat listener and a shell is gained.


Checking Tom directory we find a rootshell.c

The file will execute a root shell if the current user is Tom

Privilege escalation

Head to the tmp directory and create a whoami file with tom. Then export the path.

Run the rootshell again and root access is gained.

Final flag found.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s