Back to Write-ups

Code

MachineEasy

Initial Access

Starting with a standard nmap scan, I discovered port 5000 was open. Upon accessing 10.129.49.93:5000, I found a Python editor interface that could be used for command injection.

Python Command Injection

I used the following payload to enumerate the system:

print(''.__class__.__bases__[0].__subclasses__()[80].__init__.__globals__['__buil'+'tins__']['ev'+'al']('__imp'+'ort__("o'+'s").po'+'pen("ls /").re'+'ad()'))

This revealed the root directory contents:

bin boot dev etc home lib lib32 lib64 libx32 lost+found media mnt opt proc root run sbin srv sys tmp usr var

Credential Discovery

Through further command execution in the Python editor, I discovered credentials stored in the database. There were two accounts:

  • A test account
  • An administrator account

The administrator account's password was stored as an MD5 hash. Using Crackstation, I successfully decrypted the hash and obtained the password.

Gaining Access

To verify the credentials, I first logged into the website successfully. Then, I used SSH to gain system access:

ssh martin@ip

This gave me access to Martin's administrator account, which contained:

  • The backup of the web application
  • The user flag

User Flag

After making some modifications to the task.json file, I successfully accessed the user flag.

Root Access

While the specific steps weren't documented, obtaining root access was relatively straightforward after gaining the user flag.

References

Write-ups that provided guidance throughout this CTF: