In the machine section we have this medium level box to root. Diving right in!

Performed some nmap port scanning to get an overview of running ports and services

ssh and apache are running. So we can move on to view the web server. We get a default apache page, enumerating further we can reveal more interesting pages.

Bruteforcing directories using dirsearch we get some info .

Viewing the pages listed

Well, not much at first glance till we interact with the site. Tried viewing the source of the main page, about us and contact us. Contact us gives us an interesting file.

Ended up with this huuuuuuge chunk of nested base64 encoding

So, using python we can recursively decode that.

Okay, so this seems to be credentials. Judging from the open ports-ssh login credentials.

But we need a user for that. From the challenge name ‘Shadower’ I deduced that this hinted at the /etc/shadow file and possibly some LFI could be involved.

Back to the contact us page. We can fuzz the URL for some LFI and see if we get lucky.

Sweet! if you look closely, you can see our target user - john. Logging in with those credentials…

we’re in! Now for the sweet part of the challenge. Getting root access to the box.

Tried viewing what commands john could run as sudo

A bit unlucky.

Well, to quicken our priv esc , you can run linpeas on the box to enumerate on potential vectors. You can clone it from github https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite

Make the script executable by running chmod +x . Then run the script

From linpeas results, the /etc/passwd file is writable. Sweet! We can add our own root user and use that to get the flag.

Tried editing the /etc/passwd file directly. Worked, but I couldn’t assign a password to the user

So instead, opted to use OpenSSL. This article came in handy.

Following the article, create your own salt for the password using openssl. Paste into /etc/passwd following this format

Nice! We get root. You can stabilize the shell using python3 -c “import pty; pty.spawn(‘/bin/bash’)”

cd into /root, get your flag in the “-” directory.

Happy hacking :)

Just a hacker looking for fun