# Avengers Blog

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Md-VoYJ_fvIs89MMZvd%2F-Md-Vrkmma_MpxpporGe%2Fimage.png?alt=media\&token=24ab6a3b-7c80-411a-a53b-6b526a91de06)

## Cookies

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Md-VoYJ_fvIs89MMZvd%2F-Md-WZDm2C38QA8nNY2H%2Fimage.png?alt=media\&token=2d4a3b44-650f-4dc2-83c2-f4121323d72b)

Let's visit the webpage.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Md-VoYJ_fvIs89MMZvd%2F-Md-WkS_MW9A9PY6bmTr%2Fimage.png?alt=media\&token=54c0e517-c010-4190-992c-0c77c749bb1e)

Let's look at the cookies in the Storage tab of the developer tools (Ctrl + Shift + I).

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Md-VoYJ_fvIs89MMZvd%2F-Md-WwkiAQqP10SmAmYz%2Fimage.png?alt=media\&token=180b294d-48dc-4ebb-8a76-627947990634)

We have the flag

## HTTP Headers

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Md-VoYJ_fvIs89MMZvd%2F-Md-X2pe-wPaiYbWq9Um%2Fimage.png?alt=media\&token=6df6e655-88eb-4157-a6c9-33c91407e2c6)

Let's go to the Network tab, hit reload, and select the option to show only HTTP requests.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Md-VoYJ_fvIs89MMZvd%2F-Md-XVzEANJQpl6yyk-T%2Fimage.png?alt=media\&token=54619af0-c182-425f-aec8-c0249216208f)

We have the second flag

## Enumeration and FTP

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Md-XYdswiGU-WIWpOCb%2F-Md-XmgRbMxn9wMUcU4r%2Fimage.png?alt=media\&token=038149bd-4220-4081-83a4-d08c746566f7)

Let's run an nmap scan to find open ports, then log in to FTP with the given credentials.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Md-XYdswiGU-WIWpOCb%2F-Md-Y7aChe0Df7KNHBP4%2Fimage.png?alt=media\&token=ec984e70-392c-4ac9-93ce-debfa6f788f7)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Md-XYdswiGU-WIWpOCb%2F-Md-Y9ULczcChahrsGOO%2Fimage.png?alt=media\&token=836de06b-d42d-447c-982a-610a90110cd1)

Let's look at the files on the FTP server.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Md-XYdswiGU-WIWpOCb%2F-Md-YKiQ4hzigS6wsRbG%2Fimage.png?alt=media\&token=27b70056-b4fd-4cae-bc9c-be2fa37f1568)

There is a directory with the flag inside it, so transfer the file to our machine and read it to get the third flag.

## Gobuster

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Md-XYdswiGU-WIWpOCb%2F-Md-YYcHBDhxEOlCTyUq%2Fimage.png?alt=media\&token=cdf3662f-8294-4d5f-b277-477b245b7663)

Let's run gobuster to find hidden files and directories.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Md-XYdswiGU-WIWpOCb%2F-Md-Z-BRDwYruQjz-II5%2Fimage.png?alt=media\&token=edcd5735-7db1-4b50-b1ab-466ae53f902c)

The /portal path has a login page, so that is the answer for this task.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Md-XYdswiGU-WIWpOCb%2F-Md-Z9KSnYAh3s6c2pTG%2Fimage.png?alt=media\&token=9f2c575a-55e2-41a1-a573-3b567a69cab1)

## SQL Injection

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Md-XYdswiGU-WIWpOCb%2F-Md-ZGXx--k3oxWGFIdj%2Fimage.png?alt=media\&token=c12851fe-d4f9-432b-8161-ef07794dacf8)

Let's capture the request using Burp and send it to Repeater.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Md-XYdswiGU-WIWpOCb%2F-Md-_Qv6-7DY_LHDnGMy%2Fimage.png?alt=media\&token=9e490c44-3f29-4e89-85e4-e2573a38d980)

Now let's use SQL injection to log in as admin.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Md-XYdswiGU-WIWpOCb%2F-Md-_lP3fi6jyYH_8pW9%2Fimage.png?alt=media\&token=755488ff-3939-4ab0-ab05-cf0f0ee48f66)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Md-XYdswiGU-WIWpOCb%2F-Md-_vM5JQmzsLaE0Ilm%2Fimage.png?alt=media\&token=6d59306f-9ac4-4b93-a36d-b524f06cf073)

It says found, so now let's send it as a real request in the Proxy tab.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Md-XYdswiGU-WIWpOCb%2F-Md-a0EKLMdFcZTmnjSn%2Fimage.png?alt=media\&token=3a737367-b882-427a-926d-0634a33d23e0)

We are logged in. Looking at the source code, there are 223 lines being used, so that is the answer to the question in this task.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Md-a2doS97XlLieG3SI%2F-Md-aRg9nf9aT1WPLO71%2Fimage.png?alt=media\&token=b970e692-f308-41a6-beaa-7e27ed80e64b)
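Why a login form like this one can be bypassed, and how the query should be written instead, as an added example that is not the room's code or part of the original write-up. The table, the hashing and the input string are constructed, since the page shows its request only in screenshots.

```python
import hashlib
import sqlite3

# Constructed input: the quote closes the username literal and "--" comments
# out the password check that follows it.
INJECTED = "admin' --"


def hash_pw(password):
    # Unsalted SHA-256 keeps the sample short; production code should use a
    # slow, salted KDF (scrypt, argon2) instead.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db():
    """Constructed in-memory user table; the real /portal schema is not on the page."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)",
               ("admin", hash_pw("constructed-secret")))
    return db


def login_vulnerable(db, username, password):
    # User input is pasted into the SQL text, so a quote in it changes the
    # structure of the statement rather than just the value being compared.
    sql = ("SELECT username FROM users WHERE username = '%s' AND pw_hash = '%s'"
           % (username, hash_pw(password)))
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(db, username, password):
    # Placeholders keep the values out of the SQL text; the driver binds them
    # as data, so the quote is compared literally and matches no user.
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND pw_hash = ?",
        (username, hash_pw(password)),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable    :", login_vulnerable(db, INJECTED, "wrong"))
    print("parameterized :", login_parameterized(db, INJECTED, "wrong"))
```
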

## Remote Code Execution and Linux

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Md-a2doS97XlLieG3SI%2F-Md-a_J8nhOSRdqjUbTC%2Fimage.png?alt=media\&token=8fa2964c-a478-44c4-b99a-7a9b60f591f0)

We cannot read the file with the **cat** command, so let's use the **tac** command.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Md-a2doS97XlLieG3SI%2F-Md-b111jn38sRMW6yYB%2Fimage.png?alt=media\&token=48bc95d5-adc3-426d-b846-27202783a80c)
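The cat/tac step shows why filtering commands by name does not contain a command-execution feature. The following is an added example, not the room's code: the deny-list, the action table and the file name are assumptions made for illustration, contrasted with an allow-list of fixed actions.

```python
import shlex
import subprocess

# Assumed filter: the page only shows that cat is refused.
DENYLIST = ("cat",)

# Allow-list design: callers pick an action name, never supply command text.
ACTIONS = {
    "uptime": ["uptime"],
    "disk": ["df", "-h"],
}


def denylist_permits(command):
    """Deny-list check: refuse only when the first word is a banned name."""
    words = shlex.split(command)
    return bool(words) and words[0] not in DENYLIST


def allowlist_argv(action):
    """Return the fixed argv for a known action; anything else is rejected."""
    try:
        return list(ACTIONS[action])
    except KeyError:
        raise PermissionError(f"unknown action: {action!r}") from None


def run_action(action):
    # A list argv with the default shell=False means no shell parses the
    # input, so there is nothing for user-supplied text to extend.
    result = subprocess.run(allowlist_argv(action), capture_output=True,
                            text=True, timeout=5, check=False)
    return result.stdout


if __name__ == "__main__":
    # flag.txt is a constructed file name.
    for cmd in ("cat flag.txt", "tac flag.txt"):
        print(f"deny-list permits {cmd!r}: {denylist_permits(cmd)}")
    print(run_action("uptime"))
```
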
