Base
Public-source handoff exists in research.md. Live evidence has not been recorded yet in this support folder. 1. Enumerate services. 2. Enumerate web paths and confirm /login/ listing. 3. Recover login.php.swp and inspect PHP login
Scenario
Base attack path
Public-source handoff exists in research.md. Live evidence has not been recorded yet in this support folder. 1. Enumerate services. 2. Enumerate web paths and confirm /login/ listing. 3. Recover login.php.swp and inspect PHP login
Objective
Machine walkthrough focused on Machines evidence, validation, and reusable operator lessons.
Walkthrough flow
Scope and service discovery
Attack surface mapping
Initial foothold
Privilege escalation
Proof captured
Source coverage
Moderate source coverage
Status: partial. This article is generated from 3 sanitized Markdown sources and keeps raw flags, credentials, keys, cookies, and reusable secrets out of the rendered blog.
Moderate confidence: the page is useful for review, but it should be treated as partial because the available source material is thinner or less narrative-complete.
- Base/walkthrough.md
- HTB/Base/notes.md
- HTB/_knowledge/exports/ctf-lightrag-latest-203412/documents/machine__<TARGET>-Base__notes.md.8acefe2603.md
Technical Walkthrough
Base Walkthrough
Current State
Public-source handoff exists in research.md. Live evidence has not been recorded yet in this support folder.
Expected Path To Validate
- Enumerate services.
- Enumerate web paths and confirm
/login/listing. - Recover
login.php.swpand inspect PHP login logic. - Validate array-parameter authentication bypass.
- Upload and trigger a PHP reverse shell.
- Read live config credentials.
- Access user
john. - Capture user flag.
- Validate
sudo -l. - Abuse sudo
findto become root. - Capture root flag.
Source-Backed Dossier
The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.
Notes
Scope
- Target: Base
- Difficulty: Easy / Very Easy
- OS: Linux
- Current known IP: Pending
- Local support folder:
<local workspace>
Evidence Rule
Public research in research.md is advisory only. Record only live target evidence in this file after validation.
Evidence Ledger
| Timestamp | Command | Output file | Finding | Confidence | Next action |
|---|---|---|---|---|---|
| Pending | Pending | Pending | Public research handoff created. Live target IP not yet recorded here. | High | Add target IP, run live enumeration, and save outputs under nmap/ and enum/. |
Notes
Scope
- Target: <TARGET> (Base)
- OS: Linux (Ubuntu)
- Difficulty: Easy (Starting Point)
- Pwnbox: <TARGET> (<<secret redacted>>)
- VPN IP: <TARGET>
Evidence Ledger
| Timestamp | Command | Finding | Next Action |
|---|---|---|---|
| 2026-05-05 16:00 | nmap initial | SSH 22, HTTP 80 (Apache 2.4.29 Ubuntu) | Enumerate web |
| 2026-05-05 16:00 | curl /login/ | Directory listing: config.php, login.php, login.php.swp | Download .swp |
| 2026-05-05 16:01 | strings login.php.swp | strcmp() type juggling vuln in login | Auth bypass |
| 2026-05-05 16: <REDACTED> | |||
| 2026-05-05 16:01 | Upload shell.php (field: image) | Success - shell at /_uploaded/shell.php | RCE |
| 2026-05-05 16:01 | RCE as www-data | uid=33(www-data) | Read config |
| 2026-05-05 16:01 | cat config.php | admin / thisisagoodpassword | SSH as john |
| 2026-05-05 16:02 | SSH john@target | user.txt: <<secret redacted>> | Privesc |
| 2026-05-05 16:02 | sudo -l | (root) /usr/bin/find | GTFOBins |
| 2026-05-05 16:02 | sudo find -exec cat root.txt | root.txt: <<secret redacted>> | Done |
Credentials
- admin / thisisagoodpassword (web app + john SSH reuse)
Flags
- User: <<secret redacted>>
- Root: <<secret redacted>>