Base
Scenario
Base attack path
Directory listing leak -> .swp source code exposure -> PHP strcmp type juggling auth bypass -> File upload to webshell -> Credential reuse for SSH -> sudo find privesc
1. Directory listing + swap files = source code disclosure
2. PHP strcmp() with loose ==...
Objective
Machine walkthrough focused on evidence, validation, and reusable operator lessons.
Walkthrough flow
Scope and service discovery
Attack surface mapping
Initial foothold
Privilege escalation
Proof captured
Source coverage
Moderate source coverage
Status: partial. This article is generated from 4 sanitized Markdown sources and keeps raw flags, credentials, keys, cookies, and reusable secrets out of the rendered blog.
Moderate confidence: the page is useful for review, but it should be treated as partial because the available source material is thinner or less narrative-complete.
- <TARGET>-Base/walkthrough.md
- HTB/<TARGET>-Base/notes.md
- HTB/_knowledge/exports/ctf-lightrag-latest-203412/documents/machine__<TARGET>-Base__notes.md.8acefe2603.md
- HTB/_knowledge/exports/ctf-lightrag-latest-203412/documents/machine__Base__notes.md.2e2df60ddf.md
Technical Walkthrough
Base - Walkthrough
Target: <TARGET> | OS: Ubuntu Linux | Difficulty: Easy
Attack Chain Summary
Directory listing leak -> .swp source code exposure -> PHP strcmp type juggling auth bypass -> File upload to webshell -> Credential reuse for SSH -> sudo find privesc
Lessons Learned
- Directory listing + swap files = source code disclosure
- PHP `strcmp()` with loose `==` comparison is vulnerable to type juggling via array injection
- File upload bypassed with content-type spoofing (no server-side extension check)
- Credential reuse from web config to SSH
- `sudo find` is trivially exploitable via `-exec`
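The `strcmp()` lesson above, shown as an added example that is not code recovered from the target or taken from the original notes: a constructed login check using the loose-comparison pattern, next to a hardened form. The function names, the sample user, the sample password and the stored hash are assumptions made for illustration.

```php
<?php
// Added illustration; not the target's login.php. All names and values are constructed.

// Pattern described in the notes: strcmp() result compared with loose ==.
function login_vulnerable($user, $pass, string $cfgUser, string $cfgPass): bool
{
    // PHP < 8: strcmp() on an array returns NULL (plus a warning), and NULL == 0 is true.
    // PHP 8+: strcmp() throws TypeError for a non-string argument instead.
    return strcmp($cfgUser, $user) == 0 && strcmp($cfgPass, $pass) == 0;
}

// Hardened form: type-check the input, compare strictly, store only a password hash.
function login_hardened($user, $pass, string $cfgUser, string $cfgHash): bool
{
    if (!is_string($user) || !is_string($pass)) {
        return false; // username[]=... is parsed into an array, never a string
    }
    $userOk = hash_equals($cfgUser, $user);      // constant-time, strings only
    $passOk = password_verify($pass, $cfgHash);  // checks against the stored hash
    return $userOk && $passOk;
}

$cfgUser = 'alice';                                     // constructed sample value
$cfgPass = 'example-password';                          // constructed sample value
$cfgHash = password_hash($cfgPass, PASSWORD_DEFAULT);

// Constructed request bodies, shaped as PHP would populate $_POST.
$cases = [
    'array params'   => ['username' => [''],     'password' => ['']],
    'wrong password' => ['username' => 'alice', 'password' => 'guess'],
    'valid login'    => ['username' => 'alice', 'password' => 'example-password'],
];

foreach ($cases as $label => $post) {
    try {
        // @ hides the PHP 7 warning so only the decision is printed.
        $old = @login_vulnerable($post['username'], $post['password'], $cfgUser, $cfgPass)
            ? 'accept' : 'reject';
    } catch (TypeError $e) {
        $old = 'TypeError';
    }
    $new = login_hardened($post['username'], $post['password'], $cfgUser, $cfgHash)
        ? 'accept' : 'reject';
    printf("%-15s vulnerable=%-9s hardened=%s\n", $label, $old, $new);
}
```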
Source-Backed Dossier
The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.
Notes
Scope
- Target: <TARGET> (Base)
- OS: Linux (Ubuntu)
- Difficulty: Easy (Starting Point)
- Pwnbox: <TARGET> (profex0r)
- VPN IP: <TARGET>
Evidence Ledger
| Timestamp | Command | Finding | Next Action |
|---|---|---|---|
| 2026-05-05 16:00 | nmap initial | SSH 22, HTTP 80 (Apache 2.4.29 Ubuntu) | Enumerate web |
| 2026-05-05 16:00 | curl /login/ | Directory listing: config.php, login.php, login.php.swp | Download .swp |
| 2026-05-05 16:01 | strings login.php.swp | strcmp() type juggling vuln in login | Auth bypass |
| 2026-05-05 16:01 | POST username[]=&password[]= | 302 redirect to /upload.php - auth bypassed | Upload shell |
| 2026-05-05 16:01 | Upload shell.php (field: image) | Success - shell at /_uploaded/shell.php | RCE |
| 2026-05-05 16:01 | RCE as www-data | uid=33(www-data) | Read config |
| 2026-05-05 16:01 | cat config.php | admin / thisisagoodpassword | SSH as john |
| 2026-05-05 16:02 | SSH john@target | user.txt: <hash redacted> | Privesc |
| 2026-05-05 16:02 | sudo -l | (root) /usr/bin/find | GTFOBins |
| 2026-05-05 16:02 | sudo find -exec cat root.txt | root.txt: <hash redacted> | Done |
Credentials
- admin / thisisagoodpassword (web app + john SSH reuse)
Flags
- User: <hash redacted>
- Root: <hash redacted>
Notes
Scope
- Target: Base
- Difficulty: Easy / Very Easy
- OS: Linux
- Current known IP: Pending
- Local support folder: <local workspace>
Evidence Rule
Public research in research.md is advisory only. Record only live target evidence in this file after validation.
Evidence Ledger
| Timestamp | Command | Output file | Finding | Confidence | Next action |
|---|---|---|---|---|---|
| Pending | Pending | Pending | Public research handoff created. Live target IP not yet recorded here. | High | Add target IP, run live enumeration, and save outputs under nmap/ and enum/. |