Machine is here.
Nmap scan ports.
Port 80 only has one file.
Get domain name from index.html.
Add it to /etc/hosts, then brute-force vhosts.
gobuster vhost -u http://bassam.ctf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
Get another vhost name, and add it to hosts too.
Gobuster scan.
Open index.php; it looks like we can download files, so enter config.php.
Check config.php and get a username/password pair.
SSH in as user test. Find two ELF binaries at /root/PassProgram.
Enumeration turns up a file named MySecretPassword, but all it has is unprintable data.
Decode the file with the ELF. We get the password for kira.
Kira can run sudo, and there is a test.sh in the home folder.
Then we can escalate to bassam.
Again, sudo.
Create script.sh on the attacker machine with reverse shell code in it, and run an HTTP server.
Modify the hosts file, adding the attacker machine's IP.
Run down.sh, and we get root!