We are Spice Hut, a new startup company that just made it big! We offer a variety of spices and club sandwiches (in case you get hungry), but that is not why you are here. To be truthful, we aren’t sure if our developers know what they are doing and our security concerns are rising. We ask that you perform a thorough penetration test and try to own root. Good luck!

First thing we are looking for is a secret spicy soup recipe

Step 1, lets enumerate with nmap

We have a few fun ports to work with (21, 22 and 80)

the nmap scan came across 3 files that looks like we can access using FTP

using the get command lets pull these to our local machine

The note indicates that we have a user or username “Maya”

attempting to open the jpg file and it appears to start with an incorrect hex code

Installing Hexedit to the VM. While installing lets navigate to the webpage and see what we can get

Big ol nothing

Going to use gobuster and try and find some hidden directories

Navigating to /files and we seem to get the same files that we retrieved using ftp

This would indicate that whatever we upload using ftp will be stored in this directory. So lets go build us a shell and upload!

For this I am going to use a php shell from pentest monkey since it seems to work for alot of these boxes.

going to update our shell to point to our local machine

and then setting up our listener just to have that ready

using FTP we transfer our shell.php file into the server

checking the webpage we are able to verify our shell was uploaded

lets go ahead and run and see if netcat can catch it!

and we got it!

using ls we find a recipe.txt

and our first answer is love

We are now looking for the contents of user.txt

Decided to upgrade the shell to something more stable

Doing some research, we come across the folder called “incidents” which stands out as not default in a linux file system

within this folder is a file called suspicious.pcapng

after a few tries and spelling mistakes, we are able to transfer that pcapng file to our local machine using netcat

From here on our local machine we are going to open the file with Wireshark and do some digging