Note: You should really do RED5 before attempting this lab.

The goal for this lab is to get to the flag which is on the Domain Administrator’s Desktop. Filename: Flag.txt.txt

There are two machines:

• Workstation.insync.local (172.25.0.72)
• insync-dc.insync.local (172.25.0.73)

An nmap will turn up a web server on the workstation listening on port 80. The about page will give you the application name and version number which is fairly recent as of the writing of this lab.

Google will tell you that there a CVE that allows for remote code execution.

In this case, running wfuzz of ffuf against the website with a standard discovery list will turn up robots.txt, which contains the credentials for the admin user on this web application.

Any time you find a new vulnerability disclosure like this, the process should go like this:

• See if any exploit code exists
• Read it
• Adapt it.

There are several writeups available at this point describe how to get remote code execution via this particular version. This pdf does a good job of demonstrating where the vulnerability exists and how to pop a reverse shell given the condition here.

Important: As a student you have been given the ability to reboot the workstation machine in this environment. Once you obtain command line access, it’s possible to lock up the application under certain fairly common conditions. If you obtain a shell and it stops working, Find the ‘Red7’ machine on vc.icsi.cyber and hit reset.

You can use the Lua program in the PDF file above.