IP Address: 192.168.228.133

This is a bit of a longer run. In order to get this flag you will have to:

• Recon the heck out of the machine
• Enumerate and brute force credentials
• Once a low-privileged user is found, we’ll utilize those credentials to identify an administrator and find our flag in the administrator’s description field

We are hit with a 301 redirect to web.phpbrute.beck.

• If you aren’t sure how to handle this, do FLAG_D first

The front page shows us that this website has PDF files archived with two links. The first example we see is this:

Any time you are doing recon, consistent file formatting like this gives an attacker quite a bit to work with. In this case, we can assume that there are probably other pdf files on the site with filenames of 2021-01-01.pdf - 2021-12-31.pdf. We just need to write a script that checks for every possible file named like this for the year 2021 and downloads anything found.

There are probably 1000 ways to skin this cat (Python for sure!), but I’ll use the bash shell. Step one is to generate a wordlist containing all possible filenames we want to check for.

The date command is going to be able to provide us with YYYY-MM-DD formatting. For example, if I type the command below I can see yesterday’s date with .pdf appended:

date --date "1 day ago" +%Y-%m-%d.pdf

So I here I am in 2023 and I want to roll back the clock to approximately Jan 1, 2021. A little math tells me I need to drop back 753 days to print 2021-01-01.pdf.

date --date "753 day ago" +%Y-%m-%d.pdf
#Greetings future student. Is this lab still relevant?

December 31, 2021 for me as I sit here today would be 389 days ago.

date --date "389 day ago" +%Y-%m-%d.pdf