pentest | medium
Atkomst Nekad (Access Denied)
undutmaning
Task: Multi-step pentest chain built on a Roundcube SQL backup containing a bcrypt hash and a psychological report revealing the username (Vaporeon) and the password pattern (Pokemon+Year). Solution: Targeted wordlist cracking (Bulbasaur1997), SSH access, internal network enumeration, then phpMyAdmin 4.8.1 LFI (CVE-2018-12613) to read the flag.
$ ls tags/ techniques/
tags/:
lfi osint directory_traversal password_cracking ssh roundcube busybox pokemon_wordlist phpmyadmin cve-2018-12613 internal_network sql_backup psychological_profile credential_reuse bcrypt

techniques/:
bcrypt_hash_cracking psychological_profile_analysis targeted_wordlist_generation credential_reuse_exploitation ssh_access internal_network_enumeration phpmyadmin_lfi cve_2018_12613_exploitation