# Portal Page Enumeration

Once signed in --> u:**R1ckRul3s** p**Wubbalubbadubdub**

<figure><img src="https://3952040429-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FF29RnxijYeB8jxlysIRF%2Fuploads%2FqIedLcZ8lRwiJ3f04MHd%2Fimage.png?alt=media&#x26;token=5aac36e1-7f2b-4665-8a62-ba11e9316616" alt=""><figcaption></figcaption></figure>

* The page source:
  \*

  ```
  <figure><img src="https://3952040429-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FF29RnxijYeB8jxlysIRF%2Fuploads%2FArFDlyhhiUsuZUB4RVdp%2Fimage.png?alt=media&#x26;token=ea6da6bf-dca6-4152-b5ed-8ebf5cbd47f2" alt=""><figcaption></figcaption></figure>
  ```

  * I checked the value at the end as it looks like base64 encryption.
    * `Vm1wR1UxTnRWa2RUV0d4VFlrZFNjRlV3V2t0alJsWnlWbXQwVkUxV1duaFZNakExVkcxS1NHVkliRmhoTVhCb1ZsWmFWMVpWTVVWaGVqQT0==`
      * Decrypting it doesn't give me anything of value. That I know of.
      * It is `rabbit hole` base64 encrypted a bunch of times.
      * I'm fairly confident it's a waste of time but leave no stone unturned. I'll toss it into the command console for s\*\*\*\* and giggles.
        * Surprise! It does nothing.
* Tried Basic Commands:
  * `whoami`
    * www-data
  * `ls`
    \*

    ```
    <figure><img src="https://3952040429-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FF29RnxijYeB8jxlysIRF%2Fuploads%2Fp2Bf4B3orIlBvEkYCFN0%2Fimage.png?alt=media&#x26;token=2ec1adf6-66de-4433-a199-04274627d0e8" alt=""><figcaption></figcaption></figure>
    ```

    * I immediately tried `cat` on first file:

      * Of course
      *

      ```
      <figure><img src="https://3952040429-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FF29RnxijYeB8jxlysIRF%2Fuploads%2F3ZB8w9eTDY6alMSzi2Zi%2Fimage.png?alt=media&#x26;token=2df83ac3-313f-4ef7-9abc-b5e7e73599a7" alt=""><figcaption></figcaption></figure>
      ```

      * Checking further shows that the `cat, head, tail, cd` commands don't work at all.
    * BUT, it looks like less still works.
      * `less Sup3rS3cretPickl3Ingred.txt`
      * <mark style="color:green;">**mr. meeseek hair**</mark> <mark style="color:green;"></mark><mark style="color:green;">is the first ingredient.</mark>
    * Another option would be to use a ' or " or  \ in between characters to bypass blacklisted commands:
      * `c'a't clue.txt`
      * <https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection>
      *
  * I checked the `clue.txt` file next with less: `less clue.txt`
    * ```
      Look around the file system for the other ingredient.
      ```