Portal Page Enumeration

Once signed in --> u:R1ckRul3s pWubbalubbadubdub

• The page source:

  • 
  • I checked the value at the end as it looks like base64 encryption.

    • Vm1wR1UxTnRWa2RUV0d4VFlrZFNjRlV3V2t0alJsWnlWbXQwVkUxV1duaFZNakExVkcxS1NHVkliRmhoTVhCb1ZsWmFWMVpWTVVWaGVqQT0==

      • Decrypting it doesn't give me anything of value. That I know of.

      • It is rabbit hole base64 encrypted a bunch of times.

      • I'm fairly confident it's a waste of time but leave no stone unturned. I'll toss it into the command console for s**** and giggles.

        • Surprise! It does nothing.

• Tried Basic Commands:

  • whoami

    • www-data

  • ls

    • 
    • I immediately tried cat on first file:

      • Of course

      • 
      • Checking further shows that the cat, head, tail, cd commands don't work at all.

    • BUT, it looks like less still works.

      • less Sup3rS3cretPickl3Ingred.txt

      • mr. meeseek hair is the first ingredient.

    • Another option would be to use a ' or " or \ in between characters to bypass blacklisted commands:

      • c'a't clue.txt

      • https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection

  • I checked the clue.txt file next with less: less clue.txt

    • Look around the file system for the other ingredient.