Advent of Cyber 2021 — [Day 6] Patch Management Is Hard

“During a routine security audit before the Incident, McSkidy discovered some recovery passwords on an old server. She created a ticket to decommission this server to reduce this security vulnerability. The Elf assigned to fix this vulnerability kept pushing off the task, and this never got done. Luckily, some of those recovery keys can be used to save some systems.

Unfortunately, the only way to access the server is through an old web application. See if you can pull out those recovery keys to help McSkidy with her pursuit to save Christmas.”

Link to Room:

Question #1: Deploy the attached VM and look around. What is the entry point for our web application?

Up at the top, check the URL. You will see this:

Our entry point is the err parameter.


Question #2: Use the entry point to perform LFI to read the /etc/flag file. What is the flag?

For this question, you simply need to change the URL like so:

…and the flag will be shown on the screen:


Question #3: Use the PHP filter technique to read the source code of the index.php. What is the $flag variable’s value?

Here, change the URL to the following:

The website will spit out a long string of Base64, which you can decode for the flag:

I just used CyberChef:


Question #4: Now that you read the index.php, there is a login credential PHP file’s path. Use the PHP filter technique to read its content. What are the username and password?

This one might seem complicated if you are reading over the material, but basically you just have to look at the decoded output from the last question:

This section right here shows the file path for some login credentials:

Change your URL like this:

You will see more Base64 load onto your screen:

Decode that for McSkidy’s login credentials:


Question #5: Use the credentials to login into the web application. Help McSkidy to recover the server’s password. What is the password of the flag.thm.aoc server?

Head back home and login using those credentials. You will see this:

Click the link for Password Recovery and you will see the flag:


Question #6: The web application logs all users’ requests, and only authorized users can read the log file. Use the LFI to gain RCE via the log file page. What is the hostname of the webserver? The log file location is at ./includes/logs/app_access.log.

The other link McSkidy has access to is the user request logs:

I used my TryHackMe Attack Box to send a request via curl:

Next, reload the page to ensure that the request was logged successfully (mine was near the bottom).

Next, I used curl again to inject some PHP code:

If you view the page source for the log page, you can now see the code in there:

The next step is to log out and then use the same LFI method as earlier to get to the log file:

Scroll down and you will see a bunch of php info:

The hostname of the webserver is right at the top:


Happy Holidays! ❤



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store


CTF Writeups to facilitate cyber education.