This is a relatively easy machine that tries to teach you a lesson, but perhaps you’ve already learned the lesson? Let’s find out.
Treat this box as if it were a real target and not a CTF.
Get past the login screen and you will find the flag. There are no rabbit holes, no hidden files, just a login page and a flag. Good luck!
Once the machine starts, we can see the website by entering the IP given.
Looking into the source code, we see nothing of interest, nor are any cookies saved when a login is attempted.
Running Nikto seems to give us a possible vulnerability along with some directories:
root@ip-10-10-34-249:~# nikto -host http://10.10.88.83/
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP: 10.10.88.83
+ Target Hostname: ip-10-10-88-83.eu-west-1.compute.internal
+ Target Port: 80
+ Start Time: 2024-01-15 14:01:09 (GMT0)
---------------------------------------------------------------------------
+ Server: Apache/2.4.54 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ Server leaks inodes via ETags, header found with file /manual/, fields: 0x2a4 0x5e0fc3a9866c0
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ 6544 items checked: 0 error(s) and 5 item(s) reported on remote host
+ End Time: 2024-01-15 14:01:20 (GMT0) (11 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
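Read from the other side of the table, every item Nikto reported above maps to one Apache 2.4 directive. The following is an added hardening example and is not part of the original walkthrough or of the room's configuration; the Debian-style /etc/apache2 layout, the DocumentRoot /var/www/html and the choice of SAMEORIGIN are assumptions.

```apache
# Added example (not from the walkthrough): one Apache 2.4 fix per Nikto finding above.
# Assumes a Debian-style /etc/apache2 layout; the vhost file and DocumentRoot are assumed.

# Finding: "anti-clickjacking X-Frame-Options header is not present"
# Needs mod_headers (a2enmod headers). "always" also applies the header to error responses.
Header always set X-Frame-Options "SAMEORIGIN"

# Finding: "Server leaks inodes via ETags"
# The default FileETag includes the inode number; drop it ("None" disables ETags entirely).
FileETag MTime Size

# Finding: "/manual/: Web server manual found"
# On Debian this comes from the apache2-doc package: remove it or "a2disconf apache2-doc",
# or simply deny the path.
<Location "/manual">
    Require all denied
</Location>

# Finding: "/manual/images/: Directory indexing found"
# Turn off auto-generated listings for the whole web root (path assumed).
<Directory "/var/www/html">
    Options -Indexes
    AllowOverride None
    Require all granted

    # Finding: "DEBUG HTTP verb may show server debugging information"
    # Nikto's check is aimed at ASP.NET, but allowing only the methods the login
    # page needs settles the question regardless of platform.
    <LimitExcept GET POST HEAD>
        Require all denied
    </LimitExcept>
</Directory>

# The scan banner showed "Apache/2.4.54 (Debian)"; stop advertising the exact version.
ServerTokens Prod
ServerSignature Off
```

Drop these into the site's vhost (or a file under conf-available enabled with a2enconf), run apachectl configtest, reload Apache, and re-run the same nikto command: the five reported items should no longer appear, which is a cheap way to confirm that the change actually landed on the listening instance.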
Also running Gobuster to further enumerate directories, we found a few but nothing interesting.