Let me answer to this post, as this was most disturbing comment that provided no help in whatsoever finding the flags.
@laszlo said:
It’s my 2nd favourite box !
Quick tips:
- Read the source code (leakage).
Actually, it’s not a data leakage. It is a well-known function that can be exploited and can give you a reverse shell.
- Use python3 (requests) to automate 2 things. Strange responses ? Take into account the boolean logic
What? Never mind…
- Inside: enumerate with python3 (8 lines of code).
In fact, more than enumeration is needed: find the line and update the code in order to retrieve more information you need. Credentials.
- Use the data from 3. Don’t overthink!
Useless comment. Of course you will need the data you have found in the previous step to carry on.
- Grab user.txt
Again, useless to say. Actually, you will have to SSH to the box after you have found the private key of the right user. The obtain the private key, it will require you to properly authenticate to the Git repo (d***** user won’t have it).
- Enumerate, use the documentation, login as root, grab root.txt !
Naturally as always, but too little said. From user shell, you’ll have to find a secure technology used on the server in a container - utilising OTP - and successfully extract data from it. That helps you to gain root access. You have to know how to use it, if not, you 'd better look it up. After that log on as root and get the flag.