Akerva (Fortress)

Author: x4cc3

Landing page

SNMP enumeration reveals backup script paths containing flags:

snmpbulkwalk -v 2c -c public -t 3 10.13.37.11
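
A defensive counterpart to the walk above, added here and not part of the original writeup: a small audit of an snmpd.conf for the settings that allow this kind of enumeration (default v1/v2c community, no source or view restriction, extend/exec entries). The sample config and the function name audit_snmpd_conf are constructed for illustration, and the writeup does not say which OID exposed the script paths.

```python
import shlex

WEAK = {"public", "private"}  # well-known default community strings

# Constructed sample snmpd.conf, not taken from the target host.
SAMPLE_CONF = """\
rocommunity public
rocommunity Xk29-monitor 10.0.0.5 -V systemonly
rwcommunity private 192.168.1.0/24
com2sec readonly default public
extend backup /opt/scripts/backup.sh
"""

def audit_snmpd_conf(text):
    """Return (line_no, issue) pairs for risky v1/v2c settings."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        tok = shlex.split(raw, comments=True)  # drops '#' comments
        if not tok:
            continue
        name, args = tok[0], tok[1:]
        if name in ("rocommunity", "rwcommunity") and args:
            # Syntax: rocommunity COMMUNITY [SOURCE [OID | -V VIEW]]
            community = args[0]
            source = args[1] if len(args) > 1 else "default"
            if community in WEAK:
                findings.append((no, "default community string"))
            if source == "default":
                findings.append((no, "no source restriction"))
            if len(args) < 3:
                findings.append((no, "no OID/view restriction"))
            if name == "rwcommunity":
                findings.append((no, "write access via community string"))
        elif name == "com2sec":
            # Syntax: com2sec [-Cn CONTEXT] SECNAME SOURCE COMMUNITY
            if args[:1] == ["-Cn"]:
                args = args[2:]
            if len(args) >= 3:
                _, source, community = args[:3]
                if community in WEAK:
                    findings.append((no, "default community string"))
                if source == "default":
                    findings.append((no, "no source restriction"))
        elif name in ("extend", "exec"):
            findings.append((no, "command path exposed to SNMP readers"))
    return findings

if __name__ == "__main__":
    for no, issue in audit_snmpd_conf(SAMPLE_CONF):
        print(f"line {no}: {issue}")
```

A community line with no OID or view restriction leaves the whole tree readable, including the HOST-RESOURCES-MIB process table (hrSWRunPath, hrSWRunParameters), which lists process paths and arguments.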

Port 5000 serves a Flask app over HTTP that has a local file inclusion (LFI) flaw and an exposed Werkzeug debug console. The console PIN is derived from the machine-id and the MAC address, and a Python script reproduces the correct PIN from those values.

Flask console

LFI exploit

The console gives remote code execution (RCE) as the user aas. The installed sudo version, 1.8.21p2, is vulnerable to CVE-2021-3156 (Baron Samedit), which provides root access and the final flag.

Flags:

  1. Source code flag
  2. SNMP backup script flag
  3. Verb tampering flag
  4. LFI flag
  5. Werkzeug PIN bypass flag
  6. Sudo CVE flag
  7. Vigenère decoded flag