Tax First Labz (TFL) is a rising name in the world of FinTech startups. The company was started in 2017 by two college friends, and its customer base has grown rapidly in the last two years. Recently, they noticed some unusual activity on their webserver and suspect that there might be something fishy going on with their website. In order to speed up their investigation, they decided to crowd-source the issue to the cybersecurity community.
Here’s a replica of their webserver. Your aim is to find as many vulnerabilities as you can and ultimately pwn the root user.
- Download the VM from the above link and extract the Zip file.
- Import or open the OVF with VMware Player, VMware Workstation or VirtualBox.
- Run the VM
- The VM is configured to run over a host-only network and obtains the IP address automatically via DHCP. You will need to discover the IP address of the machine by using a network scanning tool, such as nmap.
- Once you have discovered the IP address, note it down for the next step.
- To access the Tax First Labz website (http://taxfirstlabz.xyz), create the following entry in the /etc/hosts file on your attacking machine (Kali Linux, Parrot OS etc.):
<IP address discovered in step 4> taxfirstlabz.xyz
Tax First Labz has hidden a few surprise gifts within this machine as a reward for your efforts. The first 10 users to pwn root will earn a special reward (don’t forget to check flag.txt).
Just tweet us at @yaksas443 once you have pwned either the user or root.
- User blood: Mickhat
- System blood: Mickhat
- User owns: 7
- Root owns: 7
- ARINJOY MANNA
- Lucas José Rodriguês da Silva
- Mattia Campagnano
- Aman Kumar Maurya
Tweet us at @yaksas443 or join our Discord channel.