Some tips and hints for the Curling VM https://www.hackthebox.eu/home/machines/profile/160
A quite easy and interesting machine. I’ll publish a full walkthrough once the VM is retired.
So, some tips:
- Enumerate not only HTTP folders, but also files with zip, txt and pdf extensions.
- Many modern CMSes allow editing themes/files through the admin interface. Dirbusting/wfuzzing can help to find appropriate credentials.
- Take a look at backups. They are often stored in zip, bzip or tar archives. In some cases they use a combination of compression algorithms, for example tar+gzip. Sometimes the file utility can help; in other cases googling for the file header may give a clue.
- Curl, the admin folder and cron-like activity are the key to the root flag.
Try harder, enumerate more and good luck.
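
For the backup hint above, an added example (not part of the original post) that does what the file utility does for a few common formats: it identifies each layer by its file header and unwraps nested layers in memory. The function names and the sample archive are constructed for illustration.

```python
import bz2
import gzip
import io
import lzma
import tarfile
import zipfile

# Magic bytes at offset 0 (tar is the exception: "ustar" sits at offset 257).
MAGIC = {b"\x1f\x8b": "gzip", b"BZh": "bzip2", b"\xfd7zXZ\x00": "xz", b"PK\x03\x04": "zip"}
STREAM = {"gzip": gzip.decompress, "bzip2": bz2.decompress, "xz": lzma.decompress}

def identify(data):
    """Return the container format of data, or None if unrecognised."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "tar" if data[257:262] == b"ustar" else None

def peel(data, max_layers=10):
    """Unwrap nested layers in memory; return (formats seen, innermost bytes)."""
    layers = []
    while len(layers) < max_layers:  # bound the nesting depth
        kind = identify(data)
        if kind is None:
            break
        layers.append(kind)
        if kind in STREAM:
            data = STREAM[kind](data)
        elif kind == "zip":
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                data = zf.read(zf.namelist()[0])  # first member only
        else:  # tar: read the first regular file, never extract to disk
            with tarfile.open(fileobj=io.BytesIO(data)) as tf:
                member = next(m for m in tf.getmembers() if m.isfile())
                data = tf.extractfile(member).read()
    return layers, data

def build_sample():
    """Constructed sample: a text file wrapped in tar, then gzip, then bzip2."""
    payload = b"constructed sample contents\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        info = tarfile.TarInfo("note.txt")
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
    return bz2.compress(gzip.compress(buf.getvalue()))

if __name__ == "__main__":
    layers, inner = peel(build_sample())
    print(" -> ".join(layers), "|", inner)
```

The sketch follows only the first member of a zip or tar and puts no limit on decompressed size, so run it on untrusted archives only inside a sandbox with a memory limit.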