# Armaxis

---

## OVERVIEW

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1758116891332/f3f59a0a-1572-4234-be5f-6b1b3816c9ce.png align="center")

Let’s open the instances and check out the web pages and the downloaded files.

Let’s look at the website on port 55423 first:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1758116970516/abb0ecfc-d675-4e37-986b-e3dc6caeb92e.png align="center")

It has Register, Login and Forgot Password functionality, so now let’s check out the second port, 39739.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1758117036640/4f48fa65-8bd2-45ec-8848-15740f15c5c2.png align="center")

Here we can see an email address, **test@email.htb**, so let’s use it to register on the first web page. Since we have this mailbox, we will receive the emails sent to this user.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1758117175164/d099c8b2-3026-47a6-99bc-320591745cf4.png align="center")

It registered successfully. Now let’s try changing its password through the forgot password functionality and see whether the code arrives in the email.

But before that, let’s check the downloaded files to find something useful.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1758117326335/10092e39-a6bb-4296-bc08-30b00565d0f3.png align="center")

Here, in **database.js**, we find an admin email, **admin@armaxis.htb**, so now let’s try to register or log in with it.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1758117388992/7fc09935-534a-438e-ad36-d6b61f9e2811.png align="center")

It showed that it is already registered. Let’s move on and come back to this later.

Now let’s try the forgot password flow for the **test@email.htb** account.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1758117482084/0de335e7-b95c-4590-ab15-64caad5a597c.png align="center")

Let’s request the code and see whether we receive it.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1758117554239/bbd13956-b5fd-4e7e-bf20-3a6684400d84.png align="center")

And yes!! We got the token for resetting the password of the **test@email.htb** user.

But wait a minute.

We should try using this token to reset the admin account password. It might work, so…

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1758117659826/03a9e535-555c-4918-8600-cc7350282135.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1758117711194/99876f59-50d8-4a89-b822-bf4842d3894d.png align="center")

Now enter the test user’s code/token and try resetting the admin password.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1758117805523/03b5e9b8-ec97-439b-be50-bfd2a510c37e.png align="center")

BOOM!! It worked and the password was reset. Now let’s log in with the new password we set above.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1758117857542/cbd6dd07-dfd9-4563-8372-5a6f3999236e.png align="center")
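A reset token issued for one account being accepted for another, as seen above, means the token check is not bound to the account being reset. The following is an added example, not the challenge’s code: the in-memory store and all function names are hypothetical, and it puts the weak check beside one that ties the token to its account, expires it and burns it after use.

```javascript
const crypto = require("node:crypto");

// Constructed in-memory store (hypothetical): token -> { email, expiresAt, used }
const resetTokens = new Map();
const TTL_MS = 15 * 60 * 1000;

function issueResetToken(email, now = Date.now()) {
  const token = crypto.randomBytes(16).toString("hex");
  resetTokens.set(token, { email: email.toLowerCase(), expiresAt: now + TTL_MS, used: false });
  return token;
}

// Weak check: any live token is accepted, whichever account is being reset.
function canResetWeak(email, token, now = Date.now()) {
  const entry = resetTokens.get(token);
  return Boolean(entry) && entry.expiresAt > now;
}

// Hardened check: the token must belong to this account, be unexpired,
// and can be redeemed only once.
function canResetBound(email, token, now = Date.now()) {
  const entry = resetTokens.get(token);
  if (!entry || entry.used || entry.expiresAt <= now) return false;
  if (entry.email !== String(email).toLowerCase()) return false;
  entry.used = true; // burn the token on success
  return true;
}

// Constructed demo using the two addresses from this write-up.
const demoToken = issueResetToken("test@email.htb");
console.log("weak, admin :", canResetWeak("admin@armaxis.htb", demoToken));
console.log("bound, admin:", canResetBound("admin@armaxis.htb", demoToken));
console.log("bound, owner:", canResetBound("test@email.htb", demoToken));
```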

And here we are in the /weapons directory. Now let’s check out the Dispatch Weapons function.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1758117897364/be6f058b-24ff-4790-9bb1-bad8b2636293.png align="center")

Hmm, there is the word Markdown in the Note section, which reminds me of **markdown.js** in the downloaded files, so let’s check it out.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1758117985303/3c982881-5bb0-4797-a47c-122edd8d466a.png align="center")

Let’s send this portion of the code to ChatGPT and see what it says:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1758118030745/22b04ee8-860b-4481-8cb0-1e6bca0fac24.png align="center")

We learn that it is a command injection vulnerability that leads to RCE (Remote Code Execution).

Let’s try to get **/etc/passwd** from the Dispatch Weapon tab above:

```markdown
"![url](file:///etc/passwd)"
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1758118159196/de78d682-1e05-484b-9c3a-f17ae86c5cfb.png align="center")

Now let’s dispatch the weapon and check the Home tab.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1758118369355/bbf140b8-4636-4e9b-8e47-53788da00a7a.png align="center")

Here, as you can see, we got an embedded image. Now let’s download this image from the source code of the page.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1758118410403/841379e4-53ac-4dc4-bc09-c5c218324f58.png align="center")

Now let’s see the contents of the file we got:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1758118432692/54fac315-c4dd-4746-87a3-a9def4b0427f.png align="center")

Here we go, we got the /etc/passwd content. Now let’s create the same payload to get the flag:

```markdown
"![url](file:///flag.txt)"
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1758118535607/77f1fb57-ad6f-487f-8aa0-461f163668eb.png align="center")

Now let’s dispatch it the same way and check the Home tab:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1758118566688/ea3c58f7-fa5c-44a5-9a7e-94a347240fa9.png align="center")

Again we got the embedded image. Now let’s download it from the source code of this page as well.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1758118596478/8d946104-e118-469c-8c00-5dc212fb049c.png align="center")

After downloading, let’s see the file contents:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1758118624663/1a770e00-be10-41c0-a0d4-1e7f931885e6.png align="center")

Here we go!!
We got the flag for this challenge.
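One way to close the hole used above, as an added example that is not the challenge’s code: image URLs pulled from a Markdown note are fetched only when they are http(s) and do not point at loopback or private addresses, and the downloader receives an argument vector instead of a shell string. All function names are hypothetical, the sample note is constructed, and the use of curl as the downloader is an assumption.

```javascript
// Added example: names are hypothetical and the sample note is constructed.
const IMAGE_RE = /!\[[^\]]*\]\(([^)\s]+)\)/g;
const PRIVATE_V4 = /^(0\.|10\.|127\.|169\.254\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)/;

// Decide whether one image URL from a note may be fetched server-side.
function checkImageUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { ok: false, reason: "not an absolute URL" };
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  const host = url.hostname;
  if (host === "localhost" || host === "[::1]" || PRIVATE_V4.test(host)) {
    return { ok: false, reason: "loopback or private address" };
  }
  // A literal check does not cover names that resolve to internal
  // addresses; resolve and re-check the address before connecting.
  return { ok: true, url: url.href };
}

// Report every image reference in a note together with its verdict.
function auditNote(markdown) {
  return [...markdown.matchAll(IMAGE_RE)].map((m) => ({ raw: m[1], ...checkImageUrl(m[1]) }));
}

// Assumption: the image is downloaded with curl. Build an argument vector
// for child_process.execFile so that no shell ever parses the URL.
function curlArgs(checkedUrl) {
  return ["-s", "--proto", "=http,https", "--proto-redir", "=http,https",
          "--max-time", "5", "--max-filesize", "1000000", "--", checkedUrl];
}

const sampleNote =
  '"![url](file:///etc/passwd)" ![ok](https://example.com/a.png) ![x](http://127.0.0.1:8080/a)';
console.log(auditNote(sampleNote));
```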

## **WE FINALLY DID IT !!!! CHALLENGE SOLVED !!**

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1758118692458/9ef46b35-c61d-41dc-8dec-e04860ce0575.png align="center")

For any query or problem, either leave a comment or get in touch at [**reapsec.com**](http://reapsec.com/).

**THANKS FOR READING !!!**
