From Sales Pitch we discover the server has some internal bound services, most notably telnet (port 23) - These are listed on the internal management page. It is only accessible from inside the network however.
Fortunately, telnet is a text based protocol, so we can easily just do a
HTTP CONNECT to it via the proxy.
We need to authenticate (token is found on the backend management page)
We are now connected to the home baked shell implementation. We need to break out. Get root.
We realise it has a ping command, which uses system ping and takes arguments. We tell ping to only execute once, and chain another command to it -> bash.
We now have a shell. From here we can:
And thus revealing the flag.
After we found the flag, a hint was revealed:
Maybe try ping “and”