Web Application Penetration Testing CTF 1 (EJPT INE)
Hello everyone,
We’ve finally reached the last lab of this course! It’s been a great journey.
So let’s get started!
Q.1 Sometimes, important files are hidden in plain sight. Check the root (‘/’) directory for a file named ‘flag.txt’ that might hold the key to the first flag.
Let’s begin by accessing the website in our browser. Since this is entirely web-based, running an Nmap scan is not necessary.
There is a “Select a File” functionality available. Let’s choose a file and view its contents.
Take a closer look at the URL: "http://target.ine.local/view_file?file=file1.txt". To locate the flag.txt file, modify file1.txt in the URL to flag.txt.
Unfortunately, that didn’t work. Since the question states that the file is located in the root directory, let’s attempt a directory-traversal attack (the Local File Inclusion, or LFI, pattern) by changing the parameter to ../../flag.txt. Each ../ climbs one directory above wherever the application reads its files, which only works because the server never checks that the resulting path stays inside the intended folder. This successfully retrieves our first flag:
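To show why ?file=../../flag.txt works and what the fix looks like, here is an added example (my own code, not the lab application’s): the file-viewer path handling as it is presumably written, next to a hardened resolver that normalises the path and refuses anything that leaves the base directory. The base directory /var/www/app/files is an assumption; the lab’s real path is unknown.

```python
import os
from typing import Optional

# Hypothetical directory the file viewer is meant to serve from (assumed; not the lab's real path).
BASE_DIR = "/var/www/app/files"


def vulnerable_resolve(file_param: str, base_dir: str = BASE_DIR) -> str:
    """The pattern behind the flag: the user-supplied name is joined onto the base
    path with no containment check, so '../../flag.txt' simply walks upwards."""
    return os.path.join(base_dir, file_param)


def safe_resolve(file_param: str, base_dir: str = BASE_DIR) -> Optional[str]:
    """Hardened version: normalise the joined path (collapsing '..' and resolving
    symlinks) and refuse anything that does not remain inside base_dir.
    Returns the resolved path, or None when the request is rejected.

    Web frameworks URL-decode the query string before the handler sees it, so
    encoded variants such as %2e%2e/ reach this check as a plain '../'."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, file_param))
    # commonpath() is the containment test; a plain candidate.startswith(base)
    # would wrongly accept a sibling directory such as /var/www/app/files-old.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    for param in ["file1.txt", "../../flag.txt", "/etc/passwd"]:
        print(f"{param!r:20} vulnerable -> {vulnerable_resolve(param)}")
        print(f"{param!r:20} safe       -> {safe_resolve(param)}")
```

Note that os.path.join discards the base entirely when the parameter is absolute (/etc/passwd), which is why the safe version checks the fully resolved result rather than the input string; an allow-list of file names would be stricter still for a viewer that only ever serves a handful of known files.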
Q.2 Explore the structure of the server’s directories. Enumeration might reveal hidden treasures.
To explore the server’s directory structure, let’s begin with directory brute-forcing (fuzzing) using dirb: dirb http://target.ine.local/
We discovered the endpoint /secured/. Let’s navigate to this endpoint in our browser to explore its contents.
The /secured/ directory provides a direct location, so appending flag.txt to the URL, http://target.ine.local/secured/flag.txt, reveals our second flag, which is:
Q.3 The login form seems a bit weak. Trying out different combinations might just reveal the next flag.
Navigate to the login functionality by visiting http://target.ine.local/login.
As the question suggests that the login functionality is weak, attempt brute-forcing using Hydra:
hydra -L /usr/share/seclists/Usernames/top-usernames-shortlist.txt -P /root/Desktop/wordlists/100-common-passwords.txt target.ine.local http-post-form "/login:username=^USER^&password=^PASS^:F=Invalid username or password"
Hydra substitutes ^USER^ and ^PASS^ from the two wordlists into the POST body, and the F= string tells it which response text marks a failed attempt, so any response without that text is reported as a hit.
And we have successfully obtained the credentials. Log in using them, and the third flag is revealed:
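Both of the last two steps leave a very recognisable trace in the web server’s access log: a dirb run produces a burst of 404s from one client, and a Hydra run produces a burst of POST /login requests from one client. The following added example (my own code, not part of the walkthrough or the lab) parses constructed combined-format log lines and flags either pattern with a sliding time window. The sample IPs, paths and thresholds are all made up for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Set

# Constructed combined-log-format lines standing in for the server's access log (not lab data).
# 10.0.0.5 walks a wordlist (many 404s), 10.0.0.7 hammers the login form, 10.0.0.9 is a normal user.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:30 +0000] "GET /admin HTTP/1.1" 404 162 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:13:55:30 +0000] "GET /backup HTTP/1.1" 404 162 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:13:55:31 +0000] "GET /cgi-bin HTTP/1.1" 404 162 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:13:55:31 +0000] "GET /images HTTP/1.1" 404 162 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:13:55:32 +0000] "GET /secured HTTP/1.1" 301 178 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:13:55:32 +0000] "GET /test HTTP/1.1" 404 162 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:13:55:33 +0000] "GET /tmp HTTP/1.1" 404 162 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:13:56:01 +0000] "GET /view_file?file=file1.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:13:56:05 +0000] "GET /favicon.ico HTTP/1.1" 404 162 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Oct/2023:13:57:00 +0000] "POST /login HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Oct/2023:13:57:00 +0000] "POST /login HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Oct/2023:13:57:01 +0000] "POST /login HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Oct/2023:13:57:01 +0000] "POST /login HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Oct/2023:13:57:02 +0000] "POST /login HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Oct/2023:13:57:02 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:13:58:10 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_log(text: str) -> List[Dict]:
    """Turn combined-format lines into event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append({
            "ip": m["ip"],
            "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "method": m["method"],
            "path": m["path"],
            "status": int(m["status"]),
        })
    return events


def burst_sources(events: List[Dict], predicate: Callable[[Dict], bool],
                  threshold: int, window: timedelta) -> Set[str]:
    """Clients with at least `threshold` matching events inside any `window`-long span."""
    per_ip: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        if predicate(e):
            per_ip[e["ip"]].append(e["time"])
    flagged = set()
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):           # two-pointer sliding window
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged


def detect_dir_scan(events: List[Dict], threshold: int = 5,
                    window: timedelta = timedelta(seconds=60)) -> Set[str]:
    """Content discovery (dirb and friends) shows up as a run of 404s from one client."""
    return burst_sources(events, lambda e: e["status"] == 404, threshold, window)


def detect_login_bruteforce(events: List[Dict], threshold: int = 5,
                            window: timedelta = timedelta(seconds=60)) -> Set[str]:
    """Password guessing shows up as a run of POST /login from one client.
    The status code is deliberately ignored: the form answers a wrong password with a
    200 page containing "Invalid username or password" (the very string Hydra matches
    on), so only the request rate is a dependable signal at the web-server layer."""
    return burst_sources(
        events, lambda e: e["method"] == "POST" and e["path"].startswith("/login"),
        threshold, window)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("directory scan from:", detect_dir_scan(evts))
    print("login brute force from:", detect_login_bruteforce(evts))
```

The thresholds are illustrative; on a real site the 404 rule needs tuning so that a broken link crawled by a search engine does not trip it, and the login rule is better fed from the application’s own authentication log, which knows which attempts actually failed.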
Q.4 The login form behaves oddly with unexpected inputs. Think of injection techniques to access the ‘admin’ account and find the flag.
Let’s log out and attempt to log in again, but this time using SQL injection to gain access to the admin account. In the username field, enter admin'--, and in the password field, enter anything. The single quote closes the username string literal and -- turns the rest of the query, including the password comparison, into a comment, so the injection bypasses authentication and the password input is ignored.
Click on “Login” and notice that we have successfully logged in as an admin. Here, we have obtained our final flag, which is:
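As an added example (my own code, not the lab application’s), here is the login query written the way that makes admin'-- work, beside the parameterised version that does not. It uses an in-memory SQLite table with constructed placeholder credentials; the lab’s real schema and passwords are unknown, and SHA-256 stands in for the slow password hash (bcrypt, scrypt or Argon2) a real application would use.

```python
import hashlib
import hmac
import sqlite3
from typing import Optional


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table with placeholder credentials (not lab data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)")
    for user, pw in [("admin", "admin-placeholder-pw"), ("alice", "alice-placeholder-pw")]:
        conn.execute("INSERT INTO users VALUES (?, ?)",
                     (user, hashlib.sha256(pw.encode()).hexdigest()))
    conn.commit()
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """String-built query. With username admin'-- it becomes
       SELECT username FROM users WHERE username = 'admin'--' AND password_hash = '...'
    and everything after -- is a comment, so the password is never compared."""
    digest = hashlib.sha256(password.encode()).hexdigest()
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password_hash = '{digest}'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def safe_login(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Parameterised lookup: the username is bound as data, so quotes and -- inside it
    are just characters. The hash comparison happens in code with a constant-time compare."""
    row = conn.execute("SELECT password_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return None
    digest = hashlib.sha256(password.encode()).hexdigest()
    return username if hmac.compare_digest(row[0], digest) else None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, admin'-- :", vulnerable_login(db, "admin'--", "anything"))   # admin
    print("safe, admin'--       :", safe_login(db, "admin'--", "anything"))         # None
    print("safe, real password  :", safe_login(db, "admin", "admin-placeholder-pw"))  # admin
```

The fix is the query shape, not input filtering: stripping quotes or dashes leaves other encodings and other databases’ comment syntaxes to chase, whereas a bound parameter can never change the structure of the statement.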
So, this marks the final walkthrough of the course. Wishing you all success in your exam.
Happy hacking!