VulnBox CTF Writeup

Objective

Gain root access and capture the flag on a vulnerable Linux machine.

The initial reconnaissance phase is critical for understanding the target environment:

Identified the target IP and performed a comprehensive port scan using nmap.
Discovered port 22 (SSH) running OpenSSH and port 80 (HTTP) running Apache web server.
Chose to enumerate the web service running on port 80 as the initial attack vector.
Performed banner grabbing and service version detection for vulnerability research.

Detailed examination of the web application revealed several security weaknesses:

The website displayed a basic landing page with an unauthenticated login form.
Performed directory brute-forcing using gobuster and found /admin, /uploads, and /api endpoints.
The /admin directory contained a login authentication panel with no apparent protection mechanisms.
Identified potential SQL injection points in the login form through manual testing.
The application appeared to have minimal client-side validation and no Web Application Firewall (WAF).

The login form was vulnerable to SQL injection attacks, allowing authentication bypass:

Tested the login form for SQL injection vulnerabilities by injecting common payloads like ' OR '1'='1.
Successfully bypassed authentication using a basic authentication bypass payload: admin' --.
The vulnerable query was likely: SELECT * FROM users WHERE username='admin' --' AND password='...'
Gained administrative access to the dashboard without requiring valid credentials.
Extracted user credentials and sensitive data from the exposed database.

The admin dashboard contained an insecurely configured file upload feature:

The admin dashboard contained an unrestricted file upload feature for "profile pictures".
Uploaded a malicious PHP shell disguised as an image file (shell.php.jpg).
Bypassed weak file type validation by manipulating MIME types and file extensions.
Located the uploaded file at /uploads/shell.php.jpg and triggered execution.
Obtained a reverse shell connection as the www-data user with web server privileges.
Established an interactive shell environment for further exploitation.

After obtaining initial shell access, I took steps to stabilize and improve the shell environment:

Upgraded the shell from a basic reverse shell to a pseudo-terminal using Python: python -c 'import pty; pty.spawn("/bin/bash")'
Adjusted terminal settings using stty to enable proper terminal features (autocomplete, history, etc.).
Set appropriate environment variables for a fully functional shell experience.
Configured shell aliases and improved command history for better usability.

The system had a critical misconfiguration that allowed privilege escalation to root:

Checked sudo permissions for the current user using sudo -l.
Discovered that the www-data user could execute /bin/bash as root without a password.
Exploited this misconfiguration using sudo /bin/bash to spawn a root shell.
Gained complete system access with root privileges (UID 0).
Verified privilege escalation by executing id and whoami commands.

Successfully located and captured the objective:

Located the flag inside the root directory at /root/flag.txt.
Successfully captured the flag: FLAG{SQL1nj3ct10n_RCE_Pr1v_Esc_Pwn3d}
Documented the complete exploitation chain and vulnerability chain for post-exploitation analysis.

Input Validation: Never trust user input. Always use parameterized queries and prepared statements.
File Upload Security: Implement strict file type validation on both client and server side. Store uploads outside the web root.
Principle of Least Privilege: Web servers should not run as root. Misconfigured sudo permissions are critical vulnerabilities.
Defense in Depth: Single security mechanisms fail. Implement multiple layers of security controls.
Regular Audits: Conduct regular security assessments and penetration tests to identify vulnerabilities before attackers do.