Introduction After basic enumeration, we use LFI to read a Python Flask app. We exploit the Werkzeug remote debugger by reading system information from the file system used to derive a PIN granting console access. After executing arbitrary Python code in the browser REPL to get a reverse shell, we connect to a database with credentials from a connection string found earlier, which reveals user credentials granting us SSH access.

Introduction A fun machine that begins by exploiting a Python Flask app via Local File Inclusion, and using this to further enumerate the machine. From here, we take an unexpected change in direction to exploit a web socket running on .NET core. Using a JSON deserialization attack, we are able to take advantage of LFI once again to find a private SSH key and gain a foothold. We are able to access another account using previously discovered hard-coded database credentials.

Introduction After some tricky enumeration where I initially miss the obvious, we find and fuzz an API endpoint which converts HTML input to PDF. Looking at the resulting PDF with exiftool, we find dompdf 1.2.0 is used. This is vulnerable to injecting arbitrary PHP into a font file, which the server will execute once included in a stylesheet. Knowing this, we serve up a style sheet, TTF font containing malicious PHP and pass a reference to our stylesheet to the vulnerable API point.

Introduction For this machine, we identify a web app using ExifTool to show metadata for images uploaded via a form. Knowing the version of ExifTool used contains a CVE, we are able to command inject into the form and base64 encode/decode an obfuscated reverse shell to gain a foothold. From here, we find an email containing an event viewer log we must search through. We uncover a credential leak where a failed logon attempt shows the user accidentally entered their username in the password field, giving us credentials to SSH into the machine as a real user.

Introduction Another exploitable PHP web app that focuses on character conversions. We leverage Local File Inclusion (LFI) to further enumerate the system by looking at Apache config files and PHP source. With some sleuthing, we find work-in-progress code in a git repository – finding the path to a vulnerable looking PHP script. Knowing this path is only accessible to localhost, we trace back through an existing LFI and use domain confusion in order to perform Server Side Request Forgery.

Introduction A moderately challenging machine (for me at least) where we use a basic filter bypass to perform Local File Inclusion, allowing us to read a PHP web app’s source code and uncover any insecure code. With this knowledge, we attack a poor attempt at randomness which was a new thing for me in a CTF environment, allowing us to register and activate an account. With login access, we exploit a theme via PHP object injection to get RCE.