This challenge was created by me for the CTF held by https://boitatech.com/.
It explores a realistic web application vulnerability chain, from weak session handling to command injection, privilege escalation through PATH hijacking, and finally a local SUID binary exploit.
The goal is to escalate privileges from a basic user to full root access by chaining multiple weaknesses together.
On the login page, there’s an option to either log in or create an account.
We can register a new user and log into the application.
However, we’re then redirected to a page asking for a 4-digit code to activate the account.
Once authenticated, we can pass the session cookie we received to gobuster, brute-force directories as a logged-in user, and discover several hidden paths:
```bash
gobuster dir -u http://127.0.0.1:5000/ \
  -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt \
  -c session=eyJ1c2VyIjoiJyBvciAxPTEgLS0ifQ.YsxvlA.A2bgwsMeuAN9j7G3qkjg3rfcbxM \
  --exclude-length 16
```