eJPT - 4.1 CTF Introduction to the Web & HTTP Protocol

Hmad

Question 1

Sometimes, important files are hidden in plain sight. Check the root ('/') directory for a file named 'flag.txt' that might hold the key to the first flag.

For this task, we have been told that a website is running (on port 80) so we don't need to run an Nmap scan. We can see that there is a button called select file. Originally, I tried modifying the URL from file1.txt to flag.txt but that didn't work.

To get the flag, we can run an LFI (Local File Inclusion) attack: change the value after file= to ../../flag.txt, which will give us the flag.

Question 2

Explore the structure of the server's directories. Enumeration might reveal hidden treasures.

We can use dirb on the target URL to find some directories. This will reveal a directory called /secured; we can then navigate to http://target.ine.local/secured/flag.txt to get the flag.

Question 3

The login form seems a bit weak. Trying out different combinations might just reveal the next flag.

First, navigate to the login page; then we can use Hydra to brute-force some credentials.

hydra -L /usr/share/seclists/Usernames/top-usernames-shortlist.txt -P /root/Desktop/wordlists/100-common-passwords.txt target.ine.local http-post-form "/login:username=^USER^&password=^PASS^:F=Invalid username or password"

Then log in using the credentials you obtained and you should get the third flag.

Question 4

The login form behaves oddly with unexpected inputs. Think of injection techniques to access the 'admin' account and find the flag.

We have been given a hint to use SQL injection to gain access as the user admin. In the username field, enter admin'-- and whatever you want in the password field; this bypasses authentication because the password check is ignored. You should now have the last flag.
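Why admin'-- skips the password check, and what the fix looks like, as an added example that is not part of the lab or the original write-up. The lab's backend is not shown, so the users table, its columns and both function names are assumptions, and the rows are constructed sample data.

```python
import sqlite3


def make_db():
    # Constructed sample data; schema is an assumption, not the lab's own.
    # Plaintext passwords keep the demo short; a real store holds hashes.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("admin", "S3cret-not-guessable"), ("guest", "guest")],
    )
    return db


def login_vulnerable(db, username, password):
    # Weak form: input is concatenated into the SQL text, so a quote in the
    # username closes the string literal and "--" comments out the rest,
    # including the "AND password = ..." condition.
    query = (
        "SELECT username FROM users WHERE username = '" + username +
        "' AND password = '" + password + "'"
    )
    row = db.execute(query).fetchone()
    return row[0] if row else None


def login_hardened(db, username, password):
    # Corrected form: placeholders bind input as data, never as SQL syntax,
    # so the quote and "--" are just characters in a username that matches
    # no row.
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    for fn in (login_vulnerable, login_hardened):
        print(fn.__name__)
        print("  admin'-- / anything    ->", fn(db, "admin'--", "anything"))
        print("  admin / wrong password ->", fn(db, "admin", "wrong"))
        print("  guest / guest          ->", fn(db, "guest", "guest"))
```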


This is the last CTF of the eJPT course. If you’ve gotten this far, you should attempt the eJPT exam to get certified as a Junior Penetration Tester. Best of luck!

— Hmad
