eJPT - 4.1 CTF Introduction to the Web & HTTP Protocol

I'm a cybersecurity enthusiast with a growing focus on offensive security. Currently studying for the eJPT & ICCA, building hands-on projects like Infiltr8, and sharing everything I learn through blog posts and labs.


Question 1

Sometimes, important files are hidden in plain sight. Check the root ('/') directory for a file named 'flag.txt' that might hold the key to the first flag.

For this task, we have been told that a website is running (on port 80) so we don't need to run an Nmap scan. We can see that there is a button called select file. Originally, I tried modifying the URL from file1.txt to flag.txt but that didn't work.

To get the flag, we can run an LFI (Local File Inclusion) attack: changing the value of the file= parameter to ../../flag.txt returns the flag.

Question 2

Explore the structure of the server's directories. Enumeration might reveal hidden treasures.

We can use dirb on the target URL to find some directories. This reveals a directory called /secured; navigating to http://target.ine.local/secured/flag.txt then gives us the flag.

Question 3

The login form seems a bit weak. Trying out different combinations might just reveal the next flag.

First, navigate to the login page; then we can use Hydra to brute-force some credentials.

hydra -L /usr/share/seclists/Usernames/top-usernames-shortlist.txt -P /root/Desktop/wordlists/100-common-passwords.txt target.ine.local http-post-form "/login:username=^USER^&password=^PASS^:F=Invalid username or password"

Then log in using the credentials you obtained and you should get the third flag.

Question 4

The login form behaves oddly with unexpected inputs. Think of injection techniques to access the 'admin' account and find the flag.

We have been given a hint to use SQL injection to gain access as the user admin. In the username field, enter admin'-- and whatever you want in the password field; this bypasses authentication and ignores the password. You should now have the last flag.


This is the last CTF of the eJPT course. If you’ve gotten this far, you should attempt the eJPT exam to get certified as a Junior Penetration Tester. Best of luck!

— Hmad

eJPT

Part 1 of 24

In this series, I'll be documenting the notes I take while studying for the eJPT (Junior Penetration Tester) certification by iNE Security. I'll include write-ups for the CTFs, or Skill Checks as iNE calls them.
