Embarked on a Capture The Flag (CTF) challenge to exploit multiple vulnerabilities in the 'Rekall' web application to capture 15 flags. Each flag represented a common vulnerability found in insecure web applications.
After logging into Kali and navigating to the correct directory, started the Docker container that held the 'Rekall' web application. Accessed the application at http://192.168.14.35 and clicked "Get Started".
On the 'Welcome' page, a reflected Cross-Site Scripting (XSS) vulnerability was identified by inputting <script>alert('XSS');</script> in the 'Put Your Name Here' field, which triggered an alert pop-up. Reflected XSS is a type of XSS where malicious scripts are injected into otherwise benign and trusted websites.
On the 'Memory-Planner' page, a Cross-Site Scripting vulnerability was identified. By bypassing input validation with the payload <SCRscriptIPT>alert("Hello");</SCRscriptIPT>, the second flag was revealed.
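The nested-tag payload above works against a blacklist that deletes the word "script" in a single pass: removing the inner match leaves a valid <SCRIPT> tag behind. The following is an added example, not part of the original writeup or the Rekall application, that reproduces that failure mode in Python and shows why output encoding, rather than keyword stripping, is the fix; the filter functions are hypothetical stand-ins for the lab's real filter.

```python
import html
import re

# Payload quoted in the writeup's Memory-Planner step (constructed copy, straight quotes).
NESTED_PAYLOAD = '<SCRscriptIPT>alert("Hello");</SCRscriptIPT>'

# Detects an opening or closing <script> tag in whatever the browser would receive.
SCRIPT_TAG = re.compile(r"<\s*/?\s*script\b", re.IGNORECASE)


def naive_strip_script(value: str) -> str:
    """Hypothetical blacklist filter: delete every 'script' substring in one pass.
    re.sub scans the original string once, so characters that surround a deleted
    match are never re-examined, and 'SCR' + 'IPT' is reassembled into SCRIPT."""
    return re.sub(r"script", "", value, flags=re.IGNORECASE)


def iterative_strip_script(value: str) -> str:
    """Same blacklist, repeated until the output stops changing.
    Defeats the nesting trick but still covers only this one keyword, so it is
    not a real defence (event handlers, javascript: URLs, etc. pass untouched)."""
    while True:
        stripped = naive_strip_script(value)
        if stripped == value:
            return value
        value = stripped


def encode_for_html(value: str) -> str:
    """Correct fix: context-aware output encoding. The browser now sees text,
    never markup, regardless of how the input is nested or cased."""
    return html.escape(value, quote=True)


def contains_script_tag(rendered: str) -> bool:
    """True if the rendered output would still reach the browser as a script tag."""
    return SCRIPT_TAG.search(rendered) is not None


def compare(payload: str) -> dict:
    """Render one input through each defence and report which still carry a script tag."""
    defences = (
        ("naive_strip", naive_strip_script),
        ("iterative_strip", iterative_strip_script),
        ("html_escape", encode_for_html),
    )
    return {name: contains_script_tag(fn(payload)) for name, fn in defences}


if __name__ == "__main__":
    for name, still_vulnerable in compare(NESTED_PAYLOAD).items():
        print(f"{name:16s} script tag survives: {still_vulnerable}")
```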
The 'Comments' page had a stored XSS vulnerability. By using the payload <dummy<dummy<script>alert('Hello');</dummy</script></dummy>, the third flag was revealed.
Sensitive information was found in the HTTP response headers of the 'About Rekall' page, leading to the discovery of the fourth flag.
The 'Memory-Planner' page contained a Local File Inclusion (LFI) vulnerability. By uploading a .php file, the fifth flag was obtained.
Exploiting the LFI vulnerability on the 'Memory-Planner' page, the sixth flag was discovered by renaming a .jpg file to .php and uploading it.
A SQL Injection (SQLi) vulnerability was found on the 'Login' page. Exploiting this vulnerability using the username obtained from a directory traversal attack revealed the seventh flag.
The eighth flag was discovered within the HTML source code of the 'Login' page, where the login credentials were mistakenly exposed.
By accessing the 'robots.txt' file, sensitive data was uncovered, leading to the capture of the ninth flag.
Exploiting a command injection vulnerability on the 'Networking' page using the payload www.example.com; cat vendors.txt, the tenth flag was revealed.
Using an advanced command injection payload www.example.com | cat vendors.txt on the 'Networking' page, the eleventh flag was secured.
A brute force attack was performed on the 'Login' page using simple password payloads in Burp Intruder, which found the credentials melina:melina, uncovering the twelfth flag.
Exploiting a PHP injection vulnerability on the 'Souvenirs' page using the payload ;system('cat/etc/passwd') revealed the thirteenth flag.
Exploiting a session management vulnerability on the 'admin_legal_data.php' page using the Burp Intruder tool to brute force session IDs, the fourteenth flag was captured.
The fifteenth flag was achieved by exploiting a directory traversal vulnerability on the 'disclaimer.php' page. Navigating the directory contents through this common injection flaw exposed the fifteenth and final flag.
This challenge has reinforced my understanding of various web application vulnerabilities and how they can be exploited in a real-world scenario. Through persistence, I was able to successfully capture all 15 flags and complete the CTF challenge. I'm eager to apply my expanded knowledge to future cybersecurity endeavors.