Exploit for hangover-ctf-wolfpack-deals CVE-2021-3493

Name: Exploit for hangover-ctf-wolfpack-deals CVE-2021-3493
Rating: 5 (81 reviews)
2026-04-23 | CVSS 8.8
## https://sploitus.com/exploit?id=D7DD047F-ED35-5DB4-9C8F-F5842B1F930C
# 🎰 The Hangover CTF — Machine 1: Wolfpack Deals

> *"What happens in Vegas, stays in Vegas... except for the receipts on this server."*

## Overview

A custom-built Capture The Flag (CTF) machine themed around **The Hangover Part 1**. This is Machine 1 of a 4-machine CTF environment built as a class project. Players must hack into "Wolfpack Deals" — a shady Las Vegas underground shop — to retrace the Wolfpack's wild night and find their missing friend Doug.

**Difficulty:** Easy-Medium | **OS:** Ubuntu 18.04 LTS | **Flags:** 2

## Storyline

Phil, Stu, and Alan wake up in their trashed Caesars Palace hotel suite with no memory of last night. Doug is missing. On the desk, they find a laptop running a shady online shop called "Wolfpack Deals." They must hack into it to find clues about what happened.

- **FLAG 1 — "The Receipt":** Alan bought a $500 Tiger Rental from Mr. Chow using Stu's credit card
- **FLAG 2 — "The Chapel Photo":** Stu married a stripper named Jade at 3 AM. The next clue leads to Mercury General Hospital (Machine 2)

## Attack Chain

```
Reconnaissance (nmap)
    → Directory Enumeration (gobuster)
    → Source Code Discovery (backup zip file)
    → Code Review (PHP vulnerability analysis)
    → Boolean-based Blind SQL Injection (viewItem.php)
    → Admin Token Extraction via SQLi
    → Password Reset & Admin Login → FLAG 1
    → File Upload Bypass (.phar extension) 
    → Remote Code Execution (PHP webshell) → FLAG 2
    → Reverse Shell
    → Privilege Escalation (sudo misconfiguration + kernel exploit)
    → Root Access
```

## Vulnerabilities

| # | Vulnerability | Severity |
|---|--------------|----------|
| 1 | Source Code Exposure (backup zip publicly accessible) | High |
| 2 | Boolean-based Blind SQL Injection (unquoted parameter) | Critical |
| 3 | Missing Authentication on viewItem.php | High |
| 4 | Insecure Password Reset Token (extractable via SQLi) | High |
| 5 | Incomplete File Extension Blacklist (.phar missing) | Critical |
| 6 | No MIME Type Validation on updateItem.php | Medium |
| 7 | Sudo Misconfiguration (find with NOPASSWD) | Critical |
| 8 | Outdated Kernel — CVE-2021-3493 OverlayFS | Critical |

## Skills & Topics Covered

- Network Reconnaissance & Enumeration
- Web Application Source Code Review
- Boolean-based Blind SQL Injection
- Python Exploit Scripting & Automation
- File Upload Filter Bypass Techniques
- Reverse Shell Techniques
- Linux Privilege Escalation (Sudo abuse + Kernel exploits)
- CTF Design & Theming

## Tools Used

| Tool | Purpose |
|------|---------|
| nmap | Network discovery & port scanning |
| gobuster | Directory brute-forcing |
| curl | HTTP testing |
| Python 3 + requests | Custom exploit development |
| netcat (nc) | Reverse shell listener |
| CVE-2021-3493 | Kernel privilege escalation |
| GTFOBins | Sudo misconfiguration exploitation |

## Setup

### Download VM

**[⬇️ Download WolfpackDeals.zip (1.6 GB)](https://drive.google.com/file/d/1GJ_BeWlGBRGSqCpvzHeguBO9xcfKZtgg/view?usp=sharing)**

### For VMware Users
1. Download and extract `WolfpackDeals.zip` → get `WolfpackDeals.vmdk`
2. Create New VM → Linux → Ubuntu 64-bit
3. Remove default hard disk → Add existing disk → Select `WolfpackDeals.vmdk`
4. Memory: 2GB, CPU: 2 cores
5. Start VM — IP assigned via DHCP
6. Use `nmap -sn ` to find the target IP

### For UTM Users (Apple Silicon Mac)
1. Download `WolfpackDeals.qcow2`
2. Create New VM → Emulate → Linux → Import existing drive
3. Architecture: x86_64, Memory: 2GB, CPU: 2 cores
4. Start VM — IP assigned via DHCP

## Repository Structure

```
├── README.md                  — This file
├── walkthrough/
│   ├── walkthrough.md         — Complete step-by-step walkthrough
│   └── screenshots/           — Walkthrough screenshots
│       ├── 01_nmap_discovery.png
│       ├── 02_nmap_portscan.png
│       ├── 03_robots_txt.png
│       ├── 04_login_page.png
│       ├── 05_gobuster.png
│       ├── 06_source_code_check.png
│       ├── 07_source_code_extract.png
│       ├── 08_viewItem_code.png
│       ├── 09_updateItem_code.png
│       ├── 10_sqli_confirm.png
│       ├── 11_password_reset.png
│       ├── 12_exploit_flag1.png
│       ├── 13_upload_shell.png
│       ├── 14_rce_verify.png
│       ├── 15_flag2.png
│       ├── 16_reverse_shell.png
│       └── 17_root_access.png
├── exploits/
│   ├── exploit.py             — Blind SQLi token extractor + auto login
│   ├── upload.py              — Webshell upload script
│   └── revshell.py            — Reverse shell trigger
├── storyline/
│   └── hangover_ctf_story.md  — Full 4-machine storyline
└── vm/
    └── README.md              — VM download links & setup instructions
```

## Exploit Scripts

### exploit.py — Automated Authentication Bypass
Automates the entire FLAG 1 attack chain:
1. Triggers admin password reset
2. Extracts 15-char token via Blind SQLi (character by character)
3. Resets admin password
4. Logs in and captures FLAG 1

### upload.py — Webshell Upload
Uploads a PHP webshell disguised as a GIF image using the `.phar` extension bypass.

### revshell.py — Reverse Shell
Triggers a Python reverse shell from the target back to the attacker.

## The Hangover CTF — Full Series

| Machine | Name | OS | Theme |
|---------|------|----|-------|
| **1** | **Wolfpack Deals** | **Linux** | **Hotel Room Laptop (this machine)** |
| 2 | Mercury General Hospital | TBD | Stu's Dental Records |
| 3 | Chow's Palace | TBD | Mr. Chow's Personal Server |
| 4 | Caesars Palace Security | TBD | Final Rescue — Find Doug |

## Author

**Ronit Grover**

Built as part of a Cybersecurity class CTF project.

## Disclaimer

This CTF machine is designed for educational purposes only. The vulnerabilities are intentionally placed for learning. Do not use these techniques against systems you don't own or have permission to test.