MoriartyPuth-Labs/N7-Lab

🫧 Lab N7: Web Exploitation & Database Siphon

[Image]

🚩 Project Overview

This repository documents the successful penetration test and data exfiltration of Web Machine: (N7), a vulnerable VM created by Duty Mastr and released on November 3, 2021. The mission used a custom exploitation framework, bubble_siphon, to profile the host, identify hidden entry points, and "siphon" sensitive data and flags.

๐Ÿ–ฅ๏ธ Machine Specifications

  • Name: Web Machine: (N7)
  • Difficulty: Medium
  • Format: Virtual Machine (VirtualBox - OVA)
  • Operating System: Linux
  • Network: DHCP enabled (IP automatically assigned)
  • Primary Vector: Web-based vulnerabilities

๐Ÿ› ๏ธ Detailed Methodology

1. Network Enumeration & Target Validation

  • Infrastructure Check: The lab was configured using bridged networking to ensure direct communication between the Kali Linux attacker machine and the target VM.
  • Host Discovery: sudo arp-scan -l identified the target IP within the local subnet.

[Image: IMG_0001]

  • Service Profiling: A comprehensive service scan (nmap -sCV -T4) confirmed that port 80 (HTTP) was the only open port, which made the web application the primary attack surface.

2. Advanced Directory & Parameter Fuzzing (bubble_scan)

  • Aggressive Fuzzing: Initial scans with standard wordlists yielded minimal results.
[Image: IMG_0002]
  • Endpoint Discovery: DirBuster with a customized dictionary eventually revealed the hidden entry point /exploit.html.

[Image: IMG_0003]

  • Hidden Portal Discovery: Manual reconnaissance and intelligence siphoning identified the /enter_network directory, which served as an administrative gateway.

3. Exploitation & Lateral Movement

  • Upload Form Bypass: The /exploit.html form was misconfigured to point to localhost.
  • Manual Request Crafting: This was bypassed using a crafted curl -X POST request targeting the backend handler, profile.php.
[Image: IMG_0006]
  • Information Disclosure: Interacting with the backend directly triggered a partial flag disclosure: FLAG{N7.
  • Blind SQL Injection: The login form at /enter_network was found to be vulnerable to SQL injection.
  • Database Targeting: Using sqlmap with --level 3 --risk 3, a time-based blind injection was confirmed on the user parameter.

[Image: IMG_0007]
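The time-based blind injection above is the kind of probing a defender can pick up in web server logs. The following is an added example for this write-up, not code from the N7 lab or the bubble_siphon tooling: it parses Apache "combined" access-log lines (constructed below), flags query parameters that carry the delay functions time-based blind payloads depend on, flags sqlmap's default User-Agent, and counts findings per client so a burst from one host stands out. The addresses, paths and parameter names in the sample are assumptions.

```python
"""Detect time-based blind SQL injection probing in web server access logs.

Added example for this write-up, not code from the N7 lab or the bubble_siphon
tooling. It parses Apache "combined" log lines (constructed below), flags query
parameters carrying the delay primitives time-based blind payloads rely on,
and flags sqlmap's default User-Agent. Host addresses, paths and parameter
names in the sample are assumptions.
"""
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# ip ident user [time] "method target protocol" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Delay functions used by time-based blind techniques on common database engines.
DELAY_RE = re.compile(
    r"\b(SLEEP|BENCHMARK|PG_SLEEP|WAITFOR\s+DELAY|DBMS_LOCK\.SLEEP)\b",
    re.IGNORECASE,
)
# sqlmap identifies itself unless the operator overrides the User-Agent.
SCANNER_UA_RE = re.compile(r"sqlmap", re.IGNORECASE)


def parse_line(line):
    """Split one combined-format line into fields, or return None if it does not parse."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def analyse(line):
    """Return a finding for a suspicious line, or None for a clean one."""
    rec = parse_line(line)
    if rec is None:
        return None
    url = urlsplit(rec["target"])
    # parse_qsl percent-decodes values, so SLEEP%285%29 becomes SLEEP(5)
    params = parse_qsl(url.query, keep_blank_values=True)
    indicators, tainted = set(), set()
    for name, value in params:
        if DELAY_RE.search(value):
            indicators.add("time_based_payload")
            tainted.add(name)
    if SCANNER_UA_RE.search(rec["ua"]):
        indicators.add("scanner_user_agent")
    if not indicators:
        return None
    return {
        "ip": rec["ip"],
        "path": url.path,
        "params": sorted(tainted),
        "indicators": sorted(indicators),
    }


def scan(lines):
    """Run analyse() over an iterable of log lines and keep the findings."""
    return [f for f in map(analyse, lines) if f]


def sources(findings):
    """Count findings per client IP so bursts from one host stand out."""
    return Counter(f["ip"] for f in findings)


# Constructed sample: one normal request, one injected login attempt, one sqlmap probe.
SAMPLE_LOG = [
    '10.0.0.5 - - [03/Nov/2021:10:15:02 +0000] "GET /enter_network/ HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [03/Nov/2021:10:16:41 +0000] "GET /enter_network/index.php?user=admin%27+AND+SLEEP%285%29--+&pass=x HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [03/Nov/2021:10:16:42 +0000] "GET /enter_network/index.php?user=admin&pass=x HTTP/1.1" 200 512 "-" "sqlmap/1.5 (https://sqlmap.org)"',
]

if __name__ == "__main__":
    findings = scan(SAMPLE_LOG)
    for finding in findings:
        print(finding)
    print(sources(findings))
```

Two caveats when using this on a real server: the access log only records the query string, so a login form submitted by POST will not show its parameters there and needs request-body logging (a WAF audit log or application-side logging) instead; and a tool with a spoofed User-Agent leaves only the payload and the timing behind, so a run of requests from one client that each take several seconds to answer is the other signal worth alerting on.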

4. Post-Exploitation & Data Siphoning (bubble_siphon)

  • Database Exfiltration: sqlmap was used to dump the Machine database and its corresponding login table.
  • Loot Extraction: The final flag and administrator credentials were recovered from the password field of the database.
[Image: IMG_0008]
  • Siphon Script Deployment: The bubble_siphon.sh framework was prepared to profile the www-data identity and scavenge the /var/www/ directory for configuration secrets such as .env and config.php files.
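The files a scavenger like the one described above looks for first are the ones a defender should check before a compromise. The following is an added example for this write-up, not code from the N7 lab or its bubble_siphon script: it walks a document root, picks out secret-named files (.env, config.php and similar), reports those that are world-readable or hold credential-looking keys, and then strips the "other" permission bits from the exposed ones. The web root, file names and contents are constructed in a temporary directory and are assumptions.

```python
"""Audit a web root for configuration secrets readable by other local users.

Added example for this write-up, not code from the N7 lab or its
bubble_siphon script. It walks a document root, picks out the file names a
post-exploitation scavenger checks first (.env, config.php and similar) and
reports those that are world-readable or hold credential-looking keys; a
harden step then drops the "other" permission bits. The web root, file names
and contents are constructed in a temporary directory and are assumptions.
"""
import os
import re
import stat
import tempfile

# File names that typically carry database or application credentials.
SECRET_NAMES = {".env", "config.php", "wp-config.php", "settings.php", "database.yml"}

# Credential-looking keys at line start, optionally inside a PHP define('...') call.
CRED_KEY_RE = re.compile(
    r"^\s*(?:define\(\s*['\"])?(DB_PASS(?:WORD)?|DB_USER|SECRET_KEY|API_KEY)\b",
    re.IGNORECASE | re.MULTILINE,
)


def audit_webroot(root):
    """Return one finding per secret-named file under root, with its issues."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name not in SECRET_NAMES:
                continue
            path = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.stat(path).st_mode)
            issues = []
            if mode & stat.S_IROTH:
                issues.append("world_readable")
            with open(path, encoding="utf-8", errors="replace") as fh:
                if CRED_KEY_RE.search(fh.read()):
                    issues.append("contains_credentials")
            findings.append({
                "path": os.path.relpath(path, root),
                "mode": oct(mode),
                "issues": issues,
            })
    return sorted(findings, key=lambda f: f["path"])


def harden(root):
    """Clear read/write/execute for 'other' on every world-readable secret file; return the paths changed."""
    changed = []
    for finding in audit_webroot(root):
        if "world_readable" not in finding["issues"]:
            continue
        path = os.path.join(root, finding["path"])
        mode = stat.S_IMODE(os.stat(path).st_mode)
        os.chmod(path, mode & ~0o007)
        changed.append(finding["path"])
    return changed


def build_sample_webroot():
    """Create a constructed web root in a temp dir: one exposed .env, one correctly restricted config.php."""
    root = tempfile.mkdtemp(prefix="n7_audit_")
    os.makedirs(os.path.join(root, "enter_network"))
    samples = {
        ".env": ("DB_USER=webapp\nDB_PASSWORD=constructed-example\n", 0o644),
        os.path.join("enter_network", "config.php"): (
            "<?php\ndefine('DB_PASS', 'constructed-example');\n", 0o640),
        "index.php": ("<?php echo 'hello';\n", 0o644),
    }
    for rel, (content, mode) in samples.items():
        path = os.path.join(root, rel)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
        os.chmod(path, mode)  # explicit, so the result does not depend on umask
    return root


if __name__ == "__main__":
    webroot = build_sample_webroot()
    for f in audit_webroot(webroot):
        print(f)
    print("hardened:", harden(webroot))
    for f in audit_webroot(webroot):
        print(f)
```

The target state the harden step moves toward is the usual one for PHP deployments: secret files owned by root with the web server's group and mode 0640, so the application can read them but no other local account can. Permissions do not stop the web server itself from serving a .env file that sits inside the document root, so the server configuration should also refuse to serve dotfiles, or the secrets should live outside the document root altogether.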

📂 Featured Tools

  • bubble_siphon.sh: Custom post-exploitation framework for scavenging system secrets and SSH keys.
  • SQLmap: Utilized for automated database siphoning and credential recovery.
  • FFUF/DirBuster: Deployed for endpoint discovery and parameter fuzzing.

๐Ÿ† Final Flag

FLAG{N7:KSA_01}
