| Lab/Room | TryHackMe - Web Application Red Teaming |
|---|---|
| Type | Challenge |
| Status | Done |
| Date | 11/01/2026 |
Can you extract the secrets from the library?
The librarian rushed some final changes to the web application before heading off on holiday. In the process, they accidentally left sensitive information behind! Your challenge is to find and exploit the vulnerabilities in the application to extract these secrets.
The goal will be to chain the vulnerabilities to get 2 flags. For that, I will start with a classic recon of the target and, based on this recon, I will try to enumerate the different vulnerabilities I can use for my goal.
An initial full port scan was performed against the target host.
```
root@ip-10-67-100-14:~# nmap -p- 10.67.179.0
```
The scan revealed a very common attack surface:
With only a web service and SSH exposed, the logical next step was to investigate the HTTP application.
The web application presents itself as an online document library containing two PDFs: dummy and Lorem.
The interface is split into two main components: