Prison Break CTF Structure

Quick Summary

Linux-based CTF involving a vulnerable prison management system. Initial access through SQL injection, followed by a series of privilege escalations using:

Writable cron job for prisoner→guard
RADIUS server misconfiguration for guard→warden
Sudo privileges for warden→root

%%{init: {'theme': 'base', 'themeVariables': { 'fontSize': '16px' }}}%% graph TD subgraph Internet["Internet (Public Access)"] A[Prison Management System
Public Web Interface
Linux/Apache] -->|Port 80/443| B[SQL Injection
Auth Bypass
EDB-52017] B -->|Upload| C[PHP Reverse Shell
via File Upload Feature] end subgraph Internal_Network["Internal Network (Restricted Access)"] direction TB D[Prisoner Shell
/home/prisoner
Limited Access] E[Guard Account
/home/guard
- Cron Access
- Network Tools
- LinPEAS Access] F[Warden Account
/home/warden
- Already Root Access
- release_list.txt Easter Egg] G[Root Flag
/root/flag.txt] H[FreeRADIUS Server
- Local Port 1812
- Plaintext Config Access
- Readable MD5 Hashes] end subgraph Attack_Chain["Privilege Escalation Chain"] C -->|Shell Access| D D -->|Modify Meal Schedule Script| E E -->|Run Enumeration & Access Files| H H -->|Extract Stored Hashes| F F -->|Already Has Root
Find Flag| G end style A fill:#f9d71c,stroke:#000 style B fill:#f9d71c,stroke:#000 style C fill:#f9d71c,stroke:#000 style D fill:#f97c1c,stroke:#000 style E fill:#f97c1c,stroke:#000 style F fill:#f97c1c,stroke:#000 style G fill:#1cf928,stroke:#000 style H fill:#f97c1c,stroke:#000 classDef public fill:#f9d71c,stroke:#000; classDef internal fill:#f97c1c,stroke:#000; classDef root fill:#1cf928,stroke:#000;

Detailed Attack Chain

1. Initial Access

The entry point is a PHP-based Prison Management System, vulnerable to SQL injection. The attack begins by:

Exploiting SQL injection vulnerability in login form (EDB-52017)
- Target: Authentication bypass in login.php
- Payload modifies SQL query to bypass password check
After authentication bypass:
- Access to admin dashboard reveals file upload feature
- Upload PHP reverse shell disguised as image
- Trigger shell to gain initial system access

2. Prisoner to Guard Escalation

The prisoner account has limited access but can exploit a misconfigured cron job:

Locate vulnerable cron job:
- File: /etc/cron.d/prisoner_lunch
- Purpose: Automated meal schedule management
- Runs as: guard user
- Vulnerability: Writable by prisoner user
Exploit process:
- Modify script to add reverse shell payload
- Wait for cron execution
- Gain guard user access

3. Guard to Warden/Root Escalation

The guard account has enhanced privileges and access to system tools:

Initial Enumeration:
- Download and run LinPEAS for system enumeration
- Discover RADIUS configuration access
- Network scanning capabilities with nmap
RADIUS Exploitation:
- Location: /etc/freeradius/3.0/
- Access to plaintext configuration files
- MD5 hashes stored in users file
- Extract warden's hash for authentication
Final Access:
- Use extracted hash to authenticate as warden
- Warden user already has root privileges
- Easter Egg: /home/warden/release_list.txt contains list of prisoners to be released
- Capture the flag in /root/flag.txt

4. Capture The Flag

Final objectives after gaining warden access:

Easter Egg Discovery:
- Location: /home/warden/release_list.txt
- Content: List of prisoners scheduled for release
- Thematic addition to the prison break scenario
Flag Capture:
- Location: /root/flag.txt
- Accessible via warden's root privileges
- Final objective of the CTF

🔒 Prison Break CTF Challenge 🔑

🎯 Objective

⚡ Quick Stats

🛠️ Prerequisites

Prison Break CTF Structure

Quick Summary

Detailed Attack Chain

1. Initial Access

2. Prisoner to Guard Escalation

3. Guard to Warden/Root Escalation

4. Capture The Flag

References:

🏗️ Local Build Instructions

📦 Repository Structure

📝 Requirements

🚀 Setup Steps

📜 Build Script