Forgotten Portal

Complete offensive pentesting exercise on a virtual machine in DockerLabs, documented with PTES methodology and TTPs mapped to MITRE ATT&CK.

By Valentina Ramírez · Updated: June 19, 2026

Stack
Nmap, Gobuster, Netcat, Python, MITRE ATT&CK, PTES, Linux, DockerLabs
01 · The problem

How vulnerable is a misconfigured system to an attacker with minimal initial access?

Credentials in the HTML

The username and hidden portal path were visible in the page source code comments.

Upload without real validation

The server accepted PHP files without verifying the real type: any web shell passed disguised as a legitimate document.

Shared SSH key

The same id_rsa was distributed across multiple system accounts, turning one access into an immediate lateral pivot.

02 · What I built

  1. Reconnaissance with Nmap (ports, services, versions) and Gobuster (exposed directories).

  2. Exploitation of an unvalidated PHP upload (CWE-434) to achieve remote code execution.

  3. Reverse shell with Netcat and privilege escalation to root.

  4. Vulnerabilities classified: CWE-615, CWE-434, CWE-312, CWE-321, CWE-269.

  5. Complete writeup published with PTES methodology and MITRE ATT&CK TTPs.

Attack chain: 7 phases, none depend on a zero-day.

  1. Reconnaissance: Nmap detects Apache 2.4.58 on port 80
  2. Discovery: HTML comment exposes user 'Bob' and path /m4ch1n3_upload.html
  3. Initial access: PHP web shell uploaded to /uploads via form with no validation
  4. Remote shell: Bash payload over Netcat establishes interactive reverse shell
  5. Horizontal escalation: Base64 credential in access_log decoded (alice:s3cr3tp@ssw0rd^487)
  6. Lateral pivot: shared id_rsa allows moving to bob's account
  7. Root: sudo tar without password exploited via GTFOBins, full system access
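Phase 5 turns on a credential that a client sent Base64-encoded and the server copied into access_log (CWE-312). The scanner below is an added example, not part of the original writeup or of the DockerLabs machine: it pulls Base64-looking tokens out of log lines, decodes them strictly, and keeps only those that decode to a user:password shape, which is the same check a log-review job or SIEM rule would run over a web server's logs. The log lines are constructed; only the recovered credential is the one the writeup reports.

```python
"""Scan web-server access-log lines for Base64 tokens that decode to a
user:password pair, i.e. credentials written to logs (CWE-312).

Added example for this writeup, not code from the original exercise. The
log lines are constructed; the credential inside them is the one the
writeup reports recovering from access_log."""
import base64
import binascii
import re
from typing import List, Optional, Tuple

# Runs of Base64 alphabet long enough to hold "user:pass" (8+ chars) and
# bounded so session tokens and JWTs do not dominate the candidate list.
# '=' is excluded from the look-behind so "auth=<token>" still matches.
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/])([A-Za-z0-9+/]{8,200}={0,2})(?![A-Za-z0-9+/=])")
# A decoded payload must look like "user:secret" and be printable ASCII only.
CRED_SHAPE = re.compile(r"[A-Za-z0-9._-]{1,64}:[\x20-\x7e]{1,128}")


def decode_candidate(token: str) -> Optional[str]:
    """Decode a token strictly; return None for bad padding or non-ASCII output."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        return raw.decode("ascii")
    except UnicodeDecodeError:
        return None


def find_credentials(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, token, decoded) for each credential-shaped token."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for token in B64_TOKEN.findall(line):
            decoded = decode_candidate(token)
            if decoded is not None and CRED_SHAPE.fullmatch(decoded):
                hits.append((lineno, token, decoded))
    return hits


# Constructed Apache combined-format lines. The third one shows a client that
# sent its credential in the query string; the server logged the request
# line verbatim, which is how the credential ended up in access_log.
LEAKED = base64.b64encode(b"alice:s3cr3tp@ssw0rd^487").decode()
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Jun/2026:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [19/Jun/2026:10:01:09 +0000] "GET /m4ch1n3_upload.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    f'10.0.0.7 - - [19/Jun/2026:10:02:30 +0000] "GET /admin?auth={LEAKED} HTTP/1.1" 401 0 "-" "curl/8.5.0"',
    '10.0.0.5 - - [19/Jun/2026:10:03:00 +0000] "POST /uploads HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for lineno, token, decoded in find_credentials(SAMPLE_LOG):
        # Report the account only: the job is to alert on a leaked secret,
        # not to copy it into yet another log.
        user = decoded.split(":", 1)[0]
        print(f"line {lineno}: token {token[:12]}... decodes to a credential for {user!r}")
```

The strict decode (`validate=True`) plus the `user:secret` shape filter is what keeps the false-positive rate low: paths such as `/uploads` and user-agent fragments such as `Mozilla/5` are valid Base64 alphabet but either fail padding or decode to non-printable bytes, so only genuine leaks survive.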
03 · Results

  • Full machine compromise in 7 phases without using zero-day exploits: all vectors are configuration errors and human mistakes reproducible in real environments.

  • Five vulnerabilities identified and classified with CWE: information exposed in comments (CWE-615), unrestricted upload (CWE-434), credentials in logs (CWE-312), reused SSH key (CWE-321), and excessive sudo (CWE-269).

  • User flag captured and root access confirmed. Complete writeup documented with PTES methodology and TTPs mapped to MITRE ATT&CK.
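Two of the five findings (the reused SSH key, CWE-321, and the passwordless sudo rule, CWE-269) are host configuration and can be checked for without touching the application. The audit below is an added example, not code from the original writeup or the lab machine: it fingerprints every `authorized_keys` entry the way OpenSSH does and reports any key trusted by more than one account, and it parses sudoers rules for `NOPASSWD` entries on `ALL` or on a binary GTFOBins documents as able to spawn a shell. The key blobs and the sudoers excerpt are constructed; the binary set is a starting point and would be extended from GTFOBins in a real audit.

```python
"""Audit two of the misconfigurations the writeup chained together: one SSH
public key authorized for several accounts (CWE-321) and passwordless sudo on
a binary that can spawn a shell (CWE-269).

Added example for this writeup, not code from the original exercise. The
authorized_keys entries and sudoers excerpt below are constructed; the key
blobs are arbitrary bytes, not real keys."""
import base64
import hashlib
import re
from collections import defaultdict
from typing import Dict, List, Tuple


def ssh_fingerprint(entry: str) -> str:
    """OpenSSH-style SHA256 fingerprint of an authorized_keys entry."""
    parts = entry.split()
    # An entry may start with options ("from=...,no-pty ssh-ed25519 AAAA...");
    # the key blob is the Base64 field right after the key-type field.
    for i, field in enumerate(parts[:-1]):
        if field.startswith(("ssh-", "ecdsa-", "sk-")):
            blob = base64.b64decode(parts[i + 1])
            digest = hashlib.sha256(blob).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    raise ValueError(f"not an authorized_keys entry: {entry!r}")


def shared_keys(authorized: Dict[str, List[str]]) -> List[Tuple[str, List[str]]]:
    """Map account -> authorized_keys lines to (fingerprint, accounts) for
    every key that more than one account trusts."""
    owners = defaultdict(set)
    for account, lines in authorized.items():
        for line in lines:
            line = line.strip()
            if line and not line.startswith("#"):
                owners[ssh_fingerprint(line)].add(account)
    return [(fp, sorted(accts)) for fp, accts in sorted(owners.items()) if len(accts) > 1]


# Binaries GTFOBins documents as able to spawn a shell under sudo; tar is the
# one the writeup used. Extend this set from GTFOBins for a real audit.
SHELL_ESCAPE_BINARIES = {"tar", "vim", "find", "less", "awk", "python3"}

# who  host = (runas) [TAG:] command[, command...]
SUDOERS_RULE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)


def risky_sudo_rules(sudoers: str) -> List[Tuple[str, str]]:
    """Return (who, command) for every NOPASSWD rule on ALL or a shell-escape binary."""
    findings = []
    for raw in sudoers.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        first = line.split()[0]
        if first.startswith("Defaults") or first.endswith("_Alias"):
            continue
        rule = SUDOERS_RULE.match(line)
        if not rule:
            continue
        nopasswd = False
        for spec in rule.group("cmds").split(","):
            spec = spec.strip()
            # A tag applies to its command and to every following command in
            # the rule until another tag overrides it.
            while ":" in spec and spec.split(":", 1)[0].isupper():
                tag, spec = (s.strip() for s in spec.split(":", 1))
                if tag == "NOPASSWD":
                    nopasswd = True
                elif tag == "PASSWD":
                    nopasswd = False
            if not nopasswd or not spec:
                continue
            binary = spec.split()[0].rsplit("/", 1)[-1]
            if spec == "ALL" or binary in SHELL_ESCAPE_BINARIES:
                findings.append((rule.group("who"), spec))
    return findings


def _fake_key(label: bytes) -> str:
    # Constructed stand-in for a key blob: fingerprinting only hashes bytes,
    # so any Base64 payload exercises the logic.
    return "ssh-ed25519 " + base64.b64encode(label.ljust(32, b"\0")).decode()


SHARED = _fake_key(b"constructed-shared-key")
SAMPLE_AUTHORIZED_KEYS = {
    "alice": [SHARED + " alice@workstation"],
    "bob": [
        "# constructed: bob's keys",
        SHARED + " alice@workstation",  # the same key alice uses
        _fake_key(b"constructed-bob-only") + " bob@laptop",
    ],
    "carol": [_fake_key(b"constructed-carol") + " carol@desk"],
}

SAMPLE_SUDOERS = """\
# constructed sudoers excerpt
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
alice   ALL=(ALL) NOPASSWD: /usr/bin/systemctl status nginx
bob     ALL=(ALL) NOPASSWD: /usr/bin/tar
"""

if __name__ == "__main__":
    for fp, accounts in shared_keys(SAMPLE_AUTHORIZED_KEYS):
        print(f"key {fp} is trusted by {', '.join(accounts)}")
    for who, cmd in risky_sudo_rules(SAMPLE_SUDOERS):
        print(f"{who} may run {cmd} via sudo without a password")
```

On a real host the input would come from each account's `~/.ssh/authorized_keys` and from `/etc/sudoers` plus `/etc/sudoers.d/*`; the functions take text so they can be unit-tested and run against collected evidence as well as live systems.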

04 · Learnings

  • Security does not end at server code: an HTML comment with a username and a hidden path is enough to launch a full attack. Everything the server sends to the browser is an attack surface.

  • Validating a file extension is not the same as validating the file's real type: a PHP web shell with an allowed extension executes arbitrary code on the server. Validation belongs on the server, which must verify the actual content type itself and configure the upload directory so that nothing stored there can ever be executed.
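The second learning, as an added example that is not part of the original writeup: a server-side validator for a document upload form that decides by magic bytes rather than by the client's file name, rejects a polyglot whose document header is followed by server-side code, and has the server choose the stored name and extension so the client controls neither the path nor the handler the file maps to. The allow-list (PDF, PNG, JPEG) and the sample payloads are constructed; the PHP payload is a harmless marker, not a web shell.

```python
"""Server-side validation for a document upload: decide by the file's real
content, not the name the client chose, and let the server pick the stored
name and extension (CWE-434, unrestricted upload).

Added example for this writeup, not code from the original exercise. The
allow-list and the sample payloads are constructed."""
import hashlib
from typing import Optional, Tuple

# Extension the client may claim -> (extension we store under, magic-byte
# prefixes the content must start with). A claimed extension outside this
# map is rejected before the content is even looked at.
ALLOWED = {
    "pdf": ("pdf", (b"%PDF-",)),
    "png": ("png", (b"\x89PNG\r\n\x1a\n",)),
    "jpg": ("jpg", (b"\xff\xd8\xff",)),
    "jpeg": ("jpg", (b"\xff\xd8\xff",)),
}

# Tripwire for polyglots: a valid document header followed by server-side
# code. Markers are kept long enough not to occur by chance in image data.
SCRIPT_MARKERS = (b"<?php", b"<script")


def sniff_type(data: bytes) -> Optional[str]:
    """Return the allow-list key whose magic bytes the content starts with."""
    for ext, (_stored, magics) in ALLOWED.items():
        if any(data.startswith(magic) for magic in magics):
            return ext
    return None


def validate_upload(filename: str, data: bytes, max_bytes: int = 5_000_000) -> Tuple[bool, str]:
    """Return (False, reason) or, when accepted, (True, server-chosen file name)."""
    if not data or len(data) > max_bytes:
        return False, "empty or oversized file"
    # Only the last suffix counts, so "shell.pdf.php" claims php and is rejected.
    claimed = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if claimed not in ALLOWED:
        return False, f"extension not allowed: {claimed!r}"
    sniffed = sniff_type(data)
    if sniffed is None:
        return False, "content does not match any allowed document type"
    stored_ext = ALLOWED[claimed][0]
    if ALLOWED[sniffed][0] != stored_ext:
        return False, f"content is {sniffed}, name claims {claimed}"
    if any(marker in data.lower() for marker in SCRIPT_MARKERS):
        return False, "script markers inside document"
    # Content hash plus the extension we verified: the client controls neither
    # the path nor the handler the web server maps the file to.
    digest = hashlib.sha256(data).hexdigest()[:32]
    return True, f"{digest}.{stored_ext}"


# Constructed inputs. The PHP payload is a harmless marker, not a web shell.
LEGIT_PDF = b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
LEGIT_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16
PHP_MARKER = b"<?php echo 'constructed test payload'; ?>\n"
SAMPLE_UPLOADS = [
    ("report.pdf", LEGIT_PDF),               # accepted
    ("report.pdf", PHP_MARKER),              # PHP behind an allowed extension
    ("shell.php", LEGIT_PDF),                # disallowed extension
    ("photo.jpg", LEGIT_PDF),                # real type disagrees with the name
    ("notes.pdf", LEGIT_PDF + PHP_MARKER),   # polyglot: PDF header, PHP tail
    ("photo.jpeg", LEGIT_JPEG),              # accepted, stored as .jpg
]

if __name__ == "__main__":
    for name, data in SAMPLE_UPLOADS:
        accepted, detail = validate_upload(name, data)
        print(f"{name:12} -> {'ACCEPT' if accepted else 'REJECT'}: {detail}")
```

The marker scan is only a tripwire; the decisions that matter are the content check and the server-chosen `.pdf`/`.png`/`.jpg` name. The second layer the learning calls for lives in the web server: for the Apache the writeup found, a `<Directory>` block for the upload path with `php_admin_flag engine off` (mod_php) or `RemoveHandler .php`, so that a file which slipped through is served as data and never run.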
