Machine Synopsis
`Guardian` is a hard difficulty Linux machine that starts with a web service redirecting to a university-themed site containing multiple subdomains, including a Gitea instance. Using default student credentials to access the student portal reveals an IDOR vulnerability in the chat feature, exposing admin messages and Jamil’s Gitea password. After accessing Jamil’s Gitea account, the source code discloses a vulnerable PHPSpreadsheet version exploitable via XSS. A crafted Excel file is used to hijack a lecturer’s (Sammy Treat) session, leading to the discovery of a CSRF vulnerability in the admin panel that allows the creation of a new admin account. With admin access, a restricted PHP filter-based LFI is exploited via a modified filter-chain technique to achieve remote code execution. Post-exploitation shows that Jamil can run a Python script as the user Mark; that script can be modified to inject and execute a reverse shell payload, granting access as Mark. Mark can run `safeapache2ctl` as `root`, a restricted wrapper for `apache2ctl` that only permits configuration files from `/home/mark/confs`. Although symlinks are blocked via a realpath check, this restriction is bypassed by using Apache’s Include directive to reference a symlink within the allowed directory that points to sensitive files. When executed, this leaks protected data such as the root hash or root flag, ultimately enabling full root privilege escalation.
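A defender-side check for the symlink-via-Include gap described above, as an added example that is not part of the original synopsis or the machine's own `safeapache2ctl`: `weak_check` models a realpath test applied to the top-level file only, while `find_include_violations` also resolves every `Include` target before the config is accepted. The directory layout, file names and the treatment of relative Include paths are assumptions.

```python
import glob
import os
import re
import tempfile
from pathlib import Path

INCLUDE_RE = re.compile(r"^\s*Include(?:Optional)?\s+(\S+)", re.IGNORECASE)

def under_allowed(path, allowed_dir):
    """True if the symlink-resolved path lies inside allowed_dir."""
    real, root = os.path.realpath(path), os.path.realpath(allowed_dir)
    return os.path.commonpath([real, root]) == root

def weak_check(conf, allowed_dir):
    """The wrapper's flawed policy: realpath is checked on the top-level file only."""
    return under_allowed(conf, allowed_dir)

def find_include_violations(conf, allowed_dir, seen=None):
    """Hardened policy: follow every Include/IncludeOptional recursively and report each
    file whose resolved path escapes allowed_dir (relative paths assumed under allowed_dir)."""
    seen = set() if seen is None else seen
    real = os.path.realpath(conf)
    if real in seen:  # guard against Include cycles
        return []
    seen.add(real)
    violations = [] if under_allowed(conf, allowed_dir) else [conf]
    if not os.path.isfile(real):
        return violations
    with open(real, encoding="utf-8", errors="replace") as fh:
        for m in filter(None, map(INCLUDE_RE.match, fh)):
            target = m.group(1).strip('"')
            if not os.path.isabs(target):
                target = os.path.join(allowed_dir, target)
            pattern = os.path.join(target, "*") if os.path.isdir(target) else target  # dir or glob
            for path in sorted(glob.glob(pattern)):
                violations += find_include_violations(path, allowed_dir, seen)
    return violations

def build_demo():
    """Constructed layout (not from the page): an allowed confs dir holding a clean
    config and one whose Include names a symlink to a file outside the directory."""
    root = Path(tempfile.mkdtemp())
    allowed = root / "confs"
    allowed.mkdir()
    secret = root / "secret.txt"  # stands in for a protected file such as a hash file
    secret.write_text("placeholder-secret\n")
    (allowed / "link.conf").symlink_to(secret)
    (allowed / "clean.conf").write_text("ServerName example.test\n")
    (allowed / "chained.conf").write_text("ServerName example.test\nInclude %s\n" % (allowed / "link.conf"))
    return str(allowed), str(allowed / "clean.conf"), str(allowed / "chained.conf")
```

The weak policy accepts `chained.conf` because the file itself sits under the allowed directory; the hardened walk rejects it because the included `link.conf` resolves outside it.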