SecureCode1: an OSWE-like Machine

Ahmed ElTijani
Published in SUDOROOT
Feb 12, 2021

Source code review?

Source code review, also known as security code review, is the process of auditing an application's source code to verify that the proper security controls are present, that they work as intended, and that they are invoked in all the right places. Code review is a way of ensuring that the application has been developed to be “self-defending” in its given environment.

This box was built to enrich the training resources for the Offensive Security Web Expert (OSWE) certificate. It also helps you learn how to discover hidden vulnerabilities that are easily missed during a regular penetration test (black-box testing).
- Box Name: SecureCode1
- Programming Language: Native PHP
- Difficulty: EASY
It is not solvable by pure black-box testing; you need to do a lot of source code review.

You’ve three objectives:
1. Bypass Authentication → flag1
2. Obtain Remote Command Execution → flag2
3. Write your PoC code that chains the exploitation of the discovered vulnerabilities. You can also send your PoC code to ahmed [at] sud0root.com if you wish to be added to the leaderboard👇

🏆 leaderboard:
A Contest leaderboard shows the points received by the participating players. Players need to meet the Contest rules criteria to participate and be shown in the Contest Leaderboard.

The Target VM on Vulnhub.com:
https://www.vulnhub.com/entry/securecode-1,651/

Alternatively, you can download the OVA from Mega.nz at the link below (size: 2.0 GB):
https://mega.nz/file/b4xAVRAQ#IK8ujpYsGbwxoyA4aaNERMF80EPLkPX3fv7hksXF-M8

- MD5: 287f7979fdb3060bde224182a752ed18
- SHA1: 2b946f52d915ca74d1c7c84251435f8c8d92f2cb

- For setup, see the video below:

This is going to be a series of OSWE-like boxes.
The next boxes will be in Java, Node.js, and some PHP frameworks.

If you have feedback or need a hint, DM me @ahmed_eltijani

Best of luck!
