Target: Injectics (TryHackMe Lab)
Assessment Type: Black-Box Web Application Testing
Environment: Controlled Lab Environment
This lab-based security assessment identified a critical vulnerability chain leading to full compromise of the web application and underlying server.
The application was vulnerable to SQL Injection in its login functionality, allowing authentication bypass and manipulation of the database. A log file reachable through path traversal exposed plaintext credentials. Additionally, user input from the profile update functionality was rendered by the Twig template engine as template source, resulting in Server-Side Template Injection (SSTI), which was escalated to Remote Code Execution (RCE).
The combined exploitation of these vulnerabilities allowed administrative access and full system-level control.
Overall Risk Rating: Critical
The assessment was conducted from a black-box perspective in a controlled lab environment. The tester was provided only with the target IP address and no internal application knowledge.
The scope included:
Web application functionality accessible via HTTP
Authentication mechanisms
Input handling
Template rendering functionality
Testing followed a structured web application penetration testing approach:
Network reconnaissance and service enumeration
Web application mapping and directory discovery
Source code and file exposure analysis
Authentication testing
Input validation testing
Template engine behavior testing
Exploitation validation and impact verification
Finding 1: SQL Injection in Login Functionality
Risk Level: Critical
Description
The login functionality was vulnerable to SQL Injection: user-controlled input was concatenated directly into dynamic SQL queries without parameterization or server-side validation, so the structure of the query itself could be altered by the submitted username or password.
Impact
An attacker could manipulate the authentication logic to bypass login controls without valid credentials. Successful exploitation enabled unauthorized access to application functionality and manipulation of the database, including modification or deletion of user records.
This vulnerability directly compromised the confidentiality and integrity of application data.
Recommendation
Implement parameterized queries or prepared statements.
Enforce strict server-side input validation.
Apply the principle of least privilege to database accounts.
Implement centralized error handling to prevent information leakage.
Finding 2: Sensitive Information Disclosure via Exposed Log File
Risk Level: High
Description
A log file (mail.log) could be retrieved through path traversal. The file contained plaintext credentials and internal system information.
Impact
Exposure of administrative credentials significantly lowered the attack complexity and enabled privilege escalation. Disclosure of internal application data increases the likelihood of further exploitation.
Recommendation
Restrict access to log files.
Store logs outside the web root directory.
Avoid storing plaintext credentials.
Implement proper file permission management.
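The recommendations above come down to one control: the application must only ever serve files from a fixed directory, resolved after decoding and normalisation, and logs must not live inside that directory. The Python below is an added example, not code from the Injectics lab or TryHackMe. It assumes a public directory `/var/www/html/public` and a separate log directory, and the access-log lines it checks are constructed for the demonstration, not taken from the lab. The same containment check is reused as a detector over those log lines, so it also shows what a traversal attempt against mail.log looks like in a web server log.

```python
"""Added example (not the lab's code): confining file access to a fixed directory,
the control that would have kept mail.log out of reach, reused as a log-line detector."""
import os
from urllib.parse import unquote

# Assumed layout for the demonstration; the lab's real paths are not reproduced.
PUBLIC_DIR = "/var/www/html/public"   # only files under here may be served
LOG_DIR = "/var/www/html/logs"        # logs belong outside PUBLIC_DIR, never inside it


def resolve_public_path(requested: str, base_dir: str = PUBLIC_DIR):
    """Absolute path of `requested` inside base_dir, or None if it escapes.

    Decodes once (as the web server would), rejects embedded NUL bytes, resolves
    '..' and symlinks with realpath, then checks containment with commonpath.
    """
    candidate = unquote(requested)
    if "\x00" in candidate:
        return None
    candidate = candidate.lstrip("/\\")          # request is relative to base_dir
    base = os.path.realpath(base_dir)
    full = os.path.realpath(os.path.join(base, candidate))
    # A plain startswith(base) would accept /var/www/html/public2/...; commonpath does not.
    if os.path.commonpath([base, full]) != base:
        return None
    return full


# Constructed access-log lines (not from the lab) to exercise the same check as a detector.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /../../logs/mail.log HTTP/1.1" 200 2048',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /%2e%2e/%2e%2e/logs/mail.log HTTP/1.1" 200 2048',
    '10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /static/app.css HTTP/1.1" 200 90',
]


def flag_traversal(lines):
    """Request paths from combined-format log lines whose target escapes PUBLIC_DIR."""
    flagged = []
    for line in lines:
        try:
            path = line.split('"')[1].split()[1]   # the request target between the quotes
        except IndexError:
            continue
        if resolve_public_path(path) is None:
            flagged.append(path)
    return flagged


if __name__ == "__main__":
    print(resolve_public_path("index.php"))
    print(resolve_public_path("../../logs/mail.log"))
    print(flag_traversal(SAMPLE_ACCESS_LOG))
```

Note the check decodes the path exactly once: a double-encoded `%252e%252e` decodes to the literal text `%2e%2e`, which is then just an odd filename under the public directory, not a traversal. Keeping logs in a directory that the containment check can never reach is what makes the "store logs outside the web root" recommendation effective.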
Finding 3: Default Credential Reset Tied to Database State
Risk Level: High
Description
The application automatically restored default credentials whenever the users table was found to be missing. Because an attacker with SQL Injection could drop that table, this reset logic turned destructive database access into a set of known, predictable credentials.
Impact
Combined with SQL Injection, this flaw allowed an attacker who had dropped the users table to log in with the restored default credentials and obtain administrative access.
Recommendation
Remove automated credential reset mechanisms tied to database state.
Enforce secure password storage using strong hashing algorithms.
Implement monitoring for abnormal database behavior.
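The SQL Injection finding and this credential-reset flaw are easiest to understand together, so one worked example serves both. The Python script below is an added example, not code from the Injectics lab or TryHackMe: it models a login routine that interpolates user input into its query, a start-up routine that silently recreates the users table with a default account when the table is missing, and the hardened equivalents (parameterized query, salted hashed passwords, an explicit one-time bootstrap with a random password, and a login that fails closed when the schema is missing). It runs against an in-memory SQLite database; the `admin`/`admin` default pair and the table layout are assumptions for the demonstration, not the lab's values, and the `DROP TABLE` in the demo stands in for whatever destructive injection an attacker would use.

```python
"""Added example (not the lab's code): SQL injection login bypass chained with a
default-credential re-seed flaw, modelled on an in-memory SQLite database."""
import hashlib
import hmac
import secrets
import sqlite3

# Assumed default account for the demonstration; the lab's real values are not reproduced.
DEFAULT_USER, DEFAULT_PASSWORD = "admin", "admin"
USERS_DDL = "CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)"


def new_db() -> sqlite3.Connection:
    """Empty in-memory database with no tables yet (constructed test fixture)."""
    return sqlite3.connect(":memory:")


def users_table_exists(conn: sqlite3.Connection) -> bool:
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = 'users'"
    ).fetchone()
    return row is not None


# --- vulnerable application behaviour -------------------------------------

def reseed_defaults_vulnerable(conn: sqlite3.Connection) -> None:
    """Runs on every request: a missing users table is silently recreated with the
    default account. Dropping the table therefore yields known credentials."""
    if not users_table_exists(conn):
        conn.execute(USERS_DDL)
        conn.execute("INSERT INTO users VALUES (?, ?)", (DEFAULT_USER, DEFAULT_PASSWORD))


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Dynamic SQL: user input is interpolated straight into the query text."""
    reseed_defaults_vulnerable(conn)
    query = (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


# --- hardened equivalents --------------------------------------------------

def hash_password(password: str, salt: bytes = b"") -> str:
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return f"{salt.hex()}:{digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    salt_hex = stored.split(":", 1)[0]
    return hmac.compare_digest(hash_password(password, bytes.fromhex(salt_hex)), stored)


def bootstrap_hardened(conn: sqlite3.Connection):
    """Explicit one-time set-up run by an operator, never from the request path.
    Creates the first admin with a random password and returns (user, password)
    for out-of-band delivery; refuses to run again once any account exists."""
    if not users_table_exists(conn):
        conn.execute(USERS_DDL)
    if conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]:
        return None
    password = secrets.token_urlsafe(24)
    conn.execute("INSERT INTO users VALUES (?, ?)", (DEFAULT_USER, hash_password(password)))
    return DEFAULT_USER, password


def login_hardened(conn: sqlite3.Connection, username: str, password: str):
    """Parameterized lookup plus constant-time hash check. A missing table is
    treated as an integrity incident: deny the login, never re-seed."""
    try:
        row = conn.execute(
            "SELECT username, password FROM users WHERE username = ?", (username,)
        ).fetchone()
    except sqlite3.OperationalError:
        return None
    if row and verify_password(password, row[1]):
        return row[0]
    return None


if __name__ == "__main__":
    conn = new_db()
    print("bypass:", login_vulnerable(conn, "admin' -- ", "anything"))
    conn.execute("DROP TABLE users")          # stands in for a destructive injection
    print("after drop:", login_vulnerable(conn, DEFAULT_USER, DEFAULT_PASSWORD))
    hardened = new_db()
    user, pw = bootstrap_hardened(hardened)
    print("hardened bypass:", login_hardened(hardened, "admin' -- ", "anything"))
    print("hardened real:", login_hardened(hardened, user, pw))
```

In the hardened version the parameter placeholders mean the payload `admin' -- ` is compared as a literal username and matches nothing, and the only way to obtain credentials after the table is gone is an operator re-running the bootstrap, which is the monitoring trigger the third recommendation asks for rather than something the request path does on its own.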
Finding 4: Server-Side Template Injection (Twig) Leading to Remote Code Execution
Risk Level: Critical
Description
User input submitted through the profile update functionality was passed to the Twig template engine as part of the template source rather than as a template variable, so any Twig expression supplied by the user was evaluated by the engine.
Successful exploitation escalated from expression evaluation to command execution on the underlying server.
Impact
The vulnerability resulted in Remote Code Execution (RCE), allowing full system compromise. An attacker could execute arbitrary commands, establish persistence, and exfiltrate sensitive data.
Recommendation
Never render user-controlled input as template source; pass it to a fixed template as data only.
Use strict server-side input validation and output encoding appropriate to the rendering context.
Enable the template engine's sandbox extension as defence in depth, not as the primary control.
Implement security code review practices.
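The difference between the vulnerable pattern and the fix is that user input must reach the engine as a variable, never as template text. The Python below is an added example, not code from the Injectics lab or TryHackMe, and it uses Jinja2 as a stand-in for Twig, because Twig's expression syntax is modelled on Jinja and the Python verifier can run it; the Twig-specific fix is the same in shape (`render()` with variables instead of building the template string from the request). The profile template text and the payloads are assumptions for the demonstration. The block also shows why the sandbox is defence in depth rather than the fix: it refuses the attribute-walking payload but still evaluates the standard `{{ 7*7 }}` probe.

```python
"""Added example (not the lab's code): server-side template injection shown with
Jinja2 as a stand-in for Twig: the vulnerable pattern, the real fix, and the sandbox."""
from jinja2 import Environment
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

# Assumed profile template for the demonstration; the lab's real template is not reproduced.
PROFILE_TEMPLATE = "Welcome back, {{ name }}!"


def render_profile_vulnerable(display_name: str) -> str:
    """Builds the template *source* from user input, so the engine evaluates
    whatever expressions the user supplied."""
    env = Environment(autoescape=True)
    return env.from_string(f"Welcome back, {display_name}!").render()


def render_profile_safe(display_name: str) -> str:
    """Fixed template source; user input is passed as data and is never parsed."""
    env = Environment(autoescape=True)
    return env.from_string(PROFILE_TEMPLATE).render(name=display_name)


def render_profile_sandboxed(display_name: str):
    """Still the vulnerable pattern, but under the sandbox: attribute-walking
    payloads are refused (returns None), while harmless expressions still
    evaluate, which is why the sandbox is defence in depth, not the fix."""
    env = SandboxedEnvironment(autoescape=True)
    try:
        return env.from_string(f"Welcome back, {display_name}!").render()
    except SecurityError:
        return None


if __name__ == "__main__":
    probe = "{{ 7*7 }}"                     # the usual first SSTI check: does 49 come back?
    walk = "{{ ''.__class__.__mro__[1].__subclasses__() }}"   # class-walk payload
    print("vulnerable :", render_profile_vulnerable(probe))
    print("safe       :", render_profile_safe(probe))
    print("sandboxed  :", render_profile_sandboxed(probe))
    print("sandboxed walk blocked:", render_profile_sandboxed(walk) is None)
```

The first thing a tester does against a suspected template sink is exactly the `{{ 7*7 }}` probe: if the response contains `49`, the input was parsed as template source. The safe renderer returns the braces untouched because `name` is only ever substituted as a value.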
While individual vulnerabilities varied in severity, their combination resulted in full application and system compromise.
The presence of both authentication bypass and Remote Code Execution significantly increases organizational risk. In a production environment, exploitation could lead to data breach, service disruption, and reputational damage.
This assessment demonstrates how several individually serious vulnerabilities can be chained into a critical-impact scenario: authentication bypass gave database access, database manipulation yielded predictable credentials, and administrative access reached the template injection that produced code execution.
Proper input validation, secure coding practices, access control mechanisms, and secure log handling are essential to prevent similar exploitation paths in production environments.