The Door is a fun, CTF-style medium difficulty machine. It helps you think outside the box. The Door is available on VulNyx.
Enumeration
Network Enumeration
The first step is the enumeration of the box, to find possible attack vectors. As usual, we start with an nmap scan to see which ports are open on the machine:

There is an FTP server which seems to have anonymous login enabled, SSH access, and two websites: one on port 80 and another on the unusual port 789.
FTP Enumeration
We start with the FTP server and find an email.txt file as well as an empty quarantine directory:

The email mentions a non-standard port for the web server, and that the numbers always matter — this might be a hint.
Web Enumeration
We then enumerate the website on port 80 :

Using dirsearch, we find a suspicious /secret endpoint:
dirsearch -u http:
This seems to lead nowhere …

It seems there is nothing useful on port 80, so we move to port 789, where the landing endpoint is /door01.

We start by doing a web directory search :

The only endpoint found is /uploads, which we are not authorized to access.
Door Discovery
Accessing the web service on port 789 reveals an initial endpoint: `/door01`.
The page displays the following hint:
“The doors are many, but only one opens.”
This suggests the presence of multiple numbered endpoints.
Manual testing confirms that `/door05` exists, returning a valid HTTP 200 response.

To enumerate all candidate doors efficiently, we use a simple Bash script that requests /door1/ through /door1000/ and reports the ones answering HTTP 200. Note that the names seen so far (/door01, /door05) carry a leading zero while the script requests unpadded names, so adjust the pattern if only the padded form answers.
#!/bin/bash
# Probe /door1/ .. /door1000/ on the target and print those that return 200.
BASE_URL="http://192.168.1.13:789"
for i in $(seq 1 1000); do
    URL="$BASE_URL/door$i/"
    # -s: quiet, -o /dev/null: discard body, -w: print only the status code
    CODE=$(curl -s -o /dev/null -w "%{http_code}" "$URL")
    if [ "$CODE" = "200" ]; then
        echo "[+] 200 OK -> $URL"
    fi
done
This script identifies three valid endpoints.

Two of them return the same decoy page as `/door05`.
The third endpoint, however, exposes an authentication form, indicating a potential attack surface.

SQL Injection
We access the authentication form, play around a bit, and find that it is vulnerable to SQL injection:

After authenticating, we land on the /door7890opened/ endpoint, where we find the first part of the flag!
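The writeup does not show the form's query or the payload used. As an added example (not the machine's code), the following shows the shape of login logic that a classic string such as ' OR 1=1 -- defeats, beside the parameterized version that does not. The users table, its single row and the column names are constructed for the demonstration:

```python
import sqlite3

# Added example, not the target application's code. The table, the row and
# the column names are constructed assumptions for the demonstration.


def make_db() -> sqlite3.Connection:
    """In-memory database with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('doorkeeper', 'S3cret!')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Builds the WHERE clause by string interpolation: whatever the user
    types becomes part of the SQL, so a quote closes the literal and the
    rest of the input is parsed as SQL."""
    query = (
        "SELECT COUNT(*) FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchone()[0] > 0


def login_fixed(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Same query with bound parameters: the input is always data, never SQL."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0
```

With the username ' OR 1=1 -- the vulnerable query becomes WHERE username = '' OR 1=1 --' AND password = '...', the comment swallows the password check, and the count is non-zero for any password; the parameterized version compares the literal string and fails. (Plaintext password storage is kept only to keep the example short; it is a separate flaw.)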

IDOR & Filter Bypass
When clicking on the button, we get to the endpoint /door7890opened/homes/ :

Clicking on any of the pictures will change the parameter id on top, e.g door7890opened/homes/?id=1 for the Beach Paradise picture :

This suggests an IDOR vulnerability, so we manually test some values. For any id other than 1 to 5 and 10, we get this page:

However, for id=10, it says that we are not authorized to access it; that is interesting!

We try different bypasses, and the one that works is URL double encoding:
door7890opened/homes/?id=%2531%2530
%2531%2530 decodes once to %31%30 and a second time to 10, so the check that blocks id=10 presumably sees the still-encoded value and lets it through, while the application decodes it again before use. We then get to a secret door, where another fragment of the flag is given!
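The server-side logic is not shown in the writeup. As an added example (not the machine's code), the following models an authorization check that compares the once-decoded id against a deny-list and then decodes it again before use, beside a version that canonicalizes the id before authorizing. Which id is protected and the exact shape of the check are assumptions:

```python
from urllib.parse import unquote

# Added example, not the target's application code. It models the behaviour
# observed on /door7890opened/homes/?id=...: the web server percent-decodes
# the query string once, the authorization check runs on that value, and the
# application then decodes it a second time before use. The protected id and
# the shape of the check are assumptions.
PROTECTED_IDS = {"10"}                      # assumption: id=10 is the secret door
PUBLIC_IDS = {"1", "2", "3", "4", "5"}      # the five gallery pictures


def server_decode(query_value: str) -> str:
    """The single percent-decoding a web server applies to a query value."""
    return unquote(query_value)


def vulnerable_homes(query_value: str) -> str:
    """Authorize on the once-decoded value, then decode again (the bug)."""
    value = server_decode(query_value)      # "%2531%2530" -> "%31%30"
    if value in PROTECTED_IDS:              # "%31%30" != "10": the check passes
        return "403 not authorized"
    value = unquote(value)                  # second decode: "%31%30" -> "10"
    if value in PROTECTED_IDS:
        return "200 secret door"
    if value in PUBLIC_IDS:
        return "200 home " + value
    return "404 no such home"


def hardened_homes(query_value: str, authorized: bool = False) -> str:
    """Canonicalize first, then authorize on the canonical value only."""
    value = server_decode(query_value)
    # An id is a plain integer; anything else, including a still-encoded
    # "%31%30", is rejected before any authorization decision is made.
    if not (value.isascii() and value.isdigit()):
        return "400 bad id"
    if value in PROTECTED_IDS:
        return "200 secret door" if authorized else "403 not authorized"
    if value in PUBLIC_IDS:
        return "200 home " + value
    return "404 no such home"
```

The general rule the hardened version follows: decode exactly once (the web server already did it), reject anything that is not in the parameter's canonical form, and only then compare against the access-control list, so no later transformation can change what was authorized.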

File Upload → RCE
Following the upload button, we get to a page where we can upload our favourite door. The upload only accepts files with an image extension:

We then upload a PHP reverse shell with the extension .php.jpg, and the upload works:
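The application's upload handler is not shown in the writeup. As an added example (not the machine's code), the following contrasts an extension check that lets shell.php.jpg through with a stricter one that keeps only the final extension, checks the content's leading bytes against it, and stores the file under a server-chosen random name. The allow-list, the magic-byte table and the naming scheme are assumptions:

```python
import os
import secrets

# Added example, not the target's upload handler. The allow-list, the
# magic-byte table and the random storage name are assumptions.
ALLOWED = {"jpg", "jpeg", "png", "gif"}
# Leading bytes of the allowed image types (constructed table).
MAGIC = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def accept_vulnerable(filename: str) -> bool:
    """Accept when the name ends with an allowed extension.
    "shell.php.jpg" ends with ".jpg", so it passes."""
    lowered = filename.lower()
    return any(lowered.endswith("." + ext) for ext in ALLOWED)


def accept_hardened(filename: str, data: bytes):
    """Return the name to store the file under, or None to reject."""
    base = os.path.basename(filename)       # drop any path component
    if "." not in base:
        return None
    ext = base.rsplit(".", 1)[1].lower()    # only the final extension counts
    if ext == "jpeg":
        ext = "jpg"
    if ext not in ALLOWED:
        return None
    # The bytes must look like the image type the extension claims.
    sniffed = next((kind for magic, kind in MAGIC.items() if data.startswith(magic)), None)
    if sniffed != ext:
        return None
    # Random server-chosen name: the client's name (and any ".php" in it)
    # never reaches disk, and the extension is the one that was verified.
    return secrets.token_hex(16) + "." + ext
```

The magic-byte check stops a plain PHP file, but a polyglot with a valid JPEG header and PHP in a comment would pass it, so the decisive control is that nothing in the upload directory is ever executed by the web server (and, on this box, that the directory is not mirrored onto anonymous FTP).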

We set up a netcat listener on our machine:
nc -nlvp 1234
We try to reach our script through the /uploads endpoint found earlier, but to no avail; then we remember that the FTP server contained a quarantine folder, so we check it again:

And we find a file, most likely our PHP reverse shell under a hashed name! We request it through the /uploads endpoint and get a reverse shell as the apache user!

Privilege escalation
apache → dooruser
Our objective is to escalate privileges from the apache user to dooruser.
During filesystem enumeration, we discover the script /opt/move_uploads.sh, which is executed every two minutes by a cron job. This can be confirmed either by monitoring processes with pspy64 or by observing that files uploaded through the web application are automatically copied to the FTP server.
#!/bin/sh
UPLOAD_DIR="/var/www/thedoor/uploads"
FTP_DIR="/var/ftp/quarantine"
for file in "$UPLOAD_DIR"/*; do
    # [ -f ] follows symlinks, so a link to a regular file passes this test
    if [ -f "$file" ]; then
        filename=$(basename "$file")
        # cp dereferences the link and copies the target's contents
        cp "$file" "$FTP_DIR/$filename"
        chmod 644 "$FTP_DIR/$filename"
    fi
done
The critical issue in this script is that it blindly copies every entry of a web-writable directory and makes the copy world-readable on the anonymous FTP server. Because [ -f ] and cp both follow symbolic links by default, a link placed in the uploads directory results in a copy of the link target's contents, read with whatever privileges the cron job runs with. This behaviour can be abused.
Referring back to the hint in the FTP email mentioning SSH keys, we attempt a symlink attack by creating a symbolic link to dooruser's private SSH key inside the uploads directory:
ln -s /home/dooruser/.ssh/id_rsa /var/www/thedoor/uploads/evil
After waiting for the cron job to run, the evil file appears in the FTP quarantine directory. Inspecting its contents confirms that it contains dooruser's private SSH key.
Using this key, we authenticate via SSH as dooruser, successfully escalating our privileges.
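To see exactly what goes wrong in /opt/move_uploads.sh and what a safe copy looks like, here is an added example (not the machine's script) that rebuilds the scenario in a temporary directory: a planted symlink named evil pointing at a constructed id_rsa, a copy routine that mirrors the cron job's behaviour, and a hardened routine that refuses symlinks and hard links and opens the source with O_NOFOLLOW. All paths, file names and the key contents are constructed:

```python
import os
import shutil
import stat
import tempfile

# Added example, not the machine's /opt/move_uploads.sh. It rebuilds the
# scenario under a temporary directory: all paths, file names and the
# "private key" are constructed for the demonstration.


def vulnerable_move(upload_dir: str, ftp_dir: str) -> list:
    """Same logic as the cron script: copy each file, then chmod 644.
    os.path.isfile() is true for a symlink to a regular file (like sh's
    [ -f ]) and shutil.copyfile() follows symlinks (like plain cp), so a
    link planted in upload_dir copies the contents of whatever it targets."""
    copied = []
    for name in sorted(os.listdir(upload_dir)):
        src = os.path.join(upload_dir, name)
        if os.path.isfile(src):
            dst = os.path.join(ftp_dir, name)
            shutil.copyfile(src, dst)
            os.chmod(dst, 0o644)
            copied.append(name)
    return copied


def hardened_move(upload_dir: str, ftp_dir: str) -> list:
    """Copy only plain regular files: no symlinks, no hard links, and open
    the source with O_NOFOLLOW so a link swapped in after the lstat check
    is still refused."""
    copied = []
    nofollow = getattr(os, "O_NOFOLLOW", 0)
    for name in sorted(os.listdir(upload_dir)):
        src = os.path.join(upload_dir, name)
        st = os.lstat(src)                      # lstat: do not follow links
        if not stat.S_ISREG(st.st_mode):        # symlinks, dirs, fifos: skip
            continue
        if st.st_nlink > 1:                     # hard link to a file elsewhere: skip
            continue
        try:
            fd = os.open(src, os.O_RDONLY | nofollow)
        except OSError:                         # became a symlink after lstat
            continue
        with os.fdopen(fd, "rb") as f:
            data = f.read()
        dst = os.path.join(ftp_dir, name)
        with open(dst, "wb") as out:
            out.write(data)
        os.chmod(dst, 0o644)
        copied.append(name)
    return copied


def demo() -> dict:
    """Plant the symlink, run both routines and report what reached 'FTP'."""
    root = tempfile.mkdtemp()
    ssh_dir = os.path.join(root, "home", "dooruser", ".ssh")
    uploads = os.path.join(root, "uploads")
    ftp_vuln = os.path.join(root, "quarantine_vulnerable")
    ftp_safe = os.path.join(root, "quarantine_hardened")
    for d in (ssh_dir, uploads, ftp_vuln, ftp_safe):
        os.makedirs(d)
    key = os.path.join(ssh_dir, "id_rsa")
    with open(key, "w") as f:                   # constructed placeholder, not a real key
        f.write("-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed\n")
    os.chmod(key, 0o600)
    with open(os.path.join(uploads, "door.jpg"), "wb") as f:
        f.write(b"\xff\xd8\xff")                # a legitimate upload
    os.symlink(key, os.path.join(uploads, "evil"))   # the attacker's ln -s
    result = {
        "vulnerable": vulnerable_move(uploads, ftp_vuln),
        "hardened": hardened_move(uploads, ftp_safe),
    }
    with open(os.path.join(ftp_vuln, "evil")) as f:
        result["key_leaked"] = f.read().startswith("-----BEGIN OPENSSH")
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    print(demo())
```

Running demo() shows evil landing in the vulnerable quarantine with the key's contents and being skipped by the hardened routine. Refusing links is only the narrow fix; on this box the broader ones are not running the job as a user that can read other users' home directories and not exposing uploaded content over anonymous FTP at all.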

And we get the final part of the user flag !

dooruser → root
Becoming root and grabbing the root flag is then really easy :

Conclusion
This machine demonstrates how small misconfigurations can be chained together: weak input validation, insecure file handling, and unsafe cron jobs.
The challenge encourages thinking outside the box while reinforcing real-world web exploitation and privilege escalation techniques.