WEBVERSE


Medium · Command Injection · Pro

ScanPortal

ScanPortal runs nmap safely — but every target you submit gets written raw to a log file, and the Scan Logs search feature is a different story.

The Scenario

ScanPortal is an attack surface management platform for SMBs. The developer recently hardened the nmap call after a code review flagged it. What they missed is that every submitted target is also appended verbatim to a shared scan log, and the customer-facing log search runs grep on that file with the user's pattern dropped straight into a shell command.

Challenge Intel

Synopsis

A scanner that fixed its nmap call but left the log search wide open — the obvious injection point is a dead end.

What It Is

ScanPortal's nmap call was hardened to use a subprocess argument list, so injecting into the target field does nothing. However, every submitted target is appended raw to a shared scan log, and the Scan Logs feature runs grep with the user's search pattern interpolated directly into a shell command via shell=True. The path to the flag runs through the log search, not the scan form.
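The two code paths described above, side by side, as an added example (not ScanPortal's own code). The function names, the exact grep command line, the length limit and the sample log lines are assumptions made for illustration.

```python
import subprocess
import tempfile

MAX_PATTERN_LEN = 200  # assumed limit, not taken from the challenge


def search_logs_unsafe(pattern: str, log_path: str) -> str:
    """The flaw described above: the pattern becomes part of a shell command line."""
    cmd = f"grep {pattern} {log_path}"  # assumed command shape
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def search_logs(pattern: str, log_path: str) -> list[str]:
    """Hardened search: no shell, and the pattern is one literal argument."""
    if not pattern or len(pattern) > MAX_PATTERN_LEN:
        raise ValueError("pattern must be 1..200 characters")
    if "\n" in pattern or "\x00" in pattern:
        # grep -F treats each line as a separate pattern; NUL cannot go in argv.
        raise ValueError("pattern contains a forbidden control character")
    proc = subprocess.run(
        # -F: fixed string, not a regex. -e: the next argument is the pattern
        # even if it starts with '-'. --: what follows is a file name only.
        ["grep", "-F", "-e", pattern, "--", log_path],
        capture_output=True, text=True, timeout=5,
    )
    if proc.returncode not in (0, 1):  # 0 = matches, 1 = no match, 2+ = error
        raise RuntimeError(f"grep failed: {proc.stderr.strip()}")
    return proc.stdout.splitlines()


if __name__ == "__main__":
    # Constructed log lines standing in for the shared scan log.
    with tempfile.NamedTemporaryFile("w", suffix=".log", delete=False) as fh:
        fh.write("2024-01-01 target=10.0.0.5\n")
        fh.write("2024-01-01 target=host.example;note|x\n")
    # Shell metacharacters are matched as plain text, never interpreted.
    print(search_logs("host.example;note|x", fh.name))
    # A leading dash is a pattern, not a grep option.
    print(search_logs("-v", fh.name))
```

Because the log holds targets exactly as submitted, the returned lines are still untrusted data and should be HTML-escaped before they are rendered in the search results page.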

Who It's For

Players who are comfortable with basic command injection and want to practise recognising that a partial fix leaves other surfaces exposed. You should know how to test for injection before starting.

Skills You'll Practice

  • Reconnaissance — mapping all features of an app before exploiting
  • Recognising a hardened injection point vs an unprotected one
  • grep pattern injection via shell=True
  • Reading command output reflected in a web UI

What You'll Gain

  • Experience testing multiple injection surfaces rather than stopping at the first dead end
  • Understanding that fixing one code path doesn't make an app safe
  • A grep-pattern injection technique applicable to log viewers, search tools, and audit UIs
