WEBVERSE

Nolic
easy · Pro

Nolic is a self-hosted writing blog by Wren Aldis — a Lisbon-based writer covering systems design, typography, and the slow web.

recon-robots-txt, directory-listing, info-disclosure, sha256-cracking, weak-password-hashing, ssti-smarty, php-rce
php, apache, smarty, sqlite

The Scenario

Nolic is the long-form writing home of Wren Aldis, a Lisbon-based writer covering systems design, typography, and the slow web. The site runs on Wren's own self-hosted PHP stack — no analytics, no comments, no growth-hacking widgets. Just essays.

Last week a draft post that Wren had not yet published appeared edited and live overnight under their own admin account. They have no idea how someone reached the admin panel. You've been brought in to find out — start at the public site as an anonymous reader and trace the path an attacker would have taken.

Lab Intel

Synopsis

Nolic have asked you to investigate a draft post that appeared published overnight under the admin account. The blog is single-admin (no public sign-up) and the only path in is through the login form — your job is to determine how an attacker could have authenticated.

Architecture

An easy-rated single-service lab simulating a self-hosted writing blog built on PHP, Apache, Smarty 3.1, and SQLite. The five-step chain teaches the bug-bounty staple of robots.txt → directory-listing → DB backup, then escalates through SHA-256 password cracking into a Smarty template-engine SSTI for RCE. It's the only lab in the catalog that features a Smarty-specific server-side template injection.

Who It's For

Beginners who have completed a recon-style lab or two and want to chain offline password cracking into a server-side template injection. You should have hashcat (or john) available and be comfortable inspecting HTTP responses.

Skills You'll Practice

  • HTTP request inspection (browser dev tools or Burp Suite)
  • Reading and querying SQL dump files in a text editor
  • Running hashcat or john with rockyou.txt against a SHA-256 hash
  • Understanding the difference between client-side and server-side template engines

What You'll Gain

  • robots.txt-driven recon and path discovery
  • Directory-listing exploitation
  • Offline password hash cracking against weakly hashed credentials
  • Smarty SSTI payload crafting (eval + php blocks)
  • Multi-stage chain: recon → cred recovery → authenticated → RCE
