Abusing HTTP misconfigurations

I am trying to solve the first modules about Abusing HTTP Misconfigurations. But the first one is very difficult, and I solved it, I think luckily, because I use the same payload; even though I have changed it a bit, it can’t get the flag for the second time.

I DM’d you. I am working on this module as well.

I’ve everything except “Bypassing Flawed Validation” which I am stuck on.

Have a look at your /etc/hosts file and maybe you can find another solution for localhost…

Likely the only single one I didn’t try. Thx 🙂

When I find the first flag for the fat GET, is the other one for cloaks on the same server?

Has anyone done the easy skills assessment? I’ve been trying to solve it for about a week with no luck. I even made a Python script which tried every configuration of reset, registration, login etc. No luck.

Yeah, it will be the same IP, and you specify it in the hosts file.

You will need to attempt to access the Admin area with the provided credentials. You will need to have two tabs open. Then you can test the forms found at login (in the second tab) to determine which will get you admin area access.

Don’t overthink it and it can be done with two browser tabs open.

Oh man, were you ever right. I overthought that so hard. Thank you!

I am trying this module as well, and I am stuck with two exercises left: Advanced Cache Poisoning Techniques and Skill Assessment - Hard.

In both cases, there seems to be something I don’t control. In the former, I think I have the correct poisoning payload, but the website is escaping all the XSS characters, so I am able to poison the cache, but the XSS payload is escaped.

In the latter, I am able to inject the XSS in cache, but none of my tries to have the admin exfiltrate data to interactsh.local work. The override headers don’t seem to work in this case.

It will be the same IP, and you specify it in the hosts file.

On the hard assessment you might want to create a list of every page/unique URL (including logged in) as you might need to skip a step somewhere to get further access. Two browser tabs is all you need as well.