Can anyone share some hints on the skills assessment for the Server-Side attacks module? I know the attack surface is pretty small, but I can’t for the life of me find an injection point based on the module content.
So I did that common thing where you post a question after hours of frustration and then 20 min later find the answer. In my defense, the solution is very silly and, in my opinion, doesn’t really test you on the module’s content. It feels more like a low grade CTF problem. For anyone else stuck, I would point you to the .js file with the nondescript name. Poke around in that and the flag is a dead giveaway from there.
Haha! If I remember correctly, I had a similar experience.
Thanks, really. I had a feeling this module’s skills assessment would be off and went here after just 20 mins.
Wow… this box is tricky. ‘’-.-‘’
I use common SSTI payloads when I register and login. I post a message and fuzz both tittle and content with payloads but doesn’t inject nothing. Anyone could help? thx
Always analyze HTML for some strange things…
Fuzz the website directories. Check the .js file. Answer is in there.
I agree I felt that challenge didn’t really test any of the learned skills. Strange.
i’m ashamed to admit this but it took me a bit to figure this one out.
I found the js file pretty quickly.
Noticed it was a path with a parameter.
but then nothing i did would work.
So i just started trying random things using some of the steps in the module and finally got it,
But honestly HTB…how were we supposed to know to do that there considering what was in he module!!!
hi, i got the js file, its decode base 64 and gives me an inverted url, but i dont know where and how put this, could you give me a hint, thanks a lot firiends
SSRF Exploitation Example chapter might help you.
I mean. This was technically one of the things covered, but they kind of just give you the answer…
thanks a lot!
Haha yeah got it. Well more a CTF style challenge with thinking out of the box and the apply what you went through in the beginning of module. Must admit I all crazy in the app - UNTIL I read the question again then it all made more sense
So read the question carefully it will get you in the right direction. And remember it is always good to do basic inspection of the web application in burp or web developer tools.
Ok, I’ve read through all the comments, and I’m either still over-thinking this or maybe the Skills Assessment has been updated. Can someone give me a hint or DM please?
(I’ve inspected the web app using the web dev tools. It almost looks like there’s something in the directory, /static/jquery.js. I’ve tried deobfuscating the three different variables listed (x,y, and z). I also viewed the page source (Ctrl + U).
Update: I feel like I’m getting somewhere with those variables. I base64 decoded everything and reversed it, but I’m still not getting the flag. I’ve tried putting those decoded messages in the url. Can someone help?