Academy Server-Side Attacks - Skills Assessment

Can anyone share some hints on the skills assessment for the Server-Side attacks module? I know the attack surface is pretty small, but I can’t for the life of me find an injection point based on the module content.

1 Like

So I did that common thing where you post a question after hours of frustration and then 20 min later find the answer. In my defense, the solution is very silly and, in my opinion, doesn’t really test you on the module’s content. It feels more like a low-grade CTF problem. For anyone else stuck, I would point you to the .js file with the nondescript name. Poke around in that and the flag is a dead giveaway from there.

4 Likes

Haha! If I remember correctly, I had a similar experience.

Thanks, really. I had a feeling this module’s skills assessment would be off and went here after just 20 mins.

I really wish HTB spent some more time on the academy module questions. There are too many questions that are unrelated or poorly framed. Javascript obfuscation isn’t even part of this module and was too simplistic to have any purpose.

Wow… this box is tricky. ‘’-.-‘’

I use common SSTI payloads when I register and log in. I post a message and fuzz both title and content with payloads, but it doesn’t inject anything. Could anyone help? Thx

Always analyze HTML for some strange things…

Gotta say this was kind of a lame skills assessment. As ribit said, JavaScript deobfuscation isn’t part of the module, and it’s supremely simple deobfuscation at that. And once you crack it, the answer is right there. Feels more like an entry-level JavaScript box than a Server-Side Attacks box.

Fuzz the website directories. Check the .js file. Answer is in there.

I agree, I felt that challenge didn’t really test any of the learned skills. Strange.