Academy Server-Side Attacks - Skills Assessment

Can anyone share some hints on the skills assessment for the Server-Side attacks module? I know the attack surface is pretty small, but I can’t for the life of me find an injection point based on the module content.

1 Like

So I did that common thing where you post a question after hours of frustration and then 20 min later find the answer. In my defense, the solution is very silly and, in my opinion, doesn’t really test you on the module’s content. It feels more like a low grade CTF problem. For anyone else stuck, I would point you to the .js file with the nondescript name. Poke around in that and the flag is a dead giveaway from there.

8 Likes

Haha! If I remember correctly, I had a similar experience.

Wow… this box is tricky. ‘’-.-‘’

1 Like

I use common SSTI payloads when I register and log in. I post a message and fuzz both title and content with payloads, but nothing gets injected. Could anyone help? Thx

Always analyze HTML for some strange things…

Gotta say this was kind of a lame skills assessment. As ribit said, JavaScript deobfuscation isn’t part of the module, and it’s supremely simple deobfuscation at that. And once you crack it, the answer is right there. Feels more like an entry-level JavaScript box than a Server-Side Attacks box.

Fuzz the website directories. Check the .js file. Answer is in there.

I agree, I felt that challenge didn’t really test any of the learned skills. Strange.

I’m ashamed to admit this, but it took me a bit to figure this one out.
I found the JS file pretty quickly.
Noticed it was a path with a parameter.
But then nothing I did would work.
So I just started trying random things using some of the steps in the module and finally got it.

But honestly HTB… how were we supposed to know to do that there considering what was in the module!!!

2 Likes

Hi, I got the JS file; it decodes from base64 and gives me an inverted URL, but I don’t know where and how to put this. Could you give me a hint? Thanks a lot, friends.

The SSRF Exploitation Example chapter might help you.

I mean. This was technically one of the things covered, but they kind of just give you the answer…

1 Like

thanks a lot!

Haha yeah, got it. Well, more a CTF-style challenge with thinking out of the box and then applying what you went through in the beginning of the module. Must admit I went all crazy in the app - UNTIL I read the question again, then it all made more sense :rofl:

So read the question carefully; it will get you in the right direction. And remember, it is always good to do basic inspection of the web application in Burp or web developer tools.

Ok, I’ve read through all the comments, and I’m either still over-thinking this or maybe the Skills Assessment has been updated. Can someone give me a hint or DM please?

(I’ve inspected the web app using the web dev tools. It almost looks like there’s something in the directory, /static/jquery.js. I’ve tried deobfuscating the three different variables listed (x, y, and z). I also viewed the page source (Ctrl + U).)

Update: I feel like I’m getting somewhere with those variables. I base64 decoded everything and reversed it, but I’m still not getting the flag. I’ve tried putting those decoded messages in the URL. Can someone help?

If you have decoded and reversed the variables inside /static/jquery.js, you should be able to see the string “Are You Sure?” Right?! Now just try to change the file name :wink:

5 Likes

Thank you. I ended up getting it when I went back the next day; I forgot to update it here. Appreciate you following up!

1 Like

Will you please give some hints? I am unable to find the flag. I got the JS file at /static/jquery.js.

I finally got the flag! I’ve seen comments that you can get the flag from the JS file and that we did not apply what we learned in this module. I look at it a different way: you can take the encoded and reversed strings from the JS file as hints and apply what you have learned in the SSRF Exploitation Example to get the flag.

1 Like