Academy Server-Side Attacks - Skills Assessment

I didn’t expect it either.

BTW ‘window.location.host’ needs to be replaced by the target’s IP, took me too long to figure that out

2 Likes

Yes, this is the first skill assessment of all time, which seemed to me a little strange and stands out from the rest of the assessments.

Guys, who passed this module, I still have a question from the section - “SSTI Exploitation Example 3”
I passed it through - tplmap, but couldn’t beat it through a self-contained payload.
I’ve tried a bunch of different options, tried encoding and decoding, and using all sorts of tricks.
But not one did not work.
Please tell me how to modify the script correctly so that it works.
I will be very grateful for your help.

Did you managed to do it ? Can you share how your payload looks like ?

Nop, alas, I couldn’t beat it.
I can send my attempts at manual payload to the pm.

DM if you are still interested in the example 3 script.

That was funny. Took me a while to figure out the SSTI wasn’t involved in it. :sweat_smile:

This whole challenge doesn’t make sense at all, not related to the module

This was a silly skill assessment - very ctf-like and not realistic.

Here are some hints for future people stuck on this:

  1. Check the source code for a .js file.
  2. Execute one of the functions in developer options and look at the network tab
  3. Use one of the server-side attacks taught in the module to exploit it (don’t overthink it)