Academy Web Attacks Skills Assessment

Hi all, could someone please give me a nudge on this? I'm starting
to not see the wood for the trees. I've found the 100 users and also found a user that I think I need to escalate privs to.

I log in as htb-student, then go to the "Change your Password" page, where
I get a GET request followed by a POST request. I'm pretty sure this is
where some tweakery needs to be done, but I just can't figure it out. I note
that in the POST request there is a token, and when I browse to a certain
URL I can get a token for the user I need to change the password for.

Any help much appreciated

As usual, please ignore, now solved this

1 Like
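For anyone reading this thread from the defender's side: the flaw described above (a password-change handler that accepts the target account and token from the request body, plus an endpoint that hands out other users' tokens) is an IDOR pattern. The following is an added example, not the lab's code, showing that weak handler next to a hardened one. Everything in it (the `USERS` and `TOKENS` stores, the `change_password_*` functions, the `"0"`/`"1"` return codes mirroring the API answers mentioned later in the thread) is constructed for illustration; the password "hashes" are plain placeholders.

```python
"""Added example (not HTB's lab code): a password-change endpoint with the
IDOR-style weak handler beside a hardened version."""
import hmac
import secrets
import time

# Constructed sample accounts (placeholders, not the lab's data).
USERS = {
    1: {"username": "htb-student", "password": "old-pass-1", "role": "user"},
    2: {"username": "admin-account", "password": "old-pass-2", "role": "admin"},
}

# Reset tokens keyed by uid: uid -> (token, expiry_epoch). Filled by issue_reset_token().
TOKENS = {}
TOKEN_TTL = 600  # seconds a token stays valid


def issue_reset_token(uid, now=None):
    """Mint a random, time-limited token bound to one uid. It must only ever be
    delivered to that user; an API that lets another session read it defeats
    every check in the hardened handler below."""
    token = secrets.token_urlsafe(32)
    TOKENS[uid] = (token, (now if now is not None else time.time()) + TOKEN_TTL)
    return token


def change_password_weak(session_uid, post):
    """Weak handler (the IDOR pattern): the account to modify comes from the POST
    body and the session identity is never consulted, so any logged-in session
    holding a valid token for uid N can reset uid N's password."""
    target = int(post["uid"])
    entry = TOKENS.get(target)
    if entry is None or entry[0] != post["token"]:
        return "0"
    USERS[target]["password"] = post["password"]
    return "1"


def change_password_hardened(session_uid, post, now=None):
    """Hardened handler: the target is the session user, the token must be the one
    issued to that same user, unexpired and single-use, comparisons are constant
    time, and the current password is re-verified before anything changes."""
    now = now if now is not None else time.time()
    target = session_uid  # never trust a uid supplied by the client
    user = USERS.get(target)
    entry = TOKENS.get(target)
    if user is None or entry is None:
        return "0"
    token, expiry = entry
    if now > expiry or not hmac.compare_digest(token, post.get("token", "")):
        return "0"
    # Placeholder stands in for a real password-hash verification.
    if not hmac.compare_digest(user["password"], post.get("current_password", "")):
        return "0"
    del TOKENS[target]  # single use: a replayed token must fail
    user["password"] = post["password"]
    return "1"


def demo_cross_user():
    """Session of uid 1 presents a token that was issued to uid 2.
    Returns (weak_result, hardened_result, admin_password_afterwards)."""
    USERS[2]["password"] = "old-pass-2"
    leaked = issue_reset_token(2)
    cross = {"uid": "2", "token": leaked, "password": "not-the-admins-choice"}
    weak = change_password_weak(session_uid=1, post=cross)
    USERS[2]["password"] = "old-pass-2"  # reset before trying the hardened path
    hard = change_password_hardened(session_uid=1, post=cross)
    return weak, hard, USERS[2]["password"]


def demo_legitimate(now=1000.0):
    """uid 1 changes its own password with its own token, then replays the token.
    Returns (first_attempt, replay_attempt)."""
    token = issue_reset_token(1, now=now)
    post = {"token": token, "current_password": USERS[1]["password"],
            "password": "new-pass-1"}
    first = change_password_hardened(1, post, now=now + 1)
    replay = change_password_hardened(1, post, now=now + 1)
    return first, replay


if __name__ == "__main__":
    print("cross-user:", demo_cross_user())
    print("legitimate:", demo_legitimate())
```

The structural fix is that the hardened handler looks tokens up by the session's uid rather than by whatever uid or token the client sends, so a token belonging to someone else can never match; expiry, single use and the current-password check are defence in depth on top of that.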

I'm stuck at the first panel, after the login.
I don't know what to do,
really.

@onthesauce

your usual here lol

OK, so I can enumerate, I can change every user's password, but can't seem to figure out who is admin.

Ran it through Burp Intruder to log in and inspected packet/page size to see if that might tell me based on size difference. All looks the same (mind you, I enabled Intruder to follow redirections, not sure if that has anything to do with it).

I think you mentioned calendar functionality; do I need to log into each of the other 99 fellows manually and inspect?

Need a nudge here.

Gosh, I swear I think finding the answers is me reaching out to @onthesauce. It was staring right at me. What the heck lol

I searched all the data for that elevated keyword, not sure why I was missing it. Weird.

As long as it helps you get the flag haha! That one is like finding a needle in a haystack.

Although a trick to finding the admin might be running the Burp Intruder attack and using the grep-match option to search for 'admin' or 'administrator'. Then it will flag whatever response contains that word. You would be guessing at the username, but it might save some headache.
-onthesauce

Could someone help me? I've already got the IDOR; I changed the request to PUT, HEAD and PATCH to reset.php and to api.php/user/**, sending it in the default format and in JSON, and I get a "0" or a "1" in the answer, respectively, as well as "acess denied" and "missing parameters". I would assume that the answer "1" would make the necessary changes to the admin user password, but no, the "1" is just the API answer. Any hint would be much appreciated. Thanks in advance

1 Like

This was a tough nut, but I finally cracked it! Reach out if you’re stuck!

John

I did PE to the admin and got the vulnerable point,
but tried almost every XXE and none of them prints out.

Please, some help over here.

Try simple XXE RCE with php://filter, you should see the flag.

Thanks mate, i have already done it. Thanks anyway, Cheers

1 Like