Academy Web Attacks Skills Assessment

hello

you almost solved it!

the reset password is in “/reset.php”

after that,
all that you got is correct, but try changing the method you use:
POST
HEAD


company : Administrator

I also am facing the same issue as the OP.
When I try to do the LFI XXE, I stop getting the name element returned in the response, so I end up with this as the response:
Event ‘’ has been created.

I also get the same “empty” response if there is a “&” character anywhere in the XML.

Could someone give me a nudge on the access to the admin account. I'm pretty sure I'm 90% there; I just can't figure out how to get it to work.

EDIT: I figured out this bit, please feel free to DM if you are stuck.

I'm stuck!!! Please help me

For those who need help, you may want to read this reddit comment, but only when you are absolutely running out of ideas: https://www.reddit.com/r/hackthebox/comments/q5bnvs/comment/hodr7kk/. It basically outlines the whole process to crack this assessment.

For the XXE part, I encountered the same problem as the OP and the guy who wrote the reddit comment. I used the idea described in this note: https://github.com/Ambrotd/XXE-Notes and successfully got the flag, but I'm not sure this is the supposed way to do it. I would like to know if anyone can get the flag without encountering the same problem…

If you receive this response:

“Event ’ ’ has been created.”

Try to remove the line

<?xml version="1.0" encoding="UTF-8"?>
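From the defender's side, the empty "Event '' has been created." response in this thread is the symptom of an event-creation endpoint that swallows parser failures and entity tricks silently. The following is an added example, not code from the assessment or from any poster, of how such a handler should behave instead: it refuses documents that declare a DTD or entities, surfaces malformed XML (such as a bare "&") as an explicit error, and never accepts an empty name. The handler name, the `<root><name>` layout and the sample bodies are assumptions constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Hypothetical event-creation handler (assumed layout: <root><name>…</name></root>).
# Any DTD or entity declaration is refused outright: the legitimate client never
# sends one, and it is the vehicle for XXE-based local file reads.
DTD_RE = re.compile(r"<!\s*(DOCTYPE|ENTITY)", re.IGNORECASE)


def handle_event_xml(body: str) -> tuple[str, str]:
    """Return (status, detail); status is 'ok', 'rejected' or 'error'."""
    if DTD_RE.search(body):
        return ("rejected", "DTD or entity declarations are not allowed")
    try:
        # A raw '&' in the name makes the document ill-formed; that must be
        # reported, not turned into an empty name.
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return ("error", f"malformed XML: {exc}")
    name_el = root.find("name")
    name = (name_el.text or "").strip() if name_el is not None else ""
    if not name:
        return ("error", "event name is missing or empty")
    return ("ok", f"Event '{name}' has been created.")


# Constructed sample request bodies for demonstration.
SAMPLES = [
    '<?xml version="1.0" encoding="UTF-8"?><root><name>Team sync</name></root>',
    "<root><name>R&amp;D review</name></root>",          # escaped ampersand: fine
    "<root><name>R&D review</name></root>",              # bare ampersand: malformed
    '<!DOCTYPE root [<!ENTITY x "y">]><root><name>&x;</name></root>',
    "<root><name></name></root>",                        # empty name
]

if __name__ == "__main__":
    for body in SAMPLES:
        status, detail = handle_event_xml(body)
        print(f"{status:8} {detail}")
```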

■■■■… it took me a day for a dumb oversight.
If you're having trouble like me finding who the Administrator is… try to grep with the -i flag… once I got that, the rest is quite easy. :sweat_smile: