Attacking Enterprise Networks - Web Enumeration & Exploitation

In the section “dev.inlanefreight.local” / image upload it says to change the Content-Type: header to image/png. If I do there’s no longer the error message but the file still doesn’t appear in the /uploads/ dir.

I tried for an hour different methods, like changing the Content-Disposition from multipart/form-data to attachment, actually uploading a png, adding the headers from previous sections etc. Just didn’t work.

Got it working finally using another file type

In the section Dealing with The Unexpected where we are going to http://tracking.inlanefreight.local/
I can follow the example and read files fine. But I am struggling with trying to figure out how to actually find the flag. Is there a way to get a reverse shell or run commands here? Thank you!

Hi there!

I am stuck in the exercise: “Use the SSRF to Local File Read vulnerability to find a flag. Submit the flag value as your answer (flag format: HTB{}).”.

I cannot find a flag. Not in the generated PDF document, nor in its properties / metadata, nor in the code, nor can I guess a file name for a flag or its location.

Did anyone find the solution?

I hope by now you found the answer, still for future reference just use /flag.txt

2 Likes

Try to check the roo* folder :wink:

Is there a way you can list the contents of a directory to see what’s there? Rather than just poking around in the dark

How did you even get to the upload part, i keep getting a request timed out to the server

i have tired my tun0 and the ip of the machine but keep getting the same error