Skill Assessment - Injection Attacks

Hello,

Since I can’t find a thread I will open a new one.
Wondering if anyone succeeded with the Injection Attacks Skill Assessment (the newest module from Senior Web Pentester) to get the hidden flag?
Any hint would be appreciated.

Cheers!

How far have you reached in the exploitation phase?
Would like to know this to know where I can nudge you.
Make sure you don’t reveal any spoilers.

Anyone solve this yet? Is it just a matter of reading a file or is there more to it (RCE for example)?

I can interact with the internal API but am having issues with injecting anything further. Any guidance would be appreciated.

Yes same here. I can get the internal site and know the structure of things (I think I can even dump the whole content, which probably contains the flag), but the item that is output is too small to show all the information and I’m struggling to selectively exfiltrate stuff.

DM if you need a nudge

From what I gather, the vuln is: SSRF in the Description field of the POST via an iframe. Is that correct?
I tried a bunch of the 127.0.0.1/api/whatevers but at this point I’m just guessing. A nudge would be quite helpful!

Edit: It appears I was way off. It looks like JavaScript is being run in the Description field. If so I still can’t find where the flag resides.

You might need to use some of the X***H commands to filter out the data you need…

DM if you need a hint

Same here, did you figure it out?

I need help as well. I am able to read /etc/passwd but not able to list or read any other files. Can someone help?

It’s already been said that JavaScript is being run in the Description field. With the help of that, you need to find an internal page, and then you will need to use XPath injection.

Found the internal directory. How do you fuzz for the .php file?

For me, it was a little difficult to find the internal endpoint. That’s actually where I spent probably 90% of my time on this challenge.

Once you’ve identified the LFI, I would suggest using it to figure out what virtual hosts are available on the machine, and where their root directories are. From there, you can find the source code for the homepage of the internal application and figure out the next step.

Can anyone provide a hint for this?

I’ve been able to read files and tried requesting a few internal pages but was not able to get anything. Tried ports 80, 8000, 8080, some of which exist, some don’t.

Stuck on this and not sure how to progress to find the internal portal.

You cannot access the directory as it is disabled, but you can access files.
Try to access /etc/apache2/sites-available/000-default.conf using script.
It shows you the internal web as well as its root directory.
Then access the i***x.html file (which is common in every website) under the given root directory.
Read it carefully and go on to XPath injection.

Thank you, I solved it with your hint but your hint also led me down a rabbit hole haha.

For future readers - don’t look at the .html file, but maybe some other extensions might be helpful…

Aah!
Typing mistake.
Thanks for informing :+1: