Read my writeup for the Spider machine on:
User: Playing with the registration page of the website and examining the cookie; using an SSTI attack on the username field to get the SECRET_KEY and use it to sign a session cookie; using Flask-Unsign to create malicious cookies and discovering SQL injection using sqlmap; getting Chiv's password from sqlmap, then logging into the web portal. On the portal, we found a message with a link to another portal with a submit-ticket option; from that, we can use SSTI (Server-Side Template Injection) to get a reverse shell.
Root: Found local port 8080 with a shopping portal; using an SSH tunnel to set up a port forward that lets us hit 127.0.0.1:8080 on the remote host; using XXE injection on the logout fields to read files; grabbing the SSH key and logging in as root.