USING WEB PROXIES ZAP Scanner

Hi, could anyone give me a hint on the vulnerability to find for the question “Using Web Proxies” in the "Zap Scanner" chapter? I ran both ZAP and Burp Scanner, but the vulnerabilities which came up seem to require a bit too much effort for a 1-point question.

I managed to find the flag. But I didn’t get a high alert indication. Even after running spider, ajax, and active scans.


I was able to run the HUD but found 6 High Alerts - one Remote OS Command Injection and 5 SQL Injections. Based on a solution I found elsewhere, I now know which one is “the high level vulnerability”, but how would I have known it wasn’t the other ones? I thought that was the most confusing.


Could you please give a hint?
I’ve been stuck at this point for two weeks now. All attempts to use ZAP scanners (both from Parrot and a different version from my machine) do not give a High alert, nor can I spot any “interesting” URL reported by the scanners. Tried “wpscan” as well - nothing except the Akismet plugin, whose path does not look like the right way.

First thing I would suggest: let the active scan fully complete. It took about 5-10 minutes on my run. Check the “High Alert” section. Look for anything that would allow you to inject a command. From there you can manipulate a GET request to send a command to the target, thus getting the flag as a response. That is the closest thing I can think to type out without giving the answer. In the module, focus closely on the part where it gives an example High alert. Carefully look at what the alert is describing, take that info and go earn your flag! :slight_smile:


Finally, I managed to find the flag.

I did not get any high alerts (flag). Thus, I decided to explore a different option. I ran Ajax Spider. Then I sorted the URLs by highest alert; a medium one had something that caught my attention. It was evidently something that can be executed at the CLI :wink:.

Hopefully, this can help you out! If you need some help, message me.

Hey guys, I’ve seen that some of you got a Remote OS Command Injection alert running HUD/active scan/spider. I ran all of those and didn’t get the command injection alert (got the flag following a different thread). My question is, in an exam situation, how are we supposed to handle this? It feels very arbitrary.

I think that is the point. There is not only one way.
In a real pentest, you have to learn to identify the clues that can help you get in.
Some things, or sometimes, are not straightforward; the labs are preparing you for facing a real scenario, don’t you think?


It took a lot of time for me to find it. The most important tip is: don’t confuse active Scan and the Spiders. You have to find the right location to scan in order to find it.

The recurse option allows you to use active scan on all sites you visited previously. It is pretty easy to find the vulnerability if you use the spider to scan the page and do a recursive scan on the page folder in Sites. (That’s probably what the HUD does if it works properly.)
Sidenote: trying this method I got 5 "high alerts".

For the ones who have to wait for hours for the scan to complete like me:
we can find the vuln by ourselves.
main page >> the post >> the comment >> the link

Hey Joe95, I am still desperately seeking a walkthrough for this particular flag task… any other direction you could point me in?

Appreciate any kindness and advice

Dano


@danob8621
It’s OK to be stuck on this if you never knew how to do command injection before.

If I put the plain text as spoiler, the authority will delete it. So…

Y3VybCAiaHR0cDovLzk0LjIzNy40OS4yMTI6NTAyNzkvZGV2dG9vbHMvcGluZy5waHA/aXA9O2NhdCUyMC9mbGFnLnR4dDsi

Hey Joe, thanks a lot! I am brand new to the field, I only have a 9-month bootcamp under my belt, and I am trying to expand my knowledge and ability to get a job ASAP.

much appreciated!

@danob8621
Good luck.
I got my OSCP 3 months ago, and I still can’t get a job.
I’m doing the bug bounty road map, and planning to apply to some colleges in the US after the exam.

ZGlzY29yZDogam9lOTU1ODU5

Wow, that’s wild, man. I am working on my ISC2 CC cert along with the CompTIA Security+ that my bootcamp is paying for us to take for free one time. OSCP is pretty far above those; that’s crazy you are having a tough time getting work. Good luck, friend!

You should see a Remote OS Command Injection in the result. ZAP also provides you a sample payload to prove it. And you will just need to replace that payload with yours to read flag.txt.
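The bug class behind ZAP's Remote OS Command Injection alert, as an added example that is not the lab's application or any poster's code: a ping endpoint that concatenates the `ip` parameter into a shell line, beside a hardened version that allow-lists the value and passes it as a single argv element, plus a small check that flags shell metacharacters in request-log query strings. The `/tools/ping.php` path and the request lines are constructed for the example.

```python
import ipaddress
import subprocess
from urllib.parse import parse_qsl, urlsplit

# Characters that let a value escape a shell word and start a new command.
SHELL_METACHARS = set(";|&`$(){}<>\n")


def build_ping_command_unsafe(ip: str) -> str:
    """Vulnerable pattern: user input pasted into a shell command line.

    Run via subprocess.run(cmd, shell=True), an ip value such as
    "8.8.8.8; id" makes the shell execute "id" as a second command.
    This function only builds the string; it never runs it.
    """
    return f"ping -c 1 {ip}"


def validate_ip(value: str) -> str:
    """Allow-list validation: only a syntactically valid IP literal passes."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        raise ValueError(f"not an IP address: {value!r}") from None


def build_ping_command_safe(ip: str) -> list[str]:
    """Hardened pattern: validated value as one argv element, no shell."""
    return ["ping", "-c", "1", validate_ip(ip)]


def run_ping_safe(ip: str) -> int:
    # shell=False (the default): the argv list is never re-parsed by a shell.
    return subprocess.run(build_ping_command_safe(ip), check=False).returncode


def is_injection_attempt(value: str) -> bool:
    """Detection heuristic for one percent-decoded query-string value."""
    return any(ch in SHELL_METACHARS for ch in value)


def suspicious_params(request_line: str) -> list[str]:
    """Names of query parameters in one access-log request line that carry
    shell metacharacters. parse_qsl percent-decodes, so %3B is seen as ';'."""
    target = request_line.split()[1]
    query = urlsplit(target).query
    return [k for k, v in parse_qsl(query, keep_blank_values=True)
            if is_injection_attempt(v)]


# Constructed sample request lines (hypothetical path, not real traffic).
SAMPLE_REQUESTS = [
    "GET /tools/ping.php?ip=8.8.8.8 HTTP/1.1",
    "GET /tools/ping.php?ip=8.8.8.8%3Bid HTTP/1.1",
    "GET /tools/ping.php?ip=%3Bcat%20%2Fetc%2Fhostname%3B HTTP/1.1",
]
```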