Hi could anyone give me a hint on the vulnerability to find for the question “Using Web Proxies” in the "Zap Scanner " Chapter ? I ran both ZAP and Burp Scanner but the vulnerabilities which came up seem to require a bit too much effort for a 1point question.

I managed to find the flag. But I didn’t get a high alert indication. Even after running spider, ajax, and active scans.


I was able to run the HUD but found 6 High Alerts - one Remote OS Command Injection and 5 SQL Injections. Based on a solution I found elsewhere, I now know which one is “the high level vulnerability”, but how would I have known it wasn’t the other ones? I thought that was the most confusing.

1 Like

Could you please give a hint?
I’m for two weeks on this point now. All attempts to use Zap scanners (both from Parrot and different version from my machine) do not give High alert, nor I can spot any “interesting” URL reported by the scanners. Tried “wpscan” as well - nothing except Akismet plugin, which path does not look to be right way.

Fist thing I would suggest, let the active scan fully complete. It took about 5-10 minutes on my run. Check the “High Alert” section. Look for anything the would allow you to inject a command. From there you can manipulate a GET request to send a command to the target, thus getting the flag as a response. That is the closest thing I can think to type out without giving the answer. In the module focus closely on the part where it gives an example High alert. Carefully look at what the alert is describing, take that info and go earn your flag! :slight_smile:

Finally, I was able to manage to find the flag.

I did not get any high alerts (flag). Thus, I decided to explore a different option. I ran Ajax Spider. Then I sorted the urls by Highest alerts a medium one had something that called my attention, It was evidently something that can be execute at the CLI :wink:.

Hopefully, this can help you out! If you need some help, message me.

Hey guys, I’ve seen some of you got a Remote OS command injection alert running hud/active scan/spider/. I ran all of those and didn’t get the command injection alert (got the flag following a different thread). My question is, in an exam situation, how are we supposed to handle this? feels very arbitrary

I think, that is the point. There is not only one way.
In the real pentest, you have to learn to identify the clues that can help you to get in.
Some things or some times it is not straightforward, the labs are preparing you for facing a real scenario, don’t you think?

1 Like

I took a lot of time for me to find it. The most important tip is: Don’t confuse active Scan and the Spiders. You have to find the right location to scan in order to find it.

The recurse option allows to use active scan on all sites you visited previously. It is pretty easy to find the vulnerability if you use the spider to scan the page and do a recursive scan on the page folder in sites. (That’s probably what the HUD does if it works properly.)
Sidenote: trying this method I got 5"high alerts"