Web Attacks - Skills Assessment

Can anyone help me with Web Attacks?
I found all the users and tokens, and I also found the way to reset the users' passwords; I also reset the password for htb-student. But when I try to reset the other users' passwords I get “Access Denied”.
I tried to change the Cookie: udi but had no success. Can anyone help me with this?

1 Like

I also tried using Burp Intruder to test the tokens and iud, with no success. Does someone have any idea?

I found the way to finish this.

Hey, can you give me a hint on this? I’ve been struggling with it for 2 days and still haven’t found the XXE vuln :frowning:

You need to find how to reset users' passwords, and after that you will find the XXE.

I could find out how to change the password of any user, but I still cannot find out how to do the XXE (I found there is a POST request in resxx.php, but when I tried XML format it is not accepted; it prompts "missing parameters"). Can any further hint be given? Also, the question mentions that we should escalate privileges to get the flag… I cannot find a way to escalate privileges. I found that none of the 100 users have any hint of being an admin user.

Thanks a lot in advance!

I could do with a nudge on this too if anyone can help. I can enumerate the users and tokens. Found what I believe to be an admin user. Can’t change that user’s password whatever I try. Am I barking up the wrong tree with this?

It’s OK ignore me. I’ve found part of the way through. I shouldn’t be too much longer with the rest.

Hey bro, I found that way and reset all users' passwords, but how can I use that reset with XXE? Can you help please?

Hello,

Can someone provide me some help on the XXE part, because none of the methods I try to exfiltrate /flag.php are working.

Every attempt (CDATA, FILE, PHP filter) ends with a timeout.

And after several of these attempts the server no longer reflects anything, only showing “Event ‘’ has been created.”

Thanks in advance

Just finished this box. Here are some hints:

  1. Find a way to enumerate all the users and find the admin.

  2. Reset the admin’s password. It’s actually really simple, try taking a look at what you learned in the beginning of the module.

  3. Log in as the admin and take another look around the /profile.php page. A new link will be available to you.

This will hopefully be enough to get you on the right track. If you’re still stumped, feel free to DM me.
Good Luck!

3 Likes

Hi! My congrats about finishing this :slight_smile:
Thanks for the hint!
I’ve been trying to break it for 2 days and can’t. The biggest thing: I don’t know the admin user’s name… there are 100 users with similar names… did you just iterate through all of them?

I used a bash script found earlier in the module to download the info for all the users. Modified it for use in the current scenario. Then I just read all the files at once and grepped for admin with cat * | grep -i admin

Feel free to message me if you need more help!

Thanks!!
I did this a very long time ago, but my Sublime Text was searching for “admin” in case-sensitive mode :))
Stupid error :( Thank you one more time

1 Like
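The two posts above describe the same workflow (one file per fetched user record, then a grep for the admin role) and the pitfall of searching case-sensitively. The script below is an added example, not code from the thread or from the module; it builds a constructed set of user record files in a temporary directory (the record format and the capitalised "Admin" role are assumptions for the demo) and shows why `grep -i` finds the record that a case-sensitive search misses.

```shell
#!/bin/sh
# Added example (not from the thread). Reproduces the case-sensitivity pitfall:
# the per-user records are saved one file per user, as the bash-script approach
# in the thread does, and the records below are constructed for this demo.

# Create a temp dir with five ordinary users and one user whose role is
# spelled "Admin" (capital A); prints the directory path.
setup_sample_users() {
    dir=$(mktemp -d)
    i=1
    while [ "$i" -le 5 ]; do
        printf '{"uid": %d, "username": "htb-user%d", "role": "user"}\n' \
            "$i" "$i" > "$dir/user$i.json"
        i=$((i + 1))
    done
    # constructed record: role differs only in letter case
    printf '{"uid": 6, "username": "htb-user6", "role": "Admin"}\n' \
        > "$dir/user6.json"
    echo "$dir"
}

# Case-sensitive search: counts files containing the exact string "admin".
find_admin_case_sensitive() {
    grep -l 'admin' "$1"/* | wc -l | tr -d ' '
}

# Case-insensitive search (-i): counts files containing "admin" in any case.
find_admin_case_insensitive() {
    grep -il 'admin' "$1"/* | wc -l | tr -d ' '
}

# List the matching file(s) so the full record can be read.
find_admin_files() {
    grep -il 'admin' "$1"/*
}

main_demo() {
    d=$(setup_sample_users)
    echo "case-sensitive matches:   $(find_admin_case_sensitive "$d")"
    echo "case-insensitive matches: $(find_admin_case_insensitive "$d")"
    find_admin_files "$d"
    rm -rf "$d"
}
main_demo
```

The counts come out 0 and 1 respectively: the record exists in both runs, but only the `-i` search reports it, which is exactly the "obvious value" that a case-sensitive editor search or a plain `grep admin` would skip over.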

HINT
When you click on a link, does it go immediately to the destination page, or does it transit through another page? (use Burp Suite)

I’m lost here. I found all 100 users with Burp, but how can I determine which of them is the admin user?

Hi @heimdall20
I was able to fetch the flag using a very simple XXE method… It looks like you’re missing an important yet handy XXE exploitation method. Hint: DON’T THINK TOO MUCH.
Take a look at the XXE modules completely; once you find that method, the flag is a dead straight giveaway from there. It took me almost an hour to figure this out, to be brutally honest… In my POV, this module assessment is a kickass way to play with IDOR and XXE attacks!! DM me if you are still stuck.

Just to add to this, guys: if you’re stuck finding the extra functionality once you’ve managed to escalate privileges, log in using Firefox. Chromium didn’t show anything new for me.

OK, I feel like such a dumbass… I could have finished this solo if I had just used grep or gone through the info a bit slower… I overlooked a very obvious value… the last part was easy :smiley: