Web Service & API Attacks - Skills Assessment

Funny how flags are different for different solutions.

Hi, can you elaborate on the way you got it? I’ve been stuck on this, embarrassingly, for a bit now.

Man, thanks a lot

I just used automate.py and grepped the flag from the code on the machine :face_with_hand_over_mouth:


real hacker

Agree. This module lacks some information about building the SOAPAction header.

Can anyone give a nudge for the SQL injection command to bring out the admin password? Tried different ways but it's not working…!

I got the flag by gaining a shell. But I can’t seem to figure out the intended way to find it.

Hey can you help me with this? Been stuck for a while with SQL injection thing

Here is a clean way to do it.

  1. Download automate.py script from SOAPAction Spoofing section.

  2. The above script tends to run a cmd. Here we need to make it do a login. As per @onthesauce's post above, in the Python script just change the <cmd>{cmd}</cmd> to username and password tags and "SOAPAction":'"ExecuteCommand"' to a SOAPAction that accepts 'Login' (I am not writing the entire commands due to restrictions). Also change the input field to accept username and password.
    Now to understand why, read @onthesauce's post again; it will help.

  3. Now run the script, try with admin admin, it will not work. So we need to SQL inject it. Here is a nice blog to understand how SQL injection actually happens: php - Why isn't this test SQL injection returning all rows in the table? - Stack Overflow.

  4. Use the concept explained in this post and inject command, you will get the flag.

Now, how to reach this understanding: I watched some YouTube videos and @muskypirate's writing to understand how things are arranged in the WSDL.


hey man. If you have done this…can you please DM me your payload?

There is another way, but it's like "cheating" in some way. You can use the Burp Suite community plugin "Wsdler", which automatically parses everything you can do with the file, and it seems it doesn't quote the "Login" in the SOAPAction header, so don't forget that.

Of course, it is always good to know how to construct a SOAP request without using any additional tool, because "it may not be there when you need it".

Does anyone know how to get the flag by doing RCE?

How do you get the flag through the shell? I used SQL to get the flag; I am interested in the shell.

mind giving me a hint?

  1. Use wsdler from burp suite to make SOAP request automatically.
  2. The payload is very simple. You should log in as admin without the password via the SQLi vulnerability.

Hey man,
I know it’s been a very long time since you wrote this, but I’m hoping you remember. What am I supposed to do if it just hangs? I run the script, it hangs, but I get no response whatsoever. How am I supposed to get the flag?

Thank you!

Hanging means that you have created the SOAP request correctly. Now just take @try’s advice:

Many people get caught up on how to inject the payload into the script. But you should be able to take my previous advice here:

Keep going! DM me if you are still stuck.
-onthesauce

This is the way I used it (the envelope below is the template my script sends; username_payload is the value read from the input field):

def build_login_request(username_payload):
    # Build the SOAP LoginRequest body; the username field carries the user-supplied value.
    return f'''<?xml version="1.0" encoding="UTF-8"?>
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:tem="http://tempuri.org/">
       <soapenv:Header/>
       <soapenv:Body>
          <tem:LoginRequest>
             <tem:username>{username_payload}</tem:username>
             <tem:password>password</tem:password>
          </tem:LoginRequest>
       </soapenv:Body>
    </soapenv:Envelope>'''
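As an added example, not code from this thread or from the module, here is the server-side view of the two issues discussed above: the hardened handler dispatches on the body element and rejects a SOAPAction header that disagrees with it, and it checks credentials with bound parameters instead of a string-built query. The envelope, the in-memory table and the admin row are constructed for the demo and are not the lab's data.

```python
import sqlite3
import xml.etree.ElementTree as ET
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
TEM_NS = "http://tempuri.org/"

# Constructed sample with the same shape as the envelope posted above (placeholders filled by the caller).
SAMPLE_REQUEST = """<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:tem="http://tempuri.org/">
  <soapenv:Header/>
  <soapenv:Body>
    <tem:LoginRequest>
      <tem:username>{user}</tem:username>
      <tem:password>{pw}</tem:password>
    </tem:LoginRequest>
  </soapenv:Body>
</soapenv:Envelope>"""

def parse_login(xml_text, soapaction):
    """Return (username, password); reject requests whose SOAPAction header and body disagree."""
    body = ET.fromstring(xml_text).find(f"{{{SOAP_NS}}}Body")
    op = body[0]  # dispatch on the body element, not on the header alone
    if op.tag != f"{{{TEM_NS}}}LoginRequest" or soapaction != '"Login"':
        raise ValueError("SOAPAction header does not match the request body")
    return op.findtext(f"{{{TEM_NS}}}username"), op.findtext(f"{{{TEM_NS}}}password")

def make_db():
    """In-memory user table with a hypothetical admin row (constructed test data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users(username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'hypothetical-admin-pw')")
    return db

def login_vulnerable(db, user, pw):
    # Building the statement by string formatting: a quote in the input rewrites the SQL itself.
    q = f"SELECT 1 FROM users WHERE username='{user}' AND password='{pw}'"
    return db.execute(q).fetchone() is not None

def login_safe(db, user, pw):
    # Bound parameters: the input stays data, whatever characters it contains.
    q = "SELECT 1 FROM users WHERE username=? AND password=?"
    return db.execute(q, (user, pw)).fetchone() is not None

def vulnerable_query_breaks(db, user, pw):
    """True if the string-built query no longer parses, i.e. the input reached the SQL grammar."""
    try:
        login_vulnerable(db, user, pw)
        return False
    except sqlite3.OperationalError:
        return True
```

A username containing a single quote is enough to show the difference: the bound-parameter version simply finds no such user, while the string-built version hands the quote to the SQL parser.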

Hi All,

For me, I struggled for a day to get the flag. Of course you can get it using other methods, but we should get it as the question says (SQLi payload). None of the scripts worked, but I solved it using the SoapUI application and I learned something new. Please give the app a shot; it's really simple and useful for later hunting ^___^