I worked on this lab (Hard skill) and I did everything you can think of: parameter discovery with x8 and fuzzing with ffuf, but nothing. I found many paths, but none of them helped me find a vulnerable parameter like XSS etc., and I checked the last posts about this, but they didn't help me.
Hi, I just finished Skills Assessment Hard. I could not solve it by myself; someone helped me. So if you need help, let me know.
Do you remember any tips from when you completed the hard skill assessment of the modules?
I would definitely need some help here from @maxz or @blizco
I have the XSS. I think I know something should happen on the page I cannot access as a normal user, but when I refresh it after delivering cache poisoning via XSS nothing happens (cache poisoning delivered via the Python-specific method…).
And I do not get anything in interactsh either.
Am I missing much?
Alright, solved with some little help. Feel free to ping me for the same.
Yo, I got XSS but I'm having the same problem as you, any help?
I’m a little lost on it. I got XSS successfully working for myself when I entered the website, but it seemed like the admin was sleeping and never ran the same XSS. Nothing showed up in logs or elsewhere. I tried some different values for the Host header in case the admin was local, but to no avail.
Hi, unfortunately I am on vacation with no access to my notes. However, if I remember correctly, the XSS payload is such that the admin will promote you to admin as well.
Oh no worries enjoy the vacation! I created several scripts and one of them does promote me to admin, but the admin never seems to visit the page. I’ll post here if I do figure it out.
I think the annoying part is to figure out the sort_by part, if I am not wrong. It’s the Python Bottle vuln, but not exactly identical to the payload that is found online. Unless I am just getting confused with something else.
That’s correct. That was how I got the XSS successfully working for myself.
The Host field is what had me most worried, since that is also a keyed value. For me the Host field was automatically ip:port, but it might be different for the admin. So I tried the given vhosts, as well as some of the localhost options, to no avail.
Ok I got a little help. It turns out that the page I was on had a link to another page (technically the same page with different parameters) that was the one the admin actually used.
Now I’m stuck just on the last part. I’m trying to change the Host value for a submit form, but have had no luck changing it. I tried the 5 overwrite headers from the tutorial (I couldn’t find more override headers online), fat GETs, even adding the host to URL parameters, but none of these worked. I also tried changing the Host header to include the URL I wanted, but then it would rekey the cache.
I know you’re still on vacation, so if you happen to remember this last part off the top of your head let me know; else, enjoy!
I think you have to set the interact URL where you want to receive the… data (what is it? Reset password link for admin? I can’t remember exactly) in an “override” header. Can’t remember if it was X-Forwarded-Host or which one (pretty sure I found it with Param Miner in Burp Pro).
I solved it finally. It was the same problem I ran into last time, ugh. The page I thought the admin was visiting had a link to another page (technically the same page with different keyed parameters), which was what the admin was actually using. Then I did have to use an override header as you mentioned in your comment.
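The mechanism the thread circles around (a cache that keys on Host and the query string, while the application builds its reset link from an "override" header the cache does not key on) is easy to model. The following is an added illustration, not code from the lab, the thread, or any project; the header name X-Forwarded-Host, the host names, the sort_by query and the reset-link format are assumptions chosen to mirror the discussion, and the hardened variant shows the fix a defender would apply.

```python
from dataclasses import dataclass, field
from typing import Callable

# Constructed values for the model; the real lab's hosts and keys are not reproduced.
TRUSTED_HOST = "app.example.internal"
ATTACKER_HOST = "attacker.example"


def cache_key(req: dict) -> tuple:
    """Keyed inputs: Host, path, query. Override headers are unkeyed (the weakness)."""
    return (req["Host"], req["path"], req.get("query", ""))


def vulnerable_app(req: dict) -> str:
    # Composes an absolute URL from a client-controlled override header.
    host = req.get("X-Forwarded-Host", req["Host"])
    return f"https://{host}/reset?token=TOKEN"


def hardened_app(req: dict) -> str:
    # Ignores override headers and uses a server-side canonical host instead.
    return f"https://{TRUSTED_HOST}/reset?token=TOKEN"


@dataclass
class Cache:
    app: Callable[[dict], str]
    store: dict = field(default_factory=dict)

    def fetch(self, req: dict) -> str:
        key = cache_key(req)
        if key not in self.store:           # miss: ask the origin and store it
            self.store[key] = self.app(req)
        return self.store[key]               # hit: everyone with this key gets it


def serve_victim_after_priming(app: Callable[[dict], str]) -> str:
    """One request carrying the unkeyed header primes the cache; a later request
    with the same keyed fields (Host, path, query) is served from that entry."""
    cache = Cache(app)
    priming = {"Host": TRUSTED_HOST, "path": "/reset", "query": "sort_by=id",
               "X-Forwarded-Host": ATTACKER_HOST}
    victim = {"Host": TRUSTED_HOST, "path": "/reset", "query": "sort_by=id"}
    cache.fetch(priming)
    return cache.fetch(victim)


def is_poisoned(app: Callable[[dict], str]) -> bool:
    """Detection check: does the shared cache entry point at a foreign host?"""
    return ATTACKER_HOST in serve_victim_after_priming(app)
```

Adding X-Forwarded-Host to the cache key is the other common remedy; the model makes that a one-line change in cache_key, after which the victim's request no longer matches the primed entry.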