Skills Assessment
Try to escalate your privileges and exploit different vulnerabilities to read the flag at '/flag.php'.
When logging in to the panel, I can see a uid identifier.


I modify it, for example to uid=1.

After logging in, I can see another request with a uid and a uid in the user URL; I change it to 1, for example.


Okay, I am now another user. I reload the profile page and intercept this other request to see more information about other users.

Okay, I can enumerate users with this uid, so I send it to Intruder.

Okay! The user with uid==52 is the Administrator, see that.


Okay, that is all I can see. How can I become the admin user?
My user has a change-password section, so I intercept it.

All right, first it calls /api.php/token, and it sends my uid too.

Okay, then it sends my user token and uid with the new password by POST to /reset.php. Now I modify it again.
In the first request to /api.php/token, I change the uid to the admin's (52).

It gives me his user token, nice: {"token":"e51a85fa-17ac-11ec-8e51-e78234eb7b0c"}
Copy it.

After altering all the fields, it gives me an "Access Denied" error... F&CK U! So I will try changing the request method.

Okay! F&cking HTTP verb tampering... Now I log in as Administrator.

I intercept the request and change the uid to 52.


I can see a category named add event, so...

Now I intercept it to see the body.

I can see an XML structure, and lohh0 is reflected, so now I will try to read an internal file:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE name [
<!ENTITY company "Inlane Freight">
]>
<root>
<name>&company;</name>
<details>test2</details>
<date>2002-02-12</date>
</root>

So... with it I can read the flag:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE email [
<!ENTITY company SYSTEM "php://filter/convert.base64-encode/resource=/flag.php">
]>
<root>
<name>&company;</name>
<details>test2</details>
<date>2002-02-12</date>
</root>
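
The defensive counterpart to the two request bodies above, as an added example that is not part of the original write-up or of the target application: a parser for the add-event body that refuses any DOCTYPE, so the `company` entity can never be declared, whether internal or SYSTEM. It is written in Python with the standard-library expat bindings so it runs stand-alone; `parse_event`, `DoctypeForbidden` and the sample names are hypothetical.

```python
import xml.parsers.expat

# Add-event bodies. PLAIN is constructed; INTERNAL and EXTERNAL mirror the two above.
BODY = """<?xml version="1.0" encoding="UTF-8"?>
%s<root>
<name>%s</name>
<details>test2</details>
<date>2002-02-12</date>
</root>"""
PLAIN = BODY % ("", "Inlane Freight")
INTERNAL = BODY % ('<!DOCTYPE name [\n<!ENTITY company "Inlane Freight">\n]>\n', "&company;")
EXTERNAL = BODY % ('<!DOCTYPE email [\n<!ENTITY company SYSTEM '
                   '"php://filter/convert.base64-encode/resource=/flag.php">\n]>\n', "&company;")

class DoctypeForbidden(ValueError):
    """The submitted document carries a DTD."""

def parse_event(xml_text):
    """Return the children of <root> as a dict, refusing any DOCTYPE."""
    fields, stack, text = {}, [], []

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # Entities can only be declared in a DTD, so stopping here means
        # neither internal nor SYSTEM entities are ever defined or resolved.
        raise DoctypeForbidden("DOCTYPE %r not allowed" % name)

    def on_start(tag, attrs):
        stack.append(tag)
        text.clear()

    def on_end(tag):
        if len(stack) == 2:  # direct child of the root element
            fields[tag] = "".join(text).strip()
        stack.pop()
        text.clear()

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = text.append
    parser.EndElementHandler = on_end
    parser.Parse(xml_text, True)
    return fields

if __name__ == "__main__":
    for doc in (PLAIN, INTERNAL, EXTERNAL):
        try:
            print("accepted:", parse_event(doc))
        except DoctypeForbidden as exc:
            print("rejected:", exc)
```

The handler fires on `<!DOCTYPE` itself, before the internal subset is read, so the rejection happens before any entity declaration is processed.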

