# Skills Assessment

* Try to escalate your privileges and exploit different vulnerabilities to read the flag at '/flag.php'.

When logging in to the panel, I can see a uid identifier -->

<figure><img src="/files/yHlSGnUhlD9ppomn69WW" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/SMavEEjlS9CNUiqTAulF" alt=""><figcaption></figcaption></figure>

I modify it, for example to `uid=1` -->

<figure><img src="/files/buvif7TSdDLyp81yOsUq" alt=""><figcaption></figcaption></figure>

After logging in, I can see another request with a uid and a user URL uid; I change it to 1, for example -->

<figure><img src="/files/0xdgn2OXPj6in3w4W8pr" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/GPArD91zLwlU2Al60ByV" alt=""><figcaption></figcaption></figure>

OKAY, I am another user. I will reload the profile page and intercept this request again to see more info about other users -->

<figure><img src="/files/bi66HxOkzNas0Rb0HOoM" alt=""><figcaption></figcaption></figure>

OKAY, I can enumerate users with this uid; go to Intruder -->

<figure><img src="/files/KuO3UG20Q3XEMdKSXzv7" alt=""><figcaption></figcaption></figure>

Okay!!! The user with uid==52 is Administrator, see that -->

<figure><img src="/files/fHNh3QzwsfdLKKINhQbR" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/AlWG7IdeuFIfdiDqxbJ9" alt=""><figcaption></figcaption></figure>

Okay, I can only see this, true. HOW CAN I BE THE ADMIN USER??

In my user, I have a section to change my password; go intercept it -->

<figure><img src="/files/Gb8OoBzj0zumDBuH3uXU" alt=""><figcaption></figcaption></figure>

Alright, first it calls /api.php/token, and it sends my uid too -->

<figure><img src="/files/yPiNuH3tODEUBjamSg9S" alt=""><figcaption></figcaption></figure>

OKAY, then it sends my user token and uid with the new password by POST to /reset.php. Now, modify it again -->

In the first request to /api.php/token, modify the uid to admin==52 -->

<figure><img src="/files/4wo30RRVJvxk2hA7COH1" alt=""><figcaption></figcaption></figure>

It gives me his user token, nice: `{"token":"e51a85fa-17ac-11ec-8e51-e78234eb7b0c"}` COPY IT

<figure><img src="/files/WSmgU7RoJXEnI5E4ETCs" alt=""><figcaption></figcaption></figure>

After altering all the fields, it gives me an "Access Denied" error .. F\&CK U! So.. I will try `Change request method` -->

<figure><img src="/files/OdCviiKGnzluvhLmcTqc" alt=""><figcaption></figcaption></figure>

OKAY! F\&cking HTTP verb tampering ... Now log in as Administrator

<figure><img src="/files/hdA2TOGTFkTcJTMHyqCK" alt=""><figcaption></figcaption></figure>

Intercept the request and change the uid to 52 -->

<figure><img src="/files/hkKDqpOZIkpgcTZdoiDZ" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/cVZYUiXFHY3iBL0ptYWi" alt=""><figcaption></figcaption></figure>

I can see a category named add event, so...

<figure><img src="/files/pozNRdiAjTtOS8tLxrpR" alt=""><figcaption></figcaption></figure>

Now intercept it to see the body -->

<figure><img src="/files/5a92KQ75l0AoQu1jMwfy" alt=""><figcaption></figcaption></figure>

I can see an XML structure, and lohh0 is reflected, so now I will try to read an internal file -->

<figure><img src="/files/dml12VRaDRPaXi8Yf8Uv" alt=""><figcaption></figcaption></figure>

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE name [
  <!ENTITY company "Inlane Freight">
]>
<root>
  <name>&company;</name>
  <details>test2</details>
  <date>2002-02-12</date>
</root>
```

<figure><img src="/files/OBUGRAY3m5mfDpuZJ9ey" alt=""><figcaption></figcaption></figure>

So... with it I can read the flag -->

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE email [
  <!ENTITY company SYSTEM "php://filter/convert.base64-encode/resource=/flag.php">
]>
<root>
  <name>&company;</name>
  <details>test2</details>
  <date>2002-02-12</date>
</root>
```

<figure><img src="/files/UUfWZyHjsYe7SQZY4rHp" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/oSbSyDMSYdCRfwxUAm8G" alt=""><figcaption></figcaption></figure>
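
Seen from the defender's side, the password-change steps above worked because the server trusted a client-supplied `uid` and denied the altered request on one HTTP method only. The sketch below is an added example, not the target application's code: the field names `uid`, `token` and `password`, the `$_SESSION['uid']` key, the `stored_token_for()` helper and uid 74 are assumptions, and the sample token is constructed.

```php
<?php
declare(strict_types=1);
// Hypothetical token store (assumption); uid 74 and its token are constructed sample data.
function stored_token_for(int $uid): ?string {
    $tokens = [74 => '00000000-0000-0000-0000-000000000000'];
    return $tokens[$uid] ?? null;
}

// Returns [status, message]. $sessionUid is fixed server-side at login; $post is the POST body only.
function authorize_reset(string $method, ?int $sessionUid, array $post): array {
    // One allowed verb, checked first, so no other method reaches the reset logic.
    if ($method !== 'POST') {
        return [405, 'Method Not Allowed'];
    }
    if ($sessionUid === null) {
        return [401, 'Login required'];
    }
    // The account being changed is always the session's; a differing client uid is refused.
    if (array_key_exists('uid', $post) && $post['uid'] !== (string) $sessionUid) {
        return [403, 'Access Denied'];
    }
    $expected = stored_token_for($sessionUid);
    $given = $post['token'] ?? null;
    if ($expected === null || !is_string($given) || !hash_equals($expected, $given)) {
        return [403, 'Access Denied'];
    }
    if (!is_string($post['password'] ?? null) || $post['password'] === '') {
        return [400, 'Password required'];
    }
    return [200, 'OK: change the password of uid ' . $sessionUid];
}

if (PHP_SAPI === 'cli') {
    $tok = '00000000-0000-0000-0000-000000000000';
    $cases = [ // constructed requests: verb swap, foreign uid, legitimate reset
        ['GET', 74, []],
        ['POST', 74, ['uid' => '52', 'token' => $tok, 'password' => 'x']],
        ['POST', 74, ['uid' => '74', 'token' => $tok, 'password' => 'x']],
    ];
    foreach ($cases as [$m, $sid, $body]) {
        echo implode(' ', authorize_reset($m, $sid, $body)), PHP_EOL;
    }
} else {
    session_start();
    $sid = isset($_SESSION['uid']) ? (int) $_SESSION['uid'] : null;
    [$status, $msg] = authorize_reset($_SERVER['REQUEST_METHOD'], $sid, $_POST);
    http_response_code($status);
    echo $msg;
}
```

The same session binding applies to the token endpoint: it should issue a token only for the logged-in session's own uid, never for a uid taken from the request.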

