Posts

Practitioner Lab 9: Web shell upload via extension blacklist bypass

Image
  This lab contains a vulnerable image upload function. Certain file extensions are blacklisted, but this defense can be bypassed due to a fundamental flaw in the configuration of this blacklist. To solve the lab, upload a basic PHP web shell, then use it to exfiltrate the contents of the file  /home/carlos/secret . Submit this secret using the button provided in the lab banner. You can log in to your own account using the following credentials:  wiener:peter to start this lab I logged in as wiener This lab took me longer than I wanted. I didn’t understand how .htaccess worked very well but After doing some research I learned how it all worked and how it gives configurations for a particular directory. I knew it was an apache server because when I first did the post request it told me it was apache. I went and made an .htaccess file This file basically tells the server that if it sees any .php5 to then run that file as if it was a php file. When I initially uploaded this I

Practitioner Lab 8: Web shell upload via path traversal

Image
This lab contains a vulnerable image upload function. The server is configured to prevent execution of user-supplied files, but this restriction can be bypassed by exploiting a secondary vulnerability. To solve the lab, upload a basic PHP web shell and use it to exfiltrate the contents of the file `/home/carlos/secret`. Submit this secret using the button provided in the lab banner. You can log in to your own account using the following credentials: `wiener:peter` I start by going into the website with Burp Suite on. I checked all the requests My first though it to try to upload a file even if it fails because it might give me some source code information as to where I could upload the file. When I did this it only sent me the contents of the file back it didn’t execute the script While looking around I found a comment page where I can upload another image that might not be as secure. This did not work because it was not allowing me to upload. My plan was to upload on my account and th

Practitioner Lab 7: SSRF with filter bypass via open redirection vulnerability

Image
  This lab has a stock check feature which fetches data from an internal system. The stock checker has been restricted to only access the local application, so you will need to find an open redirect affecting the application first. I went into the page and looked at the check stock which accesses the database Here I took a look at the request to see what was happening and how it was working here I first check how it would react if I just tried to use the Ip directly without using local. I will use their own URL and then &path=http://192.168.0.12:8080/admin to the end of the URL As can be seen the URL doesn’t allow for redirections. I need a URL that needs redirections. This URL allows for redirections I found this after clicking next item. /product/nextProduct?currentProductId=1&path=/product?productId=2 I can use this URL and feed it to the stock checker to then be able to go to the admin page I put the URL that I got before here to then be able to redirect to

Practitioner Lab 6: SSRF with blacklist-based input filter

Image
  Practitioner Lab 6: SSRF with blacklist-based input filter I start by looking at the website itself and try to find if its communicating with the backend In this case it does this inside of the items they are selling to check if there are any items in stock Now I will take a look at the request to see how it is working Here is the stock API which I can use to send request to the backend I tried to access the /admin page using the trust of the localhost but it is blocked. It tells me that External stock check blocked for security reasons. Now There are a few things I can do and I will try to do all the options I know I tried using 127.1 instead of 127.0.0.1 but it didn’t work. I also tried to URL encode it but it also didn’t work After trial and error, I found a solution to the problem If I used simply the loopback it would be blocked. But if I used 127.1 it would pass meaning that it wasn’t only blacklisting the localhost but it was also blacklisting the admin wor

Practitioner Lab 5:File path traversal, validation of file extension with null byte bypass

Image
 This lab contains a path traversal vulnerability in the display of product images. The application validates that the supplied filename ends with the expected file extension. To solve the lab, retrieve the contents of the  /etc/passwd  file. the first thing I do is check the website out and look for images. I will then click on the page with the image because this way I can see the request on Burp Suite In this case, the server is checking for a specific extension so i put it after the %00 null byte Now I am going to check how it works when I don’t put that. I want to see what type of answer it will give me. It will simply say no such file.

Practitioner Lab 4: File path traversal, validation of start of path

Image
 This lab contains a path traversal vulnerability in the display of product images. The application transmits the full file path via a request parameter, and validates that the supplied path starts with the expected folder. To solve the lab, retrieve the contents of the  /etc/passwd  file. I began by going into the page with an image and captured the request. I then opened Burp Suite and looked at the request and as the lab specified the request will not work unless it has the main path of /var/www/images I tried to check what answer it would give me when I didn't have the full path name just to learn. After putting a full path name it worked out including the starting point of /var/www/images. Now the lab is solved.

Practitioner Lab 3: File path traversal, traversal sequences stripped with superfluous URL-decode

Image
 This lab contains a path traversal vulnerability in the display of product images. The application blocks input containing path traversal sequences. It then performs a URL-decode of the input before using it. To solve the lab, retrieve the contents of the  /etc/passwd  file. I started by looking around the page to see how it worked. I then opened one of the images to see the request. I looked at the request and then I changed it I had to encode it for it to work. and the lab is solved.

Practitioner Lab 2: File path traversal, traversal sequences stripped non-recursively

Image
 This lab contains a path traversal vulnerability in the display of product images. The application strips path traversal sequences from the user-supplied filename before using it. To solve the lab, retrieve the contents of the  /etc/passwd  file. The first thing I do is look at the website and how it is working I see a lot of images so I can use Burp Suite to look at where are all these images coming from Here I can see the request for all these images I will try to change it for another file name to see if I can get it I know it is stripped so I will probably have to use // of them to get it to work. When I try to use the absolute path it doesn’t work because it it stripped. Now I will use the double to see how it works It took me a while but I figured out how it worked. This way it works when it is filtered.

Practitioner Lab 1: File path traversal, traversal sequences blocked with absolute path bypass

Image
 This lab contains a path traversal vulnerability in the display of product images. The application blocks traversal sequences but treats the supplied filename as being relative to a default working directory. To solve the lab, retrieve the contents of the  /etc/passwd  file. I began by looking into one of these pages which have images I then went into the source code and took a look at where the image was being accessed I then went into it and changed the image for the absolute path of the file /etc/passwd This then resulted in the lab being finished. To solve this using Burp I went into the http history and this allowed me to see the request for images. Here I take a look at the request and then change it to the absolute path of /etc/passwd and then I get the contents of the file