Posts

Showing posts with the label Pentesting

Practitioner Lab 9: Web shell upload via extension blacklist bypass

This lab contains a vulnerable image upload function. Certain file extensions are blacklisted, but this defense can be bypassed due to a fundamental flaw in the configuration of this blacklist. To solve the lab, upload a basic PHP web shell, then use it to exfiltrate the contents of the file `/home/carlos/secret`. Submit this secret using the button provided in the lab banner. You can log in to your own account using the following credentials: `wiener:peter`. To start this lab I logged in as wiener. This lab took me longer than I wanted. I didn't understand how .htaccess worked very well, but after doing some research I learned how it all worked and how it gives configurations for a particular directory. I knew it was an Apache server because when I first did the POST request it told me it was Apache. I went and made an .htaccess file. This file basically tells the server that if it sees any .php5 to then run that file as if it was a PHP file. When I initially up...

Practitioner Lab 8: Web shell upload via path traversal

This lab contains a vulnerable image upload function. The server is configured to prevent execution of user-supplied files, but this restriction can be bypassed by exploiting a secondary vulnerability. To solve the lab, upload a basic PHP web shell and use it to exfiltrate the contents of the file `/home/carlos/secret`. Submit this secret using the button provided in the lab banner. You can log in to your own account using the following credentials: `wiener:peter`. I start by going into the website with Burp Suite on. I checked all the requests. My first thought is to try to upload a file even if it fails, because it might give me some source code information as to where I could upload the file. When I did this it only sent me the contents of the file back; it didn't execute the script. While looking around I found a comment page where I can upload another image that might not be as secure. This did not work because it was not allowing me to upload. My plan was to upload on my accou...

Practitioner Lab 7: SSRF with filter bypass via open redirection vulnerability

This lab has a stock check feature which fetches data from an internal system. The stock checker has been restricted to only access the local application, so you will need to find an open redirect affecting the application first. I went into the page and looked at the check stock, which accesses the database. Here I took a look at the request to see what was happening and how it was working. Here I first check how it would react if I just tried to use the IP directly without using local. I will use their own URL and then `&path=http://192.168.0.12:8080/admin` at the end of the URL. As can be seen, the URL doesn't allow for redirections. I need a URL that needs redirections. This URL allows for redirections; I found this after clicking next item: `/product/nextProduct?currentProductId=1&path=/product?productId=2`. I can use this URL and feed it to the stock checker to then be able to go to the admin page. I put the URL that I got before here to then be able to redirec...

Lab 10: Basic SSRF against another back-end system

I got the request and then I used Intruder to brute-force the range of IPs that it could be. With this I was then able to get the IP to the admin page. Now I go to the page and delete the user. I put this request to delete the user called Carlos, and now I double-check that the user was deleted.

Lab 9: Basic SSRF against the local server

Here I have to exploit SSRF. The first thing I will do is look at the requests that the web page makes with Burp Suite. The website has an option to check the stock of an item. This has to connect to the backend. If I am able to change this request with the loopback address, which is often trusted, then I can access a page that I don't have normal access to. Here is the request, and as can be seen it is accessing the backend. By changing the request to `http://localhost/admin` I was able to gain access to the admin page and delete a user. After looking at the request I saw that the path to delete Carlos was to go to `/admin/delete?username=carlos`. I then added this to my original path and sent it; I then followed the request and it worked. The user Carlos was deleted and the lab was done.

Lab 8: Bypassing 2FA

I got two usernames and passwords. My credentials: `wiener:peter`. Victim's credentials: `carlos:montoya`. I started by testing the first one to see how it worked and what pages I could access when logged in, to then try to access those pages. I am now gonna try to use IDOR to change the reference to Carlos to see if it would allow me, but it didn't. At this point, I still think that I might be able to change into Carlos. As I was logging into Carlos I used the reference to then change to Carlos.

Lab 7: Brute Forcing to Gain Access

I began by going to the login page and sending the request when I entered a username and password into Burp Suite. After this I sent it into Intruder and gave it the word list of usernames that was provided, and got the username announce. After doing this I sent the request again to Burp Suite, put in a wordlist of passwords, and looked for a different length in the Intruder page. As can be seen, the hunter password has a different length, which means there has been a change. Now when I look at the status it is a 300, which means it is a redirect. Now I plugged in the username and password and got in.

Lab 6: User ID controlled by request parameter with password disclosure

I have to gain access to an admin account by using horizontal escalation. I logged in. I then saw my ID and tried to transfer to admin, but it failed. Lastly I tried to transfer to the other user carlos because he might have some extra privilege. Using Burp Suite I changed the id value to administrator and it worked. I looked at the password the administrator had and then signed in with it. After signing into the account I was able to delete Carlos.

Lab 5: User ID controlled by request parameter, with unpredictable user IDs

I entered the site and logged in with the credentials given to me. The first thing that stood out to me was the API key. After getting this I decided that it was best to look at the request with Burp Suite. After doing this I went to all the posts and checked that the blog ID had a reference to the user ID and that I could change this ID to gain access to other users. After doing it with Admin I found a post by Carlos that had a reference to his account and used it. Here is Carlos's account and the API key.

Lab 4: User role controlled by request parameter

I need to access the admin site and delete Carlos, but to do this I need to change the parameters to then gain access into the admin page. I went into my account and logged in using the credentials that were provided for me. I then went into cookies and found the Admin cookie set to false, so I changed it to true and then I went into the admin panel. After doing so I was able to delete Carlos. Another way I could have done this was by using Burp: I could have sent the request to the proxy and taken a look at the cookies. Here I could have changed the cookie to true and then it would have worked the same way.

Lab 3: Access Controls 2

I opened the page and took a look at it. I again tried to find the admin page, but now with another method. After looking at the HTML code I found that they had some JavaScript in there and they had the `/admin-0p1j64`. I put that in the URL and then I was able to get to the admin page and delete Carlos.