Posts

Showing posts with the label Portswigger

Practitioner Lab 9: Web shell upload via extension blacklist bypass

This lab contains a vulnerable image upload function. Certain file extensions are blacklisted, but this defense can be bypassed due to a fundamental flaw in the configuration of this blacklist. To solve the lab, upload a basic PHP web shell, then use it to exfiltrate the contents of the file `/home/carlos/secret`. Submit this secret using the button provided in the lab banner. You can log in to your own account using the following credentials: `wiener:peter`

To start this lab I logged in as wiener. This lab took me longer than I wanted. I didn't understand how .htaccess worked very well, but after doing some research I learned how it all worked and how it gives configurations for a particular directory. I knew it was an Apache server because when I first did the POST request it told me it was Apache. I went and made an .htaccess file. This file basically tells the server that if it sees any .php5 file to then run that file as if it was a PHP file. When I initially up...

Practitioner Lab 8: Web shell upload via path traversal

This lab contains a vulnerable image upload function. The server is configured to prevent execution of user-supplied files, but this restriction can be bypassed by exploiting a secondary vulnerability. To solve the lab, upload a basic PHP web shell and use it to exfiltrate the contents of the file `/home/carlos/secret`. Submit this secret using the button provided in the lab banner. You can log in to your own account using the following credentials: `wiener:peter`

I start by going into the website with Burp Suite on. I checked all the requests. My first thought was to try to upload a file even if it fails, because it might give me some source code information as to where I could upload the file. When I did this, it only sent me the contents of the file back; it didn't execute the script. While looking around I found a comment page where I can upload another image that might not be as secure. This did not work because it was not allowing me to upload. My plan was to upload on my accou...

Practitioner Lab 7: SSRF with filter bypass via open redirection vulnerability

This lab has a stock check feature which fetches data from an internal system. The stock checker has been restricted to only access the local application, so you will need to find an open redirect affecting the application first.

I went into the page and looked at the check stock feature, which accesses the database. Here I took a look at the request to see what was happening and how it was working. I first checked how it would react if I just tried to use the IP directly without using local. I will use their own URL and then add `&path=http://192.168.0.12:8080/admin` to the end of the URL. As can be seen, the URL doesn't allow for redirections. I need a URL that allows redirections. This URL, which I found after clicking next item, allows for redirections: `/product/nextProduct?currentProductId=1&path=/product?productId=2`. I can use this URL and feed it to the stock checker to then be able to go to the admin page. I put the URL that I got before here to then be able to redirec...

Practitioner Lab 6: SSRF with blacklist-based input filter

I start by looking at the website itself and try to find if it's communicating with the backend. In this case it does this inside of the items they are selling, to check if there are any items in stock. Now I will take a look at the request to see how it is working. Here is the stock API which I can use to send requests to the backend. I tried to access the /admin page using the trust of the localhost, but it is blocked. It tells me that External stock check blocked for security reasons. Now there are a few things I can do and I will try all the options I know. I tried using 127.1 instead of 127.0.0.1 but it didn't work. I also tried to URL encode it but it also didn't work. After trial and error, I found a solution to the problem. If I used simply the loopback it would be blocked. But if I used 127.1 it would pass, meaning that it wasn't only blacklisting the localhost but it was also blacklisting the admin...

lab 10: Basic SSRF against another back-end system

I got the request and then I used Intruder to brute-force the range of IPs that it could be. With this I was then able to get the IP of the admin page. Now I go to the page and delete the user. I sent this request to delete the user called Carlos, and now I double-check that the user was deleted.

Lab 9: Basic SSRF against the local server

Here I have to exploit SSRF. The first thing I will do is look at the requests that the web page makes with Burp Suite. The website has an option to check the stock of an item. This has to connect to the backend. If I am able to change this request to the loopback address, which is often trusted, then I can access a page that I don't have normal access to. Here is the request, and as can be seen it is accessing the backend. By changing the request to `http://localhost/admin` I was able to gain access to the admin page and delete a user. After looking at the request I saw that the path to delete Carlos was `/admin/delete?username=carlos`. I then added this to my original path and sent it. I then followed the request and it worked. The user Carlos was deleted and the lab was done.

Lab 8: Bypassing 2FA

I got two usernames and passwords. My credentials: `wiener:peter`. Victim's credentials: `carlos:montoya`. I started by testing the first one to see how it worked and what pages I could access when logged in, to then try to access those pages. I am now going to try to use IDOR to change the reference to Carlos to see if it would allow me, but it didn't. At this point, I still think that I might be able to change into Carlos. As I was logging into Carlos I used the reference to then change to Carlos.

Lab 7: Brute forcing to gain access

I began by going to the login page and capturing the request in Burp Suite when I entered a username and password. After this I sent it to Intruder and gave it the word list of usernames that was provided, and got the username announce. After doing this I sent the request again to Burp Suite, put in a wordlist of passwords, and looked for a different length in the Intruder page. As can be seen, the hunter password has a different length, which means there has been a change. Now when I look at the status it is a 300, which means it is a redirect. Now I plugged in the username and password and got in.

Lab 6: User ID controlled by request parameter with password disclosure

I have to gain access to an admin account by using horizontal escalation. I logged in. I then saw my id and tried to transfer to admin, but it failed. Lastly, I tried to transfer to the other user carlos because he might have some extra privilege. Using Burp Suite I changed the id value to administrator and it worked. I looked at the password the administrator had and then signed in with it. After signing into the account I was able to delete Carlos.