Hey there - I’ve posted a partially redacted version of the instructor’s solution guide below. Hopefully this helps!
Getting the Flag
Immediately upon opening the bookmark, you are greeted with an alert() popup indicating we are not authorized. If we spin up Burp Suite, we can see that a cookie has been set and appears to be an encoded value. Using the Burp Decoder tab, we can decode the base64-encoded value to see “false”. The natural path for any tester would be to switch this to “true” and re-encode it. In doing so, we can access the login page.
Protip: Permanently set the cookie value in Burp Suite to avoid repeating this step.
At the login page, no wordlists on the internet will work, and each time we log in incorrectly we are informed with an alert(). Examining the source, we see a comment on the page indicating an old backup login page.
That page requires the same cookie from earlier. Once we browse to it and re-examine the source, we see a test password the engineer was using. Using these credentials, we can access the site.
Inside the site we see a panel that presents us various statistics and has a drop-down menu for viewing the last line of various log files. We can safely ignore the cookie as a PHPSESSID has been set.
We also see the first flag for this challenge presented to us as the top line of the statistics output!
The way in which system files are specified (i.e., by exact name, and not vaguely or through some indirect reference) should be immediately suspicious for any security engineer, as this is a good vector for file inclusion vulnerabilities and even potentially command injection. It is probable that the value is being sent to the application, which processes that value and utilizes it in a command string of some type.
Select any of the options and intercept the request in burp. We see a specific parameter has been appended to the query string.
If we append that with any sort of file inclusion, we will see the output of that file, assuming it was sent to standard output (STDOUT).
Additionally, if we utilize command injection characters, we see the output of any command that www-data has permission to run. Using this, we can enumerate the location of the secret directory with the flag file script.
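For contrast, here is how the log-viewer panel described above should have been written so that the drop-down value can never reach a path or a command string. This is an added example, not code from the challenge or the solution guide; the log names and contents are constructed, and the panel's real file list is assumed to be a fixed server-side mapping.

```python
import os
import re
import tempfile

# Constructed sample logs standing in for the panel's real files (assumption).
def build_sample_logs():
    directory = tempfile.mkdtemp()
    samples = {"access": ["GET /", "GET /panel"], "error": ["boot ok", "disk full"]}
    logs = {}
    for name, lines in samples.items():
        path = os.path.join(directory, f"{name}.log")
        with open(path, "w") as handle:
            handle.write("\n".join(lines) + "\n")
        logs[name] = path
    return logs

def classify_selection(selection, allowlist):
    """Label a drop-down value for logging: 'ok' only if it is an allowlisted key.
    Anything else is rejected; the finer labels exist so the SOC can tell an
    attacker's probe apart from a simple stale or mistyped option."""
    if selection in allowlist:
        return "ok"
    if ".." in selection or "/" in selection or "\\" in selection:
        return "traversal"
    if re.search(r"[;|&`$<>\n]", selection):
        return "metachar"
    return "unknown"

def last_log_line(selection, allowlist):
    """Return the last line of an allowlisted log, or None for any other value.
    The user-controlled string is used only as a dictionary key; the file is
    read directly, so no shell and no user-influenced path are involved."""
    path = allowlist.get(selection)
    if path is None:
        return None
    with open(path, "rb") as handle:
        data = handle.read()
    lines = data.rstrip(b"\n").split(b"\n")
    return lines[-1].decode("utf-8", "replace")

if __name__ == "__main__":
    logs = build_sample_logs()
    for value in ["access", "error", "../../etc/passwd", "access;id", "old"]:
        print(value, "->", classify_selection(value, logs), last_log_line(value, logs))
```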