Categoría: Portswigger Lab writeup

Routing-based SSRF

Descripción This lab is vulnerable to routing-based SSRF via the Host header. You can exploit this to access an insecure intranet admin panel located on an internal IP address. To solve the lab, access the internal admin panel located in the 192.168.0.0/24 range, then delete the user carlos. Routing-based SSRF writeup A diferencia del laboratorio anterior (Host header […]

Host header authentication bypass

Descripción This lab makes an assumption about the privilege level of the user based on the HTTP Host header. To solve the lab, access the admin panel and delete the user carlos. Host header authentication bypass writeup Entraremos en el laboratorio y buscarmos información sobre dónde está el panel de administrador. Esta infomación la encontraremos en […]

Basic password reset poisoning

Descripción This lab is vulnerable to password reset poisoning. The user carlos will carelessly click on any links in emails that he receives. To solve the lab, log in to Carlos’s account. You can log in to your own account using the following credentials: wiener:peter. Any emails sent to this account can be read via the email client […]

Exploiting path mapping for web cache deception

Descripción To solve the lab, find the API key for the user carlos. You can log in to your own account using the following credentials: wiener:peter. Exploiting path mapping for web cache deception writeup Dividiremos este laboratorio en varias partes: Encontrar la API Key La API Key la encontraremos al iniciar sesión en ‘My account’ con el […]

Exploiting cache server normalization for web cache deception

Descripción To solve the lab, find the API key for the user carlos. You can log in to your own account using the following credentials: wiener:peter. We have provided a list of possible delimiter characters to help you solve the lab: Web cache deception lab delimiter list. Exploiting cache server normalization for web cache deception writeup Dividiremos este […]

Exploiting origin server normalization for web cache deception

Descripción To solve the lab, find the API key for the user carlos. You can log in to your own account using the following credentials: wiener:peter. We have provided a list of possible delimiter characters to help you solve the lab: Web cache deception lab delimiter list. Exploiting origin server normalization for web cache deception writeup Dividiremos este […]

Exploiting path delimiters for web cache deception

Descripción To solve the lab, find the API key for the user carlos. You can log in to your own account using the following credentials: wiener:peter. We have provided a list of possible delimiter characters to help you solve the lab: Web cache deception lab delimiter list. Exploiting path delimiters for web cache deception writeup Dividiremos este laboratorio […]

Server-side template injection with information disclosure via user-supplied objects

Descripción This lab is vulnerable to server-side template injection due to the way an object is being passed into the template. This vulnerability can be exploited to access sensitive data. To solve the lab, steal and submit the framework’s secret key. You can log in to your own account using the following credentials: Server-side template […]

Server-side template injection in an unknown language with a documented exploit

Descripción This lab is vulnerable to server-side template injection. To solve the lab, identify the template engine and find a documented exploit online that you can use to execute arbitrary code, then delete the morale.txt file from Carlos’s home directory. Server-side template injection in an unknown language with a documented exploit writeup Al intentar ver más detalles […]

Server-side template injection using documentation

Descripción This lab is vulnerable to server-side template injection. To solve the lab, identify the template engine and use the documentation to work out how to execute arbitrary code, then delete the morale.txt file from Carlos’s home directory. You can log in to your own account using the following credentials: content-manager:C0nt3ntM4n4g3r Server-side template injection using documentation writeup […]