cyberhub.es

Tag: Apprentice

Limit overrun race conditions

Description: This lab’s purchasing flow contains a race condition that enables you to purchase items for an unintended price. To solve the lab, successfully purchase a Lightweight L33t Leather Jacket. You can log in to your account with the following credentials: wiener:peter. Limit overrun race conditions writeup: When the lab starts we find an online store. We will register […]

Modifying serialized objects

Description: This lab uses a serialization-based session mechanism and is vulnerable to privilege escalation as a result. To solve the lab, edit the serialized object in the session cookie to exploit this vulnerability and gain administrative privileges. Then, delete the user carlos. You can log in to your own account using the following credentials: wiener:peter Modifying serialized […]

Host header authentication bypass

Description: This lab makes an assumption about the privilege level of the user based on the HTTP Host header. To solve the lab, access the admin panel and delete the user carlos. Host header authentication bypass writeup: We will enter the lab and look for information about where the admin panel is located. We will find this information in […]

Basic password reset poisoning

Description: This lab is vulnerable to password reset poisoning. The user carlos will carelessly click on any links in emails that he receives. To solve the lab, log in to Carlos’s account. You can log in to your own account using the following credentials: wiener:peter. Any emails sent to this account can be read via the email client […]

Exploiting path mapping for web cache deception

Description: To solve the lab, find the API key for the user carlos. You can log in to your own account using the following credentials: wiener:peter. Exploiting path mapping for web cache deception writeup: We will split this lab into several parts. Finding the API key: we will find the API key when logging in to ‘My account’ with the […]

Exploiting XXE to perform SSRF attacks

Description: This lab has a "Check stock" feature that parses XML input and returns any unexpected values in the response. The lab server is running a (simulated) EC2 metadata endpoint at the default URL, which is http://169.254.169.254/. This endpoint can be used to retrieve data about the instance, some of which might be sensitive. To solve […]

Exploiting XXE using external entities to retrieve files

Description: This lab has a "Check stock" feature that parses XML input and returns any unexpected values in the response. To solve the lab, inject an XML external entity to retrieve the contents of the /etc/passwd file. Exploiting XXE using external entities to retrieve files writeup: On entering the lab we will see an online store. We will go to […]

JWT authentication bypass via flawed signature verification

Description: This lab uses a JWT-based mechanism for handling sessions. The server is insecurely configured to accept unsigned JWTs. To solve the lab, modify your session token to gain access to the admin panel at /admin, then delete the user carlos. You can log in to your own account using the following credentials: wiener:peter JWT authentication bypass via […]

JWT authentication bypass via unverified signature

Description: This lab uses a JWT-based mechanism for handling sessions. Due to implementation flaws, the server doesn’t verify the signature of any JWTs that it receives. To solve the lab, modify your session token to gain access to the admin panel at /admin, then delete the user carlos. You can log in to your own account using […]

CORS vulnerability with trusted null origin

Description: This website has an insecure CORS configuration in that it trusts the "null" origin. To solve the lab, craft some JavaScript that uses CORS to retrieve the administrator’s API key and upload the code to your exploit server. The lab is solved when you successfully submit the administrator’s API key. You can log in […]
