# ZTH: Web 2

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeljBj4RNklyDS1tl2_%2F-MeljExudDWcg9n-WSTX%2Fimage.png?alt=media\&token=da71b173-c6ec-4321-82a4-c1697a3aaa18)

## Introduction

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeljBj4RNklyDS1tl2_%2F-MeljQpQbFx4_nnwUuD7%2Fimage.png?alt=media\&token=716567f5-729a-45d8-95a5-dc23af6ec317)

## Section 1: IDOR

### Introduction

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeljBj4RNklyDS1tl2_%2F-MeljdptYkGkjMCLB5Pq%2Fimage.png?alt=media\&token=7ee1060a-aabe-4787-aae1-2d0b6176c080)

### Exploitation

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeljBj4RNklyDS1tl2_%2F-MeljmqdKBGwXBiW2Psd%2Fimage.png?alt=media\&token=1291a16f-ddc3-4117-afc7-5f4d2dccad7c)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeljBj4RNklyDS1tl2_%2F-MeljsOluS3N6PlLDCLo%2Fimage.png?alt=media\&token=410a012c-0b46-439f-b214-8e310dfcc1e9)

### Challenge

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeljBj4RNklyDS1tl2_%2F-MelkI83SbSMgiEEFXcB%2Fimage.png?alt=media\&token=88d4db9b-01e6-4ba1-b06d-54cbd2625fb8)

Let's check the web page.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeljBj4RNklyDS1tl2_%2F-MelkCQpM201kU2QvTRO%2Fimage.png?alt=media\&token=7a34737c-9c9e-4ddf-b5a6-3332e20002b4)

Let's log in with the given credentials.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeljBj4RNklyDS1tl2_%2F-MelkNttsVbeBTrEPqRW%2Fimage.png?alt=media\&token=2961053d-5633-4c12-9735-4bdf7ce74518)

Let's change the note parameter value to 0.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeljBj4RNklyDS1tl2_%2F-MelkUP9vlBUd4PwZ0n4%2Fimage.png?alt=media\&token=243725f1-850a-41ab-97a4-258da806d7d5)
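The step above works because the server looks a note up by the `note` parameter alone and never checks who owns it. As an added example that is not part of the original write-up, here is that vulnerable lookup beside a version that enforces ownership; the in-memory note store, user names and note bodies are constructed for the demo.

```python
"""Added example (not from the original write-up): an IDOR-prone note lookup
beside one that enforces ownership. All data below is constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Note:
    note_id: int
    owner: str
    body: str


# Constructed sample store: note 0 belongs to "admin", note 1 to the logged-in "user".
NOTES = {
    0: Note(0, "admin", "flag{constructed-placeholder}"),
    1: Note(1, "user", "my shopping list"),
}


def get_note_vulnerable(session_user: str, note_id: int) -> Optional[Note]:
    """Resolves the note purely by its id. The session user is never compared to
    the owner, so changing ?note=1 to ?note=0 returns another user's record (IDOR)."""
    return NOTES.get(note_id)


def get_note_secure(session_user: str, note_id: int) -> Optional[Note]:
    """Returns the note only if it exists AND belongs to the caller.
    'Missing' and 'not yours' both yield None so the response does not
    leak which ids exist."""
    note = NOTES.get(note_id)
    if note is None or note.owner != session_user:
        return None
    return note


if __name__ == "__main__":
    # The attacker's view: logged in as "user", asking for note 0.
    print("vulnerable:", get_note_vulnerable("user", 0))  # admin's note leaks
    print("secure:    ", get_note_secure("user", 0))      # None
```

The ownership check must happen on every object fetch, not only on the listing page that generated the link; swapping sequential ids for random ones hides the ids but does not replace the check.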

## Section 2: Forced Browsing

### Introduction

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeljBj4RNklyDS1tl2_%2F-MelkknsaJGNVd0XuuC-%2Fimage.png?alt=media\&token=13c5ea6c-3d83-4a43-a926-785b0a4861da)

### Manual Exploitation

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeljBj4RNklyDS1tl2_%2F-MelkwZE-k6xkTlz1ROv%2Fimage.png?alt=media\&token=38bf9769-fca1-442c-a6eb-7b7af1090397)

### Automatic Exploitation

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeljBj4RNklyDS1tl2_%2F-MellBtIDiR_t6hobZBH%2Fimage.png?alt=media\&token=afe6b50f-57a8-4a46-ac06-787cb0fd860c)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeljBj4RNklyDS1tl2_%2F-MellER8kwAb7QfodVvw%2Fimage.png?alt=media\&token=b003dd72-ee81-4218-b8a5-029f1186ae5a)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeljBj4RNklyDS1tl2_%2F-Mell_Uk1ao2VZE_MEBo%2Fimage.png?alt=media\&token=e5436c05-83ee-408d-80d2-22f2c70fa58b)

### Challenge

Let's go to the web page.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeljBj4RNklyDS1tl2_%2F-MellkIOcNKGqz30w6jD%2Fimage.png?alt=media\&token=1fa63f94-4f0c-4420-bc27-167400223ddd)

Let's log in with the given credentials.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeljBj4RNklyDS1tl2_%2F-MelmI_3fomXUe80Kga7%2Fimage.png?alt=media\&token=0303d0a2-bf62-48c8-b569-d94ec73479e0)

Let's fuzz the name field so that we can find the right username.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Melp8E4t9rI4_IAukRf%2F-MelqAW_tmnTsv-I7XwO%2Fimage.png?alt=media\&token=dba02225-8a53-422b-8260-6e3803d719c9)

After some time we get a hit, which is `password`.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Melp8E4t9rI4_IAukRf%2F-MelqGWe8phAt7F55FoX%2Fimage.png?alt=media\&token=c718eaf1-a314-40f9-bc4f-c377d6b24fe5)
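Fuzzing a username or page name like this leaves a distinctive trail: one client producing many distinct 4xx responses in a short window. As an added example that is not part of the write-up, the following parses Apache combined-format access log lines and flags clients whose distinct 4xx paths within one minute exceed a threshold. The log lines, IP addresses and the threshold of five are constructed for the demo.

```python
"""Added example (not part of the write-up): detecting a forced-browsing or
username-fuzzing burst in web server access logs. Log lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Apache "combined" log format, simplified to the fields we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log: 10.0.0.5 walks six guessed names in six seconds,
# 10.0.0.9 is an ordinary visitor with one stray 404.
SAMPLE_LOG = [
    '10.0.0.9 - - [10/Jul/2021:12:00:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Jul/2021:12:00:01 +0000] "GET /user/alice HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Jul/2021:12:00:02 +0000] "GET /user/bob HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Jul/2021:12:00:03 +0000] "GET /user/carol HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Jul/2021:12:00:03 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Jul/2021:12:00:04 +0000] "GET /user/dave HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Jul/2021:12:00:05 +0000] "GET /user/erin HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Jul/2021:12:00:06 +0000] "GET /user/frank HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
]


def parse_line(line: str) -> Optional[dict]:
    """Extracts client IP, timestamp, request path and status; None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "path": m["path"],
        "status": int(m["status"]),
    }


def find_fuzzing(lines: List[str], window: timedelta = timedelta(seconds=60),
                 threshold: int = 5) -> Dict[str, int]:
    """Returns {ip: peak distinct 4xx paths in any window} for clients that reach
    the threshold. Distinct paths matter: a browser retrying one missing asset
    is not fuzzing, while many different 404/403 paths in a minute usually is."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and 400 <= rec["status"] < 500:
            by_ip[rec["ip"]].append((rec["ts"], rec["path"]))

    flagged: Dict[str, int] = {}
    for ip, events in by_ip.items():
        events.sort()
        peak = 0
        for i, (t0, _) in enumerate(events):  # sliding window from each event
            paths = {p for t, p in events[i:] if t - t0 <= window}
            peak = max(peak, len(paths))
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    print(find_fuzzing(SAMPLE_LOG))  # {'10.0.0.5': 6}
```

Tuning is per site: a crawler-heavy application may need a higher threshold, and the same counter should also be kept for 403s, since a correctly protected hidden page answers the fuzzer with 403 rather than 404.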

## Section 3: API Bypassing

### Introduction

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeljBj4RNklyDS1tl2_%2F-MeloVwgk1MKQ_TmMVDk%2Fimage.png?alt=media\&token=596d350b-3346-4743-89ad-d4f86d86bd78)

### Exploitation

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeljBj4RNklyDS1tl2_%2F-MelofXlx61RhyWyz4E4%2Fimage.png?alt=media\&token=383072ae-59ed-4887-bf1a-4822c7a5d515)

### Challenge

Let's check the web page.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Melp8E4t9rI4_IAukRf%2F-MelqWXF36hD702wXb0c%2Fimage.png?alt=media\&token=213edcfd-69d9-4def-8048-6dc1246a6a62)

Let's log in.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Melp8E4t9rI4_IAukRf%2F-MelqmBoOmBlS6op-0wP%2Fimage.png?alt=media\&token=9d27554f-453c-46f5-aa8d-c3fb71404143)

We have an admin.php page where we can run commands; let's test a command.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Melp8E4t9rI4_IAukRf%2F-MelqwZUqWk7GrVcK_Gf%2Fimage.png?alt=media\&token=3ab961bf-3111-4f74-86a9-4fad0dcccfd4)

It looks like we are taken to an api.php page. admin.php might be a file on the machine, so we are directly accessing the machine's directories through the URL. Let's look for the flag, which is probably in a file called flag.txt (as on most capture-the-flag machines).

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Melp8E4t9rI4_IAukRf%2F-MelrFl-7lo-rUGMCk1K%2Fimage.png?alt=media\&token=684e4d2b-48de-4040-b77e-5a3c8a81462b)
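The bypass works because api.php treats the parameter as a file name and reads whatever it resolves to, so the "API" is really the filesystem. As an added example that is not the challenge's code, here is that pattern beside a dispatcher that maps the parameter through an allow-list of named endpoints and checks the caller's role before serving the admin one. The web root, the fake filesystem and the endpoint names are constructed so the example runs offline.

```python
"""Added example (not the challenge's code): an api endpoint that resolves a
user-supplied page name to a file on disk, beside a version that dispatches
through an allow-list and enforces the caller's role. The filesystem is a
constructed dict so nothing touches the real disk."""
import posixpath
from typing import Callable, Dict, Optional

WEB_ROOT = "/var/www/html"  # constructed

# Constructed stand-in for the disk: everything under the web root is reachable
# by name, and flag.txt is not meant to be an API response at all.
FAKE_FS = {
    "/var/www/html/api.php": "<?php /* dispatcher */ ?>",
    "/var/www/html/admin.php": "<?php /* admin console */ ?>",
    "/var/www/html/flag.txt": "flag{constructed-placeholder}",
}


def serve_vulnerable(page: str) -> Optional[str]:
    """Joins the raw parameter onto the web root and returns the file it names.
    Any file under the web root becomes an 'API endpoint' (admin.php, flag.txt, ...)
    and no authorization is performed."""
    path = posixpath.normpath(posixpath.join(WEB_ROOT, page))
    return FAKE_FS.get(path)


# Secure variant: the parameter selects a handler, never a path.
def _status(role: str) -> Optional[str]:
    return "ok"


def _admin(role: str) -> Optional[str]:
    """Admin functionality is gated on the role from the server-side session."""
    return "admin console" if role == "admin" else None


ENDPOINTS: Dict[str, Callable[[str], Optional[str]]] = {
    "status": _status,
    "admin": _admin,
}


def serve_secure(page: str, role: str) -> Optional[str]:
    """Unknown names and unauthorized roles both return None, so the client
    cannot tell a hidden endpoint from a missing one."""
    handler = ENDPOINTS.get(page)
    if handler is None:
        return None
    return handler(role)


if __name__ == "__main__":
    print("vulnerable flag.txt:", serve_vulnerable("flag.txt"))   # file contents leak
    print("secure flag.txt:    ", serve_secure("flag.txt", "user"))  # None
    print("secure admin/user:  ", serve_secure("admin", "user"))    # None
    print("secure admin/admin: ", serve_secure("admin", "admin"))   # admin console
```

The allow-list removes the whole class of problems at once: there is no path to normalise, so neither hidden files in the web root nor anything outside it can be reached, and the role check lives in the one place every request passes through.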
