Skills Assessment Using Web Proxies

Feb 11, 2025 #htb #cybersec

Question 1 - The /lucky.php page has a button that appears to be disabled. Try to enable the button, and then click it to get the flag.

First make sure to enable Intercept responses and make it to POST request.
Now Forward the request.
In Response tab, remove the disabled and forward it (Going back to your browser, you can click on button which reveals the flag, don’t forget to turn Intercept off) or send it to repeater tab and click on send, which would reveal the flag.

Hitting /admin.php, we get the cookie. Which then can be sent to Decoder: cookie -> decode as ASCII Hex -> reveals base64 -> decode as base64 -> flag(31 chars value)

Using Intruder, In Payload Processing, we first add our 31 chars value as prefix and Add Base64-encode, ASCII Hex encode.
Now Let’s Load the alphanum-case.txt file. And start attack.
We can one of the request’s responses to get the flag.

Question 4 - You are using the ‘auxiliary/scanner/http/coldfusion_locale_traversal’ tool within Metasploit, but it is not working properly for you. You decide to capture the request sent by Metasploit so you can manually verify it and repeat it. Once you capture the request, what is the ‘XXXXX’ directory being called in ‘/XXXXX/administrator/..’?

Using Metasploit with auxiliary/scanner/http/coldfusion_locale_traversal

use auxiliary/scanner/http/coldfusion_locale_traversal
set PROXIES HTTP:127.0.0.1:8080
set RHOSTS <ip>
set RPORT <port>

Running it and checking it in burp we get the answer.