Using application functionality to exploit insecure deserialization In this lab we need to modify the serialized cookie for the account either for wiener or gregg and delete morale.txt from carlos user's home directory

Late was an easy rated linux box which had subdomain having the functionality to convert image having some text into a text file, as it was made with flask, the application was vulnerable to SSTI (Server Side Template Injection) through which we can read ssh key svc_acc user, although it…

Modifying serialized data types In this lab we need to modify the serialized session which is vulnerable to authentication bypass through which we can get access to administrator account

Modifying serialized objects In this lab we need to modify the session cookie which is using serialization through which we need to escalate our privileges to administrator user and then delete the carlos user

Catch was a medium rated linux box, involved an apk having few tokens out of which we were able to use let’s chat token on the API giving us the credentials to catchetwhich was vulnerable to CVE 2021–39174, leaking the variables from .env …

Acute was hard rated box which involved enumerating the web site to find a word document having the link to PowerShell Web Access (PSWA) also having the hostname in meta data and the password in the document, the username was found through the about page from the site, giving us…

Routerspace was an easy rated linux box which had an android application through which we need to either extract the URL or intercept request which the application was being vulnerable command injection due to unsanitized user input to get a shell as paul, escalating to root was simple as with…