Forum Discussion

QuickSloth's avatar
QuickSloth
Icon for Bronze III rankBronze III
2 months ago

Confused in "Threat Modeling Fundamentals; SQL Injection and Server-Side Template Injection"

In the section File Download there is a question on the quiz which asks "What is the value in /etc/flag.txt?" $> ls /etc Tells me that there is no file named flag.txt  Am I looking in the wrong pla...
help & support
KieranRowley's avatar
KieranRowley
Icon for Community Manager rankCommunity Manager
2 months ago

Hi QuickSloth​ I have taken a look but I can't work out which lab you are referring to, please can you clarify the lab name?

QuickSloth's avatar
QuickSloth
Icon for Bronze III rankBronze III
2 months ago

Does this help?

 

  • netcat's avatar
    netcat
    Icon for Silver II rankSilver II
    2 months ago

    The value is on the target system in /etc/flag.txt - not on the local system.
    The target system has a vulnerability, maybe to spawn a shell allowing you to download the file, or a vulnerability in the database allowing to either read and display or to download the file.

    • QuickSloth's avatar
      QuickSloth
      Icon for Bronze III rankBronze III
      2 months ago

      Thanks

    • QuickSloth's avatar
      QuickSloth
      Icon for Bronze III rankBronze III
      2 months ago

      Still confused.

      I went and worked on the (optional) lab about Unions.

      I get the general idea, but I'm not seeing where / how to do one of those commands in this lab.

      • netcat's avatar
        netcat
        Icon for Silver II rankSilver II
        2 months ago

        Did you do the lab "SQL Injection: sqlmap"?
        Similar task, more guided.