Forum Discussion

QuickSloth's avatar
QuickSloth
Icon for Bronze III rankBronze III
7 months ago
Solved

Confused in "Threat Modeling Fundamentals; SQL Injection and Server-Side Template Injection"

In the section File Download there is a question on the quiz which asks "What is the value in /etc/flag.txt?" $> ls /etc Tells me that there is no file named flag.txt  Am I looking in the wrong pla...
help & support
  • netcat's avatar
    netcat
    6 months ago

    The value is on the target system in /etc/flag.txt - not on the local system.
    The target system has a vulnerability, maybe to spawn a shell allowing you to download the file, or a vulnerability in the database allowing to either read and display or to download the file.

QuickSloth's avatar
QuickSloth
Icon for Bronze III rankBronze III
6 months ago

Does this help?

 

netcat's avatar
netcat
Icon for Silver III rankSilver III
6 months ago

The value is on the target system in /etc/flag.txt - not on the local system.
The target system has a vulnerability, maybe to spawn a shell allowing you to download the file, or a vulnerability in the database allowing to either read and display or to download the file.

  • QuickSloth's avatar
    QuickSloth
    Icon for Bronze III rankBronze III
    6 months ago

    Thanks

  • QuickSloth's avatar
    QuickSloth
    Icon for Bronze III rankBronze III
    6 months ago

    Still confused.

    I went and worked on the (optional) lab about Unions.

    I get the general idea, but I'm not seeing where / how to do one of those commands in this lab.

    • netcat's avatar
      netcat
      Icon for Silver III rankSilver III
      6 months ago

      Did you do the lab "SQL Injection: sqlmap"?
      Similar task, more guided.