Forum Discussion

Akshay (Bronze I), 2 months ago

OWASP 2017 Java: Underprotected APIs

I am stuck on the "OWASP 2017 Java: Underprotected APIs" challenge.

  1. I have tried accessing "<Target URL>/FileDownloadServlet?path=/etc/&file=flag.txt," for which I received the error message "HACKING DETECTED! Your activity has been logged, and authorities have been informed."
  2. I created a user with admin privileges and used its session to access the above-mentioned URL, but that also didn't work.
  • ChrisKershaw (Community Support)

    Hey Akshay 👋🏻,

    Welcome to the Human Connection 😊

    I've just had a look at the information on our internal lab page, and it does look like you are searching for the right endpoint here (/FileDownloadServlet).

    You will need to use directory traversal to include the flag from /etc/flag.txt:

    /FileDownloadServlet?file=flag.txt&path=/var/lib/tomcat9/../../../../etc

    I'm hoping that this will help, but just in case you have any further problems solving this, I'll tag in my colleague NyePrior to see if they have any other guidance to help 👍🏻

    Let us know how you get on with your attempt!

    Kindest regards,
    Chris
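The reply above works because a path that begins with an expected directory and then climbs out with `..` segments passes a check that only inspects the raw string, while a direct `/etc/` prefix trips the "HACKING DETECTED" branch. The following is an added example, not the lab's code, that places such a raw-string check beside one that canonicalises the path before deciding. The base directory `/var/lib/tomcat9`, the class and method names, and the exact shape of the weak check are assumptions for illustration; the inputs in `main` are the two URLs from this thread plus one constructed legitimate request.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

// Added example (not the lab's code). Contrasts a weak, string-based check
// on the "path" parameter with one that normalises the path and confines it
// to an assumed base directory before any file is opened.
public class DownloadPathCheck {

    // Assumed base directory the servlet is meant to serve from.
    static final Path BASE = Paths.get("/var/lib/tomcat9").toAbsolutePath().normalize();

    // Weak check (assumed shape): refuses an obvious "/etc" prefix and requires
    // the expected base prefix, but looks only at the raw string, so
    // "/var/lib/tomcat9/../../../../etc" satisfies both conditions.
    static boolean weakCheck(String dir) {
        if (dir.startsWith("/etc")) {
            return false; // the "HACKING DETECTED" branch, as assumed here
        }
        return dir.startsWith("/var/lib/tomcat9");
    }

    // Hardened check: reject file names carrying separators, resolve the full
    // target, collapse "." and ".." lexically with normalize(), then require
    // the result to remain under BASE. Path.startsWith compares whole path
    // components, so "/var/lib/tomcat9evil" does not match BASE.
    static boolean safeCheck(String dir, String file) {
        if (file.isEmpty() || file.contains("/") || file.contains("\\")
                || file.equals(".") || file.equals("..")) {
            return false;
        }
        Path target = Paths.get(dir).resolve(file).toAbsolutePath().normalize();
        return target.startsWith(BASE);
    }

    public static void main(String[] args) {
        String[][] cases = {
            {"/etc/", "flag.txt"},                                 // from the thread
            {"/var/lib/tomcat9/../../../../etc", "flag.txt"},      // from the thread
            {"/var/lib/tomcat9/webapps/app/files", "report.pdf"},  // constructed legitimate request
        };
        for (String[] c : cases) {
            System.out.printf("path=%-42s file=%-10s weak=%-5b safe=%b%n",
                    c[0], c[1], weakCheck(c[0]), safeCheck(c[0], c[1]));
        }
    }
}
```

Run with `javac DownloadPathCheck.java && java DownloadPathCheck` on a Linux host: the traversal input passes `weakCheck` but fails `safeCheck`, because after normalisation it resolves to `/etc/flag.txt`, which is outside `BASE`. `normalize()` is purely lexical; if the base directory can contain symlinks, use `toRealPath()` on the resolved target (which requires the file to exist) and compare that against `BASE.toRealPath()` so a link pointing outside the tree is also refused.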