PortSwigger Labs
Lab 1: Error Messages
To solve this lab, find the version of a third-party framework used by the site.
The product page takes a productId parameter that is expected to be an integer. Replacing it with a string produces this error message:

The error message reveals the framework version, Apache Struts 2 2.3.31, which solves the lab.
Lab 2: Debug Page
To solve this lab, find the SECRET_KEY variable. The site has a phpinfo.php debug page left exposed:


Searching the page above for SECRET_KEY gives the value.
Lab 3: Backup Files
To solve this lab, find the hard-coded database password.
I ran a gobuster scan on the site:
The /backup directory contains the following:

The directory holds a backup of a Java source file, and the hard-coded database password is in it:

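The first three labs are all variants of the same recon step: read a response body and pick out the disclosure. As an added example (not code from this write-up or from PortSwigger), the following scanner greps saved response bodies for three patterns: a product name followed by a version in an error page (lab 1), sensitive rows of a phpinfo() table (lab 2), and a string literal assigned to a credential-looking identifier in leaked source (lab 3). The paths, response texts and secret values are constructed for the demo and are not taken from the lab servers.

```python
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (path, category, detail)

# Constructed sample responses standing in for the three labs above; none of
# this text is taken from the lab servers, and the secrets are placeholders.
SAMPLE_RESPONSES: Dict[str, str] = {
    "/product?productId=abc": (
        "Internal Server Error: java.lang.NumberFormatException: "
        'For input string: "abc"\n'
        "Apache Struts 2 2.3.31\n"
    ),
    "/cgi-bin/phpinfo.php": (
        '<tr><td class="e">DOCUMENT_ROOT </td><td class="v">/var/www/html</td></tr>\n'
        '<tr><td class="e">SECRET_KEY </td><td class="v">constructed-secret-value</td></tr>\n'
    ),
    "/backup/App.java.bak": (
        'private static final String JDBC_URL = "jdbc:postgresql://localhost:5432/shop";\n'
        'private static final String DB_USER = "postgres";\n'
        'private static final String DB_PASSWORD = "constructed-db-password";\n'
        "Connection conn = DriverManager.getConnection(JDBC_URL, DB_USER, DB_PASSWORD);\n"
    ),
}

# Product name followed by a dotted version, as printed in stack traces and
# server banners. Longer names come first so the alternation prefers them.
VERSION_RE = re.compile(
    r"\b(Apache Struts 2|Apache Tomcat|Apache|nginx|Jetty|Express)[ /]v?(\d+(?:\.\d+)+)\b"
)
# One name/value row of a phpinfo() table.
PHPINFO_ROW_RE = re.compile(
    r'<td class="e">\s*([A-Za-z_][A-Za-z0-9_]*)\s*</td>\s*<td class="v">\s*([^<]*?)\s*</td>'
)
SENSITIVE_NAME_RE = re.compile(r"(?i)secret|password|passwd|key|token")
# A string literal assigned to a credential-looking identifier in source code.
CREDENTIAL_ASSIGN_RE = re.compile(
    r'(?i)\b(\w*(?:password|passwd|secret|api_?key|token)\w*)\s*[=:]\s*["\']([^"\']+)["\']'
)


def scan_response(path: str, body: str) -> List[Finding]:
    """Return every disclosure pattern found in one response body."""
    findings: List[Finding] = []
    for product, version in VERSION_RE.findall(body):
        findings.append((path, "version", f"{product} {version}"))
    for name, value in PHPINFO_ROW_RE.findall(body):
        if SENSITIVE_NAME_RE.search(name):  # skip harmless rows like DOCUMENT_ROOT
            findings.append((path, "config", f"{name}={value}"))
    for name, value in CREDENTIAL_ASSIGN_RE.findall(body):
        findings.append((path, "credential", f"{name}={value}"))
    return findings


def scan_all(responses: Dict[str, str]) -> List[Finding]:
    return [f for path, body in responses.items() for f in scan_response(path, body)]


if __name__ == "__main__":
    for path, category, detail in scan_all(SAMPLE_RESPONSES):
        print(f"{category:10} {path}: {detail}")
```

The patterns are deliberately narrow: a broader credential regex produces noise on any real site, and the version regex only fires when a known product name and a dotted version sit next to each other. Feed it the bodies saved from Burp or a gobuster run rather than live requests.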
Lab 4: Authentication Bypass
To solve this lab, log in as the administrator and delete carlos. When trying to visit the /admin directory, I see this:

This gives me an idea to exploit SSRF. Since this lab is about information disclosure, I tried using TRACE to view debug information, and it worked!
This was the response:
There's an X-Custom-IP-Authorization header. I can use this to bypass the 'local user' check. Setting the header to 127.0.0.1 on the request makes the back end treat it as coming from a local user:

I can then visit /admin/delete?username=carlos to delete the user (this endpoint appears in the HTML of the /admin page).
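The exchange behind this lab, as an added example that is not the write-up's or PortSwigger's code: a constructed stand-in for the lab's architecture in which a front end stamps the connection's source address into X-Custom-IP-Authorization unless the client already supplied one, a back end trusts that header for the 'local user' check, and TRACE echoes the request as the back end saw it. The client first discovers the header name through TRACE, then forges it. The pretend source address, the response texts and the in-process server are all constructed for the demo.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for the lab: the front end adds X-Custom-IP-Authorization
# (unless the client already sent one) and the back end trusts it blindly.
PRETEND_SOURCE_IP = "203.0.113.7"  # constructed: as if requests came from outside
AUTH_HEADER = "X-Custom-IP-Authorization"


class Handler(BaseHTTPRequestHandler):
    def log_message(self, *args):
        pass  # keep the demo quiet

    def _back_end_headers(self):
        """Headers as the back end sees them after the front end's processing."""
        headers = dict(self.headers.items())
        if AUTH_HEADER.lower() not in {k.lower() for k in headers}:
            headers[AUTH_HEADER] = PRETEND_SOURCE_IP  # client sent none: stamp real source
        return headers

    def _reply(self, status, text, content_type="text/plain"):
        data = text.encode()
        self.send_response(status)
        self.send_header("Content-Type", content_type)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_TRACE(self):
        # Debug echo of the request exactly as the back end received it. The
        # internal header shows up here: that is the information disclosure.
        echo = f"{self.command} {self.path} {self.request_version}\r\n"
        echo += "".join(f"{k}: {v}\r\n" for k, v in self._back_end_headers().items())
        self._reply(200, echo, "message/http")

    def do_GET(self):
        if not self.path.startswith("/admin"):
            self._reply(404, "Not found")
            return
        headers = self._back_end_headers()
        client_ip = next(v for k, v in headers.items() if k.lower() == AUTH_HEADER.lower())
        if client_ip != "127.0.0.1":  # the vulnerable 'local user' check
            self._reply(401, "Admin interface only available to local users")
        elif self.path.startswith("/admin/delete?username="):
            self._reply(200, "Deleted user " + self.path.split("=", 1)[1])
        else:
            self._reply(200, "Admin panel")


def request(port, method, path, headers=None):
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request(method, path, headers=headers or {})
    resp = conn.getresponse()
    body = resp.read().decode()
    conn.close()
    return resp.status, body


def headers_echoed_by_trace(port):
    """Header names the back end saw, recovered from the TRACE echo."""
    _, body = request(port, "TRACE", "/")
    return [line.split(":", 1)[0] for line in body.split("\r\n")[1:] if ":" in line]


def run_demo():
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    port = server.server_address[1]
    try:
        blocked = request(port, "GET", "/admin")  # no header: treated as external
        echoed = headers_echoed_by_trace(port)  # discovery step
        forged = request(port, "GET", "/admin/delete?username=carlos",
                         headers={AUTH_HEADER: "127.0.0.1"})  # bypass step
    finally:
        server.shutdown()
        server.server_close()
    return {"blocked": blocked, "echoed": echoed, "forged": forged}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The fix on the server side is twofold: the front end must overwrite (not merely add) any internal header it owns, and TRACE should be disabled on anything Internet-facing, since echoing the internal request is exactly how this header leaked.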
Lab 5: Version Control History
This lab discloses information through version control history. When running a gobuster scan, I found an exposed .git directory.
I can download the entire repository using wget -r https://LAB.web-security-academy.net/.git (this works because the server lists the directory contents; without an index, the object and ref files have to be fetched by name). Afterwards, I can take a look at the git log output to see any changes that were made to the repository.

Using this password, I can then log in as the admin and delete carlos.
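Why a downloaded .git directory gives away the password even after it was "removed": every commit keeps its own tree and blobs, so the old file content is still addressable by hash. As an added example, not code from this write-up or from PortSwigger, the following builds a constructed two-commit repository using git's on-disk loose-object format (zlib-compressed "type length\0payload", named by SHA-1) and then walks it from HEAD through the parent links without the git binary, which is what git log does. Only loose objects are handled; a real dump may also contain packfiles under .git/objects/pack, which need the pack format (or simply git log -p once the directory is restored). The author line, file name and secret are constructed.

```python
import hashlib
import os
import tempfile
import zlib

# Constructed minimal .git layout (loose objects plus refs), written and read
# back without the git binary. Real repositories may also use packfiles.

def object_path(git_dir, sha):
    return os.path.join(git_dir, "objects", sha[:2], sha[2:])

def write_object(git_dir, kind, payload):
    """Store a loose object the way git does: zlib(b"<kind> <len>\\0" + payload)."""
    raw = f"{kind} {len(payload)}\0".encode() + payload
    sha = hashlib.sha1(raw).hexdigest()
    path = object_path(git_dir, sha)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(zlib.compress(raw))
    return sha

def read_object(git_dir, sha):
    with open(object_path(git_dir, sha), "rb") as f:
        raw = zlib.decompress(f.read())
    header, _, payload = raw.partition(b"\0")
    return header.split(b" ")[0].decode(), payload

def write_tree(git_dir, files):
    """files: {name: blob_sha}; each entry is '<mode> <name>\\0' + 20 raw sha bytes."""
    data = b"".join(f"100644 {name}\0".encode() + bytes.fromhex(files[name])
                    for name in sorted(files))
    return write_object(git_dir, "tree", data)

def write_commit(git_dir, tree, message, parent=None):
    ident = "dev <dev@example.invalid> 1700000000 +0000"  # constructed author line
    lines = [f"tree {tree}"] + ([f"parent {parent}"] if parent else [])
    lines += [f"author {ident}", f"committer {ident}", "", message, ""]
    return write_object(git_dir, "commit", "\n".join(lines).encode())

def build_constructed_repo(root):
    """Two commits: the first adds a password, the second 'removes' it."""
    git_dir = os.path.join(root, ".git")
    os.makedirs(os.path.join(git_dir, "refs", "heads"))
    leaked = write_object(git_dir, "blob", b"ADMIN_PASSWORD=constructed-admin-password\n")
    cleaned = write_object(git_dir, "blob", b"ADMIN_PASSWORD=<set via environment>\n")
    first = write_commit(git_dir, write_tree(git_dir, {"admin.conf": leaked}), "Add admin config")
    second = write_commit(git_dir, write_tree(git_dir, {"admin.conf": cleaned}),
                          "Remove admin password from config", parent=first)
    with open(os.path.join(git_dir, "HEAD"), "w") as f:
        f.write("ref: refs/heads/master\n")
    with open(os.path.join(git_dir, "refs", "heads", "master"), "w") as f:
        f.write(second + "\n")
    return git_dir

def resolve_head(git_dir):
    with open(os.path.join(git_dir, "HEAD")) as f:
        head = f.read().strip()
    if not head.startswith("ref: "):
        return head  # detached HEAD holds the sha directly
    with open(os.path.join(git_dir, *head[5:].split("/"))) as f:
        return f.read().strip()

def parse_commit(payload):
    header, _, message = payload.partition(b"\n\n")
    fields = {}
    for line in header.decode().splitlines():
        key, _, value = line.partition(" ")
        fields.setdefault(key, []).append(value)
    return fields, message.decode().strip()

def parse_tree(payload):
    files, i = {}, 0
    while i < len(payload):
        nul = payload.index(b"\0", i)
        files[payload[i:nul].decode().split(" ", 1)[1]] = payload[nul + 1:nul + 21].hex()
        i = nul + 21
    return files

def walk_history(git_dir):
    """Follow parent links from HEAD, like `git log`, returning (message, {file: text})."""
    history, sha = [], resolve_head(git_dir)
    while sha:
        fields, message = parse_commit(read_object(git_dir, sha)[1])
        tree = parse_tree(read_object(git_dir, fields["tree"][0])[1])
        files = {name: read_object(git_dir, blob)[1].decode() for name, blob in tree.items()}
        history.append((message, files))
        sha = fields.get("parent", [None])[0]
    return history

def demo():
    with tempfile.TemporaryDirectory() as root:
        return walk_history(build_constructed_repo(root))
```

Running demo() yields the newest commit first, with the sanitised file, followed by the original commit whose blob still carries the password. The same walk against a .git directory pulled with wget -r is what git log -p automates; a commit message such as "Remove admin password" is the signal to look at the previous revision.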