🟢Learning Objective 4

Task

In the Attack Lab:

  1. Find and exploit the LFI vulnerability in the resources app https://resourcespharmacorp.azurewebsites.net/

  2. Extract the information from the Application settings

Applies to: Attack Lab

Topics Covered: LFI Vulnerability Exploitation and Information Extraction

In the previous task we found some endpoints. After investigating them, we have an ASPx web app at the URL:

https://resourcespharmacorp.azurewebsites.net

Scroll down and click on: Download Brochure

A new window opens, and if we check the end of the URL, it is possible to read files.

Since it is an ASPx app, let's try to read the file:

WEB-INF/web.xml
https://resourcespharmacorp.azurewebsites.net/main?action=getData&fileName=WEB-INF/web.xml

After reading the file, we found a ClientSecret.

ClientSecret - 7e7730b1-29ab-4adf-bb20-7ae61987d01f:~9j8Q~f339gnUfSBxSO5yuQXM6ztfCBL8LPjXa3I

Lessons Learned

After enumerating one resource, we found the LFI vulnerability, and it was possible to read the ASPx file WEB-INF/web.xml and read a ClientSecret.
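
From the defender's side, the flaw above is a download handler that passes `fileName` to the file system without confining it to the brochure directory. The following is an added example, not code from the lab or from the application: a Python sketch of the check such a handler needs, where `resolve_download`, `RejectedFileName`, the `downloads` directory and the sample file tree are all hypothetical names constructed for illustration.

```python
import tempfile
from pathlib import Path
from urllib.parse import unquote


class RejectedFileName(ValueError):
    """Raised when a requested fileName must not be served."""


def resolve_download(base_dir: Path, file_name: str) -> Path:
    """Map a user-supplied fileName to a file strictly inside base_dir."""
    # Assumption: the framework decoded the query string once already; decode
    # again so encoded separators are validated in the form that gets opened.
    candidate = unquote(file_name).replace("\\", "/")
    if "\x00" in candidate or candidate.startswith("/") or ":" in candidate:
        raise RejectedFileName("absolute path, drive letter or NUL byte")
    base = base_dir.resolve()
    target = (base / candidate).resolve()  # collapses ".." and follows symlinks
    if not target.is_relative_to(base):
        raise RejectedFileName("path escapes the download directory")
    if not target.is_file():
        raise RejectedFileName("no such downloadable file")
    return target


def demo() -> dict:
    """Build a constructed app tree and record the outcome for each name."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "WEB-INF").mkdir()
        (root / "WEB-INF" / "web.xml").write_text("<placeholder-config/>")
        (root / "downloads").mkdir()
        (root / "downloads" / "brochure.pdf").write_text("constructed sample")
        for name in ["brochure.pdf", "WEB-INF/web.xml", "../WEB-INF/web.xml",
                     "..%2fWEB-INF%2fweb.xml", "/etc/passwd"]:
            try:
                resolve_download(root / "downloads", name)
                results[name] = "served"
            except RejectedFileName as exc:
                results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name!r:32} -> {outcome}")
```

Only the brochure is served; the configuration file is rejected because downloads are rooted in their own directory rather than the application root, and secrets such as the ClientSecret belong in a secret store instead of a file under the web root.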
