# Enable button and grab flag

- We will need to manipulate the response to enable the disabled button
- Open `zaproxy`
- Launch the built-in browser
- Toggle on interception with the green circle
    - This creates a break on all requests & responses
- Navigate to `94.237.54.0:31861/lucky.php`

![[images/Pasted image 20251114193006.png]]

- View the response

![[images/Pasted image 20251114193143.png]]

- We will have to remove the `disabled` string from the button
- [Ctrl+r] to enter the replacer and add a replacement rule as follows

![[images/Pasted image 20251114193304.png]]

- This enables repeated clicking of the button with the same manipulated response
- After 8+ clicks, the flag is displayed under the button in the browser

# Cookie Decode

- Visit `94.237.54.0:31861/admin.php` twice so that the second request includes the session ID and cookie

![[images/Pasted image 20251114200350.png]]

- Send to `Decoder`
- First decode with ASCII hex, second decode with base64

![[images/Pasted image 20251114200432.png]]

- Send the request to `Intruder`
- Set up the payload such that:
    - wordlist = `/usr/share/Seclists/Fuzzing/alphanum-case.txt`
    - decoded cookie = prefix
    - processing = reverse order of above decoders

![[images/Pasted image 20251114200622.png]]

- Start the attack
- Sort by length once complete and look at the response

![[images/Pasted image 20251114200753.png]]

# Debug `coldfusion_local_traversal` MSF module

- Set up the module in MSF targeting `http://94.237.54.0:31861`
    - Search for the module

![[images/Pasted image 20251114201613.png]]

- Set options

![[images/Pasted image 20251114201636.png]]

- Note the proxy is set such that it will go to Burp when set to intercept: `127.0.0.1:8080`
- We have the request in Burp

![[images/Pasted image 20251114201722.png]]

- Send to `Repeater` and send the request to view the response

![[images/Pasted image 20251114201832.png]]
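
The encoding chain from the Cookie Decode section, as an added example (not part of the original notes): it undoes the two layers offline and rebuilds what the Intruder payload processing emits for each wordlist entry, so the Decoder and Intruder settings can be checked against each other. The sample value, the function names and the use of `string.ascii_letters + string.digits` in place of the wordlist file are assumptions.

```python
import base64
import binascii
import string

# Assumption: stands in for the alphanumeric wordlist named in the notes.
ALPHANUM = string.ascii_letters + string.digits

# Constructed sample value, NOT the lab's real cookie.
SAMPLE_PLAIN = "constructedsessionprefix"


def encode_cookie(plain: str) -> str:
    """Payload-processing order: base64 first, then ASCII hex."""
    b64 = base64.b64encode(plain.encode("ascii"))
    return binascii.hexlify(b64).decode("ascii")


def decode_cookie(cookie: str) -> str:
    """Decoder order: ASCII hex first, then base64."""
    try:
        b64 = binascii.unhexlify(cookie.strip())
        return base64.b64decode(b64, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError(f"not hex(base64(ascii)): {exc}") from exc


def candidate_cookies(prefix: str, alphabet: str = ALPHANUM) -> dict:
    """Map each appended character to the cookie value it would produce."""
    return {ch: encode_cookie(prefix + ch) for ch in alphabet}


def round_trips(cookie: str) -> bool:
    """True when re-encoding the decoded value reproduces the cookie exactly."""
    return encode_cookie(decode_cookie(cookie)) == cookie.strip().lower()


if __name__ == "__main__":
    cookie = encode_cookie(SAMPLE_PLAIN)
    print("cookie      :", cookie)
    print("decoded     :", decode_cookie(cookie))
    print("round trips :", round_trips(cookie))
    cands = candidate_cookies(decode_cookie(cookie))
    print("candidates  :", len(cands))
    print("example 'a' :", cands["a"])
```

Because both layers are keyless encodings, anyone holding the cookie can read and rebuild it; the only unknown left is the single appended character.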