## `dev.inlanefreight.local`
- after a Google image search, this is an Azure Key Vault ![[images/Pasted image 20260628152723.png]]
- `admin:admin` doesn't work
- `request:response` in Burp ![[images/Pasted image 20260628211811.png]]
- test for SQLi?
### fuzzing
- directory
    - raft-medium ![[images/Pasted image 20260630102835.png]]
    - 2.3-medium ![[images/Pasted image 20260630103918.png]]
- page
    - clearly there is a flag here ![[images/Pasted image 20260630104309.png]]
### `upload.php`
- enum available methods
```bash
curl -X OPTIONS -i http://dev.inlanefreight.local/upload.php
```
![[images/Pasted image 20260630103855.png]]
- try changing HTTP method to POST ![[images/Pasted image 20260630103456.png]]
- try changing HTTP method to TRACK ![[images/Pasted image 20260630103437.png]]
- interesting header in the response
    - add header to request with localhost ![[images/Pasted image 20260630104943.png]]
    - render ![[images/Pasted image 20260630105005.png]]
- how do we access this page in Firefox?
    - right-click within the response portion of Repeater and copy the link to the browser
    - make sure the proxy is on when pasting the link ![[images/Pasted image 20260630111059.png]]
### webshell
- cannot upload plain `shell.php`
- try `shell.php.jpg` ![[images/Pasted image 20260630111317.png]]
- it's not executing the webshell ![[images/Pasted image 20260630114049.png]]
- upload `shell.php` with `Content-Type: image/jpg` ![[images/Pasted image 20260630120709.png]]
- try to `curl [...] ?cmd=id`
```bash
# quote the URL so the shell does not treat `?` as a glob character
curl 'http://dev.inlanefreight.local/uploads/shell.php?cmd=id'
```
![[images/Pasted image 20260630120752.png]]
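
Remediation note for the report: the last upload is accepted once the request's `Content-Type` says `image/jpg`, while the file keeps its `.php` name. A hardened check that ignores both client-supplied values, as an added example (not the target's code; `safe_upload_name`, the allowlist and the sample bodies are assumptions constructed here):

```php
<?php
declare(strict_types=1);

// Detected MIME type => extension the server assigns. Nothing else is stored.
const ALLOWED_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
];

/**
 * Decide whether an upload is stored, and under which name.
 * $clientName and $clientType come from the request; they are parameters
 * only to show that neither one influences the decision.
 * Returns the server-chosen filename, or null when the upload is rejected.
 */
function safe_upload_name(string $clientName, string $clientType, string $bytes): ?string
{
    // Sniff the type from the content itself, not from the Content-Type header.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes);
    if (!is_string($detected) || !array_key_exists($detected, ALLOWED_TYPES)) {
        return null;
    }
    // Random base name, extension taken from the detected type. An image/PHP
    // polyglot that passes the sniff is still stored as .jpg or .png, never .php.
    return bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$detected];
}

// Constructed samples: client filename, client Content-Type, body.
$jpegHeader = "\xFF\xD8\xFF\xE0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00";
$phpBody    = "<?php echo 'constructed sample'; ?>";
$samples = [
    ['shell.php',     'image/jpg',  $phpBody],
    ['shell.php.jpg', 'image/jpeg', $phpBody],
    ['photo.jpg',     'image/jpeg', $jpegHeader],
];

foreach ($samples as [$name, $type, $body]) {
    $stored = safe_upload_name($name, $type, $body);
    printf("%-14s %-11s => %s\n", $name, $type, $stored ?? 'rejected');
}

// In a real handler the bytes come from $_FILES[...]['tmp_name'] and the file is
// written with move_uploaded_file() into a directory where script execution is off.
```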