## `dev.inlanefreight.local` - after google image searching, this is an azure key vault ![[images/Pasted image 20260628152723.png]] - `admin:admin` doesnt work - `request:response` in burp ![[images/Pasted image 20260628211811.png]] - test for SQLi? ### fuzzing - directory - raft-medium ![[images/Pasted image 20260630102835.png]] - 2.3-medium ![[images/Pasted image 20260630103918.png]] - page - clearly there is a flag here ![[images/Pasted image 20260630104309.png]] ### `upload.php` - enum available methods ```bash curl -X OPTIONS -i http://dev.inlanefreight.local/upload.php ``` ![[images/Pasted image 20260630103855.png]] - try changing http method to POST ![[images/Pasted image 20260630103456.png]] - try changing http method to TRACK ![[images/Pasted image 20260630103437.png]] - interesting header in the response - add header to request with localhost ![[images/Pasted image 20260630104943.png]] - render ![[images/Pasted image 20260630105005.png]] - how do we access this page in firefox? - right-click within response portion of repeater and copy link to browser - make sure proxy is on when pasting link ![[images/Pasted image 20260630111059.png]] ### webshell - cannot upload plain `shell.php` - try `shell.php.jpg` ![[images/Pasted image 20260630111317.png]] - it's not executing the webshell ![[images/Pasted image 20260630114049.png]] - upload `shell.php` with content type: image/jpg ![[images/Pasted image 20260630120709.png]] - try to `curl [...] ?cmd=id` ```bash curl http://dev.inlanefreight.local/uploads/shell.php?cmd=id ``` ![[images/Pasted image 20260630120752.png]]