برای دریافت این دستاورد باید یک write-up پنج‌ستاره در آکادمی داشته باشین.

ارائه و انتشار یک رایت‌آپ پنج‌ستاره‌ای برای جعبه‌ها

Walkthrough

با شرکت در امتحان اوسپ و حل کردن تمامی سوالات آن به این دستاورد می‌رسید.

حل تمامی سوالات امتحان اوسپ و کسب نمره کامل 

OWASPer

برای دریافت این دستاورد، باید در امتحان اوسپ نمره «قبولی» کسب کنین.

نفراتی که موفق به کسب نمره قبولی در امتحان اوسپ شدن

Baby OWASP

#### Requirements
+ Programming Language: PHP
+ Skill: Source Code Analysis, Endpoint Discovery
+ Command Injection: Identifying Vulnerable Endpoints, Bypass Filters

#### Objective
Carefully browse the site, paying attention to the source code to identify an endpoint that passes user input into the shell. Your goal is to execute the `id` command and capture its output, then read the `/flag` file to complete the challenge.

Metronium

Examine the login process closely to discover and exploit a logical vulnerability.

#### Requirements
+ Category: Broken Authentication
+ Skill: Logical Analysis of Authentication Flows
+ Objective: Unauthorized Account Access

#### Objective
Log in to the web application and carefully observe the authentication flow. Pay close attention to any extra steps or unusual behavior. Understand the underlying logic, identify a flaw, and exploit it to log in as the user `mamad` to complete the challenge.


Easy Auth

Analyze the application's authentication flow and investigate potential flaws in cookie handling.

#### Requirements
+ Category: Broken Authentication
+ Skill: Cookie Analysis and Manipulation

#### Objective
Carefully review the authentication flow and monitor the cookies for any unusual behavior. Identify a vulnerability that allows you to manipulate cookies and escalate privileges to become an administrator. Successfully achieve administrative access to obtain the flag.


Broken Auth

**Requirements**

- Programming Language: JavaScript
- Browsers fundamentals such as Simple request, SameSite, etc

**Objective**
Exploit the CSRF vulnerability to change user's email address. Login with `user:password` credentials and check how forms are submitted and see if you can manipulate the request. Seems the content type is JSON, and the request cannot be CSRFed. Can we be sure about that?

Da Vinci

This is a black-box challenge, and there is no source code.

#### Requirements
+ SQL Injection: Understanding backend mechanisms and bypassing sanitization filters

#### Objective
Your goal is to extract the flag from the database by exploiting a SQL injection vulnerability.

SQLi Level 8 - BlackBox 1

Explore the application to locate backup files and exploit insecure deserialization.

#### Requirements
+ Vulnerability Type: Insecure Deserialization
+ Skill: File Fuzzing and Exploitation

#### Objective
Fuzz the server for `.zip` files using this [wordlist](https://gist.github.com/yassineaboukir/8e12adefbd505ef704674ad6ad48743d) to locate a backup file. Analyze the backup file for insecure deserialization vulnerabilities. Exploit the vulnerability to execute a command on the server and read the `/flag` file to complete the challenge.

Timex

Use the path `/proxy/internal_website/mamad.txt` to investigate its behavior and potential for exploitation.

#### Requirements
+ Topic: Attacking Secondary Contexts in Web Applications
+ Skill: Understanding Proxy Behavior
+ Vulnerability: Path Traversal, SSRF

#### Objective
Determine if the path sends an HTTP request to an internal server. If so, manipulate the path to access forbidden locations on the internal server and retrieve the private note.

Simple SSRF

This challenge replicates a real-world $3500 bug. Investigate the application to uncover misconfigurations.

#### Requirements
+ Vulnerability Type: Security Misconfiguration
+ Skill: Server-side investigation and Misconfiguration Exploitation

#### Objective
The challenge will load as a blank page, this is the intended behavior. Your task is to identify a vulnerability caused by misconfiguration and exploit it to read the `/flag` file on the server.


Real Mis

#### Requirements
+ Programming Language: PHP
+ Skill: Server-Side Analysis
+ Command Injection: Understanding Server Behavior

#### Objective
Your goal is to analyze the server-side functionality to understand how inputs are handled. Develop a command injection payload to execute shell commands on the server and retrieve the `/flag` file to complete the challenge.

Safe UUID

Use the parameter `/?source=true` to view the source code.

#### Requirements
- Programming Language: PHP
- Skill: Source Code Auditing
- SQLi: WAF Bypassing techniques

#### Objective
Your goal is to extract the flag from the database by exploiting a SQL injection vulnerability and bypassing the WAF

SQLi Level 6 - WAF Bypass 2

Explore the application's API to identify exposed documentation and access restricted routes.

#### Requirements
+ Category: API Security
+ Skill: API Enumeration and Exploitation

#### Objective
Start by fuzzing the application to locate the Swagger documentation. Analyze the discovered API endpoints and attempt to access the admin route.

Herra

Analyze the application's password recovery process to uncover and exploit vulnerabilities in authentication.

#### Requirements
+ Category: Broken Authentication
+ Skill: Reconnaissance and Exploiting Weak Token Generation

#### Objective
Carefully examine the "Forgot Password" functionality. Look for patterns in the password reset links, Can you guess another user's reset link? Use the endpoint `/api/v1/:email` to gather information (this step is outside the challenge scope). Focus on narrowing your recon to identify the administrator's account. Exploit the vulnerability to access the administrator's account and browse the `/admin` panel.


Thor

Investigate the application's confirmation functionality to identify logical vulnerabilities.

#### Requirements
+ Category: Broken Authentication
+ Skill: Analyzing Logic Flaws

#### Objective
Carefully examine the confirmation functionality for logical flaws. While not part of the challenge, you can gather information using `/api/v1/:email`. Use this information to uncover and exploit a logical vulnerability. Successfully exploit the vulnerability to access the `/admin` panel.


#### Requirements
+ Programming Language: JavaScript
+ Cross-Origin Resource Sharing (CORS): Filters Bypass

#### Objective
Your goal is to exploit a CORS misconfiguration to steal the admin's `API_KEY`. Begin by logging into the provided credentials and monitoring all HTTP requests. Carefully analyze these requests for potential CORS issues. Conduct tests to identify and exploit the misconfiguration, then craft a malicious link to trick the admin and exfiltrate their `API_KEY`.

#### Credentials:
Admin:
- Username: `voorivex_lab`
- Password: `supersecretpassword`

User:
- Username: `user`
- Password: `user`


GoodCMS

#### Requirements
+ Programming Language: PHP
+ SQL Injection: Blind Techniques

#### Objective
Investigate the application’s logging functionality to identify an entry point for SQL injection. Analyze potential user input fields that could lead to SQLi, and leverage this entry point to retrieve sensitive information.

Crazy Log

Analyze the uploader functionality and answer the following questions:

- Where are the files stored?
- How can I access the uploaded files?
- Does it use a blacklist or whitelist approach?
- Does it safe or not?

### Requirements
- Vulnerability Type: Arbitrary File Upload
- Skill: Web application architecture, uploaders trick

#### Objective
Try to read the `/flag` in the server

Upload Me 3

Use the parameter `/?url=URL` to test for open redirect vulnerabilities. You’ll need to bypass the regex filter and closely analyze the **JavaScript** on the page to uncover how the redirection actually works.  

### Requirements  
- **Programming Language**: PHP / JavaScript  
- **Open Redirect**: Regex Bypass

### Objective  
Your goal is to:  
1. **Bypass the regex validation** to input a valid redirect URL.  
2. **Analyze the JavaScript** on the page to understand how it processes other parts of the URL.  
3. Exploit the open redirect vulnerability to redirect the user to an external site successfully.

Easy Door

This application appears static at first glance—but is it really?

#### Requirements

- Capability of fuzzing in various areas
- Narrow recon + focus
- Application analysis

Note: Use the first 1000 lines of `raft-small-directories-lowercase.txt` as your fuzzing dictionary

#### Objective
Read the `/flag` in the server


Fuzz Me

Your goal is to craft a payload that abuses the `postMessage` functionality to execute arbitrary JavaScript code. Pay attention to:

- Token Generation and Validation: The token is generated each time the page loads, and it’s expected to match the token in incoming messages. Consider if there’s a way to capture or predict the token. Since it’s shared with the parent window, see if there’s an opportunity to manipulate the exchange
- Constructing a Valid Message: If you can obtain the correct token, then crafting a message that includes { `token: <token>, url: <malicious_url>` } might trigger the redirect. Look into methods for observing the initial token or guessing it

PostMessage 3

Analyze the web application for a vulnerable endpoint and craft a payload to execute a DOM-based Cross-Site Scripting (XSS) attack.

#### Requirements
+ Cross-Site Scripting(XSS)
+ Skill: JavaScript Analysis and Payload Crafting


#### Objective
Identify a point in the application's DOM where user input is improperly sanitized, craft a malicious payload.

DOM XSS 1

Investigate the application's file upload functionality to identify potential vulnerabilities.

#### Requirements
+ Vulnerability Type: XML External Entity (XXE) 
+ Skill: Exploiting XXE via `.docx` files

#### Objective
Locate a section of the application that allows uploading `.docx` files. Determine if it is vulnerable to XXE exploitation, and leverage this vulnerability to read the `/flag` file from the server.

XXE - Docx

Analyze the application for sections that process XML data and exploit vulnerabilities in its handling.

#### Requirements
+ Vulnerability Type: XML External Entity (XXE)
+ Skill: Data exfiltration via OOB

#### Objective
Identify a section of the application that accepts XML input and produces an independent response. Exploit this functionality to read the `/flag` file.

XXE - Blind

Investigate the application's data parsing functionality and exploit it to access restricted endpoints.

#### Requirements
+ Vulnerability Type: XML External Entity (XXE)
+ Skill: Exploiting SSRF via XXE

#### Objective
Locate a section of the application that accepts JSON data. Convert the JSON to XML and check if the application parses it. If it does, exploit the XML parsing to perform SSRF and access `http://127.0.0.1:3000/admin.php`.

XXE - SSRF

Explore the application to identify an endpoint and leverage directory traversal to access sensitive files.

#### Requirements
+ Security Misconfiguration
+ Skill: Directory Traversal
+ Webserver: Nginx

#### Objective
Spot an endpoint within the application and attempt to navigate through directories to locate and retrieve the flag from the source code files.

Travel

Use the parameter `/?source=true` to view the source code.

#### Requirements
+ Programming Language: PHP
+ Skill: Source Code Auditing
+ SQL

#### Objective
Your goal is to extract the flag from the database by exploiting a SQL injection vulnerability.

SQLi Level 7 - Escape String Bypass

Use the parameter `/?source=true` to view the source code.

#### Requirements
- Programming Language: PHP
- Skill: Source Code Auditing
- SQLi: Blind technique in boolean values

#### Objective
Your goal is to extract the flag from the database by exploiting a SQL injection vulnerability

SQLi Level 3 - Boolean Blind

#### Requirements
+ Programming Language: PHP
+ SQLi: Automated Exploitation Scripting

#### Objective
Identify and exploit the SQL injection vulnerability in the challenge. Write a script to exploit and extract information from the database.

Harry

Analyze the uploader functionality to identify weaknesses in its design and bypass file upload restrictions.

#### Requirements
+ Vulnerability Type: Insecure Design
+ Skill: Uploader Tricks

#### Objective
Try to read the `/flag`

Safe Uploader

Analyze the web application's JSONP implementation to identify and exploit authentication vulnerabilities.

#### Requirements
+ Category: Broken Authentication
+ Skill: JSONP Exploitation and Information Theft

#### Objective
Log in to the web application using the credentials `user` / `123@!`. Investigate if any JavaScript object contains sensitive information, such as an API key. Develop an attack scenario to exploit the vulnerability and steal the API key. Provide a crafted link to demonstrate the attack. For testing, use the admin credentials: `admin` / `R@!xK3m$s0`.

JSONP

Identify and exploit weaknesses in the application's checker function to bypass its restrictions.

#### Requirements
+ Server-Side Request Forgery (SSRF)
+ Skill: Understanding and Bypassing Input Validation

#### Objective
Your goal is to bypass the checker function and successfully access the `/admin` endpoint.


Server Side Request Forgery 4

#### Requirements
+ Programming Language: PHP
+ Skill: Header Analysis, Out-of-Band Data Exfiltration
+ Command Injection: Analyzing Server Backend and Exploring Alternative Paylods

#### Objective
Your goal is to understand why the Level 3 payload fails here. Set up a listener on your server and specify your IP and PORT as `http://IP:PORT` to inspect the request headers. Use these insights to deduce the command executed by the server. If direct command injection is unsuccessful, explore alternative techniques to read the `/flag` file.

Command Injection 5 - Partial 2

Server Side Request Forgery 3

Explore the application's XML handling functionality to identify and exploit vulnerabilities.

#### Requirements
+ Vulnerability Type: XML External Entity (XXE)
+ Skill: Exploiting XML Parsing

#### Objective
Find a section of the application that processes XML data and generates a dependent response. Exploit the XML parsing to read the `/flag` file and demonstrate the vulnerability.

XXE - Simple

Investigate the application's authentication mechanism and analyze its cryptographic implementation.

#### Requirements
+ Cryptographic Failures
+ Skill: JWT Analysis and Token Tampering

#### Objective
Register a user and log in to observe the JWT. Analyze the token and identify potential vulnerabilities. Although the `id` claim appears to be a randomly generated value, tampering with the token could grant access to the administration panel. Use basic application reconnaissance techniques to uncover the administrator's `id`. Your goal is to successfully access the `/admin` route by exploiting weaknesses in the cryptographic design.

Odin

Identify and exploit the open redirect vulnerability.

### Requirements
+ Open Redirect
+ Skill: URL Manipulation and Validation Bypassing

### Objective
Find and exploit an open redirect vulnerability that allows you to redirect users to `https://voorivex.academy`


Close Door

Analyze the uploader functionality and answer the following questions:

- Where are the files stored?
- How can I access the uploaded files?
- Does it use a blacklist or whitelist approach?
- Does it safe or not?

### Requirements
- Vulnerability Type: Arbitrary File Upload
- Skill: Web application architecture, uploaders trick

#### Objective
Try to read the `/flag` in the server


Upload Me 2

Upload Me 1

Seems you are trapped in your restricted account, can you break and get out of your account? Register a new account on the challenge and examine the JWT token behavior and try to find a way to bypass authentication.

#### Requirements
- Cryptographic Failures
- Skill: JWT Analysis and Token Tampering

#### Objective
Get into the `administrator` account to capture the flag

**Requirements**

- Programming Language: JavaScript
- Browsers fundamentals such as Simple request, SameSite, etc

**Objective**
Exploit the CSRF vulnerability to change administrator's password. Login with `mamad:mamad` credentials and check how forms are submitted and see if you can manipulate the request. Seems the content type is JSON, and the request cannot be CSRFed. Can we be sure about that?

Easy CSRF 2

Easy CSRF 1

Your goal is to craft a payload that abuses the `postMessage` functionality to execute arbitrary JavaScript code. Pay attention to:

- Regex Pattern: The origin regex only allows `sso`, accounts, and `www` subdomains of `voorivex-lab.online`. Look for ways to craft an origin that passes this check but redirects elsewhere
- URL Validation: If you pass the origin check, the `url` in event.data must also be valid. Consider encoded values or unusual structures



PostMessage 4

Identify an endpoint vulnerable to open redirect, leverage a relative path, and redirect the user to a malicious destination to retrieve the flag.

#### Requirements
+ Open Redirect
+ Skill: Exploiting Redirect Vulnerabilities

#### Objective
Discover an open redirect vulnerability within the application, craft a relative path payload to manipulate the redirect behavior.

Relative Path 2

SQLi Level 5 - WAF Bypass 1

Use the parameter `/?source=true` to view the source code.

#### Requirements
- Programming Language: PHP
- Skill: Source Code Auditing
- SQLi: Time-based technique

#### Objective
Your goal is to extract the flag from the database by exploiting a SQL injection vulnerability

SQLi Level 4 - Time Blind

Investigate the web application for misconfigurations that reveal sensitive information.

#### Requirements
+ Vulnerability Type: Security Misconfiguration
+ Skill: Triggering and Analyzing Debug Information

#### Objective
Your task is to identify and exploit a misconfiguration in the application to generate a stack trace, exposing sensitive information.

PHP CMS

Command Injection 4 - Partial 1

Server Side Request Forgery 2

#### Requirements
+ Programming Language: PHP
+ Command Injection: Bypassing Filters
+ Search on the net for payloads

#### Objective
Your goal is to achieve command injection by testing various payloads to bypass server-side filters, allowing arbitrary command execution. Use manual techniques only (no automated tools like Commix) to find a way around the restrictions and read the `/flag` file.

Command Injection 3 - Filter Bypass

#### Requirements
+ Programming Language: PHP
+ RCE: Filtering bypass

#### Objective
Your goal is to execute code on the server and read the `/flag` file by identifying a way to inject commands without breaking the context.

Remote Code Execution 3

#### Requirements
+ Programming Language: PHP
+ RCE: Context Breaking and Filename Validation Bypass

#### Objective
Your goal is to read the `/flag` file by breaking the context with specific characters, analyzing the filename validation logic, and adjusting the input to achieve code injection.

Remote Code Execution 2

Explore the application's input handling to identify and exploit a mass assignment vulnerability.

#### Requirements
+ Category: API Security
+ Skill: Mass Assignment Exploitation

#### Objective
Investigate the application's forms or API endpoints for mass assignment vulnerabilities. Identify unintentionally writable parameters and exploit this flaw to perform unauthorized actions, such as escalating privileges or modifying restricted data. Use this exploit to achieve the challenge goal.

Otex

This challenge simulates a **real-world IDOR** vulnerability that’s harder to spot. The goal is to exploit an issue with how user IDs are managed in the system.  

### Steps  
1. **Login** into the web application and observe the user’s unique ID.  
2. **Find a way** to disclose other users' IDs. You may need to inspect API calls or analyze the requests in the background.  
3. Use your findings to **access the admin’s attachment (ID: 23)**.  

### Requirements  
- **Knowledge of API Interactions**: You may need to interact with the API to discover hidden endpoints or data.  
- **Exploration of the Application**: Observe how the system handles user IDs and determine if they can be manipulated.  
- **Insecure Direct Object Reference (IDOR)

### Objective  
Your goal is to find a way to **access the admin's attachment** by exploiting an **IDOR vulnerability** in the web application.  


Hack the Object

Use the parameter `/?url=URL` to test for open redirect vulnerabilities.

#### Requirements
+ Programming Language: PHP
+ Open Redirect: Regex Bypass

#### Objective
Your goal is to identify and exploit the open redirect vulnerability to redirect the user to an external site, bypassing URL validation mechanisms.


Open Door

Your goal is to craft a payload that abuses the `postMessage` functionality to execute arbitrary JavaScript code. Pay attention to:

- Origin Check: Although there is an `e.source !== window.parent` check, it does not validate the actual origin of the message. Think about ways to bypass this check if you can control the origin
- `loadJs` and `initConfig` Commands: The code responds to specific commands, which can be sent with a crafted message. Focus on how you might send a message that includes these types to inject a script or modify configuration settings

PostMessage 2

Your goal is to craft a payload that abuses the `postMessage` functionality to execute arbitrary JavaScript code. Pay attention to:

- Consider how `postMessage` works and how to send a crafted message to trigger this vulnerability
- Think about how `eval` could be exploited to execute any JavaScript code passed in
- Watch for any edge cases where `msgObj` might not be defined as expected

PostMessage 1

#### Requirements
+ Programming Language: JavaScript/HTML
+ Cross-Site Scripting (XSS)

#### Objective
Identify an input field or URL parameter where user input is not properly sanitized. Craft a XSS payload to trigger an alert or execute JavaScript within the browser. Your ultimate goal is to exploit this vulnerability and potentially read sensitive information from the page.

XSS Lab 11 - Black List

XSS Lab 10 - XML

XSS Lab 9 - Scheme

XSS Lab 8 - JS Tricks

XSS Lab 7 - POST Based

XSS Lab 6 - HTML Encode

XSS Lab 5 - Path Based

#### Requirements
+ Programming Language: JavaScript/HTML
+ Cross-Site Scripting (XSS)

#### Objective
Identify an input field or URL parameter where user input is not properly sanitized. Craft an XSS payload to trigger an alert or execute JavaScript within the browser. Your ultimate goal is to exploit this vulnerability and potentially read sensitive information from the page.

XSS Lab 4 - Break

XSS Lab 3 - Stored

XSS Lab 2 - DOM Based

XSS Lab 1 - Reflected

#### Requirements
+ Cross-Site Scripting(XSS)
+ Skill: JavaScript Tricks

#### Objective
Find a way to inject a payload using the "javascript:" schema and successfully trigger a POP alert in the application’s DOM environment to complete the challenge.

DOM Schema

Relative Path 1

Use the parameter `/?source=true` to view the source code.

#### Requirements
- Programming Language: PHP
- Skill: Source Code Auditing
- SQLi: UNION technique in integer values

#### Objective
Your goal is to extract the flag from the database by exploiting a SQL injection vulnerability

SQLi level 2 - Integer UNION

Use the parameter `/?source=true` to view the source code.

#### Requirements
- Programming Language: PHP
- Skill: Source Code Auditing
- SQLi: UNION technique in string values

#### Objective
Your goal is to extract the flag from the database by exploiting a SQL injection vulnerability

SQLi Level 1 - String UNION

#### Requirements
+ Programming Language: Python
+ SSTI: Exploitation Techniques, SSTImap

#### Objective
Identify the flaw in the application and attempt to exploit it to gain access to sensitive information. Utilize Tplmap or similar tools to facilitate your exploitation efforts. Your final goal is to read the `/flag` file to complete the challenge.

SSTI

#### Requirements
+ Programming Language: PHP
+ Command Injection: Command Separators, Out-of-Band Data Exfiltration

#### Objective
Your goal is to exploit the blind command injection vulnerability by using a command separator to execute commands on the server. Use an Out-of-Band (OOB) technique to retrieve command output and read the `/flag` file.


Command Injection 2 - Blind

Server Side Request Forgery 1

#### Requirements
+ Programming Language: PHP
+ Command Injection: Command Separators

#### Objective
Your goal is to exploit the command injection vulnerability by inserting a command separator to execute additional commands on the server and read the `/flag` file.

Command Injection 1

#### Requirements
+ Programming Language: PHP
+ RCE: Basic Remote Code Execution via Context Breaking

#### Objective
Your goal is to achieve PHP code execution via context breaking to read the `/flag` file.

Remote Code Execution 1

گواهینامه قبولی در امتحان کلاس، نفرانی که این گواهینامه را دریافت دارند توانسته‌اند در امتحان اوسپ نمره قبولی را بگیرند.

OWASP Exam

# Mig Mig Challenge

The challenge, **"Mig Mig,"** is designed for the **Guts Hunt Class's Talent Program.** Anyone can participate, as it also serves an educational purpose. The challenge **began on March 5th** and will be available for **seven days, until March 12th at 21:00 GMT+3:30**.

The challenge requires a basic understanding of **Networks**, **Web Applications**, **HTTP**, **JavaScript**, **Programming Concepts**, and **Security Fundamentals** *(excluding Steganography and Forensics)*. **Brute-force attacks and fuzzing are not required** for any part of this challenge and may result in a **permanent IP ban**. Strong **critical thinking skills** are essential, and you are encouraged to use online resources such as **Google**, **ChatGPT**, and others.

## Challenge Structure

This challenge features **six vulnerabilities** that you must exploit to obtain the corresponding flags. Each flag follows this format: `FLAGn_xyz...`. The flags you collect must be submitted on the `/panel/flags` page. Once all six flags are submitted, you will receive the **Final Flag** in this format: `flag_xyz...`. Along with the final flag, you will receive **instructions on where to submit the final flag, where to send the challenge write-up, and what information to include**.

It is recommended that you **create your challenge account using your Voorivex Academy username** so we can track your collected flags and progress. A **lottery will then determine class admission**.

## Scoring System

- **Three Easy vulnerabilities** – **1 point each**
- **Two Medium vulnerabilities** – **2 points each**
- **One Hard vulnerability** – **3 points**
- **Total possible score: 10 points**

## Challenge Website
You can access the challenge website from [mig-mig.ir](https://mig-mig.ir)

🔴ARE YOU A ONE OR A ZERO?