University of Straya - Part 1

University of Straya Parts 1, 2 and 3 all use the same target!

Author: ghostccamm

Category: web

Difficulty: Medium

Description

The University of Straya are about to release their new Assignment Submission System (ASS) in two days, but have some concerns about the security of the platform. These concerns stemmed from the lead web developer admitting to inhaling burnt Hungry Jacks toys while developing the Flask REST API.

To ensure the security of the platform follows best standards, you have the following goals to achieve:

  1. Bypass authorization and view the admin console located at /admin.
  2. Bypass access controls that prevent students from viewing other assignment submissions or the source code for the API. To demonstrate you have achieved this goal, there is a file called flag.txt in the API source code folder.
  3. Exploit any critical vulnerabilities, such as RCE. If you can achieve RCE, run the command getfinalflag to get the flag.

University of Straya - Part 2

Author: ghostccamm

Category: web

Difficulty: Medium

Description

The University of Straya are about to release their new Assignment Submission System (ASS) in two days, but have some concerns about the security of the platform. These concerns stemmed from the lead web developer admitting to inhaling burnt Hungry Jacks toys while developing the Flask REST API.

To ensure the security of the platform follows best standards, you have the following goals to achieve:

  1. Bypass authorization and view the admin console located at /admin. DONE
  2. Bypass access controls that prevent students from viewing other assignment submissions or the source code for the API. To demonstrate you have achieved this goal, there is a file called flag.txt in the API source code folder.
  3. Exploit any critical vulnerabilities, such as RCE. If you can achieve RCE, run the command getfinalflag to get the flag.

University of Straya - Part 3

Author: ghostccamm

Category: web

Difficulty: Hard

Description

The University of Straya are about to release their new Assignment Submission System (ASS) in two days, but have some concerns about the security of the platform. These concerns stemmed from the lead web developer admitting to inhaling burnt Hungry Jacks toys while developing the Flask REST API.

To ensure the security of the platform follows best standards, you have the following goals to achieve:

  1. Bypass authorization and view the admin console located at /admin. DONE
  2. Bypass access controls that prevent students from viewing other assignment submissions or the source code for the API. To demonstrate you have achieved this goal, there is a file called flag.txt in the API source code folder. DONE
  3. Exploit any critical vulnerabilities, such as RCE. If you can achieve RCE, run the command getfinalflag to get the flag.