This lab is vulnerable to server-side template injection. To solve the lab, create a custom exploit to delete the file /.ssh/id_rsa from Carlos's home directory.
You can access your own account with the following credentials:
Note: As with many high-severity vulnerabilities, experimenting with server-side template injection can be dangerous. If you are not careful when invoking methods, you could damage your instance of the lab, which could make it unsolvable. In this case, you will need to wait 20 minutes for your lab session to reset.
user.setAvatar(). Also take note of the file path /home/carlos/User.php. You will need this later.
POST request for changing your preferred name and use the blog-post-author-display parameter to set an arbitrary file as your avatar:
GET /avatar?avatar=wiener. This will return the contents of the /etc/passwd file, confirming that you have access to arbitrary files.
gdprDelete() function, which deletes the user's avatar. You can combine this knowledge to delete Carlos's file.
user.gdprDelete() method and view your comment again to solve the lab.
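The steps above work because the avatar setter accepts any readable path and the delete method then removes whatever was set. As an added example (not the lab's User.php), the PHP 8 sketch below confines both operations to one directory; the class name SafeAvatarStore and the temporary directory are hypothetical.

```php
<?php
// Added defensive sketch; SafeAvatarStore is hypothetical, not the lab's User.php.
final class SafeAvatarStore
{
    private ?string $avatar = null;
    public function __construct(private string $baseDir) {}

    // Return the resolved path only if it is a regular file inside baseDir.
    private function confine(string $path): string
    {
        $base = realpath($this->baseDir);
        $real = realpath($path); // follows symlinks and collapses ../
        if ($base === false || $real === false) {
            throw new RuntimeException('path does not exist');
        }
        if (!str_starts_with($real, $base . DIRECTORY_SEPARATOR) || !is_file($real)) {
            throw new RuntimeException('outside avatar directory');
        }
        return $real;
    }

    public function setAvatar(string $path): void
    {
        $this->avatar = $this->confine($path);
    }

    public function gdprDelete(): void
    {
        if ($this->avatar !== null) {
            // Re-check at delete time in case the file was replaced.
            unlink($this->confine($this->avatar));
            $this->avatar = null;
        }
    }
}
// Constructed demo: a temporary directory stands in for the avatar store.
$dir = sys_get_temp_dir() . '/avatars_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents("$dir/wiener.png", 'constructed sample');
$store = new SafeAvatarStore($dir);
foreach (["$dir/wiener.png", '/etc/passwd', "$dir/../../etc/passwd"] as $candidate) {
    try {
        $store->setAvatar($candidate);
        echo "accepted: $candidate\n";
    } catch (RuntimeException $e) {
        echo "rejected: $candidate ({$e->getMessage()})\n";
    }
}
$store->gdprDelete(); // removes only the confined wiener.png
rmdir($dir);
```

Path confinement limits what these two methods can touch; it does not address the template injection itself, which still requires keeping user input out of template source.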