
# Web - Mutation Lab

To start off with we are shown a login screen. This screen also has a register account button on it and that is what I utilized first to see what is past the login page.

![](/files/dwYjMeCMhS8WILHYXFr4)

After logging in, we can see an interesting dashboard. After messing around a bit, I found a key feature that I will most likely be able to exploit, and that is what I am going after.

![](/files/ZpIiAmahJtAhtijZ5YL6)

As you can see from the circled text above, there are confidential records, the flag most likely, that only the admin can view. So I need to view this page as an admin. There is also a feature that allows you to export the samples you make as images. To do this it uses a backend feature called 'convert-svg-core', which has a CVE POC for local file inclusion (LFI), <https://security.snyk.io/vuln/SNYK-JS-CONVERTSVGCORE-1582785>, which we could possibly exploit in this website. After a tiny bit of manipulation we got it working! We were blind in this environment, but because it is a Node.js app we were able to find the index.js file at /app/index.js, which gave me a better insight into this web application's backend.

![](/files/iZ9pNZniyCRIs7OeKtWl)

In this file we can see a reference to /app/.env ... Let's check it out.

![](/files/jGqzIwP5VTj3a0LoZtCG)

A session secret key! This is big because from this application's index.js file we can see it being used to create sessions using just the username and the secret. Now we just have to replicate that on our own machine and create a session for the admin account with the secret and replace our current account session with the new admin one.

This took longer than it should have but I eventually got an exact replica of my own session using the username 'test' using this locally:

![](/files/TIPyXgdPx33OW0LEPfQF)

Now I just changed the username being used to 'admin' and refreshed the dashboard and there the flag was.

![](/files/IYv5I3S5sCu0i17JnQpK)

PWNED!!
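
The admin session could be reproduced because the cookie depended only on the username and a secret readable from /app/.env. As an added example (not the challenge's code or the script from this write-up), the sketch below shows two mitigations: rotating the signing secret after a leak and requiring a server-side session record in addition to a valid signature. The cookie format, function names and secrets are constructed assumptions.

```javascript
const { createHmac, randomBytes, timingSafeEqual } = require('node:crypto');

// Constructed values for the demo only.
const OLD_SECRET = 'constructed-secret-that-leaked';
const NEW_SECRET = 'constructed-secret-after-rotation';
const sessions = new Map(); // server-side store: session id -> username

const mac = (data, secret) => createHmac('sha256', secret).update(data).digest();
const encode = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const seal = (payload, secret) => `${payload}.${mac(payload, secret).toString('base64url')}`;

// Cookie value is "<base64url JSON>.<base64url HMAC>"; the session id is random
// and recorded on the server when the user logs in.
function issueSession(username, secret) {
  const sid = randomBytes(16).toString('hex');
  sessions.set(sid, username);
  return seal(encode({ username, sid }), secret);
}

// Test fixture: a cookie signed with a known secret but never issued by the
// server, which is the situation described in the write-up.
function selfSignedCookie(username, secret) {
  return seal(encode({ username, sid: 'not-issued-by-server' }), secret);
}

// Returns the username, or null if the signature or the server record fails.
function verifySession(cookie, acceptedSecrets) {
  const parts = String(cookie).split('.');
  if (parts.length !== 2) return null;
  const [payload, sig] = parts;
  const given = Buffer.from(sig, 'base64url');
  const signedOk = acceptedSecrets.some((secret) => {
    const expected = mac(payload, secret);
    return given.length === expected.length && timingSafeEqual(given, expected);
  });
  if (!signedOk) return null;
  let data;
  try { data = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8')); }
  catch { return null; }
  if (!data || typeof data.username !== 'string') return null;
  // A valid signature is not enough: the session must exist on the server.
  return sessions.get(data.sid) === data.username ? data.username : null;
}
```

Once `OLD_SECRET` is removed from the accepted list, every cookie signed with it fails verification, and a cookie signed with a current secret still fails unless its session id was issued by the server.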

