Simon McCabe

OSCP · OSWP · PWPP · PWPA · PAPA · EnCE · Linux+ · LPIC-1 · Network+ · Security+ · Pentest+ · eJPT · eWPT · BSc · PGCert

Furhire (SSRF) (Weekly)


Shoutout to AkiraOwen for his writeup and fuzzing method. This lab was a bit of a jigsaw: solving it meant finding the right pieces and putting them together in the right order.

From past experience with FurHire, you usually need two accounts, so I began by creating them.

I registered a recruiter and a user:

Recruiter account

User account

I then registered a company (owned by recruiter1):

Company

I fuzzed endpoints (e.g. <labURL>/<FUZZ>) and found that “/reporting” returned a 403. A 403 rather than a 404 means the path exists but is forbidden to my client, which makes it a natural target for an SSRF:

URLs that didn’t exist returned a 404:
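A small fuzzer in the spirit of that step, added here as an example (it is not AkiraOwen's method or code from the original post): it requests <base>/<word> for each wordlist entry, groups the paths by status code and flags everything that is not a plain 404, since a 401 or 403 still tells you the route exists. The lab URL, the wordlist and the fake_fetch routing table are constructed stand-ins so it runs offline; pass http_status as the fetch function to run it against a real target.

```python
"""Directory fuzzer that separates 'exists but forbidden' hits from 404 noise.
Constructed example: http_status() makes real requests, fake_fetch() is an
offline stand-in for the lab with an invented routing table."""
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, List, Tuple
from urllib.parse import urlsplit

# Status codes that prove the path exists even when we cannot read it.
INTERESTING = {200, 201, 204, 301, 302, 307, 308, 401, 403, 405}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: a 301/302 is itself a finding."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_status(url: str, timeout: float = 5.0) -> int:
    """Status code of a GET to url (urllib raises HTTPError for non-2xx)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.getcode()
    except urllib.error.HTTPError as err:
        return err.code


def fuzz(base_url: str, words: Iterable[str],
         fetch: Callable[[str], int] = http_status) -> Dict[int, List[str]]:
    """Request base_url/<word> for every word and group the paths by status code."""
    results: Dict[int, List[str]] = {}
    base = base_url.rstrip("/")
    for word in words:
        word = word.strip().lstrip("/")
        if not word or word.startswith("#"):        # skip blanks and wordlist comments
            continue
        results.setdefault(fetch(f"{base}/{word}"), []).append("/" + word)
    return results


def interesting_paths(results: Dict[int, List[str]]) -> List[Tuple[str, int]]:
    """Everything that is not a plain 404, sorted so the 403s are easy to spot."""
    return sorted((path, status) for status, paths in results.items()
                  if status in INTERESTING for path in paths)


# Offline stand-in for the lab (constructed): these are the only routes that "exist".
FAKE_ROUTES = {"/reporting": 403, "/login": 200, "/admin": 401, "/api": 301}


def fake_fetch(url: str) -> int:
    return FAKE_ROUTES.get(urlsplit(url).path, 404)


if __name__ == "__main__":
    wordlist = ["reporting", "login", "admin", "api", "static", "backup", "# comment"]
    found = fuzz("http://lab.example/", wordlist, fetch=fake_fetch)
    for path, status in interesting_paths(found):
        print(f"{status} {path}")
    print(f"{len(found.get(404, []))} paths returned 404 and were ignored")
```

Redirects are deliberately not followed: a 301 on /api tells you as much as a 200 would, and following it would hide which path actually exists.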

Next, I logged in as the recruiter and posted a job, supplying the forbidden URL from the previous step (<labURL>/reporting) in the job's URL field:

From here, I logged in with the user1 account (job seeker) and browsed to the job I had posted as the recruiter. Loading the job page made a GET request to /api/company/3/logo; the server fetched the stored URL itself and relayed its contents, which returned the flag. This confirmed a second-order SSRF: the endpoint that answers 403 to a direct request from my client is readable when the application fetches it on its own behalf, and the payload only fires later, in a different user's request, rather than when it is submitted:
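To show why the forbidden page came back through the logo endpoint, here is an in-process model of the two steps, added as an example rather than the lab's real code: a toy app whose /reporting only answers requests from the server's own address, a company record that stores a recruiter-supplied logo URL unchecked, and the server-side fetch that serves /api/company/<id>/logo. Beside it is a hardened version that validates the destination when the URL is stored and again when it is fetched. lab.example stands in for <labURL>; APP_HOSTS, the DNS table, the 127.0.0.1 trust rule and FLAG are all assumptions.

```python
"""Second-order SSRF modelled in-process (constructed example, not the lab's code).
Step 1: a recruiter stores a logo URL for a company (attacker-controlled input).
Step 2: later, a job seeker views the job and the server fetches that URL itself
to serve /api/company/<id>/logo, so a 403-to-outsiders path is readable."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Tuple
from urllib.parse import urlsplit

FLAG = "FLAG{constructed-example}"        # stand-in for the lab's flag
APP_HOSTS = {"lab.example", "localhost"}  # names this app answers on (assumed)
DNS = {                                   # constructed resolver table
    "lab.example": "10.0.0.5",
    "localhost": "127.0.0.1",
    "cdn.example": "93.184.216.34",       # a public address, so allowed
}


def app_get(url: str, client_ip: str) -> Tuple[int, str]:
    """Toy target app: /reporting is served only to the server itself (assumed rule)."""
    path = urlsplit(url).path
    if path == "/reporting":
        return (200, FLAG) if client_ip == "127.0.0.1" else (403, "Forbidden")
    if path.startswith("/static/"):
        return 200, "<logo bytes>"
    return 404, "Not Found"


def server_side_fetch(url: str) -> Tuple[int, str]:
    """The app's own HTTP client: requests to its own hostnames loop back."""
    host = (urlsplit(url).hostname or "").lower()
    if host in APP_HOSTS:
        return app_get(url, client_ip="127.0.0.1")
    return 200, f"<bytes fetched from {host}>"


@dataclass
class Company:
    id: int
    logo_url: str


companies: Dict[int, Company] = {}


# --- vulnerable flow: URL stored unchecked, fetched by the server later ---
def create_company(cid: int, logo_url: str) -> None:
    companies[cid] = Company(cid, logo_url)              # step 1: stored as-is


def company_logo(cid: int) -> Tuple[int, str]:
    """GET /api/company/<cid>/logo in the vulnerable app."""
    return server_side_fetch(companies[cid].logo_url)    # step 2: SSRF fires here


# --- hardened flow: validate the destination when stored AND when fetched ---
class UnsafeURL(ValueError):
    pass


def resolve_safe_target(url: str) -> str:
    """Return the public IP the URL points at, or raise UnsafeURL."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise UnsafeURL("only http(s) logo URLs are accepted")
    host = (parts.hostname or "").lower()
    if not host or host in APP_HOSTS:
        raise UnsafeURL("logo URL must not point at this application")
    try:
        ip = ipaddress.ip_address(host)                  # literal address in the URL
    except ValueError:
        if host not in DNS:
            raise UnsafeURL(f"cannot resolve {host}")
        ip = ipaddress.ip_address(DNS[host])
    if not ip.is_global:                                 # loopback, RFC 1918, link-local, ...
        raise UnsafeURL(f"{host} resolves to non-public address {ip}")
    return str(ip)


def is_safe_logo_url(url: str) -> bool:
    try:
        resolve_safe_target(url)
        return True
    except UnsafeURL:
        return False


def create_company_safe(cid: int, logo_url: str) -> None:
    resolve_safe_target(logo_url)                        # reject at store time
    companies[cid] = Company(cid, logo_url)


def company_logo_safe(cid: int) -> Tuple[int, str]:
    url = companies[cid].logo_url
    resolve_safe_target(url)    # re-check: DNS may have changed since the URL was stored;
    return server_side_fetch(url)   # a real client should connect to the IP just checked


if __name__ == "__main__":
    print(app_get("http://lab.example/reporting", client_ip="198.51.100.7"))  # outsider: 403
    create_company(3, "http://lab.example/reporting")    # recruiter stores <labURL>/reporting
    print(company_logo(3))                               # job seeker's view relays the flag
    print(is_safe_logo_url("http://lab.example/reporting"),
          is_safe_logo_url("http://127.0.0.1/reporting"),
          is_safe_logo_url("https://cdn.example/logo.png"))
```

The two checks matter separately: validating only when the URL is stored leaves the fetch open to a hostname whose DNS record changes afterwards, and validating only at fetch time lets the bad value sit in the database until some other feature uses it. Note also that a hostname check on its own is not enough, because the app's own public name resolved to a private address here; the resolved IP is what has to be checked.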

Thanks for following along!
