Brand new to this site and fairly new to pen testing. Anyway, I signed up for a trial and dove right in to the SQLi injection 1 challenge from my dashboard. So far I have looked at the source code, manually tried injecting into various fields, and even started looking into various links with Burp Suite running as my MiTM to try and solve this challenge. No luck yet, but I have run into an annoyance, and I wonder if it is on purpose and part of the challenge or just a bug. If you try to use any of the links/forms in that challenge, it results in a page not found. It took me a moment, but I realized that all the links are redirecting to a different IP. The challenge starts on 10.195.0.9 but all the links point to 10.0.195.44 and result in page not found. If you run Burp as an interceptor and modify the request to stay on the original IP, the links all work (well, search is a little buggy if you search for "search" lol).
Anyway, it's really annoying that while trying to solve this challenge one has to deal with the redirects, especially if they are not meant to be part of the challenge.
So my questions:
- Are the redirects on purpose?
- Am I on the right path with the searching of search doubling up the search module?
- There are a lot of potential WP vulns according to wp-scanner that are not related to SQL injection; is it even worth attacking other vectors?
- Is there a flag to actually capture? How does the site know if I have completed the challenge?