[WEB] Under Construction

Opening discussion on the new web challenge Under Construction!!

Comments

  • edited February 25

    Great challenge, a little bit of everything.
    I do not agree with the message in the flag. The core problem is surely different to the one described in the flag.

    joeblogg801

  • After 2 hours I spotted the download, still doesn't help me lol

    clubby789

    • GCIH | GCIA
      If you need help with something, PM me how far you've got already, what you've tried etc (I won't respond to profile comments, or on box release night). And remember to +respect me if I helped you ; )
  • edited February 25

    Yeh! It's the same for me! After half a day I decided to download the zip but still nothing.
    Could one of you give me some hints? In my opinion it is something like SQL injection because otherwise how can I read the "flag text" in a website?
    Thank you guys!

  • Awesome challenge !
    You have to exploit two things.

    For the initial foothold, look at the sweet thing when you are logged in.

    Btw, I don't know why you speak about downloading things or maybe there are unintended ways.

  • Enjoyed the choice of DB. Something different.

  • edited February 26

    Sometimes this error " user ""> doesn't exist in our database." happens. Is it the right way?

  • @Ga330 said:

    Sometimes this error " user ""> doesn't exist in our database." happens. Is it the right way?

    I think so, maybe it is indicating SQL injection. Because if you see the downloaded files, there is an exception.

  • My guess is that it is with some Loop SQL Injection :D We need to bypass the sanitizing login first.........

  • Spoiler Removed

  • @thecowmilk said:

    @Ga330 said:

    Sometimes this error " user ""> doesn't exist in our database." happens. Is it the right way?

    I think so, maybe it is indicating SQL injection. Because if you see the downloaded files, there is an exception.

    For this challenge I found two different ways but I don't know which one is the best. The first way is to try using some SQL code to be executed, as I mentioned before. The second way could be to make the flag appear once the login is done. And this is why I notice that if you write some javascript code (like an alert() message) it will be executed in the main page after login.
    So my questions are: in your opinion, what is the best way to capture the flag? In the second way (using an alert() message), is it possible to make the flag appear somehow?

    Thank you guys!

  • Damn... I haven't solved the challenge yet and I commented something which was a spoiler............... I'M SHOCKED!

  • @Ga330 said:
    @thecowmilk said:

    @Ga330 said:

    Sometimes this error " user ""> doesn't exist in our database." happens. Is it the right way?

    I think so, maybe it is indicating SQL injection. Because if you see the downloaded files, there is an exception.

    For this challenge I found two different ways but I don't know which one is the best. The first way is to try using some SQL code to be executed, as I mentioned before. The second way could be to make the flag appear once the login is done. And this is why I notice that if you write some javascript code (like an alert() message) it will be executed in the main page after login.
    So my questions are: in your opinion, what is the best way to capture the flag? In the second way (using an alert() message), is it possible to make the flag appear somehow?

    Thank you guys!

    tbh I have a conclusion that sql is not the correct way to do it..... lol

  • Yeh ;) I'm trying to find a way to see the flag by using javascript. The problem is that I don't know where to find the flag... or better I don't know how to interact with DB!

  • Got something working locally, but breaking on docker...

    clubby789

  • edited February 26

    XSS is client side. You do not need to hijack an account...
    So imo, XSS or any other client-side attacks are irrelevant here.

  • Maybe this will help:
    1. There are 2 vulnerabilities (OWASP top 10 <3)
    2. Should simply 'read' the flag, not overthink it
    3. No need for javascript at all
    For me, one popular utility didn't work properly. But python + hands help a lot.

  • Awesome challenge, had a lot of fun on this one!

    clubby789

  • @Danr0 said:

    Maybe this will help:
    1. There are 2 vulnerabilities (OWASP top 10 <3)
    2. Should simply 'read' the flag, not overthink it
    3. No need for javascript at all
    For me, one popular utility didn't work properly. But python + hands help a lot.

    Can you tell me the two vulnerabilities? After two days I'm still trying to solve it... :(

  • Hmm found a certain 'private' something... Not sure what to do with it though

    S1ph1lys

    We are the things that were and shall be again

  • A tip for life: Make a flask app that routes sqlmap's payload so you can craft the request with the payload however you want, neat.

  • I enjoyed this and learnt something new :)

    Hack The Box

  • @clubby789 said:

    Got something working locally, but breaking on docker...

    In the same state, but don't know how to proceed from here.

  • @f3v3r said:

    @clubby789 said:

    Got something working locally, but breaking on docker...

    In the same state, but don't know how to proceed from here.

    Try doing things a bit more manually

    clubby789

  • Can anyone give me a hint on where to find something private or public?
  • got a whole bunch of weird behaviours and an error message, but no matter what i do, i can't make sense of what happens behind the scenes. would appreciate a nudge

    0x41

  • i tried SQLi but no luck, now using hydra to brute force the user and password... am i on the right track?

  • edited March 3

    Analyze the source to find your way in. Replicate the environment. Some coding may be required.

    limbernie
    Write-ups | Discord - limbernie#0386

  • edited March 3

    ah hell, i kept wondering how to get the source and didn't realise there was a goddamn download button under the start instance button m)
    EDIT: aaand got it. i tried the right thing from the very beginning before i even had the source, but looks like i did something wrong the first time around :^)

    0x41

  • Aaaaand finally, I did it. These are my hints:

    • Focus on the things that can be used to extract information. XSS is useless.
    • Try to run the webserver locally.
    • You don't have the database, but you can imagine how it's constructed.
    • When you know what you have to exploit, search for some tools on the Internet that can be easily modified to do what you need to do.

    Great challenge, I enjoyed it.

    Reach me on Discord: n3b0r#2873

  • @deetee1 said:
    i tried SQLi but no luck, now using hydra to brute force the user and password... am i on the right track?

    Don't waste your time doing those, it's useless.

    Reach me on Discord: n3b0r#2873
