[WEB] Under Construction

24 Comments

  • edited March 2020

    Would anyone be able to help with this one? I think I've worked out a tactic, but whenever I sign something with a different algorithm and use the new value, I get an Internal server error.

    Edit: nm, I did as recommended and ran the app locally. Tweaked my tactic and it works now.

    daverules

  • edited March 2020

    Worked out my problem. Missed something I should have picked up.

    So I read the source and know there exists a S*** attack. I've started a local instance but am not sure how to properly escape certain chars in SQLite queries.

    Any help is appreciated!

    I have identified the vector, but I think I need a private thing and cannot find it.


  • edited March 2020

    I got the exploit and (I believe) finished the challenge but I have no idea on how to get the flag :sweat_smile:
    No tools used right now, I'm doing all manually + nodejs coding.

    Solved! Thx to @daverules for the help, I've learnt something new about queries.

    Hack The Box

  • edited March 2020

    @daverules said:

    Would anyone be able to help with this one? I think I've worked out a tactic, but whenever I sign something with a different algorithm and use the new value, I get an Internal server error.

    Edit: nm, I did as recommended and ran the app locally. Tweaked my tactic and it works now.

    Some hint? Same situation. Thx.

    If you get an internal error then it means the format of something is not quite right. In my case, it was that I was missing a line break at the end of something else. Hope that helps.

    daverules

  • edited March 2020

    @daverules Yes, fixed the problem. Thx

    Edit: Solved, thx again @daverules

  • It's really fun.
    Thanks @makelarisjr for the challenge.

    Working locally helped a lot, good challenge!

    @HumanFlyBzzzz said:

    Hmm found a certain 'private' something... Not sure what to do with it though

    Any hint on how to get that "private" thing? I don't see any way in the code to access that file....

  • edited April 2020

    @asebal said:

    @HumanFlyBzzzz said:

    Hmm found a certain 'private' something... Not sure what to do with it though

    Any hint on how to get that "private" thing? I don't see any way in the code to access that file....

    @HumanFlyBzzzz's message is a bit confusing and may lead to wrong assumptions. I would recommend forgetting about private stuff and instead just carefully reading the source code. Most probably you already have everything you need to get the flag.

    Can anyone help me in PM? I've a local instance running but... not so skilled in nodejs and sqlite... I'd appreciate it... thx

  • Feel free to message me if you need help.

  • edited April 2020

    Need some help on this :/
    just want to know if I'm looking at the right spot and not overthinking. Anyone free to help?
    Thanks!

    It took me soooo much time, but since I'm a dumb noob, I guess it's okay :)

    learned a lot of new things
    wrote my own python script (also covered it with a test, lol)
    practiced some stuff

    I thought I would never do it, but I just didn't give up, despite it being sooo much pain and frustration for me )))

    Helpful tips for noobs like me:

    • something happens as you log in;
    • can you fake the identity? <-- this can take some time; practice on some dummy data first! writing a script to automate the process is a good idea, it'll help you later on your journey a lot; also, mind an excessive new line somewhere in public!
    • no escape is a way in;
    • combine the two and go on a blindfolded journey to read the stored treasure;

    Sorry, I can't help you with personal assistance, please don't DM me.

  • edited May 2020

    Great challenge, took me 2 days to solve it. I learned a lot about the authentication system used in the web application. There is one thing I did not understand though:

    I had to specify the management system in the tool I used to obtain the flag. Otherwise the tool would not detect the vulnerability. Usually the tool does this automatically, but not in this case. Is it because of the custom script I had to create for the tool, or am I missing something?

  • Solved, first challenge 100% on me.
    It was fun, great lesson on how to pay attention in tiny details (e.g. `\n`, spaces).
    The fast way was to do everything manually once to try to get a positive feedback, and only then a little coding. Having something that you know already works is great for comparison when scripting.
    For tips, dm me :)

    flejz

    Can anyone help me? I have been stuck for the past 2 days on this challenge. I need help on how to get the private thing.

    I've located the vulnerability and succeeded in injecting some code that I retrieve on the home page, but I still don't know how I can retrieve the flag (I tried several methods to get it). If you did this challenge you can DM me for more information.
    Thank you in advance.

  • I'm not able to find anything anywhere after logging in. I've decoded stuff in the cookie but I don't really know what to do with it. Any tips?

  • edited July 2020

    @mouseknight said:

    I'm not able to find anything anywhere after logging in. I've decoded stuff in the cookie but I don't really know what to do with it. Any tips?

    The cookie stores a JSON Web Token (JWT). A good place to start would be to research how they work.

  • edited July 2020

    I've located the vulnerability and am able to fake my identity, but I still can't find the flag. Any tips? What am I missing?
    Thanks in advance

    @higbee said:

    @mouseknight said:

    I'm not able to find anything anywhere after logging in. I've decoded stuff in the cookie but I don't really know what to do with it. Any tips?

    The cookie stores a JSON Web Token (JWT). A good place to start would be to research how they work.

    Yea I know how they work and I decoded it, I saw a key, but I don't really know what to do with it. It's a pretty unusual implementation of JWT, it doesn't conform to the standard spec, I don't really know where to go from here.

  • edited July 2020

    Right, I got a little further; the problem with the JWT is so dumb it didn't click immediately. Reading up more on JWT in this context is helping.

  • I'm just spinning my wheels trying to get this to work, can anyone PM me a walkthrough of what to do with this bit specifically please?

    I've read the entire source code. I understand the flow of the challenge; however, I'm unsure about the newline which seems to be a part of the solution. Also, I'm uncertain whether the private key is reachable (I don't see how you can modify the data in the token without it).
    You can PM me or write here, thank you.

  • edited August 2020

    For anyone who is struggling after finding the initial interesting bit:

    • don't use any auto exploiters. Automate the generation and delivery part with a script, but take manual input for each payload until you find the perfect payload to automate.
    • there's an online IDE available for practice and a famous repository with examples.

  • A really nice challenge, very enjoyable.

    Happy to hint if anyone is stuck.

  • Solved.

    I learned a lot from this one actually.

    DM me if you need some tips.
