[WEB] Under Construction


Comments

  • @11o said:
    A really nice challenge, very enjoyable.

    Happy to hint if anyone is stuck.

    I need a hint, please message me personally.

  • Solved, can DM for nudges. Had some difficulties because the tool I used couldn't seem to read the flag (I saw it, couldn't open). Upgrading it to a later version solved it.
    Also, the guy who wrote that he found a private thing really threw me off - that is not the way, just misleading.

  • edited August 2020

    Funny chall. It gave me many things to think about and learn. Feel free to DM for questions :sweat_smile:

  • Finally got it!! I was stuck for several days / weeks on the last part. A fun challenge, it made me learn a bit more. Thanks to creators @makelarisjr & @makelaris !!

  • Nice box for beginners. :)

  • edited August 2020

    I am stuck in Under Construction for 3 days. I have tried using SQLmap (post) for testing SQLi. I have tried injecting XSS into the input, but it doesn't seem to be of any good. I have tried to see the calls using Burp, and found the public key in the JWT cookie. But I can't move on from there. Where do I go from here?

    I am a new user, please ignore any mistakes.

  • Solved. DM me for any help. But here are my two cents:
    1. Read the source code
    2. Understand the application workflow
    3. Yes the final step can be automated

  • Nice challenge, really enjoyed :smile:

    I give some tips that could be handy:

    1. If you have played with the application, you will notice that sometimes there is a strange error. This will give you an idea of what to do, but maybe you need to do things before.
    2. Analyze the inputs of the application; one is giving you some information. Why do you need this? Maybe there is some paper online that explains how to take advantage of this.
    3. After you have figured out what to do with 2 and 1, my recommendation is to set up a Flask app and point your automated tool to the Flask application.

    Anyways, PM if you need some push.

  • really nice challenge and completely doable without any tools

    Arrexel

  • uhh, I found the exploit, but i don't know how to get the flag... Can someone give me some hints? Thx!

  • I don't know why I found this box so hard. I was definitely overthinking it, I got stuck on just about every dead end imaginable.

    Somebody mentioned creating a Flask app to automate the last step by proxying another tool. This is a great tip and definitely one I will be committing to memory.

  • edited November 2020

    So I pretty much understand what the workflow should be, but I'm still getting
    the 500 Internal error, empty (without the desired output within), and I still don't understand
    why that is.

    What am I missing?
    It would be great if someone could PM me (:
    Thanks

    EDIT: got it.

    aimforthehead

  • @myller007 said:
    Nice box for beginners. :)

    In fact this was quite a hard challenge :neutral: I figured it out by getting pointers but I did not figure out why the JWT key confusion vulnerability was to be used.

    Regards,
    qmi

  • How do I do a simple nmap on ipaddress:port?
    I've tried http://ipaddress:port/ but it doesn't work.
    Can someone help me please?

  • Try without the http. If it's a website, usual ports are 80, 8080, 443.

    @Yupsilon said:
    How do I do a simple nmap on ipaddress:port?
    I've tried http://ipaddress:port/ but it doesn't work.
    Can someone help me please?

  • edited November 2020

    Guys I am stuck with this... don't know what is going wrong. It's just giving me internal server error even after manipulation with cookie. I am using jwt_tool for that and burp to send the new cookie... can someone help?? what am I missing?

    Edit: Solved it! Found out what I was doing wrong..

  • Just finished. I loved this challenge!! Tip: Make sure you download the zip file.

    I probably spent 45 minutes trying to figure out how the public key in the JWT would factor into my attack. Once I downloaded the source code I quickly saw the vulnerability. I then tried some futile ways to perform my attack. Ended up learning about jwt_tool. Adding that to my toolbox! Plus I learned about the ability to tamper with a JWT.

    zalpha
    OSCP | CISSP | CSSLP

    Respect always welcome if I can help you: https://www.hackthebox.eu/home/users/profile/140630

  • That was cool! :) If like me you go for the snake, you might stumble upon a really annoying error when you try to forge something into something else, and that's because the library you're probably using has been updated and doesn't let you do that anymore.
    The only workaround I found (apart from walking another path) was to directly modify the library files.
    Don't forget to revert your changes though!

    Really cool challenge, and if someone solved it without using the most famous tool for this type of attack (or similar ones), I'd like to hear from you. I tried to do everything manually and finally fell for the "easy" way, and when I was presented the payload I was like "How am I supposed to think of something like that?".

    dragonista

  • Can someone help/DM me? I believe I have all the pieces but I am getting internal error

  • REALLY cool challenge. I'm a bit new to all of this so it definitely broadened my knowledge and taught me how to apply another layer to a traditional attack vector.

    Some hopefully vague tips:
    1) Your first instinct on the vulnerability is probably right, but there's an intermediate step.
    2) Download the files and read them carefully.
    3) Research known vulnerabilities in the protection mechanism.
    4) Return to your first instinct and have fun!

  • Can I DM anyone? I need to confirm if I am right about the vuln in the workflow.

  • edited January 9

    I just want to know if the manipulation of c*****e from R***6 to H***6 has something to do with the challenge!

  • @mrWh17e said:
    I just want to know if the manipulation of c*****e from R***6 to H***6 has something to do with the challenge!

    Yes.

    rulzgz

  • Just an FYI - not too bright on my end but I wasn't using the VPN access originally for this challenge. I wasted at least a day dealing with server 500 errors which I suspect was due to traffic redirecting through safebrowsing.googleapis. Once I logged into the VPN and retraced my steps, I was able to complete this task. Tools and commands that failed originally worked through the VPN.

  • Having trouble with this, maybe because it's older. Wrote my Python script, stuck here:

        jwt.exceptions.InvalidKeyError: The specified key is an asymmetric key or x509 certificate and should not be used as an HMAC secret.

    Then I found a script on GitHub, more or less the same as mine, seems like it was made for this challenge. It throws the same error. Digging deeper I found I would have to downgrade PyJWT to a very early version where this check hasn't been implemented. I don't want to do that. My Kali is f'ed up already, I need to run most recent tools (like cme) through pyenv exec...

    Gonna try changing the cert header to public now, but idk, there's gotta be a way?
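    The InvalidKeyError quoted above, and the "JWT key confusion" that qmi mentions earlier in the thread, both come down to two verifier-side rules: the server decides the algorithm, never the token's own `alg` header, and PEM public-key material is never accepted as an HMAC secret. The following stdlib-only Python is an added example written for this page; it is not the challenge's source code, not PyJWT, and not any commenter's script. All tokens, the secret and the PEM text in it are constructed sample data, and `normalize_pem` is a hypothetical helper that shows the line-break problem several commenters ran into when copying a key into a file.

```python
"""Added example (not from the thread or the challenge): a JWT verifier with a
pinned algorithm and a key-type check, using only the standard library."""
import base64
import hashlib
import hmac
import json


class JWTError(Exception):
    """Raised for any token the pinned verifier refuses."""


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def encode_segments(header: dict, claims: dict) -> str:
    """Return the unsigned 'header.payload' signing input."""
    return ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )


def looks_like_asymmetric_key(secret: bytes) -> bool:
    """The idea behind PyJWT's InvalidKeyError: PEM material is not an HMAC secret."""
    return secret.lstrip().startswith(b"-----BEGIN")


def normalize_pem(text: str) -> str:
    """Hypothetical helper: repair a PEM string pasted with literal '\\n' sequences
    and no trailing newline, the formatting mistakes discussed in this thread."""
    return text.replace("\\n", "\n").strip() + "\n"


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Issue an HS256 token; used here only to build constructed sample tokens."""
    if looks_like_asymmetric_key(secret):
        raise JWTError("asymmetric key material must not be used as an HMAC secret")
    signing_input = encode_segments({"alg": "HS256", "typ": "JWT"}, claims)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify_hs256(token: str, secret: bytes, expected_alg: str = "HS256") -> dict:
    """Verify with the algorithm taken from server configuration (expected_alg).
    A header naming any other algorithm is refused before any crypto runs."""
    if looks_like_asymmetric_key(secret):
        raise JWTError("asymmetric key material must not be used as an HMAC secret")
    parts = token.split(".")
    if len(parts) != 3:
        raise JWTError("token must have exactly three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    alg = header.get("alg")
    if alg != expected_alg:
        raise JWTError(f"header alg {alg!r} rejected; server is pinned to {expected_alg}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise JWTError("signature mismatch")
    return json.loads(b64url_decode(payload_b64))


def verification_outcome(token: str, secret: bytes, expected_alg: str = "HS256") -> str:
    """'ok' when the token verifies, otherwise the reason it was refused (log-friendly)."""
    try:
        verify_hs256(token, secret, expected_alg)
        return "ok"
    except JWTError as exc:
        return str(exc)


# Constructed sample data (not taken from the challenge).
SECRET = b"constructed-shared-secret"
SAMPLE_PUBLIC_KEY = "-----BEGIN PUBLIC KEY-----\\nMIIB...constructed...\\n-----END PUBLIC KEY-----"
GOOD_TOKEN = sign_hs256({"username": "alice"}, SECRET)
# Same claims, but the header announces RS256: the pinned verifier must refuse it
# without consulting the signature at all.
MISMATCHED_ALG_TOKEN = (
    encode_segments({"alg": "RS256", "typ": "JWT"}, {"username": "alice"})
    + "." + b64url_encode(b"\x00" * 32)
)

if __name__ == "__main__":
    print(verification_outcome(GOOD_TOKEN, SECRET))
    print(verification_outcome(MISMATCHED_ALG_TOKEN, SECRET))
    print(verification_outcome(GOOD_TOKEN, normalize_pem(SAMPLE_PUBLIC_KEY).encode()))
```

    The point of `verification_outcome` is that every refusal carries a reason: a spike of "header alg ... rejected" messages in application logs is exactly the signal a defender would want to alert on for this class of attack.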

  • Anyone happy to help me a bit?
    I have found the interesting bit, but my payload is somehow not giving me the results back that I'm expecting.

    please DM me

  • edited March 17

    Hello, I'm quite lost: I managed to change the S******** of the J***W******n from S***6 to H***6. Yet the server still gives an "Internal Error". When spinning up a local instance with the supplied Source-Code, the modified J***W******n is accepted, but on the remote instance it is not. Anyone have a clue? Please PM me, I have no idea on how to proceed.

  • @gutjuri said:
    Hello, I'm quite lost: I managed to change the S******** of the J***W******n from S***6 to H***6. Yet the server still gives an "Internal Error". When spinning up a local instance with the supplied Source-Code, the modified J***W******n is accepted, but on the remote instance it is not. Anyone have a clue? Please PM me, I have no idea on how to proceed.

    I passed through the same and at least in my case it turned out to be an issue when echoing the key to the file. Instead, I manually copy-pasted it into the .pem file, replaced line feed strings with actual line feeds, and then it just worked!

  • @daverules said:
    If you get an internal error then it means the format of something is not quite right. In my case, it was that I was missing a line break at the end of something else. Hope that helps.

    A missing line break was my whole problem with the JWT portion. Thanks @daverules

    Learned lots of new stuff here like JWT.
    There's a great python tool for jwt exploits too.

  • A highly relevant tool for this Challenge has some tricky syntax that doesn't always combine as might be expected. Checking the Issues list for the tool might save you a lot of time and frustration.
