[WEB] Console

edited March 7 in Challenges

Let's get this thing started! I love challenges involving undocumented programs...

Edit: Pretty good challenge, had fun scripting this.

clubby789

  • GCIH
    If you need help with something, PM me how far you've got already, what you've tried etc (I won't respond to profile comments, or on box release night). And remember to +respect me if I helped you ; )

Comments

  • Can we avoid installing Chrome? :D

  • edited March 7

    sure just read the code ¯\_(ツ)_/¯

    0x41

  • lol valid.

  • edited March 7

    Am I diving down a rabbit hole by thinking I need to brute-force a salty hash to get things going toward auth? (I'm thinking not mostly b/c if so should be easy-ish not requiring lots of time or cpu/gpu to do... but... ?)

  • no need to crack any hashes

    0x41

  • @0x41 said:

    no need to crack any hashes

    (Puts thinking cap back on.)

  • Very nice challenge, I have enjoyed it. Many thanks to 0x41 for your support.

    Drxxx

  • Could anyone give me some hints for this one? I'm kinda stuck.

  • @Bonzer said:

    Could anyone give me some hints for this one? I'm kinda stuck.

    You will first need to know the target. Did you get it?

    Drxxx

  • no, would I be going in the right direction by doing more fuzzing with burp intruder or dirbuster?

  • @Bonzer said:

    no, would I be going in the right direction by doing more fuzzing with burp intruder or dirbuster?

    Dirbuster is not needed to solve this challenge. On the other hand, you should find a "backend/client technology" which is in front of you. As always, the description of the challenge may help you to turn in the right direction. A little bit of coding may be needed.

    Hack The Box

  • I've managed to get something working locally by:

    converting wordlists into correctly formatted cookie values and using wfuzz to test them all

    but it doesn't work on the challenge, even with a very big list. Is this the wrong technique? Or have I messed it up?

    daverules

  • Guys, I'm stuck, I don't know how to take it. I figured out that the "Make sure to load php-console in order to be prompted for a password" isn't there in phpinfo() by default. That should mean I have to somehow trigger that php-console. But I can't figure out how. Hints?

  • Just google it and take the first result

    joeblogg801

  • hints to get password

  • @abhijasud said:

    hints to get password

    Me too....

  • cracked the challenge, if anyone needs a nudge, please PM me :)

  • any hint on the passwd?

    guanicoe

  • edited March 20

    Solved. PM me if you need any help.

  • Got it! Really a great challenge! For anyone stuck:


    Small hint for anyone stuck

    look at the source code of the console

  • @stumpswap do you mean the source code on the project or just client side?

  • I found the App and the extension! But how can I find the secret? I'm not good at client-side programming! Any help or suggestions?

  • Hello, I am stuck in this challenge. Read the source code but cannot replicate the correct header values. I may be lost.

  • edited March 22

    I believe I have the correct header format (since it is the same the plugin generates for the same password) but still I guessed 200K passwords and no luck. Is the response in case of success of a different length than that for the invalid password? Is the password in a reasonable top X list?

    I run both the normal authentication and my brute forcing through burp and they have the same cookies (not all headers are the same though)

  • @goetia said:
    Hello, I am stuck in this challenge. Read the source code but cannot replicate the correct header values. I may be lost.

    A lot of programs will append a \n when reading an input file. Make sure to strip that out before creating the header.

    Also, try making your header in the same programming language as the original program.

  • @rndmgnrtd said:

    @goetia said:
    Hello, I am stuck in this challenge. Read the source code but cannot replicate the correct header values. I may be lost.

    A lot of programs will append a \n when reading an input file. Make sure to strip that out before creating the header.

    Also, try making your header in the same programming language as the original program.

    That was exactly my mistake, try a trim() ;)
    Don't bother DM me

  • By the way, awesome challenge!

  • @GTh0ng said:

    @rndmgnrtd said:

    @goetia said:
    Hello, I am stuck in this challenge. Read the source code but cannot replicate the correct header values. I may be lost.

    A lot of programs will append a \n when reading an input file. Make sure to strip that out before creating the header.

    Also, try making your header in the same programming language as the original program.

    That was exactly my mistake, try a trim() ;)
    Don't bother DM me

    You've got to be kidding me, that was it, thanks very much

  • Finally solved. Thanks to @ama777 for the help.

    and nice challenge. Don't bother DM me.

  • Anyone who can give me a hand?
