Official Phonebook Discussion

Official discussion thread for Phonebook. Please do not post any spoilers or big hints.

«1345

Comments

  • edited October 2020

    Just think about what might be behind what you see, and think about how it works. This should be enough for this challenge!

  • edited November 2020

    i found two things that seem to point behind things so far, but haven't been able to turn them into anything useful yet. I have the whole addressbook though! Haha.

    I must be missing something obvious...

  • I found a X** on the login page, also found another web page, however I can't find anything valuable yet.

  • Type your comment> @Gorka said:

    I found a X** on the login page, also found another web page, however I can't find anything valuable yet.

    Yeah me too , but i also found the s***** page but stuck at the 4** response code.

  • edited November 2020

    Read the first hints you already saw. Then re-read them. You need to figure out one name of technology that is in play.

  • Got it. Once I realized the name of what I needed to do I wrote a small python script (31 lines including blank lines and imports) and got the flag.

    Great challenge, I would say that the second page provides a valuable hint.

  • Okay, I've been paying close attention to this forum while throwing my limited knowledge at this challenge. I just can't seem to be able to figure out what is behind. So I've found certain characters effect the first page but cannot develop a good payload, and any requests on the second are blocked no matter what I throw.

    Any further hints would be greatly appreciated...

  • Any further hints would be greatly appreciated...

    I'll send you dm.

  • edited November 2020

    I managed to circumvent the login page.
    But when I try to perform a search in the phonebook, then I (of course) get an Access Denied.
    I wonder how the authentication is supposed to work... I'll let it sit and linger a bit.

  • Well, I found the search page, but I got stuck in it.
    I'm looking for tutorials on the internet on how to bypass forbidden ... but I feel that this is not the correct way ...
    Can you help me with a link to know a new technique?
    not spoiler just link for me to learn a technique that I don't know.

    it's possible?

  • Glueing something together clearly doesn't work for me. So it's not h*** s********.
    Using different h******* doesn't want me to show anything new...
    Is this message about credentials a rabbit hole?
    I need a break.

    foxtrotcharlie

  • The message isn't a rabbit hole :). Think about how this could be implemented...

    ArtemisFY
    OSCP

  • I'm stuck at the phonebook page. Can anyone dm me some hint?

  • I'll send some dms because there are so many hints already in the service and it's hard not to spoil...

  • I've found the s°°°° page and i am also stuck at the 4°° message
    I am really clueless about what's next, someone got a smoll hint?

  • stuck in second page and s**** function, always got 4** error code..
    did i miss something?

  • stuck in second page and s**** function, always got 4** error code..
    did i miss something?

    Think more about how you bypassed the first step. For me it was useful to actually write the thing down and try to play more with it.

  • should a cookie or token be set to access the s***** page?

  • got the whole phonebook..
    is there anything else there?

    it seems i cant find any valuable things there, just some name, email, and phone number

  • edited November 2020

    Sometimes hiding things in plain sight actually turns out to be safe ;)
    When you deal with people who tend to overthink things. But I am also stumped. Probably over thinking it.

  • I was able to get some interesting things to show up in the authentication page, but I'm not sure how useful it is. I've returned to this challenge a few times now and am still quite lost.

  • I think we are overthinking it. I just seem to miss the login details.
    The grammar in that message, on the login page, makes no sense. So I figured that hides the username/password combo. But I have not figured it out. Going around the login page makes me believe that the login page is required to obtain something I need to pass on to the other api calls.

    Type your comment> @DaemonResolve said:

    I was able to get some interesting things to show up in the authentication page, but I'm not sure how useful it is. I've returned to this challenge a few times now and am still quite lost.

  • I think we are overthinking it. I just seem to miss the login details.

    But you have the username already, you must have seen it many times already! The password you don't need (for a while) to get further :)

  • Done, N!ce Challenge.

    Hint:
    First page has everything you need.

    Try!ng Hard3r, N3v3r G!v3Up.

  • Definitely may need a small hint could anyone DM?

  • edited November 2020

    Listed whole phonebook.

    Edit:
    Done! Easy one! THanx!

    foxtrotcharlie

  • I could use a hint on this, been beating my head on it for a while. I brute forced the obvious name, from the clues here it seems like im supposed to guess a DB name, but I don't see how that helps me, especially if I don't even need a password

    so confused :(

    Hilbert

  • edited November 2020

    Type your comment> @sonpkhe130056 said:

    Type your comment> @Gorka said:

    I found a X** on the login page, also found another web page, however I can't find anything valuable yet.

    Yeah me too , but i also found the s***** page but stuck at the 4** response code.

    I'm at this exact point :/

  • Attempt #5... got past the login, and was able to pull up some names. Stuck trying to figure out what technology is being used. I'll try again later.

  • edited November 2020

    Finally got there! I definitely overthought this challenge!

    Everything you need is in this discussion forum. Particularly the below hint, once you understand what is being used.

    @Icyb3r said:
    Hint:
    First page has everything you need.

Sign In to comment.