## Comments

I am stuck. DM please with hint....=(((

I found the X** but nothing else. Please help.

Great Challenge learned something new.

Tip: Don't overthink it.

PM if You need help.

Based on some of the hints here, which are actually pretty clever, i'm assuming the solution to get the first foothold is to ***** *o**e with something like h****

Figured out where my bad assumptions were, and learned something new.

Can someone dm me a hint please? I'm still stuck getting past the login page.

Solved this with final hint from oscrx. Thank you. Getting the content of the phonebook is not the end of challenge. I was so confused on what to do after it.

Found the x** in the first page, not sure what to use it for. Tried to redirect to the s***** page but I am stuck with a 4** code error. Also tried to bruteforce the credentials with the obvious username, but haven't found anything yet. If anyone can give me a hint in DM I'd appreciate that.

Stuck on the login page. Any hints would be very appreciated, thanks

I found the second page, found the possible x** in first page, I know the "New" was a hint, but I'm still stuck.

If anyone can give me a hint in DM, I'll be grateful

Found the XSS and the second page and tried to brute force the credentials by using a Burp simple list made of all the words that exist in the page, but nothing works.

Can someone dm me for help pls

I found the phonebook page (the one with the search bar and the submit button) but since I'm super new to CTF I have no idea of what to do next. Can someone PM me?

@mahmoudEttou said:

Can anyone DM me with a hint please? I can't send DMs yet.

Hi all, I am stuck now. I've found two pages l**** and s*****, the X**. No luck with S**i and now I am trying to get some booze behind the borders. Any hints appreciated.

This was really fun! Give me a DM if you need some help

I am super stuck on this one. Can someone DM me with some hints about the injection?

Been stuck with it for a while. I can't get to bypass the auth on the search page, and also the login page seems pretty useless except the username, but not sure how to use it. Can someone drop me a hint?

@wo1f try to find what the service is on that login page and how you can exploit it.

I used a tool to brute force the password, I got 16 "Valid" passwords back but none of them work. Any hints?

Attempt # 7 and got it, thanks to a PM'ed clue about what technology might be behind the scenes. Thanks @alyslon for pointing me in the right direction. Learned quite a bit doing this, thanks @vajkdry

I found s***** a** and still stuck, definitely may need a small hint

Fun challenge, frustrating at the beginning because I misidentified what I was dealing with. Once I was pretty sure about what was going on, I just had to fight the snake for a bit and that was it.

Even though it's true you only need the first page to get the flag, I actually used what I got in the second one to identify the thing running on the server. Google even the shortest words!

I was able to successfully log in. I'm able to search the phone book and get results back. But what's next? Where's the flag?

I found what the service is and I think I found a way to exploit it, but I can't seem to get anywhere with it... Could someone DM me a hint, please?

It took me the whole day but in the end I made it. Easier than it looks.

Finally got it, I was trying a really hard way to solve it, but it turns out, it's quite simple.

DM me if you need a hint.

I found the technology and bypassed login. It was new for me. I suspect that the flag is in some attr, maybe in u***P******* for the login user, but I tried the blind method and the direct method and have no result.

Can anyone DM me with any hint, please?

Phew! Solved it. As was said: just don't overthink it.

I'm in the same situation as undefi stated in the previous comment. Would appreciate a DM with a hint.

Thanks to sBY11Ek for giving me inspiration for problem solving. The question is just solved in the login page.😄

If you feel confused, give me a DM and I will tell you some hints.😊

Hello!

I'd appreciate a hint - stuck at the first page.

Thanks in advance!

I was able to login and get the content of the whole phonebook. Can't figure out what the exact query is to fetch the flag. Could someone give me a hint in DM please?