Grammar

Morning everyone,

So I've been stuck on this challenge for a while, and I feel like I'm running around like a headless chicken at the moment.

Enumeration doesn't seem to be going anywhere, and exploits for the Apache version don't seem like the right way to go, as that's the actual HTB infrastructure. Could anyone please provide me with a nudge in the right direction?

Any help would be greatly appreciated.

~hotshoto


Comments

  • Thanks that helped a lot, onto the next part of the challenge :P

  • I have been stuck on the second part of this challenge for days now. I have found what there is to find in the cookie itself, decoded it and seen the structure. Upon re-encoding I see that there is almost a checksum of sorts that is being used.

    What I am struggling with is figuring out what this checksum is and how it works regarding the other parts of the cookie. Can I PM someone about a hint, or even just to bounce ideas off of?

  • Hey HTB members :)
    Seems like I ran out of options. I've tried to enumerate/bruteforce directories with no luck.
    Any recommended wordlist to use in this case?

  • @cyborg said:
    Hey HTB members :)
    Seems like I ran out of options. I've tried to enumerate/bruteforce directories with no luck.
    Any recommended wordlist to use in this case?

    / is not the right way. Use the default page at php

    Can anyone give a hint about the cookie? Which way is real?

    • bypass MAC (example, "MAC":"None") or other flaws
    • need to enumerate algorithm of signature (example, username:isadmin admin:True)
    • it is a known vulnerability (example, padding oracle)

    Help pls:)

    r2d2

  • edited May 23

    Spoiler Removed - Arrexel

  • edited May 23

    @mrschyte said:
    Spoiler Removed - Arrexel

    Thanks! I didn't exploit this issue yet, it will be a great experience

    r2d2

  • still cannot figure out what to do with this challenge :( according to r2d2, I have to bruteforce directories from the default php configuration which is not at /. I tried to brute force using dirb directories without any fruitful information. Can anybody guide me to get my foot in front of the door? thanks :tired_face:

  • @Linoge said:
    still cannot figure out what to do with this challenge :( according to r2d2, I have to bruteforce directories from the default php configuration which is not at /. I tried to brute force using dirb directories without any fruitful information. Can anybody guide me to get my foot in front of the door? thanks :tired_face:

    You don't need to brute force anything. You'll need to send a specific type of HTTP request to the default PHP page in order to get to the next step of the challenge.

  • watch the video

    peek

  • I feel like I have been stuck halfway through this challenge for going on 4 days now. I have the cookie, tried decode/encode, made every form of request I can think of, and I'm not making any headway. Clearly I am overthinking something here. Any clues as to what I should be focusing on?

  • think m0re !

    peek

  • HMAC, am I on the right track?

  • edited May 23

    Spoiler Removed - Arrexel

    deltaclock

  • edited May 23

    Spoiler Removed - Arrexel

  • This is my first post, I'm still stuck on getting past/find correct page that's not 403 error...
    someone stated it's not brute forced and you need to send a special http request.. I'm totally lost here. I tried dirb at index.php and a few other content discovery techniques with no luck.. I watched the video too, no help there except lots of buzz words causing me confusion..

    Help would be greatly appreciated. or message me. thanks,

  • Can anyone DM me?
    I know everything except how to alter the sig hash. BTW, I tested if it's vuln to some PHP unsafe comparisons

  • edited June 19

    Spoiler Removed - Arrexel

  • I do have the same issue as slawill. I don't know how to abuse the juggling vulnerability. I tried using names to get something "zero-like" on the MAC, but I don't think this is the right way, is it? Can someone push me in the right direction? Please DM me or answer here.

  • Someone that can help me out? Pls PM

  • edited June 19

    @slawill said:
    Spoiler Removed - Arrexel

    I'm stuck in the same place, does anyone have any suggestions on how to continue?

  • @0zcool said:
    This is my first post, I'm still stuck on getting past/find correct page that's not 403 error...
    someone stated it's not brute forced and you need to send a special http request.. I'm totally lost here. I tried dirb at index.php and a few other content discovery techniques with no luck.. I watched the video too, no help there except lots of buzz words causing me confusion..

    Help would be greatly appreciated. or message me. thanks,

    Me too, stuck here!!! It's my third day on this... need help pls

  • edited May 23

    Spoiler Removed - Arrexel

    Hack The Box

  • Just a feeling that I'm closing in to solve this challenge..
    what are you trying to do huh? got this shitty response ..
    Can someone PM me and give me some clue/hint to kick off some ideas?

    This is a helpful guide from OWASP about PHP Type Juggling

    Hack The Box

  • NVM just got the flag hahah

     well done! flag is: **************
    

    Hack The Box

  • @spade said:
    NVM just got the flag hahah

     well done! flag is: **************
    

    Way to go!

    cyb3rsinn3r
    | A+ | Net+ | Sec+ | CySA+ | CASP | CISSP |
    aut inveniam viam aut faciam

  • thank you @n3tc4t .. could've done it w/out your help :D

    Hack The Box

  • @n3tc4t I know about the PHP Type Juggling but I tested every possible input... Even arrays and null... Can you PM me with a hint?

    Hack The Box

  • @n3tc4t same for me ;-)

  • @Jackshd you can PM me :smile:

    Hack The Box
