I need a confirmation for user; is it correctly understood that the culprit is on a service serving f***s? And the state of them, for which I’ve found a key?
I’m at the same the stage + thinking the same thing… just not sure how to actually use the key
@waspy no I mean the faces thing is web specific me and a few other people are working on how to do something with it from the info we got from that file have you managed to atleast view the files contents?
Well this is fun! I found the file containing the note and the other file easily enough. Managed to get some contents out of the other file (without needing a password) and that revealed w**. x**. b** which looks like it contains some potentially useful stuff (a bit like ‘heads’, without wanting to say too much), but I’ve no idea how to leverage it… any tips?
Guys about the wordlist as it’s taking a lot of time, you can intelligently create a “subset” wordlist from rockyou depending on the box. Sometimes it’s important to narrow down your resources.
99% certain I’ve found the vulnerability… totally failing to exploit it though!
Yep I am at the same stage. Tried to look at the size of the secret to determine which algo to use, as the default one requires a larger key (according to documentation).
I’ve got the secret, the algorithm associated with it, and also found the vulnerability with the application, but I’ve zero idea about how to pull it all together!
Sadly might not be able to do the box because my laptop cant bruteforce …
I haven’t needed to brite force anything yet. Also… HTB brute force guidance says box creators shouldn’t create problems that require more than just a few minutes of brute force effort.