Grammar

Morning everyone,

So I’ve been stuck on this challenge for a while, and I feel like I’m running around like a headless chicken at the moment.

Enumeration doesn’t seem to be going anywhere, and exploits for the Apache version don’t seem like the right way to go, as that’s the actual HTB infrastructure. Could anyone please provide me with a nudge in the right direction?

Any help would be greatly appreciated.

~hotshoto

Thanks, that helped a lot. Onto the next part of the challenge :stuck_out_tongue:

I have been stuck on the second part of this challenge for days now. I have found what there is to find in the cookie itself, decoded it and seen the structure. Upon re-encoding I see that there is almost a checksum of sorts that is being used.

What I am struggling with is figuring out what this checksum is and how it works regarding the other parts of the cookie. Can I PM someone about a hint, or even just to bounce ideas off of?

Hey HTB members :slight_smile:
Seems like I ran out of options. I’ve tried to enumerate/bruteforce directories with no luck.
Any recommended wordlist to use in this case?

@cyborg said:
Hey HTB members :slight_smile:
Seems like I ran out of options. I’ve tried to enumerate/bruteforce directories with no luck.
Any recommended wordlist to use in this case?

/ is not the right way. Use default page at php

Can anyone give a hint about the cookie? Which way is real?

  • bypass MAC (example, “MAC”:“None”) or other flaws
  • need to enumerate algorithm of signature (example, username:isadmin admin:True)
  • it is a known vulnerability (example, padding oracle)

Help pls:)

Spoiler Removed - Arrexel

@mrschyte said:
Spoiler Removed - Arrexel

Thanks! I didn’t exploit this issue yet, it will be a great experience

Still cannot figure out what to do with this challenge :frowning: According to r2d2, I have to bruteforce directories from the default php configuration which is not at /. I tried to brute force using dirb directories without any fruitful information. Can anybody guide me to get my foot in front of the door? Thanks :tired_face:

@Linoge said:
Still cannot figure out what to do with this challenge :frowning: According to r2d2, I have to bruteforce directories from the default php configuration which is not at /. I tried to brute force using dirb directories without any fruitful information. Can anybody guide me to get my foot in front of the door? Thanks :tired_face:

You don’t need to brute force anything. You’ll need to send a specific type of HTTP request to the default PHP page in order to get to the next step of the challenge.

watch the video

I feel like I have been stuck halfway through this challenge for going on 4 days now. I have the cookie, tried decode/encode, made every form of request I can think of, and I’m not making any headway. Clearly I am overthinking something here. Any clues as to what I should be focusing on?

think m0re !

HMAC, am I on the right track?

Spoiler Removed - Arrexel

Spoiler Removed - Arrexel

This is my first post. I’m still stuck on getting past/finding the correct page that’s not a 403 error…
Someone stated it’s not brute forced and you need to send a special HTTP request… I’m totally lost here. I tried dirb at index.php and a few other content discovery techniques with no luck… I watched the video too, no help there except lots of buzzwords causing me confusion…

Help would be greatly appreciated, or message me. Thanks,

Can anyone DM me?
I know everything except how to alter the sig hash. BTW, I tested if it’s vuln to some PHP unsafe comparisons

Spoiler Removed - Arrexel

I do have the same issue as slawill. I don’t know how to abuse the juggling vulnerability. I tried using names to get something “zero-like” on the MAC, but I don’t think this is the right way, is it? Can someone push me in the right direction? Please DM me or answer here.