[WEB] Freelancer

Hey all, figured I could start this discussion and ask for some guidance.

I can’t seem to figure out where to go. I’ve uncovered some neat things, but all the data that I can see has nothing of use?
What am I overlooking? Any help would be greatly appreciated.

EDIT: Welp… after I posted I was able to find the flag… Whether or not I did it the correct way, who knows.

I tried to do something with u@@rn@@@, as it is giving some output, but no luck.

I just got a hashed message. I’m waiting to crack it. I don’t know if it’s a rabbit hole or not. :worried:

@idealphase

Not a rabbit hole, but the other way is shorter than waiting hours.

Some advice to speed up the breaking of the hash: PM me.

There is no need to crack a hash, because there is another way.

Spoiler Removed

If you want to save time, don’t try to crack the hash.
Think smarter (maybe like doing a real pentest).

No need to crack any hashes or brute-force any creds/logins. As usual, or at least in my limited HtB experience, that’s not really how things are set up to be. There’s usually a #facepalm way to the goal.

@Kougloff Thanks for your answer, man. I just got the flag without cracking the hash. :slight_smile: Fun and learn. If anyone needs a hint, don’t hesitate to PM me.

HINTS:

  1. update your wordlists (not for cracking :wink: )
  2. always read the code
  3. owasp top 10 <3

Managed to get the flag only after restarting the challenge on another instance (port) and firing up the “tool” again against the other instance.
Dunno what happened exactly…

p.s. no need to crack

Thanks to @innominate

Didn’t know that functionality of the tool.

My hint would be that the initial thing you have to find in the code is easier to spot in view-source:// than in the developer menu. The source served me an easy-to-read one-liner.

  • Found login form
  • Got username/password hash.
  • Hints are saying that I don’t need to crack the hash.
  • Tried basic auth bypass with correct username - no luck.
  • Stuck now.

Update wordlists hint from innominate is a good hint :slight_smile:

Is the contact form something I should test more thoroughly?

Is the contact form something I should test more thoroughly?

No

Thanks. I’ve managed to solve it in the end.
It’s very fun and good challenge.
@rheaalleen hints were also very helpful.

Read source + enumerate + exploit + the tool that you are using can do much more fun stuff :slight_smile:
Run the exploit again with your enumeration findings and you’ll have the flag.

Any good source for the wordlist update?

@syserror I didn’t use anything special and haven’t updated in a while. I ran dirb with the standard wordlist (meaning only the URL as parameter). If you want to be safe:

  • apt purge dirb
  • apt install dirb
  • dirb -u url -z 100
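The post above runs dirb with its default wordlist to find hidden paths. As an added example (not from the thread or from dirb itself), here is the same idea in a few lines of Python: it starts a throwaway local HTTP server with a handful of constructed paths, probes each word from a small inline wordlist, and keeps every response that is not a 404. The server, the paths and the wordlist are all assumptions made up for the example; point `enumerate_paths` at a real base URL and a real wordlist file to use it for the purpose the thread describes.

```python
"""Minimal directory enumeration in the spirit of the dirb run above.

Added example, not part of the forum thread. Everything here is constructed:
the target server, the paths it answers for and the wordlist.
"""
import http.server
import threading
import urllib.error
import urllib.request
from http import HTTPStatus

# Constructed wordlist standing in for dirb's common.txt.
WORDLIST = ["admin", "backup", "images", "login", "mail", "uploads", "robots.txt"]

# Constructed target: the paths the throwaway server will answer for, and how.
KNOWN_PATHS = {
    "/admin": HTTPStatus.FORBIDDEN,   # exists but is access-controlled
    "/login": HTTPStatus.OK,
    "/mail": HTTPStatus.OK,
    "/robots.txt": HTTPStatus.OK,
}


class _Handler(http.server.BaseHTTPRequestHandler):
    """Answers 200/403 for KNOWN_PATHS and 404 for everything else."""

    def do_GET(self):
        status = KNOWN_PATHS.get(self.path, HTTPStatus.NOT_FOUND)
        body = b"ok" if status == HTTPStatus.OK else b""
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the test server quiet
        pass


def start_server():
    """Bind the constructed target on a free localhost port and serve in a thread."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), _Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe(url, timeout=5):
    """Return the HTTP status code for url; non-2xx codes come back via HTTPError."""
    req = urllib.request.Request(url, method="GET", headers={"User-Agent": "enum-example"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


def enumerate_paths(base_url, words):
    """Probe base_url/<word> for each word; return {path: status} for every non-404.

    A 403 is kept on purpose: a path that exists but is forbidden is still a
    finding worth following up, which is what "run the exploit again with your
    enumeration findings" in the thread is about.
    """
    hits = {}
    for w in words:
        path = "/" + w
        status = probe(base_url.rstrip("/") + path)
        if status != HTTPStatus.NOT_FOUND:
            hits[path] = status
    return hits


def demo():
    """Run the enumeration against the constructed local target and return the hits."""
    srv = start_server()
    try:
        base = f"http://127.0.0.1:{srv.server_address[1]}"
        return enumerate_paths(base, WORDLIST)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for path, status in sorted(demo().items()):
        print(f"{int(status):>3}  {path}")
```

Against the constructed target the script reports /admin (403), /login, /mail and /robots.txt, and drops backup, images and uploads because they answer 404. Real targets often answer 200 or 302 for everything, so in practice you also compare response sizes or bodies before trusting a hit.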

I am totally new here. Please help me to solve it. I still haven’t solved one.

There are a couple of ways on this one. The easiest method IMO is to use the initial weakness and follow the source.

There’s another method that will get you the password without cracking.

A third approach is to actually crack the hash. Didn’t try that personally, but that could take a while…

dirb/wordlists may help but are not required. You can more or less guess what’s there.