[WEB] Freelancer

Managed to get the flag only after restarting the challenge on another instance (port) and firing up the “tool” again against the new instance.
Dunno what happened exactly…

p.s. no need to crack

Thanks to @innominate

Didn’t know about that functionality of the tool.

My hint would be that the initial thing you have to find in the code is easier to spot in view-source:// than in the developer menu. The source served me an easy-to-read one-liner.

  • Found login form
  • Got username/password hash.
  • Hints are saying that I don’t need to crack the hash.
  • Tried basic auth bypass with correct username - no luck.
  • Stuck now.

The “update wordlists” hint from innominate is a good hint :slight_smile:

Is the contact form something I should test more thoroughly?

Is the contact form something I should test more thoroughly?

No

Thanks. I’ve managed to solve it in the end.
It’s very fun and good challenge.
@rheaalleen hints were also very helpful.

Read source + enumerate + exploit + the tool that you are using can do much more fun stuff :slight_smile:
Run exploit again with your enumeration findings and you’ll have the flag.

Any good source for the wordlist update?

@syserror I didn’t use anything special and haven’t updated in a while. I ran dirb with the standard wordlist (meaning only the URL as parameter). If you want to be safe:

  • apt purge dirb
  • apt install dirb
  • dirb -u url -z 100
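A detection-side counterpart to the dirb run above, added here as an example and not code from anyone in this thread: it parses constructed Apache/nginx combined-format access log lines and flags source IPs whose request pattern looks like wordlist-driven directory brute-forcing (many distinct paths, mostly 404s, inside a short time window). The log lines, IP addresses, paths, thresholds and the function names are all made up for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Constructed sample (not real traffic): 10.0.0.9 is an ordinary visitor,
# 10.0.0.5 walks a wordlist and gets mostly 404s within a few seconds.
NORMAL_LINES = [
    '10.0.0.9 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Oct/2023:13:55:38 +0000] "GET /style.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Oct/2023:13:56:01 +0000] "GET /login HTTP/1.1" 200 2100 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Oct/2023:13:56:30 +0000] "POST /login HTTP/1.1" 200 310 "-" "Mozilla/5.0"',
]
SCAN_PATHS = ["/admin", "/backup", "/cgi-bin/", "/config", "/db", "/images", "/index.php~",
              "/login", "/old", "/phpmyadmin", "/test", "/tmp", "/uploads", "/vendor"]
# dirb's stock User-Agent is an IE6-era string; it is trivially changed, so it is only a weak hint.
SCAN_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
SCAN_LINES = [
    f'10.0.0.5 - - [10/Oct/2023:13:55:{40 + i:02d} +0000] "GET {p} HTTP/1.1" '
    f'{200 if p in ("/images", "/login") else 404} 162 "-" "{SCAN_UA}"'
    for i, p in enumerate(SCAN_PATHS)
]
SAMPLE_LINES = NORMAL_LINES + SCAN_LINES


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect_dir_bruteforce(lines, window_s=60, min_requests=10, min_404_ratio=0.75):
    """Return {ip: summary} for every source IP that, within some window_s-second
    sliding window, sent at least min_requests requests of which at least
    min_404_ratio were 404s. The summary reflects the last window that tripped."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        window = deque()
        for rec in recs:
            window.append(rec)
            # Drop requests that fell out of the time window.
            while (rec["ts"] - window[0]["ts"]).total_seconds() > window_s:
                window.popleft()
            n = len(window)
            n404 = sum(1 for r in window if r["status"] == 404)
            if n >= min_requests and n404 / n >= min_404_ratio:
                flagged[ip] = {
                    "requests": n,
                    "not_found": n404,
                    "distinct_paths": len({r["path"] for r in window}),
                    "legacy_ua": any("MSIE 6.0" in (r["ua"] or "") for r in window),
                }
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_dir_bruteforce(SAMPLE_LINES).items():
        print(ip, summary)
```

The 404 ratio and the number of distinct paths per window are what separate a wordlist walk from a busy legitimate client; the User-Agent field is reported only as corroboration. On a real server, feed the function a tail of the access log and tune `min_requests` to the site's normal burst size.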

I am totally new here. Please help me solve it. I still haven’t solved one.

There are a couple of ways on this one. The easiest method IMO is to use the initial weakness and follow the source.

There’s another method that will get you the password without cracking.

A third approach is to actually crack the hash. Didn’t try that personally, but that could take a while…

dirb/wordlists may help but are not required. You can more or less guess what’s there.

Solved. All I can say is this: pen-test the application and, as someone else already said, READ the code. I’d suggest to get back to the basics, perform some well-known pen-test actions against your target. Use well-known tools with well-known parameters to that tool.

By the way, I wouldn’t recommend cracking the hash; it may well be that I am a total disaster when it comes to cracking bcrypt hashes with my word lists, but I tried it out of curiosity and had no luck. If someone else has done it, I’d love to hear how.

So my hints:

  1. dirb. This will get you some interesting files you will need later on.
  2. Absolutely no cracking.
  3. Use a “tool” to do something with some of the files found in 1) and READ.
  4. Try harder.

@socialkas said:
Solved. All I can say is this: pen-test the application and, as someone else already said, READ the code. I’d suggest to get back to the basics, perform some well-known pen-test actions against your target. Use well-known tools with well-known parameters to that tool.

By the way, I wouldn’t recommend cracking the hash; it may well be that I am a total disaster when it comes to cracking bcrypt hashes with my word lists, but I tried it out of curiosity and had no luck. If someone else has done it, I’d love to hear how.

So my hints:

  1. dirb. This will get you some interesting files you will need later on.
  2. Absolutely no cracking.
  3. Use a “tool” to do something with some of the files found in 1) and READ.
  4. Try harder.

Stuck on 4, I think %)
Tried:

@naveen1729 said:
the easiest method IMO is to use the initial weakness and follow the source.

but no success (first time using such a tool; I just went through the available options).
Also tried to get the pass without cracking (as in one recent challenge/box), but also no success. Now reading all the output (-a) of the “tool”; I may be missing something else. Brute force: I think the challenge will retire before I get results %) I also have the idea of trying the hash directly with another tool, hoping the developers made such a “mistake” ^)…

I.e. if somebody wishes to push me in the proper direction, it will be very much appreciated %))

Much thanks to @idealphase , just got the flag.
Actually, all the creds you get are not necessary if you proceed like me.
The tools you are using can do more stuff than you think.
If you need any hints, just feel free to PM me :slight_smile:

Nice challenge, I enjoyed it.

No need to crack, just read.

That was a fun challenge. It is great to get some experience using the “tool”. All the hints are on this discussion page. (and yeah, I did try to bruteforce my way in, but the instance is not active long enough…)

Is the “tool” s****p? I tried it with s**l option, but unsuccessfully.

Alright, I’ve tried and tried with the tool and found that the current user has the file priv. However, I can’t seem to read or write anything in the /admin…/ dir.

How far off am I?

@b1narygl1tch , yes that is the tool.
@Mapperist, are you sure you have the right directory?

Spoiler Removed

Oh wow. What a beast, didn’t know you could do that.
Slick.
A+++ to the creator. Brain building happened.

Finally done… yep. What I can say for people like me (noobies in web): find the weak place by analyzing the crazily formatted file %), apply the tool mentioned above, then start searching again, applying the tool and going deeper and deeper… until you get the flag %))) (I think this is not a spoiler, since everything mentioned here is already known in this thread). PS: and don’t overthink; some things are much simpler.
PPS: And you should read tons of information about how www applications work if you have never dealt with them before %) like me, to be able to see the important information in the files.

Was fun…