[WEB] Freelancer

@Un1k0d3r said:

I’ve reached up to a special user and his hashed password using “The Tool”. I wasn’t able to find another way as mentioned by others. Any nudge/hint please? Wasted almost a day :frowning:

I’m not sure how others solved this, but I never actually logged in as that user.

What other interesting things can that tool do? (That may or may not show up in said tool’s -h help menu)

Can anyone DM some spoilers? I got the hash and a login page. Stuck on here now… Please DM me…

@Tink2hack I sent you a DM. Working through this as well if you’d like to work together using some of ori0nx3's hints.

@Tink2hack said:

Can anyone DM some spoilers? I got the hash and a login page. Stuck on here now… Please DM me…

Same here. I have the user, his hash, and all information I want from the DB (readonly), but I don’t know what else to do.

@Tink2hack @WilliamGiraldo
Feel free to DM me either here or on the discord server if you’re still stuck.

Found the login page, but don’t know how to proceed… Would someone pls help me?

@radac98 Sent you a DM.

This ■■■■ challenge is spoiling my peaceful life, help me, guys… sleeping with a hashed password, login page and username. Been 2 days now. I even took a day off from work saying I’m sick… lol

Sometimes you don’t need to barge in the door. Sometimes you simply need to glance in the window…

And you should probably go to work :wink:

I have the user and the hash using The Tool but no idea how to continue… Not possible to crack the hash. Can somebody help me on how to continue? Thanks!

Can someone DM me for help? I’ve found something but I can’t manage to put everything together…

Man! I’m about to end this challenge. Thanks to @ori0nx3 and @idealphase for the hints. I would like to say for this challenge the login form gets completely sanitized. No need to play there. Use the vulnerability you find AND A VERY WELL-KNOWN PATH!

You don’t need any specific tool. Just try basic injection and ignore the password hash.

Use the source, Luke!
I’d be happy to give some hints, just let me know what you have.

ROOOTED!!!, ■■■… the path was easy to guess, but it took me a while. Thanks, @dnperfors and @gatete for the tips :slight_smile:

Got the adm path, user and password hash, tried all I know about web pentest and NO FLAG. Would someone gib me a hint in PM?

A little hint in the PM would be appreciated!!

@gatete said:

@phneutro said:

I have the user and the hash using The Tool but no idea how to continue… Not possible to crack the hash. Can somebody help me on how to continue? Thanks!

I have sent you a PM, now I hope that you speak Spanish too lol.
For anybody who needs help, feel free to PM too :slight_smile:
Also thanks to the creator of this challenge, I’ve learnt new things!

Thank you @gatete for your help!

Could anyone help me start this? I’ve already used dirbuster on this. Found several dirs but nothing there.

To be honest, this one is not that easy imo.
But I did learn the importance of source code reading.
A hint: Remember that all files come from the server, so do not ignore their paths.

You can PM me for hints.