[WEB] Freelancer

This ■■■■ challenge is spoiling my peaceful life, help me, guys… sleeping with a hashed password, login page and username. It's been 2 days now. I even took a day off from work saying I'm sick… lol

Sometimes you don’t need to barge in the door. Sometimes you simply need to glance in the window…

And you should probably go to work :wink:

I have the user and the hash using The Tool but no idea how to continue… Not possible to crack the hash. Can somebody help me on how to continue? Thanks!

Can someone DM me for help? I've found something but I can't manage how to put everything together…

Man! I’m about to end this challenge. Thanks to @ori0nx3 and @idealphase for the hints. I would like to say for this challenge the login form gets completely sanitized. No need to play there. Use the vulnerability you find AND A VERY WELL-KNOWN PATH!

You don’t need any specific tool. Just try basic injection and ignore the password hash.

Use the source, Luke!
I’d be happy to give some hints, just let me know what you have.

ROOOTED!!!, ■■■… the path was easy to guess, but it took me a while. Thanks, @dnperfors and @gatete for the tips :slight_smile:

Got the adm path, user and password hash, tried all I know about web pentest and NO FLAG. Would someone give me a hint in PM?

A little hint in the PM would be appreciated!!

@gatete said:

@phneutro said:

I have the user and the hash using The Tool but no idea how to continue… Not possible to crack the hash. Can somebody help me on how to continue? Thanks!

I have sent you a PM, now I hope that you speak Spanish too lol.
For anybody who needs help, feel free to PM too :slight_smile:
Also thanks to the creator of this challenge, I’ve learnt new things!

Thank you @gatete for your help!

Could anyone help me to start this? I've already used dirbuster on this. Found several dirs but nothing there.

To be honest, this one is not that easy imo.
But I did learn the importance of source code reading.
A hint: Remember that all files come from the server, so do not ignore their paths.

You can PM me for hints.

I’ve got hash values and login pages, but I don’t know what to do next. Can you give me a hint, buddy?

I've got the username and the password hash, but I've heard that you don't have to crack the hash… how should I use the "Tool" to get it… any hint will be appreciated.

Don't try to crack the hash, just read the source code and try to find one of the OWASP Top 10; you can use an automated tool.

If you got the Inj try to load the fl that you got from dirb

Nice easy challenge. No automated tools are needed (I used only gobuster); it can be done manually, just read the source code carefully and test everything.

I’m stuck on this one. Much like previous comments I’ve found the login page and two separate username/password combinations (one for the db, which I’ve ‘cracked’).

I am stuck and need a push… I have used the tools everyone has talked about but must be missing something. I see the --help doesn't list everything it can do. I googled and cannot find what else to do.

So far I have hash
I have a login
and have tried basics with said login.

Can anyone nudge me in the right direction?