[WEB] Freelancer

If you got the Inj try to load the fl that you got from dirb

Nice easy challenge. No automated tools are needed (I used only gobuster), it can be done manually, just read carefully the source code and test everything.

I’m stuck on this one. Much like previous comments I’ve found the login page and two separate username/password combinations (one for the db, which I’ve ‘cracked’).

I am stuck and need a push… I have used the tools everyone has talked about but must be missing something. I see the --help doesn’t list everything it can do. I googled and can not find what else to do.

So far I have hash
I have a login
and have tried basics with said login.

Can anyone nudge me in the right direction?

Beat my head against the wall when actually the instance was just down and s****p didn’t indicate that very well :slight_smile:

Got the flag now; overall pretty tricky I’d say. I for sure thought it’d be an XSS one based on the contact form until I followed the other leads.

Feel free to ping me for hints.

I’ve discovered the login page and I’ve tried using the tool (s****p) but no luck and Im stuck, dont really know what to do… please can anyone give me a hint

Type your comment> @mattyboy123123 said:

I’ve discovered the login page and I’ve tried using the tool (s****p) but no luck and Im stuck, dont really know what to do… please can anyone give me a hint

you can read some files with that tool

I found user/pass from a vul. But i don’t find any path to using it although i used dirbuster and read source code html. Pls give me hint for what to do now?

I found hash and login pages, but I can’t login. I have difficulties. Can you give me some hints? What are you talking about the source code for reading? That’s the source code for that part.

Could someone PM a hint to the location of the hash? I feel like I’m missing something super obvious here

After found the login form with dirb, i need to enumerate and find the username ?

Anyone available for a pm ?

@Davincible: Check your inbox. If anyone else needs a hint, feel free to PM me!

whats the path?

If something apparently juicy you found doesn’t seem to get you anywhere, look elsewhere. This challenge has a few ratholes.

For sp we

Took me a few minutes to get the hash using the proper tools, then got stuck after that for a while!
I believe (as mentioned here before) that no need to crack any hashes, my question is, would the same tool that got me the hashes help afterwards? I tried most of its options shown in the -hh with no luck.

I appreciated any help here.

@salt yes, that same tool can do more than just pull data out of a db… check the options again for other interesting features.

I can get the same place with you, and I can download it through the tool, but I can’t upload it. I have downloaded all the source code for analysis. I also thought that I can use webshell. Who can PM?

Type your comment> @alex57xp32 said:

I can get the same place with you, and I can download it through the tool, but I can’t upload it. I have downloaded all the source code for analysis. I also thought that I can use webshell. Who can PM?

Passed, it really is a problem that I did not analyze carefully. In fact, the answer has been found, that is, I have not seen it.