[WEB] Freelancer


Comments

  • @PenTestPumpkin look at more files. Especially ones related to the website. Might need to use some other tools to find which files there are...
  • 0Z00Z0
    edited September 2019

    @Dethread Hmmmmmn. Thought I'd found everything already. More 'F' in Fuzzing then maybe ;-)

  • stuck at login page.. please suggest what to do next..

  • I can't seem to get this one. I've found the login page, but it doesn't seem injectable using a 'tool'. I've found some .ht* files, but I don't know how to get around auth for those. Am I using the right tool? Am I trying to inject the right spot?

  • edited October 2019

    Need help! Found login directory, hashed password and configuration file but don't know how to proceed. Can someone PM me?
    EDIT: Solved it!

  • edited October 2019

    Spoiler Removed

  • Hi Folk,
    Can anybody help me with this challenge? I got stuck after trying a lot of things... I found the hash value but it seems not to be the right way. I tried to read the source code but I don't get it. Can you help, PM a hint... Thank you in advance

  • Can someone give me a nudge? I can't even get to the login page that everyone is talking about. I ran gobuster & dirbuster. Both gave me a handful of urls, and none of them point to any login page.

  • I am damn stuck on finding the username and password (hashed or not). What should I do?

    zaBogdan

    If you need help with the boxes, pm me on Discord, zaBogdan#3458, I always forget to respond on form

  • edited October 2019

    Please, I need a hint. I could not find any username and password. I discovered the /a*****/... path but I couldn't do anything.
    I'm a newbie at this stuff.

    Thanks!

  • Source code read.

    1. Got username, hash using the "tool".
    2. Got a********* login page
    3. Found file read option in the page using OWASP Top 10.
    4. But I can't read that file; it is mentioned in the source code.
    5. Also tried to read that file using "tool". But no use.

    Please give me the instructions for final step?

  • edited October 2019

    Thank You All, You Guys Are Really So Helpful.

  • Is anybody there for PM?

  • Very nice challenge! Feel free to PM me if you are stuck staring at the hash like I did lol

  • edited October 2019

    Could anyone give me a hint? I've got the password hash and login page. I tried using the tool to somehow crack the hash, no luck. What am I missing? What is the OWASP top 10 thing that everyone is talking about?

    If anyone could DM some hints, that would be appreciated

  • I can't find the login page... any hints?

  • I've found the path vulnerable to OWASP Top 10, credentials and login page. Could someone give me a hint?

  • I can't find update wordlist ... can anyone help me :(

  • @abir2468 said:

    I can't find update wordlist ... can anyone help me :(

    You don't quite need a special wordlist. I've used the default dirbuster list. The key is to look at the right file.

    zaBogdan

    If you need help with the boxes, pm me on Discord, zaBogdan#3458, I always forget to respond on form

  • Can anybody help me with this? I got the login page and the tool everybody is talking about. I think I figured it out but it didn't give me any results. Can anyone please PM me so that I can clear my doubts?

  • I am not able to go further after finding the hash. Anyone, please DM or PM me.

  • edited November 2019

    I've got the account, hash and login page. Tried fuzzing pass but no success. Any tips?
    Found it: Use tool, help menu and read files.

  • Without the little helps here this one would have been impossible...

  • Hello guys, same problem. I'm stuck at the same point: I have got the credential and login page. No luck with injection in the login page. I have found 2 other pages:
    one gives me a 302, I tried some parameters with no luck.
    the other is a contact page where the parameters seem not to be injectable. In the source file I have found a comment referring to line 19 of a PHP file but I cannot correlate this info... Please give me a hint, I've been blocked for 1 week.....

  • @j0ta1982 said:

    Hello guys, same problem. I'm stuck at the same point: I have got the credential and login page. No luck with injection in the login page. I have found 2 other pages:
    one gives me a 302, I tried some parameters with no luck.
    the other is a contact page where the parameters seem not to be injectable. In the source file I have found a comment referring to line 19 of a PHP file but I cannot correlate this info... Please give me a hint, I've been blocked for 1 week.....

    you can PM me

  • Using the tools deeper is better than brute-forcing anything


  • Found the injectable page, the login page, username and password hash but I don't know what to do now, can anyone help me??
    I read the code but found nothing more than the first injectable page, and can't find the tool's "magic option" you are all talking about.
    Some hint or PM pls, I'm going crazy.
    Thank you all.

  • hi [email protected]$. Used the s****p tool against the p******o.**p script to dump all from the dbs, able to get username and hashed password, tried to use dirb and gobuster to scan all folders for hidden files, can't find anything other than .ht, .htaccess, .htpasswd files which I can't read. plz h3lp.

  • WOW, I really need to thank you for immediately telling that brute forcing the hash is not the correct way to go, actually you need only a couple of tools to find everything you need.
