[WEB] Freelancer

@j0ta1982 said:

Hello guys, same problem. I’m stuck at the same point: I have got credentials and a login page. No luck with injection in the login page. I have found 2 other pages:
one gives me a 302; I tried some parameters with no luck.
the other is a contact page where the parameters seem not to be injectable. In the source file I have found a comment referring to line 19 of a PHP file, but I cannot correlate this info… Please give me a hint, I’ve been blocked for 1 week…

you can PM me

Using the tools more deeply is better than brute-forcing anything.

Found the injectable page, the login page, username and password hash, but I don’t know what to do now. Can anyone help me?
I read the code but found nothing more than the first injectable page, and I can’t find the tool’s “magic option” you are all talking about.
Some hint or PM please, I’m going crazy.
Thank you all.

hi h@x0r$. Used the sp tool against the p**o.**p script to dump everything from the dbs, was able to get the username and hashed password, tried to use dirb and gobuster to scan all folders for hidden files, can’t find anything other than .ht, .htaccess, .htpasswd files which can’t be read. plz h3lp.

WOW, I really need to thank you for immediately telling me that brute-forcing the hash is not the correct way to go; actually you only need a couple of tools to find everything you need.

Hi. I’ve used the sp tool against the p*****o.**p file but cannot bypass the WAF using the tr scripts. Can anyone assist me?

Hey, I am kinda stuck after using the s****p tool. I found the hash and login page. Not too sure what people refer to when saying a certain tool can be used for other purposes. I have looked at the -h menu. Nothing really stood out.

wrong discussion…

Hello,

I’ve recently started the FreeLancer challenge, and I am stuck at the hashed password. Can someone PM me and point me in the right direction?
Looking forward to your response.

Sincerely,
HappyGuy.

I hated this challenge until I solved it, now I’m glad I did. Biiiiig brain boosting from this one. Best hint I can give is to RTFM about the “tool” and the server itself, feel free to PM for nudges :slight_smile:

Done, I like this challenge, something new learned :wink:

I can’t get any results with the tool. I only get an error that the parameter can’t be injected. Could somebody help and tell me what I am doing wrong?
I will be very grateful!

Some hints for this:

  1. Gobuster, dirb, dirbuster, rustbuster, etc.
  2. Source …
  3. Owasp 10
  4. 2.

Some hints for noobs like me:

  1. Read source code (before using dirb). You will find something interesting. This is your key. Now you need a keyhole.
  2. To find the keyhole you need dirb (etc.).
  3. You have to insert the key into the keyhole with the tool everyone is talking about. To do this, you must use the TOOL, but not in the way that noobs like me USUALLY use it. It is necessary to carefully study the additional features of the TOOL (for this, one letter “H” is not enough).

I can’t find the login page… any hints?
And can someone PM me, because I don’t know what you guys mean by the TOOL.

Should I try to upload some file to the server?

Got the flag. I almost reached the last stage, but got stuck on how to read the source code of the website. Research on Google gave some hints and I got the flag.

My hints:

  1. Read the page source carefully.
  2. Dirb.
  3. From a particular page, you can extract data using the tool or manually (I did it with both).
  4. (This step was a very important learning for me.) How can you work with files using hint number 3?
  5. If you got step 4, then I think you will get the flag.

PM me for any assist.

Can anyone check if the challenge is working? I’ve been meddling with the p********, still got no luck with the manual method or s******. Got no response from the page.

@urushichan I am seeing the same thing…

Is the challenge broken? I’ve tried for very long without any luck.

Gave up and found both a write-up as well as a YouTube video, both of which show functionality within the p********.*** file that I can’t replicate.
And the s***** tool that everyone is talking about is unable to figure out anything using that file, as people are hinting it should be able to, here in the forum as well as in the video/walkthrough I found.

any ideas?