[WEB] ezpz

We welcome some ideas for this challenge

nemen91

«13

Comments

  • Im able to clear the first error. Getting stuck on clearing the second error. Guess im just gonna have to... T R Y H A R D E R *rolleyes

  • same here ... bit hard without the code ...

  • Both errors have been overcome. now touch **F with ***i

    nemen91

  • WAF seems to be blocking usual methods here, although I can extract some data.

    clubby789

    • GCIH
      If you need help with something, PM me how far you've got already, what you've tried etc (I won't respond to profile comments, or on box release night). And remember to +respect me if I helped you ; )
  • This is a 20 point challenge? Am I going insane?


    Hack The Box
    defarbs.com | Retired Machine Writeups! - "Let me just quote the late, great Colonel Sanders, who said, 'I'm too drunk... to taste this chicken.'”

  • I was wondering the same. Who rated this as easy? Rasmus Lerdorf?

  • @farbs
    No you are not. I am insane from this too.

    snuggles

  • Any hint on how to deal with the WAF? Is blocking everything i try...

  • @Relwarc17
    Find an alternative for Information schema, and there's another thing. I hope this isn't a spoiler, please remove if it is. I still haven't solved.

    snuggles

  • edited December 2019

    GG ahmed
    That was a good challenge, I think it was just rated poorly.

    snuggles

  • edited December 2019

    I already beat it together with @snuggles and @senza. Its not easy and theres some guessing but its a very eyeopening challenge.
    As always PM me on forum for some help :)

    If you need help with something, PM me how far you've got already and what you've tried. I won't respond to profile comments. And remember to +respect me if I helped you <3

  • Great challenge @ahmed , you don't need to guess nothing, just keep things simple.
    Try to understand what the waf is blocking and than enumerate the way snuggleshas pointed out.

  • Great challenge but definitely not easy.

  • Hi, I'm stuck on bypassing the second notice. I've tried anything I know about PHP (will not write it here to avoid spoiling). I could use some help in the right direction. Thanks!

  • Type your comment> @davidlightman said:

    Hi, I'm stuck on bypassing the second notice. I've tried anything I know about PHP (will not write it here to avoid spoiling). I could use some help in the right direction. Thanks!

    I wrote you a PM

    nemen91

  • I am stuck also. PM thanks.

  • People who are stucked on the 2nd error, think something around php datatypes.

  • Pretty stucked with second Notice, can anyone help please?

  • Type your comment> @azuax said:

    Pretty stucked with second Notice, can anyone help please?

    Same here

  • @azuax said:
    Pretty stucked with second Notice, can anyone help please?

    Same here. If you inspect the website closely, you get some good info, but not sure what to do with it

  • WAF is killing me. I got the table and DB but I can't even see what's in there. :(

  • @snuggles there are other ways of doing without it without alternatives ;)

    ahmed

                      Twitter : @ahm3dsec
    
  • WOW! That was really nice fun to solve!

    Thanks @ahmed for making it!!

  • edited December 2019

    Any hints for the very 1st step ?
    The HTML comment doesn't realy help, or I may be blind...

    EDIT : I was dumb... Thanks to @brueh for the pm.
    The HTML comment hint only applies to the 2nd notice. Try multiple data types you know.

  • edited December 2019

    pretty sure i know what i'm supposed to be doing, but i'm struggling to get past the second error. if this is built the way i think it is, it should be pretty simple and deserve the rating it got, but something is in the way :/
    would appreciate a nudge via pm

    EDIT: nevermind, i expected this to be the way more complicated option because i've been fiddling with it earlier yesterday m)

    0x41

  • Spoiler Removed

  • Hi!
    Any hints on bypassing WAF and extract some data ?

  • Challenge done. Great challenge but it should be worth 50 points imo. Learned some new WAF bypass tricks for this kind of attack.
    @snuggles already pointed a useful hint here for the last part.

  • Stuck on 2nd notice. Found a hint, but not sure what to do with it. Could anyone give a tip what direction to go next? Thank you.

  • edited December 2019

    EDIT: I did it :)

    I was trying to bypass the wrong thing :D

    Can anyone give me hint if I'm on right path if I PM them?

    I think I might have cocked up a "correct" bypass technique, and now I'm just trying weirder and weirder alternatives that won't work.

Sign In to comment.