[WEB] ezpz



  • You can PM me guys but please tell me what you have tried so far.

  • Great challenge @ahmed. That was very tough. Thanks for making it. Learned a lot

  • Thanks @ahmed for this great chanllenge.
    I enjoyed it and learned a lot

  • Wow, what a challenge, thanks @ahmed, this has been the most difficult web challenge I have done so far on htb, not ezpz at all!!
    But learned a lot more thanks.

    One thing I want to say, this challenge is not a 20 points challenge, at least not from my noob point of view :|

    Hack The Box

  • Thanks @ahmed, this was a very cool challenge!

  • Fun challenge, learned a lot about WAF bypassing. But 20 points? I don't know dude.

  • Type your comment> @davidlightman said:

    Hi, I'm stuck on bypassing the second notice. I've tried anything I know about PHP (will not write it here to avoid spoiling). I could use some help in the right direction. Thanks!

    same here:"( help me plz!

  • edited December 2019

    pm me plz :"(
    I'm stuck in second notice.....

  • Would someone mind pm'ing with a bit of assistance on the second notice? been stuck for quite a while now.

  • I'm stuck in second notice..... help pls :(

  • would be nice if someone would be kind enough to guide me through this challenge.
    I also stuck on the 2nd and really wanted to solve this and learn the things that this challenge need.
    please PM me!

    Did I help you? Please return the favour and +1 respect me

  • i'm stuck in sqli i got all databases but can't extract tables names, it looks like WAF blocks built-in functions like: H**, CR, U*H AND --> i*f*rtn_sh*m*...
    Do i need to look for more built-in functions in sql that are not blocked by the firewall ??
    pm me :)

  • Spoiler Removed


  • I'm stuck on the challenge, figured out how to send in a simple sqli but can't get any more. Any help is appreciated :)

  • Same here, I'm completely stuck with the S**i part. I can't get anything, all it's blocked by the WAF.

    Any hints will be more than welcome.

    Reach me on Discord: n3b0r#2873

  • edited December 2019

    OK... So I got as far as clearing the second part and now I am getting an error mysqli_fetch_assoc() expects parameter 1 to be mysqli_result, bool given
    I know I can't really put what I am doing to get the error, but someone who is willing to pm me, please help me understand what I am doing wrong.

    4 days later, I got the flag. Thank you mostly to @Idomino for your suggestion on testing on my own DB for proper syntax. It clicked for me once I realized I was missing a small part in my syntax when watching another tutorial on a completely unrelated database.

  • The WAF is blocking everything I have been trying which I have had to do manually (using burpsuite's repeater at the moment). I am not well experienced with any manual sqli, but I have spent the last six hours banging on this. The initial part of figuring out how to correctly format to get to where you can get rejected by the WAF did not take too long.

    Did others here figure out a way to use something like wfuzz or sqlmap with this to get the right technique? Or is it entirely manual? It seems like there are far too many possible different variations for this to be practical.

    I could really use a hint. PM is fine too. Thanks.

  • edited December 2019

    I'm struggling to extract column names :/ any nudges please? I know the table though...

    EDIT: got the flag. This was definitely not an easy one....

  • Am I supposed to see PHP errors when I start this challenge?

  • @theart42 yes. Error messages are a big giveaway on any website and should be turned off. Try to exploit it!

    Please + Respect me if I helped you out.

    Hack The Box

  • got it. very hard but nice
    if someone need help pm me

  • is this supposed to be blind or should I see an output?

  • 'morning everyone.

    Getting stuck on this one.
    No more php errors, but i don't find the way to infiltrate after. (so it's fine)
    Then I made my own tamper.py to inject at the right place with the right structure (am i right ?)

    Regards !

  • i am stuck help please

  • Finally, I did it. Definitely, it isn't an easy one. I learned some new things about S**i. The initial part is funny and pushes me to think as a programmer does to guessing the lines and their behavior behind the scenes.

    The part of S**i was too much for me, but researching on Google you will find the correct path.

    Definitely, this challenge will help me in the future.

    PM if you need help.

    Reach me on Discord: n3b0r#2873

  • edited January 4
    Sometimes your meal needs some ..... to add some flavor.
  • alright found some time to get back to this and took like 2 hours doing the wrong thing to get me to the flag. very hard challenge, such an annoying "waf"....


  • found a vulnerable param using s**m*p and a custom tamper script to format the payload. I am however unable to exploit this vulnerable param. Am i on the right track or should i try something else?


  • Damn it took me a few days of extensive googling and mindfuckery to get through this. I'm new to sqli but I feel I learned a ton from this.

    For people stuck at the firewall, as someone pointed out, try to understand what type of words ( special characters? hint hint) the waf is trying to filter. Feel free to hit me up if you need any more pointers

  • I'm stuck on second notice too :/

Sign In to comment.