[WEB] Under Construction

Spoiler Removed

@thecowmilk said:

@Ga330 said:

Sometimes this error " user “”> doesn’t exist in our database." happens. Is it the right way?

I think so, maybe it is indicating SQL injection. Because if you see the downloaded files, there is an exception.

For this challenge I found two different ways but I don’t know which one is the best. The first way is to try by using some SQL code to be executed as I mentioned before. The second way could be to make the flag appear once the login is done. And this is why I notice that if you write some JavaScript code (like alert() message) it will be executed in the main page after login.
So my questions are, in your opinion, what is the best way to capture the flag? In the second way (using an alert() message) is it possible to make the flag appear somehow?

Thank you guys!

■■■■… I haven’t solved the challenge yet and I commented something which was a spoiler… I’M SHOCKED!

@Ga330 said:
@thecowmilk said:

@Ga330 said:

Sometimes this error " user “”> doesn’t exist in our database." happens. Is it the right way?

I think so, maybe it is indicating SQL injection. Because if you see the downloaded files, there is an exception.

For this challenge I found two different ways but I don’t know which one is the best. The first way is to try by using some SQL code to be executed as I mentioned before. The second way could be to make the flag appear once the login is done. And this is why I notice that if you write some JavaScript code (like alert() message) it will be executed in the main page after login.
So my questions are, in your opinion, what is the best way to capture the flag? In the second way (using an alert() message) is it possible to make the flag appear somehow?

Thank you guys!

tbh I have a conclusion that SQL is not the correct way to do it… lol

Yeh :wink: I’m trying to find a way to see the flag by using JavaScript. The problem is that I don’t know where to find the flag… or better I don’t know how to interact with DB!

Got something working locally, but breaking on docker…

XSS is client side. You do not need to hijack an account…
So imo, XSS or any other client-side attacks are irrelevant here.

Maybe this will help:

  1. There are 2 vulnerabilities (OWASP top 10 <3)
  2. Should simply ‘read’ the flag, not overthink it
  3. No need for JavaScript at all

For me, one popular utility didn’t work properly. But python + hands help a lot.

Awesome challenge, had a lot of fun on this one!

@Danr0 said:

Maybe this will help:

  1. There are 2 vulnerabilities (OWASP top 10 <3)
  2. Should simply ‘read’ the flag, not overthink it
  3. No need for JavaScript at all

For me, one popular utility didn’t work properly. But python + hands help a lot.

Can you tell me the two vulnerabilities? After two days I’m still trying to solve it… :frowning:

Hmm found a certain ‘private’ something… Not sure what to do with it though

A tip for life: Make a flask app that routes sqlmap’s payload so you can craft the request with the payload however you want, neat.

I enjoyed this and learnt something new :slight_smile:

@clubby789 said:

Got something working locally, but breaking on docker…

In the same state, but don’t know how to proceed from here.

@f3v3r said:

@clubby789 said:

Got something working locally, but breaking on docker…

In the same state, but don’t know how to proceed from here.

Try doing things a bit more manually

Can anyone give me a hint on where to find something private or public?

got a whole bunch of weird behaviours and an error message, but no matter what i do, i can’t make sense of what happens behind the scenes. would appreciate a nudge

i tried SQLi but no luck, now using hydra to brute force the user and password… am i on the right track?

Analyze the source to find your way in. Replicate the environment. Some coding may be required.

ah ■■■■, i kept wondering how to get the source and didn’t realise there was a ■■■■■■■ download button under the start instance button m)
EDIT: aaand got it. i tried the right thing from the very beginning before i even had the source, but looks like i did something wrong the first time around :^)