[WEB] Under Construction

ah ■■■■, i kept wondering how to get the source and didn’t realise there was a ■■■■■■■ download button under the start instance button m)
EDIT: aaand got it. i tried the right thing from the very beginning before i even had the source, but looks like i did something wrong the first time around :^)

Aaaaand finally, I did it. These are my hints:

  • Focus on the things that can be used to extract information. XSS is useless.
  • Try to run the webserver locally.
  • You don’t have the database, but you can imagine how it’s constructed.
  • When you know what you have to exploit, search for some tools on the Internet that can be easily modified to do what you need to do.

Great challenge, I enjoyed it.

@deetee1 said:
i tried SQLi but no luck, now using hydra to brute force the user and password… am i on the right track?

Don’t waste your time doing those, it’s useless.

would anyone be able to help with this one? i think i’ve worked out a tactic but whenever i sign something with a different algorithm and use the new value, i get an Internal server error.

edit: nm, i did as recommended and ran the app locally. tweaked my tactic and it works now.

worked out my problem. Missed something I should have picked up

So i read the source and know there exists a S*** attack. I’ve started a local instance but am not sure how to properly escape certain chars in sqlite queries.

Any help is appreciated!

I have identified the vector but I think I need a private thing and cannot find it

I got the exploit and (I believe) finished the challenge but I have no idea on how to get the flag :sweat_smile:
No tools used right now, I’m doing all manually + nodejs coding.

solved! thx to @daverules for the help, I’ve learnt something new about queries

@daverules said:

would anyone be able to help with this one? i think i’ve worked out a tactic but whenever i sign something with a different algorithm and use the new value, i get an Internal server error.

edit: nm, i did as recommended and ran the app locally. tweaked my tactic and it works now.

Some hint? Same situation. Thx

if you get an internal error then it means the format of something is not quite right. in my case, it was that i was missing a line break at the end of something else. hope that helps

@daverules Yes, fixed the problem. Thx

Edit: Solved, thx again @daverules

It’s really fun.
Thanks @makelarisjr for the challenge.

working locally helped a lot, good challenge!

@HumanFlyBzzzz said:

Hmm found a certain ‘private’ something… Not sure what to do with it though

Any hint on how to get that “private” thing? I don’t see any way in the code to access that file…

@asebal said:

@HumanFlyBzzzz said:

Hmm found a certain ‘private’ something… Not sure what to do with it though

Any hint on how to get that “private” thing? I don’t see any way in the code to access that file…

@HumanFlyBzzzz’s message is a bit confusing and may lead to wrong assumptions. I would recommend forgetting about private stuff and instead just carefully reading the source code. Most probably you already have everything you need to get the flag.

Anyone can help me in PM? I’ve a local instance running but… not so skilled in nodejs and sqlite… I’ll appreciate… thx

Feel free to message me if you need help.

Need some help on this :confused:
just want to know if I’m looking at the right spot and not overthinking. Anyone free to help?
Thanks!

it took me soooo much time, but since I’m a dumb noob, I guess it’s okay :slight_smile:

learned a lot of new things
wrote my own python script (also covered it with a test, lol)
practiced some stuff

I thought I would never do it, but I just didn’t give up, even though it was sooo much pain and frustration for me )))

helping tips for the noobs like me:

  • something happens as you log in;
  • can you fake the identity? ← this can take some time; practice on some dummy data first! writing a script to automate the process is a good idea, it’ll help you later on your journey a lot; also, mind an excessive new line somewhere in public!
  • no escape is a way in;
  • combine the two and go a blindfolded journey to read the stored treasure;

sorry, I can’t help you with personal assistance, please don’t dm me.

Great challenge, took me 2 days to solve it. I learned a lot about the authentication system used in the web application. There is one thing i did not understand though:

I had to specify the management system in the tool i’ve used to obtain the flag. Otherwise the tool would not detect the vulnerability. Usually the tool does this automatically but not in this case. Is it because of the custom script I had to create for the tool or am I missing something?