Arkham

Docs are your friend!

Sadly, I might not be able to do the box because my laptop can't bruteforce …

@D4n1aLLL said:

Sadly, I might not be able to do the box because my laptop can't bruteforce …

I haven’t needed to brute force anything yet. Also… HTB brute force guidance says box creators shouldn’t create problems that require more than just a few minutes of brute force effort.

@MinatoTW said:
Docs are your friend!

Indeed… but which ones!? :slight_smile:

@19Rich said:

I’ve got the secret, the algorithm associated with it, and also found the vulnerability with the application, but I’ve zero idea about how to pull it all together!

Have you been able to use the secret and algorithm on the data??

Anyone got anything out of the N*U*ER.D** and other files of the same kind? I ran r**ri***r on it but am not finding anything very interesting.

@19Rich said:

@D4n1aLLL said:

Sadly, I might not be able to do the box because my laptop can't bruteforce …

I haven’t needed to brute force anything yet. Also… HTB brute force guidance says box creators shouldn’t create problems that require more than just a few minutes of brute force effort.

Perhaps see above MinatoTW’s hint regarding the wordlist.

@MinatoTW said:

Guys about the wordlist as it’s taking a lot of time, you can intelligently create a “subset” wordlist from rockyou depending on the box. :wink: Sometimes it’s important to narrow down your resources.

Thanks! xD

I was able to extract the data without the password but some were corrupt!

@MinatoTW said:

Guys about the wordlist as it’s taking a lot of time, you can intelligently create a “subset” wordlist from rockyou depending on the box. :wink: Sometimes it’s important to narrow down your resources.

I’m not sure why, but hashcat keeps showing the Speed as 3 H/s or 2 H/s on this particular type of file/encryption, and I’m using a MacBook Pro that has a GPU. Trying the “common subsets” of rockyou currently.
I could literally type each word in rockyou faster than this!!

@lduros said:

@MinatoTW said:

Guys about the wordlist as it’s taking a lot of time, you can intelligently create a “subset” wordlist from rockyou depending on the box. :wink: Sometimes it’s important to narrow down your resources.

I’m not sure why, but hashcat keeps showing the Speed as 3 H/s or 2 H/s on this particular type of file/encryption, and I’m using a MacBook Pro that has a GPU. Trying the “common subsets” of rockyou currently.
I could literally type each word in rockyou faster than this!!

At least you can bruteforce xD. My hashcat didn't go beyond 0.00%.

Next step will be to “kewl” Batman fansites; after that, thinking of scraping the closed captioning of all Batman movies to make wordlists.

I may be wrong but I suspect we can obtain the user flag without fully decrypting… I think we can extract everything we need using common tools.

OK, so I have been able to get to a pretty decent state where I should have got a ping back via the faces, but I am not getting anything from tcpdump listening for echoes, and I got a 500 error after trying to exploit it via bu**.

^^ I’m using the same tool, and getting the same (lack of) result. Looking at the error, I think it doesn’t like the request I’m sending to it… need to understand the interaction more.

@MinatoTW said:

Guys about the wordlist as it’s taking a lot of time, you can intelligently create a “subset” wordlist from rockyou depending on the box. :wink: Sometimes it’s important to narrow down your resources.

Thanks!! This hint helped me crack it.

Guys, we are making some headway. A friend and I beat our heads off a wall most of the night, but by today I am hearing we might have a way, after a few kind messages from the creator of this box. I guess the best thing I can say here is: pay attention to the payload carefully and figure out how to validate that data so the back end will accept it.

So, I’m able to execute commands on remote machine, but I’m struggling to get a shell. Some hints?
Really interesting box!

@D4n1aLLL said:

@MinatoTW said:

Guys about the wordlist as it’s taking a lot of time, you can intelligently create a “subset” wordlist from rockyou depending on the box. :wink: Sometimes it’s important to narrow down your resources.

Thanks!! This hint helped me crack it.

I cracked it, but I don’t think I’ve obtained any additional useful information from that. I was able to get all the files which I think are important quickly by using common tools.

We're obviously dealing with a blind injection here, so we have to find a way to get the output of the command outside of a curl callback. My friend has some good results; I am working with him to expand access. Let's do this, guys, we've got this, all of us.

Without trying to give too much of the game away, has anybody worked out how to deconstruct the long string yet? I’ve got the encryption bit, but I'm struggling on the hash bit. I know the algorithm but can’t get my head around how the hash is actually calculated and/or incorporated into the long string. Until I work out how to deconstruct one, I can’t be certain I’m building my own payloads properly… argh! PM?