Official AbuseHumanDB Discussion

Official discussion thread for AbuseHumanDB. Please do not post any spoilers or big hints.

Hey everyone, can I have a little nudge for the challenge? I see two possible paths for it but I’m completely stuck on either. Feel free to PM as I can’t make myself clearer without spoiling anything.

Thanks in advance

I’m pretty stuck too :<

Hi ya, how you’re getting on with AbuseHumanDB? Feel free to PM

Does this room require any XSS? I think I’m just going down a big rabbithole chasing request headers

I think the secret is in the pupeteer that is used on the main page, since it’s able to visit other pages, but i can’t get over CORS

Also stuck.

I know that with pupeteer you can interact with DevTools but I dont know if it is the right direction…

I got over that using a CORS proxy. You can make your own or there are plenty available on the github

Ok found it! Bypassing CORS (but not realy bypassing them) is the right direction. (dont be so blind :stuck_out_tongue: )

I dont know who scored this one as “easy” but it is not.

Hello. I am new to this forum (and to hacking in general), so I don’t really understand how to discuss (or rather ask about) this challenge without spoiling a bit…? I have two solutions in mind that use puppeteer but there are problems with both (maybe a trick or a tool exists that I don’t know about)…

EDIT (hope there are no spoilers, if there are any, please notify me!) : To be precise, I think I need to run javascript on the server somehow. This could be done by inputting the URL of a file that has my script and letting it run on puppetteer, or by injecting JS in the URL directly. I don’t know if the second method is even possible; and as for inputting the URL of a file, the only way I can think of to do that is to create a webserver and forward its port… but I think this is definitely not the way to go… am I on the right track? Can someone point me to useful readings?

Hey i also have no clue how to solve the AbuseHumanDB thing. Nothing seems to work, so you can share if you find a way to do it

Ok, this is the challenge that, if you have an exfil point it’s a lot easier. If not and you don’t want to put you card on some cloud service, you will be literally a hacker full-of-hack attacks.

I swear not giving spoilers.

P.S.
Check the syntax of the query you are attacking when you code your exploit.

P.S. 2 (launched 2000)
Thanks @plann1n3 for the slight tip but that helped me a lot.

Anybody have some information on how to get the flag from the webapp?

This is intense

Honestly didn’t think this attack could work, very fun machine

(post deleted by author)

If you’re running into problems with CORS, keep trying, come up with different ideas, hit the googles, eventually you will persevere.

I’m guessing the like/dislike ratio for this is because people find the exfil annoying, but I appreciated it, as it forced me to learn how to speed everything up.

learned quite a bit from this challenge, thanks!

Can you give this poor man a hint? I’m still a noob :frowning:

Edit:

Dude… got the flag. This one’s not easy. It was really frustrating for someone like me just starting.

Finally, finished this beast. If you did the correct google search, this is a sure easy one, if not, boy this is hard. DM if you are stuck kavigihan#8518

1 Like