Finally completed it too. I got no clue how that is an Easy level, unless I’m missing something crucial.

This one’s kicking my rear. I have an idea of what I should be trying to do (I think), I just don’t know how to actually do it.

Update: Got the flag! I learned about an EXCESSively cool type of attack and techniques I hadn’t seen before on the way. I concur with kavigihan; once I’d read up on the vulnerability class, exploitation was super straightforward but I sunk two days into this challenge fumbling around before that.

I had some trouble with the docker provided with this chall. There is a missing lib so puppeteer won’t work and the form to submit url won’t work either 🙂

I had to
$ apt-get install libxshmfence1
in the docker to get everything working properly.
Or you can fix it in the Dockerfile.

The version of puppeteer is outdated and I got this error when I tried to launch puppeteer in the docker

            reject(new Error([

Error: Failed to launch the browser process!
/app/node_modules/puppeteer/.local-chromium/linux-901912/chrome-linux/chrome: error while loading shared libraries: cannot open shared object file: No such file or directory

Hope it helps

Nice chall btw

Is it possible to solve this challenge without hosting my own web page?

If you have a router and can configure it, you can use port forwarding to send traffic to a specific port and host a webpage with python -m http.server.

Any hints for obtaining the web flag?

I’ve been looking at this for some hours, poked at the only obvious vector.

I can do one thing and another thing, but failed when I tried to chain them together. I saw many people here talking about CORS but I’m not sure if that’s applicable in that case - if I can do them individually then why can’t I do them combined? Any help would be appreciated.

P.S. I’m not sure if the docker image has changed, but I have to manually add libxshmfence1 libglu1 to the list of packages installed for puppeteer to work.

Do I have to pay for the pro version to solve this challenge?

There is a landing page and puppeteer actually needs to click it.

No, ngrok is just a tunnel. To host a page or get requests or anything, I just use the Python simple HTTP server.

So use ngrok to tunnel traffic to, say, port 8080, then use “python -m http.server 8080”, and then any traffic that goes to the link ngrok gives you is directed to your HTTP server.

I don’t get it… I used ngrok to redirect to my local environment, and then when I put the ngrok URL in the submit I don’t receive any HTTP request from the page. BUT when I used a recently created webhook I received an HTTP request.

I’m doing something wrong, or ngrok does not apply for this challenge?

Since some time in the past, ngrok will display a landing page before loading any content from the user as a misuse prevention measure. That’s documented on their website. This means that it cannot be used to solve this challenge unless you pay.

I can accept DMs.