Official discussion thread for DoxPit. Please do not post any spoilers or big hints.
what the f is the way to interact with the backend
Sometimes you need to check something before the code
How to interact with backend???
in AV, there is an unsafe method being called that should suggest a certain type of exploit, and the fact that the author blacklists certain characters in a parameter
any hints? did you figure it out?
that filter bypass is crazy. nice challenge.
Do you have any hints for the filter bypass?
I just can’t figure it out
I would tag ssti
blind injection
rce
jinja2
filter bypass
and we got google vs chatgpt. no more hints.
why would I be googling jinja2 ssti?
I’m trying to bypass the filter, I bypassed all the chars except the “\”
do you have a critical hint that gets me out of this challenge? Btw ChatGPT is not helpful for me, he always uses badchars to fix my payload.
actually you don’t need a backslash, and you don’t need chatgpt either. all you need is to read some pages and figure out how to smuggle a character.
I was frustrated for a while, but it was super satisfying figuring out how to talk to the backend!
I was able to interact with the backend and register but I can’t get the token. I tried with curl and Burp Suite but I get the same result, the response is {}.
Help would be appreciated
how to interact with backend
stuck on how to bypass the character _ and .
can anyone give me a nudge on how to move forward
Hey guys, I’m stuck. I managed to resolve the chall locally, but when I try to get the flag from the instance I can’t get it
after 4 hours I could finally solve it. probably the hardest one I’ve done so far
anybody pls nudge me, how to interact with background. Stuck on 1st step
Wow this was a cool one - very interested to see how others did the last part, if you are keen to swap let me know!
Pretty hard one. Nudge for tips.