Official DoxPit Discussion

Official discussion thread for DoxPit. Please do not post any spoilers or big hints.

what the f is the way to interact with the backend

Sometimes you need to check something before the code

How to interact with backend???

in AV, there is an unsafe method being called that should suggest a certain type of exploit, and the fact that the author blacklists certain characters in a parameter

Any hints? Did you figure it out?

Do you have any hints for the filter bypass?
I just can’t figure it out

I’m trying to bypass the filter, I bypassed all the chars except the “\”

Do you have a critical hint that gets me out of this challenge? Btw ChatGPT is not helpful for me, he always uses badchars to fix my payload.

I was frustrated for a while, but it was super satisfying figuring out how to talk to the backend!

I was able to interact with the backend and register but I can’t get the token. I tried with curl and Burp Suite but I get the same result, the response is {}.

Help would be appreciated :slight_smile:

how to interact with backend

Stuck on how to bypass the characters _ and .
Can anyone give me a nudge on how to move forward :question:

Hey guys, I’m stuck. I managed to resolve the chall locally, but when I try to get the flag from the instance I can’t get it.

after 4 hours I could finally solve it. probably the hardest one I’ve done so far

anybody pls nudge me, how to interact with background. Stuck on 1st step

Wow this was a cool one - very interested to see how others did the last part, if you are keen to swap let me know!

Pretty hard one. Nudge for tips.

One of the best medium level challenges I ever did (maybe it's a bit above medium). For anyone that is stuck with the filters, the following guide is very helpful

When you combine it with the PayloadsAllTheThings SSTI repo you will be able to construct a valid payload. Maybe there is more than one way to exploit this; mine was veery ugly, like around 700 chars :joy:

1. next@14.1.0 vulnerability.
2. SSTI keywords bypass.