Official discussion thread for Intentions. Please do not post any spoilers or big hints.
Hard Linux machine, I hope to have it completed before my birthday on Friday
Looking forward to learning something new
“Hello my friends, stay a while and keep hacking” - Deckard Cain
sure is a tough one
I’m still not able to figure out what the attack vector is
Not sure but it must have to do with the new feature. Was able to get a 500 server error but nothing more …
I was able to get a blank page, but how did you get a 500 server error?
I tried sqlmap already but it doesn’t seem like there is SQL injection :/
I could be wrong though
ay same, high level with second_req was not very fruitful
Something interesting is that you could use nature\n and it still works
This is interesting. Can anyone give hints on the language used to parse the Favorite Genres? Tried to dig more but still …
O_o I think I got something, not sure if it’s of any use though. ffuf showed me before that there is a directory called /st*****, but I wasn’t able to access it before cos forbidden. Then I did something to the JavaScript parameters and now every time I log in to the user, it goes to the st***** but throws a forbidden
I’m feeling you may be onto something there.
I’ve been looking at some of the Burp Suite requests and maybe there’s something there. I’m just trying to find everywhere that accepts POST,
e.g.: /a**/v*/g******/i*****
Every time we log in, the request first goes to /st***** and then to /g******, which is why when I changed the value of the parameter, it is throwing forbidden. At least that’s what I think is happening
I don’t know if that’s interesting, but if you try to access /ga**** without authentication and change the Host header, it’ll redirect you to that host, and the same in the JWT.
EDIT: in the JWT token admin = 0, so can we use the Host header injection to make it 1?
tbh something like that seems like the path; looks like the goal of the first part is probably to access the admin directory and somehow get a foothold from there by changing the admin value on different accounts to 1
either that or it’s a major rabbit hole