Official discussion thread for Neonify. Please do not post any spoilers or big hints.
I would love to get a hint / maybe someone is interested in doing it together on Discord
@v3ctr0n
It seems there is some whitelisting going on... is it really bypassable? Hints?
Maybe HTTP Request Smuggling.
But it only affects WEBrick 1.6.0 or prior
UPDATE: Resolved.
@tidena Yes, possible.
Hello fellas,
I don't know what to do.
I tried the chunked method but my request led to nothing.
I would really really really like a hint;
I asked on Discord but no reply;
I also don't mind if you could give me the full walkthrough, but one hint is enough for now please.
I tried but it still gives malicious input detected.
You might want to look into the regex further. It might be more INSECURE than you think.
If anyone gets stuck or wants a nudge feel free to dm
You don't need to know anything about Docker really unless you want to run the machine locally for testing.
For anyone looking for a hint, the most important thing for any web challenge is to find any user controlled input, and then follow it all the way through the code. As you follow that code path, google any functions or packages that are acting on it that you don't know what they are or understand what they are doing.
If you understand what is happening, then still google the function or package but add "exploit" or "vulnerability" to the search and see if you get any interesting results.
Just doing that you'll knock out a majority of the challenges, as well as gain a lot of understanding about how various programming languages work.
I didn't find this to be "easy". I definitely made assumptions on the vulnerability and followed a rabbit hole that consumed about two days; HTTP Smuggling was not a fruitful endeavor for me, though it seems @h47d3n may have had luck with smuggling (I'd love to see how you did that).
Some helpful comments from @Gizzle definitely led me down a path to resolution, though the implementation was not quite so straightforward. Also, I wasted a lot of time using Burp; curl was definitely the way to go with this particular exploit, though. Hint: I was also successful just pasting my payload in the browser web dev tools feature, but could still not get Burp to treat me right.
Definitely not easy, but glad to hear you got it @nv1us! I also got the flag using curl.
Last hint for people getting stuck on the payload part: when you try to encode the payload, make sure ALL special characters are encoded. Burp's CTRL+U is not your friend.
I also use curl to bypass.
Just pay attention to the regular expression.
Thanks. I'll read about request smuggling.
Hi, I am new here.
After checking several HTTP smuggling payloads, all return malicious detected.
Hope someone can give me some hints.
Some tips regarding testing vulnerabilities that have helped me in this machine and others:
- Read the source code line by line and file to file, at least 3/4 times
- If there is a library, command or piece of code that you don't understand, google it until you do
- In the source code that is given to you, if the flag is not in a DB and is on the file system, that means that there must be a way for you to execute code and access the flag on the target file system.
- There must also be a way for you to input a command or piece of code into the code (user input being one way)
- From my experience, a lot of time is wasted on network requests and encoding/decoding. You might have the answer in your hand, but a tiny encoding issue can make it wrong.
- Best way to debug and try encoding issues is to run the docker container, and hard code user inputs without receiving them over network requests to make sure you are not messing up in the encoding part until you have a working exploit. Then you can go backwards in steps and see where the encoding is being the problem and research it.
- For regex, a google search for "online regex test" will give you nice and descriptive websites which allow you to try different things
Best of luck, and remember that the flag may be closer to you than you think, so don't give up!
Found out it uses whitelisting with regex but don't know how to escape it. Any hints?
@inth3wild showed me he did it in Burp Suite. curl not required
To everyone who's trying out this challenge:
I can confirm that cURL is the best tip given.
The weakness was easy enough to find, but I really struggled with the payload.
If anyone needs a hint, feel free to DM me.