USING WEB PROXIES
OBJECTIVE: utilize Burp/ZAP to answer the questions
The /lucky.php page has a button that appears to be disabled. Try to enable the button, and then click it to get the flag.
# DEV TOOLS PROCEDURE #
-----------------------
root@htb:~$ BROWSER > http://94.237.48.73:36264/lucky.php
F12 > <form id="form1" class="form" name="fetflag" method="post">
* MUST change <button id="submit"...disabled=""> to
<button id="submit"...enabled="true">
- keep resubmitting the form with enabled="true" until the flag is revealed; took 10+ clicks
* HTB{d154bl3d_bu770n5_w0n7_570p_m3}
# BURP SUITE PROCEDURE #
------------------------
root@htb:~$ BROWSER > FoxyProxy
* Enable Burp proxy or use Burp's Built-In Browser
root@htb:~$ BROWSER > http://94.237.48.73:36264/lucky.php
F12 > <form id="form1" class="form" name="fetflag" method="post">
remove the "disabled" keyword/attribute from the button
<button id="submit"...disabled=""> then click the button on the page
root@htb:~$ BURP > Proxy > Intercept > Intercept is On
* click the button on target site
* ensure the disabled="" attribute is removed
root@htb:~$ BURP > Proxy > Intercept > right-click any spot on request > Send to Repeater
* GET /lucky.php HTTP/1.1
root@htb:~$ BURP > Repeater > Send
root@htb:~$ BURP > Repeater > Response > Render > Send
root@htb:~$ BURP > Repeater > Send
* keep sending the request until the flag displays on the rendered page
* HTB{d154bl3d_bu770n5_w0n7_570p_m3}
# ZAP PROCEDURE #
-----------------
root@htb:~$ OWASP Zap > Set Break On All Requests & Responses
* this will enable ZAP to capture network traffic
root@htb:~$ BROWSER > FoxyProxy
* Enable Burp proxy or use Burp's Built-In Browser
root@htb:~$ BROWSER > http://94.237.48.73:36264/lucky.php
F12 > <form id="form1" class="form" name="fetflag" method="post">
remove the "disabled" keyword/attribute from the button
<button id="submit"...disabled=""> then click the button on the page
root@htb:~$ ZAP > right-click any spot on request > Open/Resend w/ Request Editor > Response > Send
* keep sending and monitor the response HTML source code until the flag is displayed

The /admin.php page uses a cookie that has been encoded multiple times. Try to decode the cookie until you get a value with 31 characters. Submit the value as the answer.
Once you decode the cookie, you will notice that it is only 31 characters long, which appears to be an md5 hash missing its last character. So, try to fuzz the last character of the decoded md5 cookie with all alphanumeric characters, while encoding each request with the encoding methods you identified above. (You may use the "alphanum-case.txt" wordlist from SecLists for the payload.)
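A small layered-cookie decoder for the task above, added here as a worked example and not part of the HTB material or the module's own tooling. The cookie value and its hex -> base64 -> URL-encoding layering are constructed assumptions, since the page does not give the real cookie; the decoder peels whichever layers it recognises and stops at the 31-character value.

```python
import base64
import binascii
import hashlib
import re
from urllib.parse import quote, unquote

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def peel_layer(value: str):
    """Try one decoding layer; return (layer_name, decoded) or None if none applies."""
    # URL-encoding: only counts if a percent sequence actually decodes to something
    if "%" in value and unquote(value) != value:
        return "url", unquote(value)
    # Hex: even length, hex alphabet, and the bytes must be printable ASCII
    if len(value) % 2 == 0 and HEX_RE.match(value):
        try:
            decoded = bytes.fromhex(value).decode("ascii")
            if decoded.isprintable():
                return "hex", decoded
        except (ValueError, UnicodeDecodeError):
            pass
    # Base64: strict validation so a plain hex string is not misread as base64
    if len(value) % 4 == 0 and B64_RE.match(value):
        try:
            decoded = base64.b64decode(value, validate=True).decode("ascii")
            if decoded.isprintable():
                return "base64", decoded
        except (binascii.Error, UnicodeDecodeError):
            pass
    return None


def decode_layers(value: str, max_layers: int = 10):
    """Peel layers until none applies; return (list of layer names, final value)."""
    layers = []
    while len(layers) < max_layers:
        result = peel_layer(value)
        if result is None:
            break
        name, value = result
        layers.append(name)
    return layers, value


def encode_layers(value: str) -> str:
    """Constructed sample encoding (hex -> base64 -> URL), the reverse of what decode_layers peels."""
    hexed = value.encode("ascii").hex()
    b64 = base64.b64encode(hexed.encode("ascii")).decode("ascii")
    return quote(b64, safe="")


# Constructed sample: a 31-character md5 prefix, as in the exercise (not the real cookie)
SAMPLE_PLAINTEXT = hashlib.md5(b"constructed-sample").hexdigest()[:31]
SAMPLE_COOKIE = encode_layers(SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    layers, final = decode_layers(SAMPLE_COOKIE)
    print(layers, final, len(final))
```

Once the decoder reports the layer order, the same order (reversed) is what each fuzzed candidate has to be re-encoded with before it is sent.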
You are using the 'auxiliary/scanner/http/coldfusion_locale_traversal' tool within Metasploit, but it is not working properly for you. You decide to capture the request sent by Metasploit so you can manually verify it and repeat it. Once you capture the request, what is the 'XXXXX' directory being called in '/XXXXX/administrator/..'?