EasterBunny HTB challenge
I haven't solved it yet. But I do know it involves cache poisoning through headers and parameters. That's as far as I have got.
Have you made any progress?
Reply
(May 3, 2022, 08:50 PM)Internetdreams Wrote: Anyone managed to solve this?

Sorry to interrupt, but have you finished AbuseHumanDB? Thank you.
Reply
(May 4, 2022, 07:18 PM)NoobHTB Wrote:
(May 3, 2022, 08:50 PM)Internetdreams Wrote: Anyone managed to solve this?

Sorry to interrupt, but have you finished AbuseHumanDB? Thank you.


The flag is stored in a database and the /api/entries/search?q= endpoint allows users to query this db. But there's a surprise: the code tells us that API requests from the localhost will have access to entries with approved=0. Anyway, you still can write your own queries and abuse it. It's not an easy challenge.
Flag: HTB{5w33t_ali3ndr3n_0f_min3!}
The code tells us that API requests from the localhost will have access to entries with an “approved” value equal to zero; we need to access Flag: HTB{5w33t_ali3ndr3n_0f_min3!
Reply
(May 4, 2022, 09:06 PM)undeadly Wrote:
(May 4, 2022, 07:18 PM)NoobHTB Wrote:
(May 3, 2022, 08:50 PM)Internetdreams Wrote: Anyone managed to solve this?

Sorry to interrupt, but have you finished AbuseHumanDB? Thank you.


The flag is stored in a database and the /api/entries/search?q= endpoint allows users to query this db. But there's a surprise: the code tells us that API requests from the localhost will have access to entries with approved=0. Anyway, you still can write your own queries and abuse it. It's not an easy challenge.
Flag: HTB{5w33t_ali3ndr3n_0f_min3!}
The code tells us that API requests from the localhost will have access to entries with an “approved” value equal to zero; we need to access Flag: HTB{5w33t_ali3ndr3n_0f_min3!

If you don't mind, can you help me with this chall, ExpressionalRebel?
I have read two writeups:
[Hackthebox] - ExpressionalRebel Writeup (tistory.com)
HTB: ExpressionalRebel - DEV Community
But when I tried them, both of them failed.
Reply
(May 6, 2022, 01:31 PM)NoobHTB Wrote:
(May 4, 2022, 09:06 PM)undeadly Wrote:
(May 4, 2022, 07:18 PM)NoobHTB Wrote:
(May 3, 2022, 08:50 PM)Internetdreams Wrote: Anyone managed to solve this?

Sorry to interrupt, but have you finished AbuseHumanDB? Thank you.


The flag is stored in a database and the /api/entries/search?q= endpoint allows users to query this db. But there's a surprise: the code tells us that API requests from the localhost will have access to entries with approved=0. Anyway, you still can write your own queries and abuse it. It's not an easy challenge.
Flag: HTB{5w33t_ali3ndr3n_0f_min3!}
The code tells us that API requests from the localhost will have access to entries with an “approved” value equal to zero; we need to access Flag: HTB{5w33t_ali3ndr3n_0f_min3!

If you don't mind, can you help me with this chall, ExpressionalRebel?
I have read two writeups:
[Hackthebox] - ExpressionalRebel Writeup (tistory.com)
HTB: ExpressionalRebel - DEV Community
But when I tried them, both of them failed.

Didn't try this yet. Will do later.
Reply
Does anyone have a writeup for the Easter Bunny challenge?


Can anyone help me with this challenge?
Reply
Anyone solved?

Can you guys help me?
Reply
(May 3, 2022, 08:50 PM)Internetdreams Wrote: Anyone managed to solve this?


I read this writeup:
[Hackthebox] EasterBunny Writeup (Problem Solving) (tistory.com)
I tried modifying the href value of the base tag to my address (I use ngrok). It doesn't work.
Any help is appreciated. Thanks, bro.
Reply
(May 11, 2022, 12:20 PM)NoobHTB Wrote:
(May 3, 2022, 08:50 PM)Internetdreams Wrote: Anyone managed to solve this?


I read this writeup:
[Hackthebox] EasterBunny Writeup (Problem Solving) (tistory.com)
I tried modifying the href value of the base tag to my address (I use ngrok). It doesn't work.
Any help is appreciated. Thanks, bro.


Don’t forget to change the Host header to 127.0.0.1
Reply
(May 11, 2022, 11:33 PM)mrfart Wrote:
(May 11, 2022, 12:20 PM)NoobHTB Wrote:
(May 3, 2022, 08:50 PM)Internetdreams Wrote: Anyone managed to solve this?


I read this writeup:
[Hackthebox] EasterBunny Writeup (Problem Solving) (tistory.com)
I tried modifying the href value of the base tag to my address (I use ngrok). It doesn't work.
Any help is appreciated. Thanks, bro.


Don’t forget to change the Host header to 127.0.0.1

Can I send you a PM? I'm really stuck. This is my Discord
Reply

