FLAG Context Fortress
by y0ukn0wm3 - October 24, 2020 at 03:32 PM
#13
i'm checking the mailbox but couldn't find anything use full
can some one help ?
Reply
#14
i need help from second flag please can anyone help please please guys
Reply
#15
quick guide for first 3 flags

Nmap

443/tcp  open  ssl/https
1433/tcp open  ms-sql-s      Microsoft SQL Server 2019 15.00.2070.00; GDR1
|  DNS_Domain_Name: TEIGNTON.HTB
3389/tcp open  ms-wbt-server Microsoft Terminal Services

Add 10.13.37.12 TEIGNTON.HTB to /etc/hosts
Browse TEIGNTON.HTB
Look at source page
Find comment with 1st  flag and a username:password

Dirbuster
/admin
/owa

Login to /admin with the credentials
/admin/management
Can do SQL-injection

SQLmap –r
Get POST from burp and paste into file, add https:// and url to file
sqlmap –r file.txt
find databases
find tables in user database
dump username,password
get 2nd flag and a new user:password

Outlook
Use new credentials on /owa
“open other mailbox”
Search for the first username
Looks in sent messages and find 3rd flag

+rep me for more flags/better details
Reply
#16
I have a CONTEXT WRITEUP from 1st to 6th flag

https://shoppy.gg/product/hTT0j8D

Still working on 7th flag...
Reply
#17
(November 14, 2020 at 12:12 AM)raidmail2020 Wrote: I have a CONTEXT WRITEUP from 1st to 6th flag

https://shoppy.gg/product/hTT0j8D

Still working on 7th flag...

I don't have ethereum or bitcoin, is an amazon gift card okay?
Reply
#18
(November 13, 2020 at 11:03 AM)whocaresboutchees Wrote: quick guide for first 3 flags

Nmap

443/tcp  open  ssl/https
1433/tcp open  ms-sql-s      Microsoft SQL Server 2019 15.00.2070.00; GDR1
|  DNS_Domain_Name: TEIGNTON.HTB
3389/tcp open  ms-wbt-server Microsoft Terminal Services

Add 10.13.37.12 TEIGNTON.HTB to /etc/hosts
Browse TEIGNTON.HTB
Look at source page
Find comment with 1st  flag and a username:password

Dirbuster
/admin
/owa

Login to /admin with the credentials
/admin/management
Can do SQL-injection

SQLmap –r
Get POST from burp and paste into file, add https:// and url to file
sqlmap –r file.txt
find databases
find tables in user database
dump username,password
get 2nd flag and a new user:password

Outlook
Use new credentials on /owa
“open other mailbox”
Search for the first username
Looks in sent messages and find 3rd flag

+rep me for more flags/better details

For second flag,
how did you use sqlmap -r 
It says 
[CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)

this is my request
POST /Admin/AddProduct HTTP/1.1
Host: https://teignton.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://teignton.htb/Admin/Management
Content-Type: application/x-www-form-urlencoded
Content-Length: 221
Connection: close
Cookie: .AspNetCore.Antiforgery.oS4Q00mERc0=CfDJ8AIJMYt2J9dErP3tl2JmzsOitkwyziYVsrELJxFK4iTZWZZJy9dIeTsmSnof1dU4IpPBExFN_o3IUFc43hDGuW6KXuwtaAqXzOPOMaPfWLbyHjMomxWXiPU8nryw1gjoXaFuPgmWhs1FOoSZ0x-XRwo; .AspNetCore.Session=CfDJ8AIJMYt2J9dErP3tl2JmzsN0QZwLd65OlSLOF0Eh1%2BAILK55eeYHVkIo1%2Bb8VeyInysl3TH4X4etVbuyZNYpRYdZ3a0GEQkKo7D4t21Pg5zoDrMsLTRRNdRTUWd4ZlkDZHoFefkhE6kMWOEBmNqcBBflAuC1XMspwLlZgXgYVdeY
Upgrade-Insecure-Requests: 1

certified=1&__RequestVerificationToken=CfDJ8AIJMYt2J9dErP3tl2JmzsOLiSfhlOp22BraoraHwTMTkDu3KB6lYYfmvAosG7yHA_XGTStg_UkOS_G04PbkapMjWvrrW07Nqds9LOrQ_t8zrOUHfAFfJuyXMwmfRn-w9bXgr2al5yvX2h-vXYZ6zuQ
can some one help me...
Reply
#19
(November 27, 2020 at 07:09 AM)esh_din1 Wrote:
(November 13, 2020 at 11:03 AM)whocaresboutchees Wrote: quick guide for first 3 flags

Nmap

443/tcp  open  ssl/https
1433/tcp open  ms-sql-s      Microsoft SQL Server 2019 15.00.2070.00; GDR1
|  DNS_Domain_Name: TEIGNTON.HTB
3389/tcp open  ms-wbt-server Microsoft Terminal Services

Add 10.13.37.12 TEIGNTON.HTB to /etc/hosts
Browse TEIGNTON.HTB
Look at source page
Find comment with 1st  flag and a username:password

Dirbuster
/admin
/owa

Login to /admin with the credentials
/admin/management
Can do SQL-injection

SQLmap –r
Get POST from burp and paste into file, add https:// and url to file
sqlmap –r file.txt
find databases
find tables in user database
dump username,password
get 2nd flag and a new user:password

Outlook
Use new credentials on /owa
“open other mailbox”
Search for the first username
Looks in sent messages and find 3rd flag

+rep me for more flags/better details

For second flag,
how did you use sqlmap -r 
It says 
[CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)

this is my request
POST /Admin/AddProduct HTTP/1.1
Host: https://teignton.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://teignton.htb/Admin/Management
Content-Type: application/x-www-form-urlencoded
Content-Length: 221
Connection: close
Cookie: .AspNetCore.Antiforgery.oS4Q00mERc0=CfDJ8AIJMYt2J9dErP3tl2JmzsOitkwyziYVsrELJxFK4iTZWZZJy9dIeTsmSnof1dU4IpPBExFN_o3IUFc43hDGuW6KXuwtaAqXzOPOMaPfWLbyHjMomxWXiPU8nryw1gjoXaFuPgmWhs1FOoSZ0x-XRwo; .AspNetCore.Session=CfDJ8AIJMYt2J9dErP3tl2JmzsN0QZwLd65OlSLOF0Eh1%2BAILK55eeYHVkIo1%2Bb8VeyInysl3TH4X4etVbuyZNYpRYdZ3a0GEQkKo7D4t21Pg5zoDrMsLTRRNdRTUWd4ZlkDZHoFefkhE6kMWOEBmNqcBBflAuC1XMspwLlZgXgYVdeY
Upgrade-Insecure-Requests: 1

certified=1&__RequestVerificationToken=CfDJ8AIJMYt2J9dErP3tl2JmzsOLiSfhlOp22BraoraHwTMTkDu3KB6lYYfmvAosG7yHA_XGTStg_UkOS_G04PbkapMjWvrrW07Nqds9LOrQ_t8zrOUHfAFfJuyXMwmfRn-w9bXgr2al5yvX2h-vXYZ6zuQ
can some one help me...

Make sure you have a request with a valid session cookie
Include all params into the request body but inject only on certified param, using the placeholder certified=*
Use --dbms=mssql if you want to speed up things a little...

Once you get the injection technique
  Parameter: #1* ((custom) POST)
      Type: stacked queries

sqlmap could save the progress, so if it stops you could simply restart it
Reply
#20
(November 27, 2020 at 10:23 AM)raidmail2020 Wrote:
(November 27, 2020 at 07:09 AM)esh_din1 Wrote:
(November 13, 2020 at 11:03 AM)whocaresboutchees Wrote: quick guide for first 3 flags

Nmap

443/tcp  open  ssl/https
1433/tcp open  ms-sql-s      Microsoft SQL Server 2019 15.00.2070.00; GDR1
|  DNS_Domain_Name: TEIGNTON.HTB
3389/tcp open  ms-wbt-server Microsoft Terminal Services

Add 10.13.37.12 TEIGNTON.HTB to /etc/hosts
Browse TEIGNTON.HTB
Look at source page
Find comment with 1st  flag and a username:password

Dirbuster
/admin
/owa

Login to /admin with the credentials
/admin/management
Can do SQL-injection

SQLmap –r
Get POST from burp and paste into file, add https:// and url to file
sqlmap –r file.txt
find databases
find tables in user database
dump username,password
get 2nd flag and a new user:password

Outlook
Use new credentials on /owa
“open other mailbox”
Search for the first username
Looks in sent messages and find 3rd flag

+rep me for more flags/better details

For second flag,
how did you use sqlmap -r 
It says 
[CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)

this is my request
POST /Admin/AddProduct HTTP/1.1
Host: https://teignton.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://teignton.htb/Admin/Management
Content-Type: application/x-www-form-urlencoded
Content-Length: 221
Connection: close
Cookie: .AspNetCore.Antiforgery.oS4Q00mERc0=CfDJ8AIJMYt2J9dErP3tl2JmzsOitkwyziYVsrELJxFK4iTZWZZJy9dIeTsmSnof1dU4IpPBExFN_o3IUFc43hDGuW6KXuwtaAqXzOPOMaPfWLbyHjMomxWXiPU8nryw1gjoXaFuPgmWhs1FOoSZ0x-XRwo; .AspNetCore.Session=CfDJ8AIJMYt2J9dErP3tl2JmzsN0QZwLd65OlSLOF0Eh1%2BAILK55eeYHVkIo1%2Bb8VeyInysl3TH4X4etVbuyZNYpRYdZ3a0GEQkKo7D4t21Pg5zoDrMsLTRRNdRTUWd4ZlkDZHoFefkhE6kMWOEBmNqcBBflAuC1XMspwLlZgXgYVdeY
Upgrade-Insecure-Requests: 1

certified=1&__RequestVerificationToken=CfDJ8AIJMYt2J9dErP3tl2JmzsOLiSfhlOp22BraoraHwTMTkDu3KB6lYYfmvAosG7yHA_XGTStg_UkOS_G04PbkapMjWvrrW07Nqds9LOrQ_t8zrOUHfAFfJuyXMwmfRn-w9bXgr2al5yvX2h-vXYZ6zuQ
can some one help me...

Make sure you have a request with a valid session cookie
Include all params into the request body but inject only on certified param, using the placeholder certified=*
Use --dbms=mssql if you want to speed up things a little...

Once you get the injection technique
  Parameter: #1* ((custom) POST)
      Type: stacked queries

sqlmap could save the progress, so if it stops you could simply restart it

Thanks for your time about explaining 😃

this is what happened.I just waited 30 minutes but no result 😥.

[18:26:28] [INFO] parsing HTTP request from '.\context.txt'
custom injection marker ('*') found in POST body. Do you want to process it? [Y/n/q] Y
[18:26:44] [INFO] testing connection to the target URL
[18:27:05] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[18:27:05] [WARNING] if the problem persists please check that the provided target URL is reachable. In case that it is, you can try to rerun with switch '--random-agent' and/or proxy switches ('--ignore-proxy', '--proxy',...)
[18:28:09] [CRITICAL] unable to connect to the target URL
[18:28:09] [INFO] testing if the target URL content is stable
[18:28:30] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[18:29:33] [CRITICAL] unable to connect to the target URL
[18:29:33] [ERROR] there was an error checking the stability of page because of lack of content. Please check the page request results (and probable errors) by using higher verbosity levels
[18:29:33] [INFO] testing if (custom) POST parameter '#1*' is dynamic
[18:29:54] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[18:30:58] [CRITICAL] unable to connect to the target URL
[18:30:58] [WARNING] (custom) POST parameter '#1*' does not appear to be dynamic
[18:31:19] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
there seems to be a continuous problem with connection to the target. Are you sure that you want to continue? [y/N] y
[18:32:29] [CRITICAL] unable to connect to the target URL
[18:32:29] [WARNING] heuristic (basic) test shows that (custom) POST parameter '#1*' might not be injectable
[18:32:50] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[18:33:53] [CRITICAL] unable to connect to the target URL
[18:33:53] [INFO] testing for SQL injection on (custom) POST parameter '#1*'
[18:33:53] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[18:34:14] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[18:35:18] [CRITICAL] unable to connect to the target URL
[18:35:39] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[18:36:42] [CRITICAL] unable to connect to the target URL
[18:37:03] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[18:38:06] [CRITICAL] unable to connect to the target URL
[18:38:27] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[18:39:30] [CRITICAL] unable to connect to the target URL
[18:39:51] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[18:40:55] [CRITICAL] unable to connect to the target URL
[18:40:55] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[18:41:16] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[18:42:19] [CRITICAL] unable to connect to the target URL
[18:42:19] [INFO] testing 'Generic inline queries'
[18:42:40] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[18:43:43] [CRITICAL] unable to connect to the target URL
[18:43:43] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[18:44:04] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[18:45:07] [CRITICAL] unable to connect to the target URL
[18:45:28] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[18:46:32] [CRITICAL] unable to connect to the target URL
[18:46:53] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[18:47:56] [CRITICAL] unable to connect to the target URL
[18:48:17] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[18:49:20] [CRITICAL] unable to connect to the target URL
[18:49:41] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[18:50:44] [CRITICAL] unable to connect to the target URL
[18:50:44] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[18:51:05] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[18:52:09] [CRITICAL] unable to connect to the target URL
.
[18:52:30] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[18:53:33] [CRITICAL] unable to connect to the target URL
.
[18:53:54] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[18:54:57] [CRITICAL] unable to connect to the target URL
.
[18:55:18] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[18:56:21] [CRITICAL] unable to connect to the target URL
.
[18:56:42] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[18:57:46] [CRITICAL] unable to connect to the target URL
.
[18:58:07] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[18:59:10] [CRITICAL] unable to connect to the target URL
.
[18:59:31] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[18:59:52] [WARNING] user aborted during detection phase
how do you want to proceed? [(S)kip current test/(e)nd de
Reply
#21
try the --force-ssl parameter with sqlmap
Reply

Possibly Related Threads…
Thread Author Replies Views Last Post
SELLING Fortress Context Flags yexsas 9 1,694 Yesterday at 10:32 PM
Last Post: bombahero
SELLING HTB Context WRITEUP (up to 6th flag) raidmail2020 3 525 Yesterday at 04:23 PM
Last Post: bakie
SELLING CONTEXT ALL 7 FLAGS (only 8 credits) 0xvijay 1 317 November 25, 2020 at 06:03 PM
Last Post: Kali76

 Users browsing this thread: 1 Guest(s)