DEV Community

Hacker101 CTF - Petshop Pro

DaNeil C on March 13, 2020

CTF Name: Petshop Pro
Resource: Hacker101 CTF
Difficulty: Easy
Number of Flags: 3
Note: NO, I won't be posting my found FLAGS, but I will be p...
 
Nikita Shchypylov

Please be aware that the post has a mistake in the hydra command: when you first try to get the correct username you want to check for the "Invalid username" error, not "Invalid password". Only when you have the username should you launch hydra with the "Invalid password" error check.
Hope that helps!

 
DaNeil C

That's interesting because it worked for me.... I was under the impression that the command "hydra -L rockyou.txt -p aaa 35.xxx.xxx.xxx http-post-form "/73fxxxxxxx/login:username=^USER^&password=^PASS^:Incorrect password" " was using the rockyou.txt for the usernames and waiting for the error to change to "incorrect password" to tell me that it was the correct username... no??

 
koroep • Edited

You need to use an error message which isn't on the page when it finds the right username. In this case, the login page will display the message "Invalid username" until you find the right one, which will then change to "Invalid password". So you want Hydra to know that it succeeds when the "Invalid username" is no longer displayed.

Thanks for the great post!
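The two comments above describe a login form whose error text differs depending on whether the username exists, which is what turns a password guesser into a username enumerator. The following is an added example (not code from the writeup or from the Hacker101 application) showing that differential response beside a hardened handler that returns one generic message and always performs the hash comparison, plus a self-check a defender can run against either handler. The user store, salt and passwords are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed demo user store: username -> salted PBKDF2 hash (no real accounts).
_SALT = b"constructed-demo-salt"


def _hash(password: str, salt: bytes = _SALT) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


USERS = {"admin": _hash("correct horse battery staple")}


def login_vulnerable(username: str, password: str) -> str:
    """Error text depends on whether the username exists: this is the
    'Invalid username' -> 'Invalid password' transition the thread relies on."""
    if username not in USERS:
        return "Invalid username"
    if not hmac.compare_digest(USERS[username], _hash(password)):
        return "Invalid password"
    return "OK"


# Hash of a random value, used so unknown usernames still cost a full
# PBKDF2 round; otherwise response timing would leak what the message hides.
_DUMMY_HASH = _hash(secrets.token_hex(16))


def login_hardened(username: str, password: str) -> str:
    """One generic message for both failure cases, constant-time comparison,
    and the same amount of work whether or not the username exists."""
    stored = USERS.get(username, _DUMMY_HASH)
    ok = hmac.compare_digest(stored, _hash(password))
    if ok and username in USERS:
        return "OK"
    return "Invalid username or password"


def leaks_username_existence(login_fn, valid_user="admin", unknown_user="nobody") -> bool:
    """Defender's self-check: with a wrong password for both a known-valid and an
    unknown username, does the handler answer differently?"""
    return login_fn(valid_user, "wrong-pass") != login_fn(unknown_user, "wrong-pass")


if __name__ == "__main__":
    for name, fn in (("vulnerable", login_vulnerable), ("hardened", login_hardened)):
        print(f"{name}: leaks username existence = {leaks_username_existence(fn)}")
```

The self-check compares message bodies only; in a real deployment the same comparison should be made on status code, response length and timing, since any of those can act as the "string the attacker keys on" just as well as the visible message.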

 
Middle

Where do you get the /73fxxxxxxx from?

 
Yudistira Arya Mutamang

Hello, I think you can easily find flag2 without signing in.
I noticed that after scanning the web directories with dirscan, I found the /edit page.
First, I tried to open that directory, but I got a 400 reply. Then I thought, "what if I provide an id in the URL?" So the web URL now looks like ip/edit?id=idhere.

Then I searched for possible ids, so I went to inspect element and found id 0 for cat, and id 1 for puppy.
Then I put the id into the URL that I mentioned before.
The URL now looks like this: ip/edit?id=0

Then voila..!! I entered the edit pages without being administrator.
On those pages, I tried to enter some XSS payloads, but nothing happened :D. So I came to this writeup and tried the payload.. and it works!!

Sorry for my bad English :(
And thank you for this writeup, I like it very much!

 
Tauseef Raza • Edited

Hey bro, I just wanted to tell you that /edit/id=0 OR /edit/id=1 works for flag2.
Change the name parameter to "" and keep everything else the same (I also changed the price to negative, like -1.0 or -2.0); in my case it worked for me. Save the changes now.
I added that item to my cart.
Go to checkout now, and here is your Flag2.
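The two preceding comments describe two separate weaknesses: the /edit page accepts an item id without checking that the caller is an administrator, and it stores whatever name and price are posted, so a negative price flows through the cart into checkout. The following is an added example (not code from the writeup or from the Hacker101 application) that puts the trusting versions of the edit and checkout steps beside hardened ones that check authorisation, validate the name and price, and recompute the order total from the server-side catalogue instead of the prices the client sends. The catalogue is constructed (ids 0 and 1 mirror the cat/puppy ids mentioned in the thread) and `session` is a plain dict standing in for a web framework's session object.

```python
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation


class Forbidden(Exception):
    pass


class BadRequest(Exception):
    pass


@dataclass
class Item:
    id: int
    name: str
    price: Decimal


# Constructed catalogue; id 0 and 1 follow the ids mentioned in the thread.
CATALOG = {
    0: Item(0, "Cat", Decimal("25.00")),
    1: Item(1, "Puppy", Decimal("50.00")),
}


def update_item_vulnerable(session: dict, item_id: int, name: str, price) -> Item:
    """No authorisation check and no validation: anyone who guesses the id
    can set an empty name or a negative price."""
    item = CATALOG[item_id]
    item.name = name
    item.price = Decimal(str(price))
    return item


def update_item_hardened(session: dict, item_id: int, name: str, price) -> Item:
    """Admin-only, and the posted fields are validated before being stored."""
    if not session.get("is_admin"):
        raise Forbidden("admin only")
    if item_id not in CATALOG:
        raise BadRequest("unknown item")
    name = name.strip()
    if not name or len(name) > 64:
        raise BadRequest("name must be 1-64 characters")
    try:
        price = Decimal(str(price))
    except InvalidOperation:
        raise BadRequest("price is not a number")
    # is_finite() rejects NaN/Infinity before the comparisons below would choke on them
    if not price.is_finite() or price <= 0 or price.as_tuple().exponent < -2:
        raise BadRequest("price must be positive with at most 2 decimals")
    item = CATALOG[item_id]
    item.name, item.price = name, price
    return item


def checkout_vulnerable(cart: list) -> Decimal:
    """cart lines are {"id", "price", "qty"} as posted by the client; the
    price is trusted as sent, so a negative line drives the total negative."""
    return sum((Decimal(str(line["price"])) * int(line["qty"]) for line in cart), Decimal("0"))


def checkout_hardened(cart: list) -> Decimal:
    """Only id and quantity are taken from the client; the price is re-read
    from the catalogue, and a non-positive total is refused outright."""
    total = Decimal("0")
    for line in cart:
        item = CATALOG.get(line["id"])
        if item is None:
            raise BadRequest("unknown item")
        qty = int(line["qty"])
        if qty < 1:
            raise BadRequest("quantity must be >= 1")
        total += item.price * qty
    if total <= 0:
        raise BadRequest("order total must be positive")
    return total


def rejects(fn, *args) -> bool:
    """True if fn raises Forbidden or BadRequest for these arguments."""
    try:
        fn(*args)
    except (Forbidden, BadRequest):
        return True
    return False


if __name__ == "__main__":
    print("non-admin edit refused:", rejects(update_item_hardened, {}, 0, "Cat", "25.00"))
    print("negative price refused:", rejects(update_item_hardened, {"is_admin": True}, 0, "Cat", "-1.0"))
    print("hardened total:", checkout_hardened([{"id": 0, "qty": 1}, {"id": 1, "qty": 2}]))
```

The last check in checkout_hardened matters even with validated edits: if a price were ever corrupted to zero or below by some other path, refusing the order at checkout is the final line of defence before an item is handed over for free.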

 
wrth

Hello, thank you very much for the writeup!

 
0xmmalik

For Flag1, what wordlist did you use for usernames?

 
 
tuyenistuyen2

I ran hydra 5 times and none of the found passwords work. Does anybody else face this problem?

 
Chain00x • Edited

For Flag 1, using Turbo Intruder is OK.