CTF Name: Petshop Pro
Resource: Hacker101 CTF
Difficulty: Easy
Number of Flags: 3
Note: NO, I won't be posting my found FLAGS, but I will be p...
Please be aware that the post has a mistake in the hydra command: when you first try to get the correct username, you want to check for the "Invalid username" error, not "Invalid password". Only once you have the username should you launch hydra with the "Invalid password" error check.
Hope that helps!
That's interesting, because it worked for me... I was under the impression that the command "hydra -L rockyou.txt -p aaa 35.xxx.xxx.xxx http-post-form "/73fxxxxxxx/login:username=^USER^&password=^PASS^:Incorrect password"" was using rockyou.txt for the usernames and waiting for the error to change to "Incorrect password" to tell me that it was the correct username... no?
You need to use an error message which isn't on the page when it finds the right username. In this case, the login page will display the message "Invalid username" until you find the right one, which will then change to "Invalid password". So you want Hydra to know that it succeeds when the "Invalid username" is no longer displayed.
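The exchange above turns on one detail of how a failure-string matcher works: it calls a response a "success" whenever the chosen string is absent, so the string has to be the message the application shows for a wrong username. The following is an added example, not code from the writeup or from the CTF: it contrasts a login handler that leaks account existence through two different error texts with one that returns a single generic message, and includes the self-check a defender can run against their own handler. The account name, password and hashing scheme are constructed for the demo.

```python
import hashlib
import hmac

# Constructed demo credential store (not the CTF's data). SHA-256 is used only to
# keep the example dependency-free; a real service would use bcrypt or argon2.
def _digest(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()

USERS = {"alice": _digest("correct horse battery staple")}  # constructed sample
# Digest of a value nobody can type, so unknown usernames still cost one compare.
DUMMY_DIGEST = _digest("\x00dummy\x00")


def login_leaky(username: str, password: str):
    """Login handler that leaks account existence: the failure text differs
    depending on whether the username is real (the behaviour the thread describes)."""
    if username not in USERS:
        return 401, "Invalid username"
    if not hmac.compare_digest(USERS[username], _digest(password)):
        return 401, "Invalid password"
    return 200, "Welcome"


def login_hardened(username: str, password: str):
    """Same failure text whichever part was wrong, and the same amount of work
    whether or not the username exists, so the response carries no oracle."""
    stored = USERS.get(username, DUMMY_DIGEST)
    password_ok = hmac.compare_digest(stored, _digest(password))
    if username in USERS and password_ok:
        return 200, "Welcome"
    return 401, "Invalid username or password"


def failure_string_verdict(message: str, failure_string: str) -> str:
    """How a failure-string matcher reads a response: it declares success
    whenever the configured string is absent from the page."""
    return "fail" if failure_string in message else "success"


def username_oracle_present(login, candidates, probe_password="aaa") -> bool:
    """Defender's self-check: submit one wrong password for several usernames and
    report whether the failure message differs between them. True means the
    handler tells a real account apart from a made-up one."""
    messages = {login(user, probe_password)[1] for user in candidates}
    return len(messages) > 1
```

Run `username_oracle_present` against the leaky handler and it returns True; against the hardened one it returns False, because every wrong login gets the same text. `failure_string_verdict` also shows the confusion in the thread: matching on "Incorrect password", a string this application never emits, reports every candidate as a success.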
Thanks for the great post!
Where do you get the /73fxxxxxxx from?
Hello, I think you can easily find flag2 without signing in.
I noticed that after scanning the web directories with dirscan I found an /edit page.
First, I tried to open that directory, but I got a 400 reply. Then I thought, "what if I provide an id in the URL?", so the web URL now looks like ip/edit?id=idhere.
Then I searched for possible ids, so I went to inspect element and found id 0 for the cat and id 1 for the puppy.
Then I put the id into the URL that I mentioned before.
The URL now looks like this: ip/edit?id=0
Then voila..!! I entered the edit page without being administrator.
On that page, I tried to enter some XSS payloads, but nothing happened :D. So I came to this writeup and tried the payload.. and it works!!
Sorry for my bad English :(
And thank you for this writeup, I like it very much!
Hey bro, I just wanted to tell you that /edit/id=0 OR /edit/id=1 works for flag2.
Change the name parameter to "" and keep everything else the same (I also changed the price to a negative value like -1.0 or -2.0); in my case it worked for me. Save the changes now.
I added that item to my cart.
Go to checkout now, and here is your Flag2.
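The two comments above describe the same weaknesses in the /edit page: it serves the form to anyone who supplies a valid id, it accepts an empty name and a negative price, and the writeup's payload is rendered back unescaped. As an added example, not the CTF's own code or the writeup's, here is a minimal handler with that behaviour beside a hardened version that denies the request before looking up the object, validates the fields, and encodes the output. The products, ids, session token and response strings are constructed for the demo.

```python
import html
import math

# Constructed sample data: two products with the ids the commenters found in
# the page source, and one admin session. None of this is the CTF's own data.
def sample_store():
    return {0: {"name": "Cat", "price": 10.0}, 1: {"name": "Puppy", "price": 20.0}}

SESSIONS = {"admin-token": {"user": "admin", "role": "admin"}}  # constructed


def _parse_id(params):
    try:
        return int(params["id"])
    except (KeyError, ValueError):
        return None


def edit_item_vulnerable(store, params, session_token=None):
    """Edit handler as the thread describes it: any request that carries a valid
    id reaches the item, no login required, and the submitted name and price are
    stored and echoed back without validation or escaping."""
    item_id = _parse_id(params)
    if item_id is None:
        return 400, "Bad Request"  # the 400 the commenter saw for a bare /edit
    item = store.get(item_id)
    if item is None:
        return 404, "Not Found"
    if "name" in params:
        item["name"] = params["name"]
    if "price" in params:
        item["price"] = float(params["price"])
    return 200, f"<h1>{item['name']}</h1><span>{item['price']}</span>"


def edit_item_hardened(store, params, session_token=None, sessions=SESSIONS):
    """Same endpoint with the three missing controls: an authorization check
    before the object is even looked up, validation of name and price, and
    HTML-escaping of the name when the item is rendered."""
    session = sessions.get(session_token)
    if session is None or session.get("role") != "admin":
        return 403, "Forbidden"  # deny first, so the id never reaches the lookup
    item_id = _parse_id(params)
    if item_id is None:
        return 400, "Bad Request"
    item = store.get(item_id)
    if item is None:
        return 404, "Not Found"
    name = params.get("name", item["name"]).strip()
    if not (1 <= len(name) <= 64):
        return 400, "name must be 1-64 characters"
    try:
        price = float(params.get("price", item["price"]))
    except ValueError:
        return 400, "price must be a number"
    if not (math.isfinite(price) and price > 0):  # rejects negative, zero, NaN, inf
        return 400, "price must be positive"
    item["name"], item["price"] = name, price
    return 200, f"<h1>{html.escape(name)}</h1><span>{price:.2f}</span>"
```

The order of checks in the hardened handler is the point: authorization comes before the object lookup, so an unauthenticated request gets the same 403 whether or not the id exists, and the price check uses `price > 0` rather than `price >= 0` so that a zero-priced cart item is rejected along with the negative ones.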
Hello, thank you very much for the writeup!
For Flag1, what wordlist did you use for usernames?
I usually use github.com/danielmiessler/SecLists
I ran hydra 5 times and none of the found passwords work. Has anybody faced this problem?
For Flag 1, using Turbo Intruder is OK.