SecretRezip

Understand it

grep --color=auto -rnw '.' -ie "HTB" --color=always 2> /dev/null

So we are exporting 2 variables: the flag and the password.
It will be too hard to find the password, and it changes every time.
I'm searching for another file.

grep --color=auto -rnw '.' -ie "FLAG" --color=always 2> /dev/null

./src/src/routes.js

Zip structure

The ingredients in the web page are in fact the flag; the flag should start with Secret HTB{ .
There is no encryption.

Signature:
The signature of the local file header. This is always ‘\x50\x4b\x03\x04’.
Compression method:
00: no compression

And this is what I have if I enter nothing in the ingredients field:

I've downloaded multiple files with different ingredients: https://i.imgur.com/y05ptiD.png

So I will try Secret: H, Secret: HT and Secret: HTB
Secret: H:

Secret: HT

Secret: HTB

3C is everywhere, let's make a mistake.
Secret: HTC

Now we have 3D, instead of 3C
I will now find a way to get this value only.

xxd Secret:\ HTB.zip  |awk '{print $3}'| sed -n 2p
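
The value that command prints is the start of the compressed-size field, at offset 18 of the local file header. The Python below is an added example, not part of the original write-up: it parses that header and shows, on an archive built locally, why the field is one byte smaller when the guess extends the secret's prefix. SECRET, the member name and the assumption that the input and the secret are deflated together in one member are constructed for illustration.

```python
import io
import struct
import zipfile

# Constructed stand-in for the server-side secret; not the challenge's flag.
SECRET = "Secret: HTB{z1p_0r4cl3}"

# Local file header layout from the ZIP spec (30 fixed bytes, little-endian).
LOCAL_HEADER = struct.Struct("<4sHHHHHIIIHH")


def build_archive(ingredients: str, method: int = zipfile.ZIP_DEFLATED) -> bytes:
    """Assumed server behaviour: user input and secret end up in one member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", method) as zf:
        # "ingredients.txt" is a hypothetical member name.
        zf.writestr("ingredients.txt", ingredients + "\n" + SECRET)
    return buf.getvalue()


def parse_local_header(archive: bytes) -> dict:
    """Decode the first local file header, including the size field at offset 18."""
    (sig, _ver, flags, method, _time, _date, _crc,
     csize, usize, _nlen, _xlen) = LOCAL_HEADER.unpack_from(archive, 0)
    if sig != b"\x50\x4b\x03\x04":
        raise ValueError("not a ZIP local file header")
    if flags & 0x08:
        raise ValueError("sizes are in a trailing data descriptor, not the header")
    return {"method": method, "compressed": csize, "uncompressed": usize}


def compressed_size(guess: str, method: int = zipfile.ZIP_DEFLATED) -> int:
    return parse_local_header(build_archive(guess, method))["compressed"]


def smallest_candidates(prefix: str, alphabet: str) -> list:
    """Characters whose guess compresses best, i.e. extends the repeated string."""
    sizes = {ch: compressed_size(prefix + ch) for ch in alphabet}
    best = min(sizes.values())
    return [ch for ch, size in sizes.items() if size == best]


if __name__ == "__main__":
    for guess in ("Secret: HTB{z", "Secret: HTB{a"):
        print(guess, "deflate:", compressed_size(guess),
              "stored:", compressed_size(guess, zipfile.ZIP_STORED))
    print(smallest_candidates("Secret: HTB{", "abcxyz0123"))
```

With ZIP_STORED both guesses give the same size, so the length only leaks when user-supplied text is compressed together with the secret.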

Download via bash

Copy as a curl command and add -O for output:

curl 'http://167.71.131.210:31269/ingredients' -X POST -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0' -H 'Accept: application/json, text/plain, */*' -H 'Accept-Language: en-US,en;q=0.5' -H 'Accept-Encoding: gzip, deflate' -H 'Content-Type: application/json' -H 'Origin: http://167.71.131.210:31269' -H 'Connection: keep-alive' -H 'Referer: http://167.71.131.210:31269/' --data-raw '{"ingredients":"dfgdfg"}' -O

Script it

I will try something like this:

Not 3200 but 3c00.

Download it

Check it

Generate chars

I have to set i to 21 because there are no chars before.

Try the char

Let’s try it and guess the first next char only.

Let’s try it:

Finish the script

The else is useless; I will remove the echo too.
I just keep the echo at line 17 to show the response.
On line 16 I add the good char to the string.

And voila