HTB Desires
by pop10189 - Monday March 10, 2025 at 01:31 AM
#21
Did someone manage to make the script work?
#22
(Mar 15, 2025, 12:14 PM)sdksdk Wrote:
(Mar 14, 2025, 03:24 PM)ZombieBear Wrote:
(Mar 13, 2025, 05:11 PM)sdksdk Wrote: I've been working on a full script for the CTF but am still stuck on the session id fixing. This script makes the json file by predicting its id 20 seconds before. Then it triggers the login and it works because the id created is the same as the redis one, but redis overwrites it, modifying the role again to user. I don't know at this point what I can do.

You should still change the user id manually, and by default it should work on localhost:1337, but you can also specify the url with "-u".

Here is the code https://defuse.ca/b/iDqShNZh

Password : DesireHTB

Let me know if you could make it work :)

If you want to go that way (session prediction) then you should not use a local time but server replies (due to different zones, sync problems...)

Finally! Thanks, I did it by the wrong login attempt; I did not realize that redis was doing that in the code. Locally with the docker the approach was correct but, as you say, when trying against the server it's a headache to synchronize... but I finally did it. I leave a link to the final script I used and the command parameters.

Link: https://defuse.ca/b/kdNBXbUv Password: DesiresHTB

The times depend on your location and so on. I first did a ping to the server, e.g.:

PING 94.237.53.146 (94.237.53.146) 56(84) bytes of data.
64 bytes from 94.237.53.146: icmp_seq=1 ttl=56 time=35.3 ms
 
The more accurate the times, the easier it will be to achieve, but keep running ping for some time until you can get the average time, then craft the command like this.

-u http://94.237.53.146:44659 --brute --start 0.035 --end 0.050 --step 0.001 -d 2

It should work and keep trying until all attempts have failed or the flag is retrieved.

Thanks all for the hints and advice

This one worked after many trials lol
Thanks for sharing

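The mechanism the quoted exchange turns on (a session record planted in the store ahead of time keeps its privileged role because the login path only patches the existing record, while a failed attempt leaves the planted record untouched) is shown below from the defender's side, as an added example that is not the CTF's code and not any script linked in this thread. The in-memory SessionStore stands in for the Redis instance mentioned above, USERS is a constructed credential table, and weak_login and hardened_login are hypothetical handlers written for this illustration.

```python
"""Login handlers with and without session regeneration (constructed example)."""
import secrets

# Constructed credential table for the example; not real accounts.
USERS = {"alice": "correct-horse"}


class SessionStore:
    """Minimal dict-backed store standing in for Redis in this example."""

    def __init__(self):
        self._data = {}

    def get(self, sid):
        return self._data.get(sid)

    def put(self, sid, session):
        self._data[sid] = session

    def delete(self, sid):
        self._data.pop(sid, None)


def weak_login(store, sid_from_client, username, password):
    """Keeps whatever session id the client presented and only patches fields.

    Any attribute already present in the store under that id (for instance a
    planted "role") survives, and a failed attempt leaves the record in place.
    """
    session = store.get(sid_from_client) or {}
    if USERS.get(username) != password:
        store.put(sid_from_client, session)  # failed login: planted data persists
        return sid_from_client, False
    session["user"] = username
    session.setdefault("role", "user")       # only set if absent, so a planted role wins
    store.put(sid_from_client, session)
    return sid_from_client, True


def hardened_login(store, sid_from_client, username, password):
    """Discards the presented session and issues a fresh one on success.

    The new id comes from the OS CSPRNG, so it cannot be derived from a clock,
    and the record holds only server-chosen attributes. A failed attempt
    creates no session and drops the presented one.
    """
    if sid_from_client is not None:
        store.delete(sid_from_client)
    if USERS.get(username) != password:
        return None, False
    new_sid = secrets.token_urlsafe(32)      # 256 bits of randomness
    store.put(new_sid, {"user": username, "role": "user"})
    return new_sid, True


if __name__ == "__main__":
    # Constructed scenario: a record with role=admin already sits under a known id.
    for handler in (weak_login, hardened_login):
        store = SessionStore()
        store.put("known-id", {"role": "admin"})
        sid, ok = handler(store, "known-id", "alice", "correct-horse")
        print(handler.__name__, ok, sid == "known-id", store.get(sid))
```

The difference worth checking in any session layer is the one the test exercises: after a successful login the id must change and the role must be the server's choice, and after a failed login the presented id must not resolve to anything.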
#23
Can someone make a video writeup about it? Would be very lucky, pls.

#24
Thank you for all your work

#25
(Mar 15, 2025, 12:14 PM)sdksdk Wrote: [quote of post #22 above omitted]

Thanks my friend, thanks for the script and the explanation, it's really well done and helps a lot in fully understanding all the steps!