grimoire

personal wiki
git clone git://git.pyratebeard.net/grimoire.git

hackthebox.md (2002B)


# hack the box

- [web](#web)
- [misc](#misc)

## invite code
url: https://www.hackthebox.eu/invite

- inspect invite code input box element
	- find script 'src="/js/inviteapi.min.js"'
- navigate to script url (https://www.hackthebox.eu/js/inviteapi.min.js)
- run 'makeInviteCode' function in browser console
	- expand Object output
	- decode data string (base64)
		```
		echo <string> | base64 -d -
		```
	- output gives '/api/invite/generate'
- use `curl` to send POST request
	```
	curl -X POST https://www.hackthebox.eu/api/invite/generate
	```
	- output gives an encoded code string
- decode code string
	```
	echo <string> | base64 -d -
	```
- copy invite code into input box and submit

## web
#### lernaean (20 pts)
- open url:port provided by the instance
- proxy page through burpsuite
	- submit a password to see the response
		- the form submits to '/'
		- the failure response contains the string 'Invalid password!'
- lernaean refers to the hydra of Greek mythology
- hydra is a password brute-force tool
- run a password list through hydra
	```
	hydra -l "" -P <pass_list> -s <port> -f docker.hackthebox.eu http-post-form "/:password=^PASS^:Invalid password\!"
	```
	- `-l` : user (blank as there is no username field)
	- `-P` : password file (used common-passwords.txt first with no luck, success with rockyou.txt)
	- `-s` : port
	- `-f` : exit when creds are found
	- `docker.hackthebox.eu` : target url (from instance)
	- `http-post-form` : service module
	- `"/:password=^PASS^:Invalid password\!"` : submit path, POST body with `^PASS^` replaced by each password from the file, and the login-failed string (escape the !)
- once the password is found, submit it in the field
- this displays a new page
- check the response in burp to find the HTB flag

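The defender's side of the hydra run above, as an added example that is not part of these notes: a small Python detector that parses Apache combined-format access log lines and flags any source that POSTs to the login path at least a threshold number of times inside a sliding window, which is the traffic shape the `http-post-form` module produces. The log lines, addresses, path and threshold are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache combined-format access log line: we use the client ip, timestamp,
# request method and path, status and response size.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample (addresses and times are made up): 10.0.0.5 is a user who
# tries once; 10.0.0.9 fires a burst of POSTs at the form. Every failed attempt
# gets the same 'Invalid password!' page, so status and size stay constant.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2023:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2023:10:00:09 +0000] "POST / HTTP/1.1" 200 143 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2023:10:00:10 +0000] "POST / HTTP/1.1" 200 143 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2023:10:00:11 +0000] "POST / HTTP/1.1" 200 143 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2023:10:00:11 +0000] "POST / HTTP/1.1" 200 143 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2023:10:00:12 +0000] "POST / HTTP/1.1" 200 143 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2023:10:00:12 +0000] "POST / HTTP/1.1" 200 143 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2023:10:00:13 +0000] "POST / HTTP/1.1" 200 143 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2023:10:00:14 +0000] "POST / HTTP/1.1" 200 981 "-" "Mozilla/5.0"
"""

def detect_post_bruteforce(log_text, login_path="/", threshold=5, window_s=60):
    """Flag sources that POST to login_path >= threshold times within any
    window_s-second span. Returns {ip: timestamp of the POST that crossed it}."""
    recent = defaultdict(deque)   # ip -> timestamps of its POSTs still in window
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] != login_path:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        window = recent[m["ip"]]
        window.append(ts)
        # drop attempts that have aged out of the sliding window
        while (ts - window[0]).total_seconds() > window_s:
            window.popleft()
        if len(window) >= threshold and m["ip"] not in flagged:
            flagged[m["ip"]] = m["ts"]
    return flagged

if __name__ == "__main__":
    for ip, when in detect_post_bruteforce(SAMPLE_LOG).items():
        print(f"possible login brute force from {ip}, threshold crossed at {when}")
```

When a form answers failures with an ordinary 200 page, the status code alone shows nothing, so the attempt rate is the signal; a response size that suddenly differs from the rest of a burst is worth a second look. The threshold and window are illustrative and need tuning to the site's real login rate.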
## misc
#### 0ld is g0ld (10 pts)
- download zip file
- unzip to get a password-protected pdf
- use `pdfcrack` to brute-force the password
	```
	pdfcrack -f 0ld\ is\ g0ld.pdf -w /path/to/rockyou.txt
	```
- open pdf with password
- scroll to bottom and zoom in a lot to find morse code
	```
	.-. .---- .--. ... .- -- ..- ...-- .-.. -- ----- .-. ... ...--
	```
- translate code
	```
	R1PSAMU3LM0RS3
	```
- submit flag (wrap with HTB{<string>})