grimoire

personal wiki
git clone git://git.pyratebeard.net/grimoire.git

hackthebox.md (2435B)


# hack the box

- [invite code](#invite-code)
- [forensics](#forensics)
- [web](#web)
- [misc](#misc)

## invite code
url: https://www.hackthebox.eu/invite

- inspect invite code input box element
	- find script 'src="/js/inviteapi.min.js"'
- navigate to script url (https://www.hackthebox.eu/js/inviteapi.min.js)
- run 'makeInviteCode' function in browser console
	- expand Object output
	- decode data string (base64)
		```
		echo <string> | base64 -d -
		```
	- output gives '/api/invite/generate'
- use `curl` to send POST request
	```
	curl -X POST https://www.hackthebox.eu/api/invite/generate
	```
	- output gives us encoded code string
- decode code string
	```
	echo <string> | base64 -d -
	```
- copy invite code into input box and submit

## forensics
#### marshal in the middle
- download zip file
- unzip using password
- following files extracted
	```
	.
	├── bro/
	│   ├── conn.log
	│   ├── dns.log
	│   ├── files.log
	│   ├── http.log
	│   ├── packet_filter.log
	│   ├── ssl.log
	│   └── weird.log
	├── bundle.pem
	├── chalcap.pcapng
	└── secrets.log
	```
- open pcap file in wireshark

## web
#### lernaean (20 pts)
- open url:port provided from instance
- proxy page through burpsuite
	- submit password to see response
		- submit root is '/'
		- response contains 'Invalid password!' string
- lernaean is the hydra from greek mythology
- hydra is a password bruteforce tool
- run a password list through hydra
	```
	hydra -l "" -P <pass_list> -s <port> -f docker.hackthebox.eu http-post-form "/:password=^PASS^:Invalid password\!"
	```
	- `-l` : user (blank as no username field)
	- `-P` : password file (used common-passwords.txt first with no luck, success with rockyou.txt)
	- `-s` : port
	- `-f` : exit when creds found
	- url (from instance)
	- service
	- root of submit, tell it to use passwords from file, login failed message (escape the !)
- once password is found submit in field
- this displays a new page
- check response in burp to find HTB flag

## misc
#### 0ld is g0ld (10 pts)
- download zip file
- unzip a password protected pdf
- use `pdfcrack` to bruteforce password
	```
	pdfcrack -f 0ld\ is\ g0ld.pdf -w /path/to/rockyou.txt
	```
- open pdf with password
- scroll to bottom and zoom in a lot to find morse code
	```
	.-. .---- .--. ... .- -- ..- ...-- .-.. -- ----- .-. ... ...--
	```
- translate code
	```
	R1PSAMU3LM0RS3
	```
- submit flag (wrap with HTB{<string>})
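Added example, not part of the original notes: a small Morse decoder that turns the dot/dash string from the pdf into the flag text and wraps it in the HTB{} format. It handles letters and digits, uses single spaces between letters and "/" (or three spaces) between words, and substitutes "?" for any symbol it does not know; the helper names are my own.

```python
# Added example (not from the original wiki): decode ITU Morse to text.
# Letter gaps are single spaces; word gaps are "/" or three spaces.

MORSE_TO_CHAR = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z",
    "-----": "0", ".----": "1", "..---": "2", "...--": "3", "....-": "4",
    ".....": "5", "-....": "6", "--...": "7", "---..": "8", "----.": "9",
}


def decode_morse(message: str) -> str:
    """Decode a Morse string; unknown symbols become '?' instead of aborting."""
    # Normalise the three-space word gap to the explicit "/" separator.
    words = message.strip().replace("   ", " / ").split("/")
    decoded_words = []
    for word in words:
        letters = [MORSE_TO_CHAR.get(sym, "?") for sym in word.split()]
        decoded_words.append("".join(letters))
    return " ".join(w for w in decoded_words if w)


def htb_flag(text: str) -> str:
    """Wrap decoded text in the HTB{...} submission format."""
    return f"HTB{{{text}}}"


# The Morse string as it appears in the notes above.
CHALLENGE_MORSE = ".-. .---- .--. ... .- -- ..- ...-- .-.. -- ----- .-. ... ...--"

if __name__ == "__main__":
    print(decode_morse(CHALLENGE_MORSE))            # R1PSAMU3LM0RS3
    print(htb_flag(decode_morse(CHALLENGE_MORSE)))  # HTB{R1PSAMU3LM0RS3}
```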