Manuel López Pérez · hackthebox · 4 min read
HackTheBox Challenges – Web: HDC
First web challenge in the HackTheBox series completed. We learn how to bypass a hardcoded login in JavaScript, discover a secret area with a list of emails, and use Intruder (ZAP or Burp) to find the special address that reveals the flag.

This is the first post solving HackTheBox challenges. We are going to try to solve most of the challenges that have been retired from the platform, and this time it is a web challenge called HDC. It is an easy-level challenge, but it will show us what the challenges we face in the coming days look like. In it we will have to bypass a login page and finally, with the help of the ZAP Intruder, find the flag.
My HackTheBox profile is ‘https://www.hackthebox.eu/home/users/profile/25205’. If you have any proposal or correction, don’t hesitate to leave a comment so we all learn.
Statement
We believe that a certain individual is using this website for shady purposes. Can you find out who it is and send them an email to check it out, using the website’s functionality? Note: The flag is not an email address.

Solution
First we open the website in the browser:

Let’s review the source code:
```html
[...]
<script src="jquery-3.2.1.js"></script>
<script src="myscripts.js"></script>
[...]
<form id='formaki' name='formaki' action="./main/index.php" method="post">
  <p align="center">Enter Username / Password
    <input type="text" name="name1" size="20">
    <input type="text" Name="name2" size="20">
  </p>
  <p align="center">
    <input type="hidden" value= name="name1">
    <input type="hidden" value= name="name2">
    <input type="button" value="Submit" onclick="doProcess()"/>
  </p>
</form>
[...]
```
The page includes two JavaScript files, “myscripts.js” and “jquery-3.2.1.js”. Now we check the code of “myscripts.js”:
```javascript
function doProcess() {
    document.forms["formaki"].submit();
}
```
The doProcess function submits the form. Let’s find out what .submit() does:
The submit method submits the form (same as clicking the Submit button).
As you can see, it does the same as clicking the button. Let’s check whether the jQuery file also defines a doProcess() function:

```javascript
function doProcess() {
    var form = document.createElement("form");
    form.setAttribute("method", "post");
    form.setAttribute("action", "main/index.php");
    form.setAttribute("target", "view");
    var hiddenField = document.createElement("input");
    hiddenField.setAttribute("type", "hidden");
    hiddenField.setAttribute("name", "name1");
    hiddenField.setAttribute("value", "TXlMaXR0bGU");
    var hiddenField2 = document.createElement("input");
    hiddenField2.setAttribute("type", "hidden");
    hiddenField2.setAttribute("name", "name2");
    hiddenField2.setAttribute("value", "cDB3bmll");
    form.appendChild(hiddenField2);
    form.appendChild(hiddenField);
    form.appendChild(hiddenField2);
    document.body.appendChild(form);
    window.open('', 'view');
    form.submit();
}
```
This version of the function builds its own form with two hidden fields whose values are hardcoded credentials, TXlMaXR0bGU:cDB3bmll, with which we access the platform.
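As an added example (not part of the original writeup), the following Python pulls the hardcoded hidden-field names and values out of the doProcess() source quoted above and tries to base64-decode them; the JS excerpt is embedded as a constant, and the two values turn out to be base64 of short plaintext strings, a detail the writeup itself does not go into.

```python
import base64
import re

# Constructed excerpt of the doProcess() function quoted above.
JS_SOURCE = '''
var hiddenField = document.createElement("input");
hiddenField.setAttribute("type", "hidden");
hiddenField.setAttribute("name", "name1");
hiddenField.setAttribute("value", "TXlMaXR0bGU");
var hiddenField2 = document.createElement("input");
hiddenField2.setAttribute("type", "hidden");
hiddenField2.setAttribute("name", "name2");
hiddenField2.setAttribute("value", "cDB3bmll");
'''

# Matches <var>.setAttribute("name"|"value", "<literal>") calls only.
ATTR_RE = re.compile(r'(\w+)\.setAttribute\("(name|value)",\s*"([^"]*)"\)')


def hidden_fields(js):
    """Map each hardcoded field name to its hardcoded value, per JS variable."""
    per_var = {}
    for var, key, val in ATTR_RE.findall(js):
        per_var.setdefault(var, {})[key] = val
    return {a["name"]: a["value"]
            for a in per_var.values() if "name" in a and "value" in a}


def b64_lenient(s):
    """Decode base64 whose '=' padding was dropped; None if not base64 ASCII."""
    try:
        raw = base64.b64decode(s + "=" * (-len(s) % 4), validate=True)
        return raw.decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None


def decoded_fields(js):
    """Field name -> (raw value, decoded value or None)."""
    return {k: (v, b64_lenient(v)) for k, v in hidden_fields(js).items()}
```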

In this portal we find two tasks: “Send EMail” and “Mailbox of Special Customers”.

In the code of the second one we found something interesting:
```html
</head><body><font size="6"><span lang="en-us">Special Customers' Mailbox</span></font><b><font size="6"> </font></b>
<img src="./secret_area_/mails.gif" width="21" height="20" border="1"><hr><p> </p>
<p>Up to now we have 5 special customers who will help us to achieve our goals.<br> <br>
This list will soon be expanded with the new 'expansion program' for our corporate goals.<br> <br>
It is planned that within the next six months we will have reached 20 dedicated Special Customers.<br> </p>
<p><span lang="us"><a href="main.htm">[link text garbled in the original]</a></span></p>
```
The image mails.gif is served from the directory /secret_area_, so let’s see if there is something else in there:

In mails.txt we find:
```text
All good boys are here… hehehehehehe!
----------------------------------------
Peter Punk CallMePink@newmail.com
Nabuchodonosor BabyNavou@mailpost.gr
Ilias Magkakos imagkakos@badmail.com
Nick Pipshow NickTheGreek@mail.tr.gr
Don Quixote Windmill@mail.gr
Crazy Priest SeVaftise@hotmail.com
Fishroe Salad fishroesalad@mail.com
TaPanta Ola OlaMaziLeme@mail.gr
Laertis George I8aki@mail.gr
Thiseas Sparrow Pirates@mail.gr
Black Dreamer SupaHacka@mail.com
Callme Daddy FuckthemALL@mail.com
Aggeliki Lykolouli FwsStoTounel@Traino.pourxetai
Kompinadoros Yannnnis YannisWith4N@rolf.com
Serafino Titamola Ombrax@mail.gr
Joe Hard Soft@Butter.gr
Bond James MyNameIsBond@JamesBond.com
Endof Text EndOfLine@mail.com
```
Now that we have the email list, let’s go back to the statement: “Can you find out who he is and send him an email to check it out, using the functionality of the website?”
It seems we have to use the ‘Send EMail’ function with every address on this list. With a Python script we extract the addresses and write them to a file to use as the payload list in ZAP’s Intruder:
```python
import re

# Contents of mails.txt, pasted in as one string.
raw = """Peter Punk CallMePink@newmail.com Nabuchodonosor BabyNavou@mailpost.gr
Ilias Magkakos imagkakos@badmail.com Nick Pipshow NickTheGreek@mail.tr.gr
Don Quixote Windmill@mail.gr Crazy Priest SeVaftise@hotmail.com
Fishroe Salad fishroesalad@mail.com TaPanta Ola OlaMaziLeme@mail.gr
Laertis George I8aki@mail.gr Thiseas Sparrow Pirates@mail.gr
Black Dreamer SupaHacka@mail.com Callme Daddy FuckthemALL@mail.com
Aggeliki Lykolouli FwsStoTounel@Traino.pourxetai Kompinadoros Yannnnis YannisWith4N@rolf.com
Serafino Titamola Ombrax@mail.gr Joe Hard Soft@Butter.gr
Bond James MyNameIsBond@JamesBond.com Endof Text EndOfLine@mail.com"""

# Pull out every address and write them one per line as the Intruder payload file.
with open("mails.txt", "w") as f:
    f.write('\n'.join(re.findall(r'[\w.-]+@[\w.-]+', raw)))
```
We add the list to the ZAP Intruder:

We run the attack and sort the results by response size, so that any request the server answers differently stands out immediately. One response differs: the one for “fishroesalad@mail.com”.
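Pulling the procedure together as an added example (not the writeup’s own script): it parses an excerpt of mails.txt, submits each address through a send function and reports the addresses whose response length differs from the majority, which is exactly what sorting the Intruder results by size surfaces. fake_send is a constructed stand-in for the ‘Send EMail’ form so the block runs offline; against the real form you would replace it with an HTTP POST.

```python
import re
from collections import Counter

# Constructed excerpt of mails.txt (names and addresses as quoted above).
MAILS_TXT = """All good boys are here... hehehehehehe!
----------------------------------------
Peter Punk CallMePink@newmail.com
Nabuchodonosor BabyNavou@mailpost.gr
Fishroe Salad fishroesalad@mail.com
Joe Hard Soft@Butter.gr
Endof Text EndOfLine@mail.com
"""

EMAIL_RE = re.compile(r"[\w.-]+@[\w.-]+")


def extract_emails(text):
    """Addresses in order of appearance, duplicates dropped."""
    out = []
    for addr in EMAIL_RE.findall(text):
        if addr not in out:
            out.append(addr)
    return out


def rank_by_size(emails, send):
    """Send each address and return (size, address) pairs sorted by size,
    the same view ZAP's Intruder gives when sorted by response length."""
    return sorted((len(send(e)), e) for e in emails)


def odd_responses(emails, send):
    """Addresses whose response length differs from the most common one."""
    ranked = rank_by_size(emails, send)
    common = Counter(size for size, _ in ranked).most_common(1)[0][0]
    return [e for size, e in ranked if size != common]


def fake_send(email):
    """Constructed stand-in for the 'Send EMail' form; no network is used."""
    body = "<html><body>Your mail has been sent.</body></html>"
    if email == "fishroesalad@mail.com":
        body += "<!-- extra content only this recipient triggers -->"
    return body
```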

Let’s check the request output:

The flag is HTB{FuckTheB3stAndPlayWithTheRest!!}

