Home.md
... ...
@@ -43,6 +43,7 @@
43 43
## projects
44 44
- [pyratenet](projects/pyratenet)
45 45
- [startpage](projects/startpage)
46
+- [hackthebox](projects/hackthebox)
46 47
47 48
## technology
48 49
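Review bot: The new entry at line 46 is appended after `startpage`, which breaks the alphabetical order the projects list had so far (`pyratenet`, `startpage`). Consider placing `- [hackthebox](projects/hackthebox)` above `pyratenet` instead.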
projects/hackthebox.md
... ...
@@ -0,0 +1,50 @@
1
+# hack the box
2
+
3
+## invite code
4
+url: https://www.hackthebox.eu/invite
5
+
6
+- inspect invite code input box element
7
+ - find script 'src="/js/inviteapi.min.js"'
8
+- navigate to script url (https://www.hackthebox.eu/js/inviteapi.min.js)
9
+- run 'makeInviteCode' function in browser console
10
+ - expand Object output
11
+ - decode data string (base64)
12
+ ```
13
+ echo <string> | base64 -d -
14
+ ```
15
+ - output gives '/api/invite/generate'
16
+- use `curl` to send POST request
17
+ ```
18
+ curl -X POST https://www.hackthebox.eu/api/invite/generate
19
+ ```
20
+ - output gives us encoded code string
21
+- decode code string
22
+ ```
23
+ echo <string> | base64 -d -
24
+ ```
25
+- copy invite code into input box and submit
26
+
27
+## web
28
+### lernaean (20 pts)
29
+- open url:port provided from instance
30
+- proxy page through burpsuite
31
+ - submit password to see response
32
+ - submit root is '/'
33
+ - response containse 'Invalid password!' string
34
+- lernaean is the hydra from greek mythology
35
+- hydra is a password bruteforce tool
36
+- run a password list through hydra
37
+ ```
38
+ hydra -l "" -P <pass_list> -s <port> -f docker.hackthebox.eu http-post-form "/:password=^PASS^:Invalid password\!"
39
+ ```
40
+ - `-l` : user (blank as no username field)
41
+ - `-P` : password file (used common-passwords.txt first with no luck, success with rockyou.txt)
42
+ - `-s` : port
43
+ - `-f` : exit when creds found
44
+ - url (from instance)
45
+ - service
46
+ - root of submit, tell it to use passwords from file, login failed message (escape the !)
47
+- once password is found submit in field
48
+- this displays a new page
49
+- check response in burp to find HTB flag
50
+
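Review bot: In the hydra command at line 38 the form string is double-quoted and uses `\!`, but bash leaves that backslash in place inside double quotes, so hydra is handed the failure string `Invalid password\!` rather than the `Invalid password!` seen in the response. Single-quote the argument and drop the backslash, as in `'/:password=^PASS^:Invalid password!'`, and adjust the "(escape the !)" remark at line 46 to match. The last three bullets under the command (lines 44 to 46) do not say which argument they describe; label them with `docker.hackthebox.eu`, `http-post-form` and the three colon-separated fields of the form string, the way the `-l`, `-P`, `-s` and `-f` bullets are labelled. Smaller points: "containse" at line 33 should be "contains", "submit root is '/'" at line 32 would read more clearly as the path the form posts to, and the trailing `-` on `base64 -d -` at lines 13 and 23 is redundant when the input comes from a pipe.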