46cfa571f20b163b1941879b871e11a7943e4a42
Home.md
... | ... | @@ -43,6 +43,7 @@ |
43 | 43 | ## projects |
44 | 44 | - [pyratenet](projects/pyratenet) |
45 | 45 | - [startpage](projects/startpage) |
46 | +- [hackthebox](projects/hackthebox) |
|
46 | 47 | |
47 | 48 | ## technology |
48 | 49 |
projects/hackthebox.md
... | ... | @@ -0,0 +1,50 @@ |
1 | +# hack the box |
|
2 | + |
|
3 | +## invite code |
|
4 | +url: https://www.hackthebox.eu/invite |
|
5 | + |
|
6 | +- inspect invite code input box element |
|
7 | + - find script 'src="/js/inviteapi.min.js"' |
|
8 | +- navigate to script url (https://www.hackthebox.eu/js/inviteapi.min.js) |
|
9 | +- run 'makeInviteCode' function in browser console |
|
10 | + - expand Object output |
|
11 | + - decode data string (base64) |
|
12 | + ``` |
|
13 | + echo <string> | base64 -d - |
|
14 | + ``` |
|
15 | + - output gives '/api/invite/generate' |
|
16 | +- use `curl` to send POST request |
|
17 | + ``` |
|
18 | + curl -X POST https://www.hackthebox.eu/api/invite/generate |
|
19 | + ``` |
|
20 | + - output gives us encoded code string |
|
21 | +- decode code string |
|
22 | + ``` |
|
23 | + echo <string> | base64 -d - |
|
24 | + ``` |
|
25 | +- copy invite code into input box and submit |
|
26 | + |
|
27 | +## web |
|
28 | +### lernaean (20 pts) |
|
29 | +- open url:port provided from instance |
|
30 | +- proxy page through burpsuite |
|
31 | + - submit password to see response |
|
32 | + - submit root is '/' |
|
33 | + - response containse 'Invalid password!' string |
|
34 | +- lernaean is the hydra from greek mythology |
|
35 | +- hydra is a password bruteforce tool |
|
36 | +- run a password list through hydra |
|
37 | + ``` |
|
38 | + hydra -l "" -P <pass_list> -s <port> -f docker.hackthebox.eu http-post-form "/:password=^PASS^:Invalid password\!" |
|
39 | + ``` |
|
40 | + - `-l` : user (blank as no username field) |
|
41 | + - `-P` : password file (used common-passwords.txt first with no luck, success with rockyou.txt) |
|
42 | + - `-s` : port |
|
43 | + - `-f` : exit when creds found |
|
44 | + - url (from instance) |
|
45 | + - service |
|
46 | + - root of submit, tell it to use passwords from file, login failed message (escape the !) |
|
47 | +- once password is found submit in field |
|
48 | +- this displays a new page |
|
49 | +- check response in burp to find HTB flag |
|
50 | + |