hack the box
invite code
url: https://www.hackthebox.eu/invite
- inspect invite code input box element
- find script 'src="/js/inviteapi.min.js"'
- navigate to script url (https://www.hackthebox.eu/js/inviteapi.min.js)
- run 'makeInviteCode' function in browser console
- expand Object output
- decode data string (base64)
    echo <string> | base64 -d -
- output gives '/api/invite/generate'
- use curl to send POST request
    curl -X POST https://www.hackthebox.eu/api/invite/generate
- output gives us encoded code string
- decode code string
    echo <string> | base64 -d -
- copy invite code into input box and submit
web
lernaean (20 pts)
- open url:port provided from instance
- proxy page through burpsuite
- submit password to see response
  - submit root is '/'
  - response contains 'Invalid password!' string
- lernaean is the hydra from greek mythology
- hydra is a password bruteforce tool
- run a password list through hydra
    hydra -l "" -P <pass_list> -s <port> -f docker.hackthebox.eu http-post-form "/:password=^PASS^:Invalid password\!"
  - -l: user (blank as no username field)
  - -P: password file (used common-passwords.txt first with no luck, success with rockyou.txt)
  - -s: port
  - -f: exit when creds found
  - url (from instance)
  - service
  - root of submit, tell it to use passwords from file, login failed message (escape the !)
- once password is found submit in field
- this displays a new page
- check response in burp to find HTB flag
misc
0ld is g0ld (10 pts)
- download zip file
- unzip a password protected pdf
- use pdfcrack to bruteforce password
    pdfcrack -f 0ld\ is\ g0ld.pdf -w /path/to/rockyou.txt
- open pdf with password
- scroll to bottom and zoom in a lot to find morse code
    .-. .---- .--. ... .- -- ..- ...-- .-.. -- ----- .-. ... ...--
- translate code
    R1PSAMU3LM0RS3
- submit flag (wrap with HTB{})