invite code

url: https://www.hackthebox.eu/invite

  • inspect invite code input box element
    • find script 'src="/js/inviteapi.min.js"'
  • navigate to script url (https://www.hackthebox.eu/js/inviteapi.min.js)
  • run 'makeInviteCode' function in browser console
    • expand Object output
    • decode data string (base64)
        echo <string> | base64 -d -
      
    • output gives '/api/invite/generate'
  • use curl to send POST request
      curl -X POST https://www.hackthebox.eu/api/invite/generate
    
    • output gives us encoded code string
  • decode code string
      echo <string> | base64 -d -
    
  • copy invite code into input box and submit

forensics

marshal in the middle

  • download zip file
  • unzip using password
  • the following files are extracted
      .
      ├── bro/
      │   ├── conn.log
      │   ├── dns.log
      │   ├── files.log
      │   ├── http.log
      │   ├── packet_filter.log
      │   ├── ssl.log
      │   └── weird.log
      ├── bundle.pem
      ├── chalcap.pcapng
      └── secrets.log
    
  • open pcap file in wireshark

web

lernaean (20 pts)

  • open url:port provided from instance
  • proxy page through burpsuite
    • submit password to see response
      • the form submits to '/'
      • response contains the 'Invalid password!' string
  • lernaean refers to the hydra of greek mythology
  • hydra is a password brute-force tool
  • run a password list through hydra
      hydra -l "" -P <pass_list> -s <port> -f docker.hackthebox.eu http-post-form "/:password=^PASS^:Invalid password\!"
    
    • -l : user (blank as no username field)
    • -P : password file (used common-passwords.txt first with no luck, success with rockyou.txt)
    • -s : port
    • -f : exit when creds found
    • docker.hackthebox.eu : target host (from instance)
    • http-post-form : service module
    • "/:password=^PASS^:Invalid password\!" : submit path, form body (^PASS^ is replaced by each password from the file), and the login-failed string (escape the !)
  • once password is found submit in field
  • this displays a new page
  • check response in burp to find HTB flag

misc

0ld is g0ld (10 pts)

  • download zip file
  • unzipping gives a password-protected pdf
  • use pdfcrack to bruteforce password
      pdfcrack -f 0ld\ is\ g0ld.pdf -w /path/to/rockyou.txt
    
  • open pdf with password
  • scroll to bottom and zoom in a lot to find morse code
      .-. .---- .--. ... .- -- ..- ...-- .-.. -- ----- .-. ... ...--
    
  • translate code
      R1PSAMU3LM0RS3
    
  • submit flag (wrap with HTB{})
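The morse translation step above, as an added example that is not part of the original notes: a small decoder with an ITU letter/digit table that turns the string read from the PDF into the flag, marking any misread symbol with '?' instead of silently dropping it (the table and the embedded morse string are constructed here).

```python
import re

# Constructed ITU Morse table for letters and digits (enough for this flag).
MORSE = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z",
    "-----": "0", ".----": "1", "..---": "2", "...--": "3", "....-": "4",
    ".....": "5", "-....": "6", "--...": "7", "---..": "8", "----.": "9",
}

# Morse string as transcribed from the bottom of the PDF in the notes above.
CHALLENGE_MORSE = ".-. .---- .--. ... .- -- ..- ...-- .-.. -- ----- .-. ... ...--"


def decode_morse(code: str) -> str:
    """Decode Morse text.

    One space separates letters; '/' or a run of three or more spaces separates
    words. Symbols not in the table become '?' so a misread dot/dash is visible.
    """
    # Normalise every word separator to a single '/'.
    text = re.sub(r"\s{3,}|\s*/\s*", "/", code.strip())
    words = []
    for word in text.split("/"):
        words.append("".join(MORSE.get(sym, "?") for sym in word.split()))
    return " ".join(words)


def to_flag(decoded: str) -> str:
    """Wrap the decoded text in the HTB{} flag format used by the challenge."""
    return "HTB{" + decoded + "}"


if __name__ == "__main__":
    plain = decode_morse(CHALLENGE_MORSE)
    print(plain)            # R1PSAMU3LM0RS3
    print(to_flag(plain))   # HTB{R1PSAMU3LM0RS3}
```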