Bits and Bytes Security

Hack The Box / Challenges / Web / Emdee

I think this one was the easiest. I don't think it is actually a web challenge; instead it is a scripting challenge.

We see from the front page that a string is provided; we have to MD5-hash it and then make a POST request with the hash. If we're quick enough to submit the hash before the string changes, it will give us the flag. Making a bunch of requests in sequence shows that the string remains for only a short period of time, like 2 seconds.

I made the following Python 3 script to solve it.

	#!/usr/bin/env python3
	import requests
	import re
	import hashlib

	url = "http://docker.hackthebox.eu:51334"
	# One session, so the POST carries the same cookies as the GET
	s = requests.Session()
	req = s.get(url)

	# The sixth line of the page holds the <h1> caption and the <h3> string
	t = req.text.split('\n')[5]

	# First match is the caption, second match is the string to hash
	regexp = re.compile(r"center'>([^<]*)")
	matches = regexp.findall(t)
	payload = matches[1]

	# Hex MD5 digest of the string
	m = hashlib.md5()
	m.update(payload.encode('utf-8'))
	md5 = m.hexdigest()

	print("md5(%s) = %s" % (payload, md5))

	# Submit the digest in the form's 'hash' field
	data = {'hash': md5}
	req = s.post(url, data=data)

	print(req.text)

Running will give us:

	$ python3 solve.py 
	md5(LAy3AtGYByKR6Ylc6rkp) = 1a5bed4c898a16c41e7d8bcf7b3adfe2
	<html>
	<head>
	<title>emdee five for life</title>
	</head>
	<body style="background-color:powderblue;">
	<h1 align='center'>MD5 encrypt this string</h1><h3 align='center'>LAy3AtGYByKR6Ylc6rkp</h3><p align='center'>HTB{N1c3_ScrIpt1nG_B0i!}</p><center><form action="" method="post">
	<input type="text" name="hash" placeholder="MD5" align='center'></input>
	</br>
	<input type="submit" value="Submit"></input>
	</form></center>
	</body>
	</html>

That’s it. No black magic thinking needed in this one.
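The script above picks the string out by line index and regex match position, which breaks as soon as the page layout shifts. The following is an added example, not part of the original write-up, that does the extraction with the standard library's HTML parser and fails loudly when the page is not as expected. The names `H3Text`, `extract_challenge`, `build_form` and `SAMPLE_PAGE` are hypothetical, and it assumes the string is the only `<h3>` on the page, as in the output shown above.

```python
import hashlib
from html.parser import HTMLParser

# Constructed sample: a trimmed copy of the page markup shown in the output
# above, without the flag paragraph.
SAMPLE_PAGE = (
    "<html>\n<body style=\"background-color:powderblue;\">\n"
    "<h1 align='center'>MD5 encrypt this string</h1>"
    "<h3 align='center'>LAy3AtGYByKR6Ylc6rkp</h3>\n"
    "<form action='' method='post'><input type='text' name='hash'></form>\n"
    "</body>\n</html>"
)


class H3Text(HTMLParser):
    """Collects the text of every <h3> element, wherever it sits in the page."""

    def __init__(self):
        super().__init__()
        self.in_h3 = False
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag == "h3":
            self.in_h3 = True
            self.found.append("")

    def handle_endtag(self, tag):
        if tag == "h3":
            self.in_h3 = False

    def handle_data(self, data):
        if self.in_h3:
            self.found[-1] += data


def extract_challenge(html):
    """Return the challenge string, or raise if the page is not as expected."""
    parser = H3Text()
    parser.feed(html)
    candidates = [t.strip() for t in parser.found if t.strip()]
    if len(candidates) != 1:
        raise ValueError("expected exactly one <h3> string, got %d" % len(candidates))
    return candidates[0]


def build_form(html):
    """Build the POST body: the hex MD5 digest in the form's 'hash' field."""
    digest = hashlib.md5(extract_challenge(html).encode("utf-8")).hexdigest()
    return {"hash": digest}
```

In the solver, `build_form(req.text)` would replace the `split`, regex and `hashlib` steps, and the result is passed to `s.post(url, data=...)` unchanged.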