Hackthebox.gr Virtual Lab (FREE)

hacking
pentesting

(demontwozero) #1

I started this thread for anyone else interested in pwning this network. if you’re able to get passed the log in page you will have access to the rest of the network.

I’m still trying to get passed the log in page myself. I just found out about this site. Feel free to join in on the discussion and post your feedback or tutorials here.


Please help on "hackthebox" challenge
#2

Interesting, Just took a look at it, so far so easy lol. The login box is a piece of cake. Perhaps you should check how it verify’s the codes :wink:


(Constantly Learning) #3

That was actually a very nice tip :smiley:


(Ne0_) #4

Lol. All this obfuscation and all you had to do was call a function
:smiley:

Took me about 30 minutes to figure that out. Should have been less.


(Constantly Learning) #5

never mind my previous comment… how does one create spoiler text?


(The C# Dude) #6

[spoiler] Text to hide [/spoiler]


(exploit) #7

It isn’t that hard ^.^
Here’s how:

When we enter to register, we can see that it asks for invite-code…
Let’s see the source:


Uhmm… This one seems interesting, when we enter it we get:

Ohh obsfucated…
I’ll use jsbeautifier.org:

So, there are two functions, one to check, and to generate!
we’ll focus on the generate one…
So it creates a request of type POST to: https://www.hackthebox.gr/api/invite/generate
With this in Postfields: dataType=json
Awesome, let’s try to send a request like that and see the result…

We got code!
let’s decode that base64 :smiley:
HQDRA-HDMXN-WRZEC-RCEYA-XURMM
And here we go, we got our registration code :slight_smile:

Hope it helped, if you got stuck in the registration of course!


#8

Hi ,

I am not able to generate the code . I found the function and executed in the console. But it always gives me the error - ‘In order to generate the invite code, make a POST request to /api/invite/generate’

can any one help.

In the function its taking the url as ‘url: ‘/api/invite/how/to/generate’’ . But i am getting the error message as the above.



(exploit) #9
  • Use Hackbar ( a mozilla add-on ), which i think you will like…

https://addons.mozilla.org/en-US/firefox/addon/hackbar/

Or, just a programming language… ( Javascript used as an example… )

function send_post(){
	var url = "https://www.hackthebox.gr/api/invite/generate";
	var postdata = {'dataType':'json'};
	var request = new XMLHttpRequest();
	request.open("POST", url, 1);
	request.send(postdata);
	request.onreadystatechange = function(){
		if( request.readyState == 4 ){
			var response = JSON.parse(request.responseText);
			var encrypted = response.data.code;
			var format = response.data.format;
			if( format == "encoded" ){
				var decrypted = atob(encrypted);
			}else{
				var decrypted = encrypted;
			}
			alert(decrypted);
		}
	}
}
send_post();

Run it in console, and you will get your registration code :smile:!


(thomas) #10

After to get access to hackthebox i saw some interesting challenges. If i get sucess in some i’ll to expose it here.


(Sergeant Sploit) #11

I think you should read the rules for members creating tutorials on exploiting machines in the network. It ain’t friendly :stuck_out_tongue_winking_eye:


(Community & PR manager) #12

Well look at that, Our sergeant is still alive!

It has been a while old friend. Where did you go?


(Sergeant Sploit) #13

I’m always around watching you and watching them. A lot of personal work, busy revamping my old website and learning a lot so pretty occupied lately.


(syanide) #14

was easy , to crack the login haha but must try


(DamaneDz) #15

IP: 10.10.10.6
Hostname: Popcorn

WalkThrough Video:

http://www.mediafire.com/file/j2dl6c6d62c7qlr/popcorn_user.rar

Compressed With Winrar


(Security Architect & Founder) #16

I would strongly recommend uploading to YouTube, or Vimeo, or even to 0x0.st. So that people can stream it.


(DamaneDz) #17

I Have a Bad Net 512 kb/s so if anyone can do that i’ll edit my post am so sorry !


#18

I’m uploading it on vid.me because I don’t have Youtube and Vimeo doesn’t accept custom emails, I will edit this post when is done!

EDIT: @DamaneDz, there is the video: https://vid.me/wLa3


(DamaneDz) #19

(demontwozero) #20

I’m glad to see so many people having fun with this. I know i am. I created this thread before i read the rules regarding discussing the lab. Too late now.