Hack the Box - Emdee Five For Life Challenge - Walkthrough
Introduction
Today we're going to be doing a CTF challenge walkthrough of the Emdee Five for Life challenge hosted at https://app.hackthebox.eu/challenges/67. Emdee Five for Life is a cryptography and scripting challenge. For this walkthrough, we'll be using a Kali Linux virtual machine as our attacking system. After starting the challenge instance, we find that the associated URL is http://139.59.178.146:30204/. The challenge's description is as follows:
CHALLENGE DESCRIPTION
Can you encrypt fast enough?
Initial Enumeration
From the challenge name and description, we can guess that MD5 hashing (which the challenge calls encryption) will play a part in completing the challenge. Let's visit the challenge URL:
We can copy the string, then use the md5sum command to return the MD5 hash of the string:
echo -n "dc4YGQyrs6q9BsIAituO" | md5sum
Then we copy the output of the command and submit it to the web form, which results in this:
We know that we will receive a random string from the web app each time we access the page, and that we're required to hash the string and post the hash to the page within a limited time. To solve this challenge, we will write a Python script that requests the page, hashes the string, then sends the hash in an HTTP POST request.
Before we construct our Python script, let's determine what variable we're sending in our POST request using BurpSuite:
Our POST variable is called hash. Next we determine what is returned to us when we send a GET request to this page, also using BurpSuite:
Now that we have this information, we can start crafting our Python script. Our Python script will include the following modules:
Requests - Because we're going to be making HTTP requests.
Hashlib - Because we're going to be doing the MD5 hashing.
Re - Because we're going to be manipulating strings.
Our finished script looks like this:
#!/usr/bin/env python3
import hashlib
import requests
import re
# module variables
m = hashlib.md5
r = requests.session() # one session, so the GET and the POST share the same cookies
# other global variables
url = "http://138.68.182.108:31171/"
request_output = ""
# defining our cleanUp function
def Strip_To_String(request_output):
    pattern = re.compile('<.*?>') # prep variable for next method
    return re.sub(pattern, '', request_output) # strips out all the HTML tags
# request the webpage
req_get = r.get(url) # prep variable for next method
request_output = req_get.content.decode('utf-8') # saving GET request to variable
# strip out all info except for the random string
organized_output = Strip_To_String(request_output) # strips out HTML tags on request_output
split_output = organized_output.split('string')[1] # splits text after the word 'string', then returns only the latter half
raw_string = split_output.rstrip() # removes white space left in split_output
# compute the MD5 hash of the random string
md5string = m(raw_string.encode('utf-8')).hexdigest() # encodes the raw_string into utf-8, then converts it to an MD5 hex digest.
# send the hash as an HTTP POST request
data = dict(hash=md5string) # dictionary to be sent in POST request
req_post = r.post(url=url, data=data) # sends an HTTP POST request to the server with the MD5 hex digest as data.
# receive response from web-server
print(req_post.text) # prints the HTTP response from the web-server
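The parse-and-hash step can be checked offline before pointing the script at a live instance. The block below is an added example, not part of the original script: it replaces the regex-and-split extraction with an HTML parser that reads only the first `<h3>` element. The sample markup is constructed, and the names `SAMPLE_PAGE`, `TokenParser`, `extract_token` and `md5_hex` are hypothetical.

```python
import hashlib
from html.parser import HTMLParser

# Constructed sample of the challenge page. The markup is an assumption:
# a heading ending in the word "string", then the token in an <h3>.
SAMPLE_PAGE = (
    "<html><body><h1 align='center'>MD5 encrypt this string</h1>"
    "<h3 align='center'>dc4YGQyrs6q9BsIAituO</h3>\n"
    "<form method='post'><input type='text' name='hash'>"
    "<input type='submit' value='Submit'></form></body></html>\n"
)


class TokenParser(HTMLParser):
    """Collects the text of the first <h3> element only."""

    def __init__(self):
        super().__init__()
        self._in_h3 = False
        self.token = None

    def handle_starttag(self, tag, attrs):
        if tag == "h3" and self.token is None:
            self._in_h3 = True

    def handle_endtag(self, tag):
        if tag == "h3":
            self._in_h3 = False

    def handle_data(self, data):
        if self._in_h3 and self.token is None:
            self.token = data.strip()


def extract_token(page: str) -> str:
    parser = TokenParser()
    parser.feed(page)
    if not parser.token:
        raise ValueError("no <h3> token found in page")
    return parser.token


def md5_hex(text: str) -> str:
    # MD5 is a hash, not encryption; the digest covers every byte given,
    # so a stray newline yields a different value (hence `echo -n`).
    return hashlib.md5(text.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    print(md5_hex(extract_token(SAMPLE_PAGE)))
```

Unlike splitting on the word 'string', this extraction does not depend on what text follows the token or on the token's own contents.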
Running the Script
Running the script results in this:
python3 MD5_4_Lyfe.py
The resulting flag is this:
HTB{N1c3_ScrIpt1nG_B0i!}
Summary
This challenge required us to navigate to a webpage, hash a string provided on the page, then submit the hash as a POST request to the webserver. The whole process must be done in a very short timeframe in order to receive our objective flag string. After determining the format of the HTTP GET and POST requests involved, we were able to create a Python script that handles the required tasks quickly, which caused the web app to return our desired flag string.
Finish