Emdee five for life

$ nikto -h 159.65.18.5:30496
+ Server: Apache/2.4.18 (Ubuntu)
+ Cookie PHPSESSID created without the httponly flag
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a differ
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7917 requests: 0 error(s) and 8 item(s) reported on remote host
$ dirb http://159.65.18.5:30496
---- Scanning URL: http://159.65.18.5:30496/ ----
+ http://159.65.18.5:30496/index.php (CODE:200|SIZE:388)
+ http://159.65.18.5:30496/server-status (CODE:403|SIZE:302)

http://159.65.18.5:30496/
The page says "MD5 encrypt this string" and shows a random 20-character string, for example:
0v0qmpt4P3TmZwRmkrKZ
$ echo 0v0qmpt4P3TmZwRmkrKZ|md5deep
9570a6453244345e1fe2f83bae28645a
Pasting this into the form just gets "Too slow!": the string is tied to the PHPSESSID cookie and has to be answered within a short window, and a human cannot copy, hash and submit fast enough. (Note also that echo appends a newline, so the digest above is of the string plus "\n"; use echo -n or printf '%s' to hash the bare string.) So we have to write a script:

Viewing the page source shows the form POSTs a single field named hash:
<input type="text" name="hash" placeholder="MD5" align='center'></input>
</br>
<input type="submit" value="Submit"></input>
Here is the Python code (initially coded in bash, but that was too slow). The target IP:port changes each time the instance is spawned, which is why the url below differs from the scan above; update it accordingly:
emdee.py
#!/usr/bin/python3

import requests
import hashlib
import re

# Per-instance target; changes on every spawn.
url="http://138.68.182.108:30325"

# A session keeps the PHPSESSID cookie, so the POST answers the same challenge
# string the GET was served.
r=requests.session()
html=r.get(url)
#print("0:", html)
#print("1:", html.text)
# Regex notes: ^ $ start and end, . single char, [np] group of chars,
# * match 0 or more, ? match 0 or one, + match 1 or more,
# {n} exactly n times, {n,} at least n times, {,m} at most m times, {n,m} from n to m
# The page looks like:
# <h1 align='center'>MD5 encrypt this string</h1><h3 align='center'>NBXTWCmrlBUn10SDN92K</h3><p align='center'>Too slow!</p><center><form action="" method="post">
# Capture the string between the <h3> tags with one non-greedy group.
m=re.search(r"<h3 align='center'>(.*?)</h3>",html.text)
if m is None:
    raise SystemExit("challenge string not found in page:\n"+html.text)
inputstr=m.group(1).strip()
#print("2:", inputstr)
#VGGLKcugAoAkz1U3cO8G
# Hash the bare string: no trailing newline, unlike echo | md5deep.
md5str = hashlib.md5(inputstr.encode('utf-8')).hexdigest()
#print("3:", md5str)
#print("sending md5 :-{}".format(md5str))
# The form field is named 'hash'; POST it in the same session.
data={'hash': md5str}
flag = r.post(url = url, data = data)
print(flag.text)

emdee5.py
#! /usr/bin/env python

from __future__ import print_function
import requests
import re
import hashlib
import os

# Optionally route the requests through Burp Suite to inspect them; requests
# honours the proxy environment variables.
#---------------------------------------------------------------------------------
#  proxy = '127.0.0.1:8080'

#  os.environ['http_proxy'] = proxy
#  os.environ['HTTP_PROXY'] = proxy
#  os.environ['https_proxy'] = proxy
#  os.environ['HTTPS_PROXY'] = proxy

# GET the initial page that carries the string to hash. We use a session so the
# PHPSESSID cookie is kept and the POST answers the same challenge.
#---------------------------------------------------------------------------------
url = "http://138.68.182.108:30325"

req = requests.session()
page = req.get(url)
text = page.text
print(text)

# Pull the challenge string out of the HTML with a regex; the pattern comes from
# reading the whole page first.
#---------------------------------------------------------------------------------
x = re.findall("<h3 align='center'>(.*)</h3>", text)[0]
x = x.rstrip()

print("hash: " + x)

# MD5 the supplied string and POST the hex digest as the 'hash' field in the
# same session.
#---------------------------------------------------------------------------------
emd5 = hashlib.md5(x.encode('utf-8')).hexdigest()

print("md5sum: " + emd5)

payload = dict(hash=emd5)
print(payload)
response = req.post(url=url, data = payload)

# The answer page carries the flag in a <p>; if the round trip took too long the
# same <p> holds "Too slow!" instead, so check what gets printed.
#---------------------------------------------------------------------------------
# print(response.text)
flag = re.findall("<p align='center'>(.*)</p>", response.text)[0]
print("flag: " + flag)

Running emdee5.py prints the page it fetched, then the string, its digest, the POST payload and the flag:
<html>
<head>
<title>emdee five for life</title>
</head>
<body style="background-color:powderblue;">
<h1 align='center'>MD5 encrypt this string</h1><h3 align='center'>7g5aN5ucOhiBzAVXU9WJ</h3><center><form action="" method="post">
<input type="text" name="hash" placeholder="MD5" align='center'></input>
</br>
<input type="submit" value="Submit"></input>
</form></center>
</body>
</html>

hash: 7g5aN5ucOhiBzAVXU9WJ
md5sum: 732d950656864a4464f8ba0543d01d6c
{'hash': '732d950656864a4464f8ba0543d01d6c'}
flag: HTB{N1c3_ScrIpt1nG_B0i!}