HackTheBox – Emdee five for life Write-up

Dear readers,

Today’s post is on the “Emdee five for life” challenge which is a web challenge. The challenge was created on 22nd May 2019. It is a very basic challenge so the write-up will be quite short. Let’s dive right into the write-up.

Fig 1. Emdee five for life challenge on HackTheBox

Files provided

No files are provided, so we have to go directly to the challenge’s website to take a look.

Website outlook

When we first access the website, this is the view presented to us.

Fig 3. Outlook of the website

Analysis done

Just as the hint in the challenge description (Fig 1) states, the website requires us to quickly submit the MD5 hash of the string given to us. If we submit it too slowly, a “too slow” message is returned, as shown in Fig 4a. Every time we refresh the page, the string changes. Hence, the only way to solve this is to script the process: get the string from the page, hash it, and submit the hash. I will be using Python3 for the script. However, before writing it, a few things need to be checked, such as whether the hash is submitted in a POST or GET request, the parameter name of the text box for the hash, etc.

Fig 4a. Slow message shown to us

When inspecting the element in the browser, we can see that the form is submitted with a POST request and that, after the hash is submitted, it stays on the same page (see the blue underlines in Fig 4b). Besides that, we know that the name of the parameter carrying the hash in the POST request is “hash” (see the red underline in Fig 4b). Finally, to obtain the string from the page, we can look up the “h3” tag with the BeautifulSoup library in Python to find the element of the HTML content we need.

Fig 4b. Inspecting HTML content of the page

Note that the cookie is important when submitting the hashed string, as the server needs the session ID to know which string it sent to us and at what time it sent it. This way, it can tell whether we submitted the correct MD5 hash of that string, and whether we submitted it quickly enough to pass its condition. Fig 4c shows that the cookie given to us is a session ID.

Fig 4c. The cookie given to us is a session ID
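
The session-bound check described above can be modelled offline. This is an added example, not code from the challenge or from the original script: a toy server in which the `ChallengeModel` class, the 1-second `TIME_LIMIT` and the result strings are all assumptions, showing why a fast submission with the cookie passes while a slow one, or one without the cookie, does not.

```python
import hashlib
import secrets
import string

TIME_LIMIT = 1.0  # seconds; assumed, the page does not state the real limit
ALPHABET = string.ascii_letters + string.digits

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

class ChallengeModel:
    """Toy model of the server: one pending string per session ID."""

    def __init__(self, clock):
        self.clock = clock   # injectable time source, so no real waiting is needed
        self.pending = {}    # session ID -> (string, time it was issued)

    def get_page(self, session_id=None):
        """GET: open a session if needed, issue a fresh string, note the time."""
        session_id = session_id or secrets.token_hex(16)
        challenge = "".join(secrets.choice(ALPHABET) for _ in range(20))
        self.pending[session_id] = (challenge, self.clock())
        return session_id, challenge

    def post_hash(self, session_id, submitted):
        """POST: find the string by session ID, then check the hash and the delay."""
        if session_id not in self.pending:
            return "no session"   # cookie missing: nothing to compare against
        challenge, issued_at = self.pending.pop(session_id)  # each string is single use
        if submitted != md5_hex(challenge):
            return "wrong"
        if self.clock() - issued_at > TIME_LIMIT:
            return "too slow"
        return "flag"

def run_scenarios():
    now = [0.0]                                   # constructed clock, in seconds
    server = ChallengeModel(clock=lambda: now[0])
    results = {}
    for name, delay, send_cookie in [("scripted", 0.05, True),
                                     ("by hand", 5.0, True),
                                     ("cookie dropped", 0.05, False)]:
        session_id, challenge = server.get_page()
        now[0] += delay                           # time spent before submitting
        cookie = session_id if send_cookie else None
        results[name] = server.post_hash(cookie, md5_hex(challenge))
    return results

if __name__ == "__main__":
    print(run_scenarios())
```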

Below is the Python3 script that gets the string, hashes it, and submits it along with the session cookie.

from bs4 import BeautifulSoup
import hashlib
import requests

# extract the string that the page asks us to submit as an MD5 hash
def get_string(html_in_text):
    soup = BeautifulSoup(html_in_text, "html.parser")

    # the string to hash is the text of the <h3> element on the page
    return soup.find("h3").text

# URL to the challenge's website
url = "http://46.101.33.243:31997/"

# get the HTML content of the page
response = requests.get(url)
# get the string in the page that we need to hash
string_in_page = get_string(response.text)
# hash the string we obtained from the webpage
hashed_string = hashlib.md5(string_in_page.encode()).hexdigest()
# keep the session cookie so we can attach it when sending the MD5 hash via POST request later
cookies = response.cookies.get_dict()

# build the POST form data carrying the hash of the given string
post_data = {'hash' : hashed_string}
# submit the hash in a POST request with the cookie from the first response
response = requests.post(url, cookies=cookies, data=post_data)

# the returned page should contain the flag
print(response.text)

## HTML example of the page
# <html>
# <head>
# <title>emdee five for life</title>
# </head>
# <body style="background-color:powderblue;">
# <h1 align='center'>MD5 encrypt this string</h1><h3 align='center'>me0GDEDNG5Tu4T5Ulpme</h3><center><form action="" method="post">
# <input type="text" name="hash" placeholder="MD5" align='center'></input>
# </br>
# <input type="submit" value="Submit"></input>
# </form></center>
# </body>
# </html>

Flag obtained

Sometimes, depending on your internet connection speed, the submission may still be too slow to obtain the flag, and the too-slow message will be returned instead. Try it a few times and the page with the flag will be returned to you. Below is the HTML content with the flag, as printed by the Python3 script.

<html>
<head>
<title>emdee five for life</title>
</head>
<body style="background-color:powderblue;">
<h1 align='center'>MD5 encrypt this string</h1><h3 align='center'>OnV3Gee3B9IxGYmjwzXo</h3><p align='center'>HTB{N1c3_ScrIpt1nG_B0i!}</p><center><form action="" method="post">
<input type="text" name="hash" placeholder="MD5" align='center'></input>
</br>
<input type="submit" value="Submit"></input>
</form></center>
</body>
</html>

Flag: HTB{N1c3_ScrIpt1nG_B0i!}

I hope this post has been helpful to you. Feel free to leave any comments below. You may also send me some tips if you like my work and want to see more of such content. Funds will mostly be used for my milk tea addiction. The link is here. 🙂
