Hack The Box is a great platform for hackers/penetration testers to practice and learn with. Their site has a plethora of hacking content including challenges specific to a category of your choosing. This allows you to hone your skills in that specific area to take into the labs or wherever you please. “HDC” is a Web Application hacking challenge and will be the focus of this writeup.

HDC overall was pretty easy, I’ve followed the bug bounty world for a while now and have practiced bug bounty a bit myself. I’m decent at reading web-based source code and that came into play with this challenge.

HDCInfo

HDCDone

Initial Enumeration

I know this is a Web Challenge, and Web Challenges are geared toward honing your web application hacking skills. Since this isn’t a typical machine on the Hack The Box, I skip the normal nmap scan and go straight for Gobuster while I look around on the site.

gobuster dir -u http://docker.hackthebox.eu:31791/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50

HDCGobuster

Gobuster comes up with nothing useful, just some default pages. I haven’t been wasting time however, I’ve been digging into the source code of the login page.

Web Page Enumeration

Here is the login page for HDC:

HDCLoginPage

I threw some SQL injection and username:password credentials into the input fields, but got no leads. Looking into the source code, I can see two .js files:

jquery-3.2.1.js
myscripts.js:

HDCJSFiles

jquery-3.2.1.js was huge, but myscripts.js shows a simple doProcess() function that seemed to be useful. It seems like it was a submission command linked to “formaki”:

HDCdoProcess

I remember seeing “formaki” in the login page source code, and this seems to be a submit function, so I use Inspect Element on the username and password input fields. Here I find two text inputs:

name1
name2

HDCCredentialFields

Going back to the large jquery file, I do a search for name1 and name2 and find some hidden fields containing the credentials needed to authenticate:

HDCCredentials

Once logged in, I look around a bit and immediately see a lead to enumerate email addresses. This is the objective of the challenge, to send an email to “the certain individual who uses this website for shady business”. Once I access the “Mailbox of Special Customers” page, I use Inspect Element again and discover a /secret_area_/ path linked in the HTML:

HDCSecretArea

After accessing /main/secret_area_/, there is a mails.txt file:

HDCMailsTextFile

Inside the mails.txt file, there is a promising list of email addresses that could be used to get the flag:

HDCEmailList

Exploitation

I take note of the email addresses and go to the “Send EMail” page I noticed on the home page, linked right above “Mailbox for Special Customers”:

HDCSendEmailButton

The link leads to a control panel that allows you to send email:

HDCEmailControlPanel

Immediately I open the Burp Suite proxy and intercept the send email request:

HDCBurpRequest

From here I can put the request into Burp Suite’s Intruder, configure the payload, and easily send email to all of the email addresses in the payload:

HDCPayloadOptions

I start the attack, and find the flag in the response from “fishroesalad@mail.com”:

HDFlag

Conclusion

HDC was pretty simple, but a great way to get back into CTFs. I’ve been gone for a while, busy in life with job promotions but still around and learning. My goals are the same and I continue to pursue them. You can find me in the Hack The Box Discord server, or contact me on Twitter @rootcollector.