HackTheBox Web Challenges Grammar
For any HackTheBox challenge, you first need to look for files that can be downloaded, or start an instance with a given port on docker.hackthebox.eu. For any zip file, the first password is always hackthebox.
So, I started the instance and got a port that I can access on host: docker.hackthebox.eu, port: 30306
HackTheBox challenges often contain clues that can really help in understanding what needs to be done. For web challenges, always intercept requests via Burp Suite.
So, in this challenge we are told:
When we access this page we get a Forbidden error. However we believe that something strange lies behind... Can you find a way in and retrieve the flag?
So, when I browsed to the website docker.hackthebox.eu:30306, a Forbidden page appeared. Then I used Burp Suite as a proxy on 127.0.0.1, port 8080, to intercept the request. I got the request shown below:

Now, I sent this request to Repeater and changed the methods/directories, and found that if I change "GET" to "POST" and change the directory from "/" to "/index.php", a Set-Cookie parameter is generated. Then I checked its encryption and it was Base64.
After this, I decoded the ses and found the following:
{"User":"whocares","Admin":"False","MAC":"ff6d0a568d61e5a03bcdb04509d5885d"}

Now, I changed Admin to true, as it tells me to log in through an admin account, but still didn't get the flag. Then, I changed the MAC value to zero:
{"User":"whocares","Admin":"False","MAC":0}
I encoded it with Base64 and finally found the HTB flag.
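An added example, not part of the original post and not the challenge's server code: a Python sketch of how a server could verify this cookie format so that a non-string MAC such as 0 is rejected. The key, the HMAC construction and all function names are assumptions; `coercing_eq` is a simplified model of a type-coercing comparison (as in PHP 7's `==`), which is one way a numeric MAC could end up being accepted.

```python
import base64, hashlib, hmac, json, re

KEY = b"constructed-demo-key"  # assumption: server-side secret, constructed for this example
PAGE_MAC = "ff6d0a568d61e5a03bcdb04509d5885d"  # MAC value shown in the decoded cookie above

def mac_for(user, admin):
    # Hypothetical MAC scheme; the page does not show how the real MAC is derived.
    return hmac.new(KEY, f"{user}|{admin}".encode(), hashlib.sha256).hexdigest()

def encode_cookie(obj):
    return base64.b64encode(json.dumps(obj, separators=(",", ":")).encode()).decode()

def coercing_eq(a, b):
    # Simplified model of a loose int/string comparison: the string is cast to
    # its leading integer prefix, so a string starting with a letter becomes 0.
    def to_int(s):
        m = re.match(r"\s*[+-]?\d+", s)
        return int(m.group()) if m else 0
    if isinstance(a, int) and isinstance(b, str):
        return a == to_int(b)
    if isinstance(a, str) and isinstance(b, int):
        return to_int(a) == b
    return a == b

def verify_strict(cookie):
    # Reject anything that is not well-formed Base64 + JSON with the three fields.
    try:
        c = json.loads(base64.b64decode(cookie, validate=True))
        user, admin, mac = c["User"], c["Admin"], c["MAC"]
    except (ValueError, KeyError, TypeError):
        return False
    # Type check first: a numeric or boolean MAC never reaches the comparison.
    if not all(isinstance(v, str) for v in (user, admin, mac)):
        return False
    # Constant-time, type-strict comparison against the recomputed MAC.
    return hmac.compare_digest(mac.encode(), mac_for(user, admin).encode())

if __name__ == "__main__":
    tampered = encode_cookie({"User": "whocares", "Admin": "False", "MAC": 0})
    print("coercing compare accepts 0:", coercing_eq(0, PAGE_MAC))
    print("strict verifier accepts 0: ", verify_strict(tampered))
```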
Please share your comments, and if you enjoyed this blog post, share it with a friend! See you guys in the next post soon.