Hack The Box writeup – Emdee five for life

This challenge was my second challenge to complete on the Hack The Box website under the Web category. It was quite a fun challenge and I had no big issues solving it; it was probably one of the faster ones I have ever solved. It is ranked around easy-medium in difficulty, and I will now go through how I attacked this challenge.

When you first browse to the URL, you are greeted by this website. There is not much to it, but it already gives you a hint of what is needed to complete this challenge. The comment above (Can you encrypt fast enough?) also gives a hint.

Every time you reload the page, the MD5 string changes, and if you simply hash this string by hand and paste the hash into the input field, you get the following message saying you are too slow ☹

Clearly, we need to do this very fast, which is not possible to do by hand. Therefore we need to write a script that can do the following tasks.

  • Open a browser and navigate to the URL
  • Fetch the current MD5 string
  • Hash the string with MD5 (the challenge calls this encrypting, but MD5 is a one-way hash function, not encryption)
  • Send it back to the browser, filling in the input field and pressing the submit button.

Since I was doing this challenge from a Windows 10 machine and my preferred scripting language is PowerShell, I thought I should be able to do all these tasks in PowerShell.

Task #1 – Open IE and browse

I created a new Internet Explorer object and set its visibility to true so I could see what was going on. I then navigated to the URL for the challenge and waited for the page to fully load.

# Start Internet Explorer through COM and keep the window visible
$ie = New-Object -Com InternetExplorer.Application
$ie.Visible = $true
$ie.Navigate("http://157.245.40.149:31826/")
# Wait until the page has finished loading (ReadyState 4 = complete)
while ($ie.Busy -or $ie.ReadyState -ne 4) { Start-Sleep -Milliseconds 100 }

Task #2 – Get latest MD5 to encrypt

I grabbed the MD5 string from the HTML body, where it was sitting inside an H3 tag, making it easy to select from the rest of the source code.

$Doc = $ie.Document.body
$string = $Doc.getElementsByTagName("h3")[0].innerHTML

Task #3 – Encrypt string to MD5

I Googled for a way to encrypt strings to MD5 using PowerShell and found this example below which worked just fine.

$md5 = new-object -TypeName System.Security.Cryptography.MD5CryptoServiceProvider
$utf8 = new-object -TypeName System.Text.UTF8Encoding
$hash = [System.BitConverter]::ToString($md5.ComputeHash($utf8.GetBytes($string)))
$hash = $hash.ToLower() -replace '-', ''

Task #4 – Send back the hashed string and submit

I then found the form input field, added my newly created hash to it and clicked the submit button.

$form = $ie.document.forms[0]
$inputs = $form.GetElementsByTagName("input")
($inputs | where {$_.Name -eq "hash"}).Value = $hash
($inputs | where {$_.type -eq "submit"}).Click() 

When I run this code, it takes about 0.850 seconds to complete, giving me the following result.

(Blurred out the flag so you can find it yourself)

Full code below – MD5forLife.ps1

# Open IE and browse
$ie = New-Object -Com InternetExplorer.Application
$ie.Visible = $true
$ie.Navigate("http://165.232.47.168:32257/")
# Wait until the page has finished loading (ReadyState 4 = complete)
while ($ie.Busy -or $ie.ReadyState -ne 4) { Start-Sleep -Milliseconds 100 }

# Get latest MD5 to encrypt
$Doc = $ie.Document.body
$string = $Doc.getElementsByTagName("h3")[0].innerHTML

# Encrypt string to MD5
$md5 = new-object -TypeName System.Security.Cryptography.MD5CryptoServiceProvider
$utf8 = new-object -TypeName System.Text.UTF8Encoding
$hash = [System.BitConverter]::ToString($md5.ComputeHash($utf8.GetBytes($string)))
$hash = $hash.ToLower() -replace '-', ''

# Send back the hashed string and submit
$form = $ie.document.forms[0]
$inputs = $form.GetElementsByTagName("input")
($inputs | where {$_.Name -eq "hash"}).Value = $hash
($inputs | where {$_.type -eq "submit"}).Click()
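
The fetch-and-hash steps (Task #2 and Task #3) can be checked offline before running the script against the live page. The following is an added example, not part of the original script: the function names Get-Md5Hex and Get-ChallengeString and the sample HTML are assumptions made up for illustration. Unlike the raw innerHTML value used above, it decodes HTML entities and trims whitespace before hashing.

```powershell
# Added example: offline check of the "extract <h3>, hash with MD5" steps.
# Get-Md5Hex and Get-ChallengeString are hypothetical helper names.

function Get-Md5Hex {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Text)
    $md5 = [System.Security.Cryptography.MD5]::Create()
    try {
        # Hash the UTF-8 bytes; a different encoding gives a different digest.
        $bytes  = [System.Text.Encoding]::UTF8.GetBytes($Text)
        $digest = $md5.ComputeHash($bytes)
        # Two lowercase hex digits per byte, no separators.
        return -join ($digest | ForEach-Object { $_.ToString('x2') })
    }
    finally {
        $md5.Dispose()
    }
}

function Get-ChallengeString {
    param([Parameter(Mandatory)][string]$Html)
    # First <h3> element; (?s) lets '.' span newlines, (?i) ignores tag case.
    $m = [regex]::Match($Html, '(?si)<h3\b[^>]*>(.*?)</h3>')
    if (-not $m.Success) { throw 'No <h3> element found in the page.' }
    # innerHTML-style text can carry entities (&amp;) and padding;
    # decode and trim so the bytes hashed match what the page displays.
    return [System.Net.WebUtility]::HtmlDecode($m.Groups[1].Value).Trim()
}

# Constructed sample page (not captured from the challenge).
$sampleHtml = @'
<html><body>
<h1>MD5 encrypt this string</h1>
<h3 align="center"> abc </h3>
<form method="post"><input type="text" name="hash"><input type="submit"></form>
</body></html>
'@

$string = Get-ChallengeString -Html $sampleHtml
$hash   = Get-Md5Hex -Text $string

# RFC 1321 test vector: MD5("abc") = 900150983cd24fb0d6963f7d28e17f72
if ($hash -ne '900150983cd24fb0d6963f7d28e17f72') { throw "Unexpected digest: $hash" }
"{0} -> {1}" -f $string, $hash
```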
