HackTheBox Web HDC Challenge

Challenge By : Thiseas

Challenge Description : We believe a certain individual uses this website for shady business. Can you find out who that is and send him an email to check, using the web site's functionality?
Note: The flag is not an e-mail address. 

Points : 30

Author : Rehman S. Beg (HTB Profile : MrReh )


Let's start the instance and open the page; we see the login page.

Let's look at the source code; here we see a script tag.

In jquery-3.2.1.js, we see that the function doProcess() contains hidden credentials.
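From the site owner's side, this kind of finding is something a pre-deployment audit can catch. The script below is an added example, not code from the challenge or from this write-up: it scans a script served to the browser for string literals wired into form fields or credential-like variables. The sample source, its field names and the placeholder values are constructed.

```javascript
// Added example: flag hardcoded values in a script served to the browser.
// SAMPLE is constructed for illustration; it is not the challenge's file.
const SAMPLE = `function doProcess() {
  var form = document.createElement("form");
  var user = document.createElement("input");
  user.setAttribute("name", "username");
  user.setAttribute("value", "EXAMPLE_USER");
  var pass = document.createElement("input");
  pass.setAttribute("name", "password");
  pass.setAttribute("value", "EXAMPLE_PASSWORD");
  form.append(user, pass);
  form.submit();
}`;

// Each rule captures a non-empty string literal placed where a value
// typed by the user is expected.
const RULES = [
  { kind: "setAttribute-value",
    re: /\.setAttribute\(\s*["']value["']\s*,\s*(["'])(.+?)\1\s*\)/ },
  { kind: "value-assignment",
    re: /\.value\s*=\s*(["'])(.+?)\1/ },
  { kind: "credential-variable",
    re: /\b(?:var|let|const)\s+\w*(?:pass|pwd|secret|token)\w*\s*=\s*(["'])(.+?)\1/i },
];

// Returns one finding per matching rule per line: { line, kind, literal }.
function findHardcodedValues(source) {
  const findings = [];
  source.split("\n").forEach((text, i) => {
    for (const { kind, re } of RULES) {
      const m = re.exec(text);
      if (m) findings.push({ line: i + 1, kind, literal: m[2] });
    }
  });
  return findings;
}

console.log(findHardcodedValues(SAMPLE));
```

Run it over every file under the web root, vendored libraries included, since a modified copy of a well-known library is easy to overlook in review.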

After using those creds, we pass the login screen and are redirected to a new page.

Now let's find the email address. Under Main Tasks > Mailbox of Special Customers, read the source code.

My Firefox browser does not support their frames, so we can't see what is in the frames. Request that page again in Burp Suite and we can clearly see the information from that page.

Here we see the path “secret_area_”. Let's check whether there is something more there; it shows two files, mails.gif and mails.txt.

In mails.txt we see a list of mail addresses.

After some tries we find the correct mail address. Let's go back to the main page and send the mail to grab the flag.

FLAG : “HTB{FuckTheB3stAndPlayWithTheRest!!}”
