Note to fellow-HTBers: Only write-ups of retired HTB machines or challenges are allowed.
Challenge info
Emdee five for life [by L4mpje]
Can you encrypt fast enough?
The challenge
When visiting the web page, you are greeted with a simple string and the instruction to enter the MD5 hash of said string.
So I opened up a command terminal to calculate the MD5 hash of this string.
    $ python
    Python 2.7.16+ (default, Jul 8 2019, 09:45:29)
    [GCC 8.3.0] on linux2
    Type "help", "copyright", "credits" or "license" for more information.
    >>> import hashlib
    >>> print hashlib.md5("whatever your string is").hexdigest()
    855f938d67b52b5a7eb124320a21a139

Entering the resulting MD5 hash into the form results in a rather insulting message, calling me “too slow”, and a new string is given.
This calls for automation!
I open up the tool present in any web app pentester’s set: Burp Suite.
Note that the free version suffices to beat this challenge.
Activate the proxy, set up the browser to use this proxy and capture the POST request in which you submit anything.
Send this request to the Intruder module.
Set the payload position to the value of the
The payload type will be Recursive grep; the extract grep will be defined in the Options tab.
Make sure you set Payload Processing to
Under the Options tab, we define the grep extraction rule with which we’ll capture the string to be hashed. Define the grep rule as From [<h3 align='center'>] to [</h3].
We’ll also set a grep match rule which will help us later. Set a flag for
Launching the attack, you’ll notice some requests don’t have a flag for “Too slow!”. These are the ones in which Intruder was quick enough to calculate and submit the MD5 hash of the string. Especially with the free version, which is throttled, you might need to wait for a few requests before pausing the attack.
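The recursive extract, hash and submit loop described above can be replayed offline, as an added example that is not part of the original write-up. The `ToyChallenge` server, its time limit, its response messages other than “Too slow!” and the form field name `hash` are constructed assumptions; only the `<h3 align='center'>` delimiters and the “Too slow!” flag come from the page.

```python
import hashlib
import re
import secrets

# Delimiters taken from the grep extract rule in the write-up.
H3_RE = re.compile(r"<h3 align='center'>(.*?)</h3", re.S)

class ToyChallenge:
    """Constructed stand-in for the challenge server (assumed behaviour):
    every response embeds a fresh string, and its MD5 must come back within
    `limit` seconds. Time is passed in explicitly to keep the demo deterministic."""

    def __init__(self, limit=0.5):
        self.limit, self.current, self.issued_at = limit, None, None

    def page(self, now, message=""):
        self.current = secrets.token_hex(10)
        self.issued_at = now
        return (f"<html><h3 align='center'>{self.current}</h3>"
                f"<p align='center'>{message}</p></html>")

    def submit(self, form, now):
        expected = hashlib.md5(self.current.encode()).hexdigest()
        if form.get("hash") != expected:      # "hash" is a hypothetical field name
            return self.page(now, "Wrong!")
        if now - self.issued_at > self.limit:
            return self.page(now, "Too slow!")
        return self.page(now, "OK")

def extract_challenge(html):
    """Same job as the grep extract rule: the text between the two delimiters."""
    m = H3_RE.search(html)
    if m is None:
        raise ValueError("challenge string not found in response")
    return m.group(1)

def answer(html):
    """Build the form body: MD5 of the string found in the previous response."""
    return {"hash": hashlib.md5(extract_challenge(html).encode()).hexdigest()}

def run(delays, limit=0.5):
    """Replay the loop; returns one 'Too slow!' flag per request, like the grep match."""
    server, now, results = ToyChallenge(limit), 0.0, []
    html = server.page(now)
    for delay in delays:
        now += delay                          # time spent producing the answer
        html = server.submit(answer(html), now)
        results.append("Too slow!" in html)
    return results
```

Calling `run([0.01, 0.01, 30.0, 0.01])` flags only the third request, the one answered at human speed, which is the same pattern the grep match column shows in Intruder.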
Yet again a nice challenge by L4mpje!