Lernaean Web Challenge — HackTheBox
HackTheBox is one of the best places to sharpen your skills when it comes to practicing real-life penetration testing. Before you start, you must be a registered member of HTB.
First, make your way in by hacking through their registration portal.
Moving on, this is the solution to one of the HackTheBox web challenges, Lernaean by Arrexel.
The challenge is worth 20 points on successful completion.
Before you start the challenge, you need to connect to the HTB servers via VPN. You will find the connection file under the access directory. Once you have downloaded it, run the command below in your terminal.
openvpn YourFile.ovpn
Once connected, go to the web challenges section and click on the dropdown to start the instance. Once the instance has been started, you will get the IP/Domain:Port to access the web challenge.
Open the IP/Domain:Port in your browser.
On opening the Lernaean IP/Domain:Port, we get the administrator login portal.
The page says “do not try to guess my password!”. This is the hint that we need to guess the password. Random passwords do not work here, but a wrong password gives us an error.
The error says “Invalid password!”. Note it down!
Let’s start Burp Suite and see what’s going on behind the scenes. The login is in fact a POST request made to the server. Note it down!
Let’s move on to Hydra and brute-force the password.
So we have successfully found the password. Let’s log into the administrator portal with the password.
Oops! It says we are too slow. That means there is something going on behind the scenes. No issue, we have Burp Suite. Let’s intercept the login request, send it to Repeater and forward the request!
Here we go! Congratulations, we have successfully found the “KEY”. Submit this key to HTB.
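Seen from the server side, the Hydra step above is a burst of POST requests to the login page from one source, each answered with the Invalid password! error, followed by one success. The sketch below is an added example, not part of the original walkthrough, that flags that pattern in an application login log. The log format, the outcome labels "invalid" and "ok", the path "/", the addresses and the thresholds are all assumptions, and the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def parse(line):
    """Parse '<ISO time> <ip> <method> <path> <outcome>' (assumed format)."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    return ts, parts[1], parts[2], parts[4]

def detect_guessing(lines, threshold=5, window=timedelta(seconds=10)):
    """Return (ip, kind, time) alerts; lines must be in time order."""
    recent = defaultdict(deque)   # ip -> times of recent failed POSTs
    flagged = set()               # ips already reported for guessing
    alerts = []
    for ts, ip, method, outcome in filter(None, map(parse, lines)):
        if method != "POST":
            continue
        if outcome == "invalid":
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append((ip, "password_guessing", ts))
        elif outcome == "ok" and ip in flagged:
            # Success from a flagged source: treat the password as compromised.
            alerts.append((ip, "success_after_guessing", ts))
    return alerts

def sample_log():
    """Constructed log lines: one normal user, one source guessing quickly."""
    base = datetime(2024, 1, 1, 10, 0, 0)
    lines = ["2024-01-01T09:59:00 198.51.100.7 POST / invalid",
             "2024-01-01T09:59:30 198.51.100.7 POST / ok",
             "garbage line that should be ignored"]
    for i in range(8):  # eight failures in four seconds from one address
        t = (base + timedelta(milliseconds=500 * i)).isoformat()
        lines.append(f"{t} 203.0.113.5 POST / invalid")
    lines.append("2024-01-01T10:00:05 203.0.113.5 POST / ok")
    return lines

if __name__ == "__main__":
    print(*detect_guessing(sample_log()), sep="\n")
```

The same per-source counter can drive a throttle or lockout in the login handler instead of only raising an alert.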
You have successfully completed your first HTB Web Challenge.
Thanks for reading.