Shockz
SHOCKZ
bash -i >& /dev/tcp/localhost/1337 0>&1

Pentesting & Red Team Lead | Offensive Security Engineer | Developer | Ethical Hacker | HTB & THM Player

Posts about Cybersecurity, CTF's, Ethical Hacking and other projects


Eternal Loop - Hack The Box Challenge

1 minute read

  1 minute read

eternal loop htb

Environment

Kali Linux - So we have John The Ripper, Python3 and wordlists like “rockyou” preinstalated. It could be another distribution like Parrot OS.

Pre-start

So, to get started we have to download the zip from the web.

Automate

Now we can execute the following script, the script will unzip all the zips one inside another, the first zip will unzipped with the passwd ‘hackthebox’ and for the next we discovered that the name of the file inside the zip is the password of the zip itself.

#!/usr/bin/env python3

from zipfile import ZipFile as zp

##Extracting the first zip
zip_file = 'Eternal_Loop.zip'
passwd = 'hackthebox'

with zp(zip_file,"r") as zf:
    zf.extractall(pwd = bytes(passwd, encoding='utf8'))
zf.close()

##Extracting the rest of files, using the file inside as password for the next zip

internal_zip_file = '37366.zip'
passwd_internals = '5900'

while True:
    with zp(internal_zip_file,"r") as zf:
        for name in zf.namelist():
            passwd_internals = name.replace(".zip","")
        
        print(internal_zip_file + " = " + passwd_internals)
        if internal_zip_file == "6969.zip":
            print("The last file is: " + internal_zip_file + " with file: " + passwd_internals)
            break
        zf.extractall(pwd = bytes(passwd_internals, encoding='utf8'))
        internal_zip_file = passwd_internals + ".zip"
        zf.close()

Running..

eternal loop htb 1

When the script finish, we’ll see this output:

The last file is: 6969.zip with file: DoNotTouch

Cracking

Now, after we check that we dont know the password of this zip, we’ll need to crack it, I’ll use John The Ripper:

To get the hash, use zip2john:

zip2john 6969.zip > htb.hash

And to get the hash cracked i’ll use the wordlist “rockyou”, if you are using kali you’ll find this file in the route used in the command:

john htb.hash --wordlist=/usr/share/wordlists/rockyou.txt

eternal loop htb 2

It only remains to unzip the file.

The file will be “DoNotTouch”, if we check what type of file it is..

file DoNotTouch

Output:

DoNotTouch: SQLite 3.x database, last written using SQLite version 3021000

Reading the database

So, we open the file with a SQLite Reader, we browse the datasheets until we got the flag.

eternal loop htb 3