write-ups and what not

HDC [WEB] (30 pts)


We believe a certain individual uses this website for shady business. Can you find 
out who that is and send him an email to check, using the web site's functionality?

Note: The flag is not an e-mail address.


Login Page

  • Landing Page:

    HDC Home

  • Input Form (Page Source):

    <form id='formaki' name='formaki' action="./main/index.php" method="post">
      <p align="center">Enter Username / Password
        <input type="text" name="name1" size="20">
        <input type="text" Name="name2" size="20">
      <p align="center">
        <input type="hidden" value= name="name1">
        <input type="hidden" value= name="name2">
        <input type="button" value="Submit" onclick="doProcess()"/>
    1. The form submission is handled by a function doProcess().
      • onclick= is always referenced to a JS script
    2. There are two hidden inputs – name1 and name2.

  • Included Scripts:
    <script src="jquery-3.2.1.js"></script>
    <script src="myscripts.js"></script>
    1. myscripts.js:
      function doProcess()
    2. jquery-3.2.1.js:
      • It’s very notable that the included jquery file was not minified.
      • It also includes a function definition of doProcess():
      // ...omitted...
      function doProcess() {
          var form = document.createElement("form");
          form.setAttribute("method", "post");
          form.setAttribute("action", "main/index.php");
          form.setAttribute("target", "view");
          var hiddenField = document.createElement("input");
          hiddenField.setAttribute("type", "hidden");
          hiddenField.setAttribute("name", "name1");
          hiddenField.setAttribute("value", "TXlMaXR0bGU");
          var hiddenField2 = document.createElement("input");
          hiddenField2.setAttribute("type", "hidden");
          hiddenField2.setAttribute("name", "name2");
          hiddenField2.setAttribute("value", "cDB3bmll");
'', 'view');
      // ...omitted...
      • It sets the hiddent inputs, name1 and name2, to TXlMaXR0bGU and cDB3bmll respectively.
      • name1 and name2 are also input names for the username and password in the login form’s user input.


  1. Login using the credentials, TXlMaXR0bGU:cDB3bmll

    Hellenic Distribution Company


    1. The page sections are loaded using HTML Frames.
    2. There is a section of the page named Mailbox of Special Customers:
      • According to the challenge description, the objective is to find the an e-mail address and then inbox the individual.
      • Since an e-mail address is still yet to be found, it must be imperative to explore this section.
  2. Explore Mailbox of Special Customers:

    Mailbox of Special Customers

    • Frame Source:
        <meta http-equiv="Content-Type" content="text/html; charset=windows-1253">
        <meta http-equiv="Content-Language" content="us">
        <meta name="ProgId" content="FrontPage.Editor.Document">
        <font size="6"><span lang="en-us">Special Customers' Mailbox</font>
        <b><font size="6">&nbsp;&nbsp;&nbsp; </font></b>
          <img border="1" src="./secret_area_/mails.gif" width="21" height="20">
            Up to now we have 5 special customers who will help us to achieve our goals.<br><br>
            This list will soon be expanded with the new 'expansion program' for our corporate goals.<br><br>
            It is planned that within the next six months we will have reached 20 dedicated Special Customers.<br>
          <p><span lang="us"><a href="main.htm">���������</a></span></p>

      NOTE(S): 1. A GIF is loaded using from a directory, ./secret_area_:

       <img border="1" src="./secret_area_/mails.gif" width="21" height="20">
  3. Navigate to<port>/main/secret_area_:

    HDC secret_area_

    • mail.txt:
      All good boys are here... hehehehehehe!
      Peter Punk
      Ilias Magkakos
      Nick Pipshow
      Don Quixote 
      Crazy Priest
      Fishroe Salad
      TaPanta Ola
      Laertis George
      Thiseas Sparrow
      Black Dreamer
      Callme Daddy
      Aggeliki Lykolouli FwsStoTounel@Traino.pourxetai
      Kompinadoros Yannnnis
      Serafino Titamola
      Joe Hard
      Bond James
      Endof Text


      1. A list of names and e-mails have now been found.
      2. There is a section named Send EMail:
        • Since the objective is to send a shady guy an e-mail, this should be the final step towards the flag.
  4. Send an e-mail to the listed users in mail.txt:

    • Mailing Form:

      HDC Send EMail

    • After sending an e-mail to

      HDC Flag

FLAG : HTB{FuckTheB3stAndPlayWithTheRest!!}