Burp’s Recursive Grep for Owning Emdee five for life HTB Challenge

4 min readAug 10, 2021

Bonjour fellow offsec bugs. I have a super special h@shtalk for you today.

I know it’s been a while, but I’m starting a journey that I have a feeling is going to be super important for me and I’d like to have it documented.

Today I pwned my first challenge on Hack The Box and since I want to make this a daily thing I believe it won’t hurt to share what I learned here.

Of course, having the rules of the platform, where only write-ups of retired HTB machines or challenges are allowed here’s a little ‘emdee five for life’ treat to get us started.

The Challenge

When you enter the challenge it navigates you to page where a simple string is given and the instruction is to enter the MD5 hash of the given string.

Challenge Page

Solution Chain of Thoughts

First, I attempted the obvious solution. Opened a command line terminal to calculate the MD5 hash of the string.

Calculated MD5 hash

And no, it’s not that easy. After entering the calculated MD5 hash, the message I got back is — Too slow! Not only am I too slow, but they were quick enough to already provide another string that needs to be hashed.

Message after entering the calculated hash

I also tried entering “abcgdfd”, “fkdjghdkj”, or another wrong value to see if another message would pop-up except how slow I am, but no, they just want faster.

So, I decided to give the challenge what it wants. Automation!

Now, after extensive research on “How to be Usain Bolt in String Hashing” I found that several approaches could be quite useful. Came down to two of them. Writing a Python Script or using Burp. The Burp thing caught my attention, especially a pretty useful feature they have — called Recursive Grep.

Recursive grep to the rescue

Recursive grep payload source is an option in Burp Intruder, which works by generating each attack payload dynamically based upon the application’s response to the previous request.

Pretty neat, ha?

Okay, let’s see it in action.

Open Burp Suite, activate the proxy and capture the POST request in which you submit anything. Send this request to the Intruder module.

Set the payload position to the value of the hash parameter.

Payload position to the value of hash parameter

The payload type will be Recursive grep and the extract grep will be defined in the Options tab. The Payload Processing should be set to Hash: MD5.

Payload Options and Payload Processing

The Payload Options tells us what exact value we need to process. The value between <h3 align=’center’> to </h3> is the string which needs to be hashed and that is the value that we need to capture from the response of the previous request. With simple Inspect Element on the Challenge page you can find the exact tags that you need, which are the ones mentioned above.


Those tags should be defined in the Options tab and it should look like this:

Besides that, one more thing should be defined in the Options tab and that is Grep Match. With this if we define — Too slow! — as a tag, Burp will see if it exists in the response or not, and that would make it easier for us to see which responses succeeded and which have not.

Launching the attack, we can see that some requests don’t have a flag for ‘Too slow!’ and that means that in those requests the Intruder was quick enough to calculate and submit the MD5 hash of the string.

The flag can be found in the response of those requests.

Recursion has always been super cool, right?

Thanks for reading bugs. Catch me in some of my other h@shtalks and keep thinking on your feet!

Some useful resources:

  1. Using recursive grep for harvesting data
  2. Super cool Medium Article on Burp Intruder