The devil is enticing us to commit some sandboxed SSTI feng shui, would you be interested in doing so? Category: web Solver: davex, shm0sby Flag: HTB{b3nt_tw1g_t0_my_will!} Writeup The task was very simple. We had the source code of the challenge and we knew there was /flag which might contain our flag. ;) The challenge used Symfony as application framework and Twig as templating engine. We simply had to use basic injection on Twig which could be found in [1]. ...
I wrote this advanced program to only work on my computer but I think I might have made a mistake somewhere, as I canât even confirm my own identity. Category: reversing Solver: t0b1 Flag: HTB{Id3nt1ty_c0nf1rmat1on} Writeup In this challenge we get a Windows executable. We open it up in Ghidra to see what it does. The main function is printing Starting to confirm identity... and then calls the RegOpenKeyExA function with Control Panel\Desktop as the argument. ...
After a long investigation we have revealed the enemyâs service, which provides their agents with any needed documents. Recent events indicate that there are double agents among us. We need to read the double_agents.txt file in order to identify their names and treat them accordingly. Can you do it? Category: crypto Solver: kh1 Flag: HTB{1v_sh01d_b3_r4nd0m} Writeup When connecting to the server, it sends Welcome, agent! Request a document: When sending something after this, the server interprets it as hexadecimal data and decodes it. If the decoded data is a multiple of 16 bytes long, it is decrypted (using AES in CBC mode) and the content of the file with the decrypted string as name is returned. ...
Hackers made it onto one of our production servers. Weâve isolated it from the internet until we can clean the machine up. The IR team reported four different backdoors on the server, but didnât mention what they were and we currently canât get in touch with them. We need to get this server back into prod ASAP - weâre losing money every second itâs down. Please find the four backdoors (both remote access and privilege escalation) and remove them. Your creds are user / hackthebox, and that user will have full sudo rights, so running sudo su - will provide a shell as root. Remove any malicious files and configurations, and then run /root/solveme as root to get the flag. ...
Our domain has been attacked. An APT group has taken over our server and they have locked us out. Our incident response team was able to find some files added on the upload directory but havent been able to extract any information from them. Could you help us login back? Category: crypto Solver: Miroka, HTTP418, kh1 Flag: HTB{15b_4tt4ck5_4r3_c001} Writeup What we got encryption.py - the script used to encrypt the new password leaks - the scriptâs variables n, rp, and rq new_password - the encrypted new password encryption.py resembles RSA encryption with two primes p and q that are slightly above square numbers and the variables rp = 228 and rq = 75 tell us, how much above. We have also given the implicit RSA-e-Variable of the public key as it is a constant in the encryption.py. ...
Time for an emoji-test! No need to worry.. You have 500 seconds to answer 100 questions. Five seconds for each question is more than enough! You need to score 100/100 in order to win an amazing prize! Good luck! Category: misc Solver: lmarschk Flag: HTB{3m0j1s_R_fUn_4nd_m4k3_m3_c0d3_f4st} Writeup Starting with a telnet connection to the server, we are given a set of questions: Trying 139.59.202.58... Connected to docker.hackthebox.eu. Escape character is '^]'. You have only a few seconds for each question! Be fast! â° Question 1: â đ đ§ đș đŠ - đŠ â đŠ đș Answer: > 123 Time: 2.47 Wrong answer! đż The correct answer was 11382 The problem is, that when it is taking too long to get an answer, the connection will be shut down from the server. So there is no possibility to solve this one âby handâ, needing a script in order to do so. ...
There is serious suspicion that John is a double agent. We found the cipher in his trash can. It looks like he extracted the message and forgot to get rid of the evidence. Can you decrypt the secret message? Category: crypto Solver: kh1 Flag: HTB{m1551ng_v4lu35_m4k3_m3_s1ck} Writeup flag.txt contains a list of 32 lists containing 32 numbers from 0 to 255 each. This is a One-Time-Pad with 32 parts, xoring the lists and interpreting the result as ascii code gives the flag. ...
Just some not so regular disable_functions / open_basedir PHPfu. Category: web Solver: davex, shm0sby, lmarschk Flag: HTB{iconv_r34lly_b3_d01ng_us_lik3_th4t} Writeup The challenge php file was quite simple itself, it was a Docker container with some further configs. The configs were the more interesting thing. The php file only included an GET-parameter which then has been sent to an eval()-call. Also we know there is a file called /readflag which obviously prints the flag. ...
A brave warrior stands in front of the harshest enemy, a untouchable evil spirit who possesses his allies. Will they be able to overcome this enemy? Category: reversing Solver: 3mb0, HTTP418, mp455 Flag: HTB{Retr0_Kunai} Writeup We found ourself here in a reversing challenge. So - as we were used to - we prepare for a static binary analysis. Open Ghidra and install the GhidraBoy [1] to inspect the Game Boy ROM. ...
Youâre being interrogated in the enemyâs headquarters. Fake it and get out of there alive, without telling them anything! Category: pwn Solver: t0b1, Pandoron Flag: HTB{m0ms_sp4gh3tt1_1s_f4k3!} Writeup The first thing we do is running the checksec tool to get any clues where this challenge might be heading. It outputs the following. [*] '/home/user/htb-unictf-2020/finals/pwn/reality_check/reality_check' Arch: i386-32-little RELRO: Full RELRO Stack: No canary found NX: NX enabled PIE: No PIE (0x8048000) We extract the following information: ...
A remote facility is secured by a two-part access control system. The exterior device contains a keypad that is connected to a microcontroller, which sends entered passwords to a remote API for authorization. During an operation, we succeeded in tapping the connection between the keypad and embedded device. The only thing preventing us from gaining access to the facility now is to decode the obtained data and send the password to /api. ...
During your usual crop field stroll you were abducted by aliens. Luckily you were able to escape their grip and flee to an escape pod, but alas starting it requires a key code. Figure out how this strange mechanism works and return to earth. Category: reversing Solver: t0b1 Flag: HTB{_3st3r31K3yP4d_} Writeup In this challenge we get a binary. We start by analyzing it in Ghidra and find the following main function (we already renamed the functions to be more readable). ...
While I was surfing the web I probably clicked something that I shouldnât have, and now I believe that someone knows everything about me. Help me find out what is going on! The profile is Win10x64_17134. drive.google.com/file/d/1bwsV4ESzTVlEHeSyIjJROdxUgt31aBQ5 Category: forensics Solver: 3mb0, mp455 Flag: HTB{t3ll_me_@ll_Your_S3cr3ts} Writeup This time we got an url: drive.google.com/file/d/1bwsV4ESzTVlEHeSyIjJROdxUgt31aBQ5 Here we find a zip archive containing two files: tioe.pcap and ioe.raw tioe.pcap Letâs focus on tioe.pcap. This packet capture file can be divided in two parts. First HTTP Traffic and after that plain TCP streams. ...
A famous TV channel has decided to deploy Smart Contracts in a novel quiz game format. They want an audit of their code to make sure they are ready for the official launch. Will you be able to steal the ether stored in this contract? Category: blockchain Solver: davex, lmarschk Flag: HTB{N0b0dY_WiLL_R3ceIv3_M0n3y} Writeup In this challenge, you receive the address of a deployed smart contract and its source code. The source of the contract is: ...
Who let the blacklists out? Category: web Solver: davex, shm0sby Flag: HTB{wh0_l3t_th3_w4fs_0ut?!..w00f..w00f.w00f!} Writeup When you entered the site of the challenge the site directly gives you the source of the challenge. <?php require('database.php'); $user = $_GET['user']; $pass = $_GET['pass']; if (!isset($user) || !isset($pass) || preg_match_all('/(select|union|where|\(|\.|\')/i', $user.$pass)) { highlight_file(__FILE__); exit; } $mysql = get_db(); $mysql->multi_query("SELECT * FROM `users` WHERE `username` = '${user}' AND `password` = '${pass}'"); do { if ($result = $mysql->store_result()) { if ($row = $result->fetch_assoc()) { echo json_encode($row) . '<br/>'; } $result->free(); } } while ($mysql->next_result()); $mysql->close(); As you can see we can enter two variables via getting parameters and they are checked for some keywords. Therefore we are not permitted to have a select, union or where statement (case insensitive) or neither a ' nor ( in our variables. ...
Join the HTB x UNI Finals discord channel. Category: warmup Solver: t0b1 Flag: HTB{f1n4lists_ass3mbl3_f0r_th3_ult1m4t3_pwn4ge_ev3nt} Writeup As the challenge description states, one has to join the HTB x UNI Finals discord channel. There we find the uni-ctf-finals-rules channel that contains the rules of the CTF. Carefully reading the rules, just like every good CTF player, we find the flag in there. How generous!
The SOC identified a bunch of suspicious emails with ZIP attachments. The zips donât have executables in them, so how dangerous can they be? Category: forensics Solver: 3mb0, mp455 Flag: HTB{d4ng3r0Us_z1p_ZiP_z1pp3R} Writeup In the provided zip archive there is another archive callled zipper.zip. We can also extract this archive to the files zipper.jpg and zipper.lnk. As .lnk is the file extension for windows shortcuts we inspect its properties. As target there is ...