HackTheBox Cyber Apocalypse 2021 CTF

Hello guys back again with another walkthrough this time we’ll be tackling Cyber Apocalypse 2021 capture the flag hosted by HackTheBox. Since am part of a team this time i decided to do web challenges and i had a couple of solves. And also learned some important lesson that i would like to share Without much say let’s jump in

Caas is a web challenge that start off by a user providing a host and the web application does a heath check of some sort using curl

But no matter the host i provided i always got a illegal character detected as you can see from the screenshot below.

I decided look at the source code using ctrl + u

We see from the screenshot below that it has a JavaScript file called main.js

Analyzing the JavaScript file we that it is using an API and performing curl request with an IP Address or hostname using an IP post parameter

So i decided to intercept the request with burpsuite and see if i could replicate the functionality my main aim was to first try and bypass the client side JavaScript validation

And after sending the request i got a feedback.

But for sanity check i did set up a server on my box and using ngrok and tried connecting to my server

And forwarding the request using the repeater tab it seemed to work fine

I got a call back on my box. The next set was to fingerprint the exact program that was making HTTP request and the way i usually do is by using the user-agent. So i did send the request once again but this time i used netcat so that i could view the request header i got

Looking at the screenshot above we get that the user-agent is curl/7.64.0. Sweet. Next i tried to see if i could exploit the web application to get code execution since my thinking was that the PHP code was something like

<?php
$ip = $_POST['ip'];
if(isset($ip)){ system("curl {$ip}");
}
?>

So if i could place a system command in the URL i thought i could get code execution on the system

I tried executing command but looking at the screenshot below it didn’t work

Next i knew that curl has a -o command which saves the result of what was outputted so i tried dropping a shell on the server

First i created a PHP web shell from my box

Next i tried uploading the shell

Looking at HTTP logs it got the file

Next i tried accessing the web shell from burpsuite and looking at the screenshot below the file had been written successfully

I got the file. Sweet!!!

Let’s try executing commands

And it works we have code execution on the box now lets read the flag!!!

And the challenge is done though there was an intentional method which i used when solving the challenge first

We know web browsers can use the file:// protocol to access files on a system so i tried to see if i could include a file from the remote server

And it seems to work!!!. Looking at the nginx.conf file we see that the web root is in /www

And the flag is supposed to be one folder up

So i tried accessing the flag using file:// protocol

And looking at the screenshot above it worked!!!!! we again have the flag and the challenge was done

The second challenge i attempted was Wild Goose Hunt. First i downloaded the source code since it was given and one file that stood out was the entry-point file

Looking at the entry-point bash file we get that the web application was running mongo database

Am sure by now NoSQL injection is already running through your head

But first of all let’s take a look at the web page

We get standard a web page which seems to be having a login form

So i tried logging in and intercepted the request with burpsuite

Then forwarded the request to repeater tab to play with it a bit. If you’ve come across a NoSQL injection before an sure you know that by providing [$ne] in the login parameter we could bypass the login prompt completely

But first let’s try a legit login using wrong credential

We get a login Failed. let’s try bypassing the login using $ne (not equals)

Looking at the screenshot above we get a login success meaning we’ve just confirmed that it’s NoSQL inject able. Next we can use $regex to leak the enter password which in our case will be the flag for the challenge

the [$regex] command ask the application if the password starts with a certain character

example

password[$regex]=^char

if it returns with a login success we know that the password begins with that character

Since i love coding i ended up creating a python script to retrieve the flag

Looking at the screenshot below we have the flag

The third challenge which i attempted was extortion. In this challenge we are not provided with a source code of the web application. So i ended up enumerating it manually

On opening the website we get a standard webpage

Clicking the links we see that it uses some parameter which in-turn includes some files

But we could also put the name of the plane to depart

So again i intercepted the request of this page using burpsuite

And we get a message saying departure successful

The first page included files so my first through was a Local file inclusion vulnerability

So i tried including the passwd file

And looking at the screenshot above it worked we had successfully included the passwd file. Next i tried including a file that doesn’t exist to see of the web application would cough out an error message

And it work we see that the application uses include but we can leak the source code using PHP filter since it begins with files in the include statement

So i tried numerous techniques to see if i could leak the flag like:

  1. Getting remote code execution through Log poisoning
  2. Getting remote code execution though /proc/self/environ
  3. Getting remote code execution using expect://
  4. Getting code execution using data://
  5. Trying to guess random location where the flag could be stored but it all didn’t work

Then i remembered about the PHP session id cookie

It can be stored in several places but the most common place are:

  1. /var/lib/php/sessions/
  2. /tmp

So i tried to access the cookie and Looking at the screenshot below it worked

The cookie is stored in /tmp directory

And a while back when we did send “musyoka” in the send.php(plane to depart web page)

So whatever we type in that textbox gets saved in the session cookie. And voila that’s where the vulnerability arises. We are supposed to get remote code execution through session poisoning. So i tried including a PHP payload and see if i include the session cookie if it would get executed

Next i forwarded the request and then included the session file using the LFI vulnerability

Looking at the screenshot above we get code execution

Next i decided to build a simple python exploit script that automates the process of sending the payload, capturing the output of the system command and filtering out the notice below is how it looked

Trying to execute command using the custom built script as you can see below it works perfectly!!!

Now it’s time to get the flag

And we are done!!!!

I hope you liked the walkthrough if so don’t forget to clap for me down below and follow me so that you won’t miss any upcoming articles. I’ll leave a link to my GitHub page containing all the python scripts i created below. Thanks for reading goodbye!!

GitHub

Penetration Tester/Analytical Chemist who Loves Cybersecurity. GitHub(https://github.com/musyoka101), ExploitDB(https://www.exploit-db.com/?author=10517)