Last updated: 15 Apr 24 09:26:40 (UTC)
HackTheBox Apocalypse 2024
HTB Apocalypse 2024 was an open event with over 12000 players in 5600 total teams.
For this event my team ranked 146/5600; our team was composed of 2 other players.
- Lawcky
- Oblivios
- Thaysan (MVP)
It was a fun experience and a good introduction to HTB’s CTF challenges.
Here are all my write-ups for that event; I kept only the ones I flagged, with one exception.
Crypto - primary knowledge
difficulty : very easy
given values :
n = 144595784022187052238125262458232959109987136704231245881870735843030914418780422519197073054193003090872912033596512666042758783502695953159051463566278382720140120749528617388336646147072604310690631290350467553484062369903150007357049541933018919332888376075574412714397536728967816658337874664379646535347
e = 65537
c = 15114190905253542247495696649766224943647565245575793033722173362381895081574269185793855569028304967185492350704248662115269163914175084627211079781200695659317523835901228170250632843476020488370822347715086086989906717932813405479321939826364601353394090531331666739056025477042690259429336665430591623215
with ‘c’ being the message to decrypt
after reading the python code we understand that the string m has been encrypted with the 2 integers (n & e) using the pow() math function
final code :
70810169710870607138579841519067639407045943514923980034716372388149402958694556292813866757327463621571327781524875159250427298200470290349260098816979513961424877205916891032682169108584143589722447303744878213639281455359132608063067801151889933261971455431441482052704077974781781967066974095696154090883
i checked and this value is false
next try :
154494104126246428636989946273736411011334723383700225366857664731705373903436582850185452949938557
is the result
now we need to reverse the bytes_to_long() function to understand the output and get the FLAG
final code :
it worked !
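The decryption and the bytes_to_long() reversal described above, as an added example (this is not the write-up's own code, which is missing from the page). It assumes the modulus n is itself prime, so that φ(n) = n − 1; the page does not state how n was built, so the code checks that assumption with a Miller-Rabin test before using it.

```python
# Added example. Assumption: n is a single prime, so phi(n) = n - 1.
# N, E, C and M_FROM_PAGE are the values quoted in the write-up.
N = 144595784022187052238125262458232959109987136704231245881870735843030914418780422519197073054193003090872912033596512666042758783502695953159051463566278382720140120749528617388336646147072604310690631290350467553484062369903150007357049541933018919332888376075574412714397536728967816658337874664379646535347
E = 65537
C = 15114190905253542247495696649766224943647565245575793033722173362381895081574269185793855569028304967185492350704248662115269163914175084627211079781200695659317523835901228170250632843476020488370822347715086086989906717932813405479321939826364601353394090531331666739056025477042690259429336665430591623215
M_FROM_PAGE = 154494104126246428636989946273736411011334723383700225366857664731705373903436582850185452949938557

def is_probable_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
    """Miller-Rabin primality test with a fixed set of bases."""
    if n < 2:
        return False
    for p in bases:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:          # write n - 1 as d * 2^r with d odd
        d //= 2
        r += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False       # a is a witness that n is composite
    return True

def decrypt_prime_modulus(n, e, c):
    """Textbook RSA decryption when the modulus is a single prime."""
    if not is_probable_prime(n):
        raise ValueError("n is not prime; phi(n) = n - 1 does not apply")
    d = pow(e, -1, n - 1)      # modular inverse of e (Python 3.8+)
    return pow(c, d, n)

def long_to_bytes(m):
    """Inverse of bytes_to_long(): big-endian integer back to bytes."""
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

if __name__ == "__main__":
    print(long_to_bytes(M_FROM_PAGE))
    if is_probable_prime(N):
        print(decrypt_prime_modulus(N, E, C) == M_FROM_PAGE)
    else:
        print("n is composite: factor it before computing phi(n)")
```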
Crypto - Dynastic
difficulty: very easy
given message
DJF_CTA_SWYH_NPDKK_MBZ_QPHTIGPMZY_KRZSQE?!_ZL_CN_PGLIMCU_YU_KJODME_RYGZXL
the code basically switches each character,
- If the character is not alphabetic, it remains unchanged
- If the character is alphabetic, it maps the character to an index using to_identity_map, adds the index i to it, and then maps it back to a character using from_identity_map
it is pretty easy to reverse using the source code :
final code :
it worked !
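The index-based shift described above and its inverse, as an added example (not the write-up's own code, which is missing from the page). The helper names come from the page; their bodies are an assumption here, mapping uppercase A–Z to 0–25.

```python
# Added example. The bodies of to_identity_map / from_identity_map are
# assumed (A-Z <-> 0-25); only their names appear in the write-up.
CIPHERTEXT = "DJF_CTA_SWYH_NPDKK_MBZ_QPHTIGPMZY_KRZSQE?!_ZL_CN_PGLIMCU_YU_KJODME_RYGZXL"

def to_identity_map(ch):
    return ord(ch) - 0x41

def from_identity_map(value):
    return chr(value % 26 + 0x41)

def shift(text, sign):
    """Shift every letter by sign * (its position in the whole string)."""
    out = []
    for i, ch in enumerate(text):
        if ch.isalpha():
            out.append(from_identity_map(to_identity_map(ch) + sign * i))
        else:
            out.append(ch)     # non-alphabetic characters stay unchanged
    return "".join(out)

def encrypt(plaintext):
    return shift(plaintext, +1)

def decrypt(ciphertext):
    return shift(ciphertext, -1)

if __name__ == "__main__":
    print(decrypt(CIPHERTEXT))
```

The position counter advances on every character, including the unchanged ones, so the separators still affect the shift applied to the letters after them.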
Crypto - Makeshift
difficulty : Very Easy
Obfuscated Flag
!?}De!e3d_5n_nipaOw_3eTR3bt4{_THB
this basically switches characters’ places based on this part of the code’s sequence :
for i in range(0, len(flag), 3):
    new_flag += flag[i+1]
    new_flag += flag[i+2]
    new_flag += flag[i]
reversing this is very easy, we just have to reverse that same sequence
final code :
it worked !
Crypto - Iced Tea
difficulty: Easy
Given Values
Key : 850c1413787c389e0b34437a6828a1b2
Ciphertext : b36c62d96d9daaa90634242e1e6c76556d020de35f7a3b248ed71351cc3f3da97d4d8fd0ebc5c06a655eb57f2b250dcb2b39c8b2000297f635ce4a44110ec66596c50624d6ab582b2fd92228a21ad9eece4729e589aba644393f57736a0b870308ff00d778214f238056b8cf5721a843
final code :
it worked !
Crypto - Blunt #notflagged
difficulty: Easy
Given Values
p = 0xdd6cc28d
g = 0x83e21c05
A = 0xcfabb6dd
B = 0xc4a21ba9
ciphertext = b'\x94\x99\x01\xd1\xad\x95\xe0\x13\xb3\xacZj{\x97|z\x1a(&\xe8\x01\xe4Y\x08\xc4\xbeN\xcd\xb2*\xe6{'
the encryption method is AES CBC
in order to decrypt this we first need to get the encryption key
using the same code that was given to us with the data :
key code :
the key was not right (my bad, I could have just extracted it directly inside the given code)
actual key : b'6\xa7\xe4N$\x13[x$\xf0\xf3\x16\x94\x18\x0c\x9c'
data :
AES Key: b'6\xa7\xe4N$\x13[x$\xf0\xf3\x16\x94\x18\x0c\x9c'
iv = b'\xc1V2\xe7\xed\xc7@8\xf9\\\xef\x80\xd7\x80L*'
ciphertext = b'\x94\x99\x01\xd1\xad\x95\xe0\x13\xb3\xacZj{\x97|z\x1a(&\xe8\x01\xe4Y\x08\xc4\xbeN\xcd\xb2*\xe6{'
someone else flagged it
Web - KORP Terminal
difficulty: Very Easy
It is a web login page; when the credentials are incorrect it returns a 401 in JSON format.
using this login bypass wordlist and the hydra tool:
the form returns 401 error message which makes hydra return this error:
i still fuzzed it with the errors and managed to get this error message from the site:
we now know it's a MariaDB server
let's run sqlmap
sqlmap -r request --dbs --batch --ignore-code 401
it worked !
Pwn - Writing on the walls
difficulty: easy
we also got the executable.
after decompiling the binary we find :
the password is w3tpass (space is a character); it is read fully (8 chars),
but the user input is read up to 7 chars
after using the ltrace tool on the local bin :
entered : w3tpas\n
compared : "w3tpas\3tpass ", "\3tpass "
we can overwrite the comparison, we just need to find a perfect input that’ll make them match
when I entered a long string only of spaces :
we need to remove the first inputted space while keeping the rest and it shall work
after sending a payload of only nullbytes \0
i was able to get the flag.
echo -e '\0\0\0\0\0\0\0\0\0\0\0' | nc 94.237.63.46 43527
forgot to screen the actual flag mb
Hardware - BunnyPass #annoying
difficulty : easy
This challenge was just a click-everywhere type of challenge, no real goal nor path to follow, just an admin:admin service login and searching for the flag
once logged in we needed to go to queues
when we go to the queues, select the factory_idle status and check for message status, you need to select ACK messages and look for the last one.
HTB{th3_hunt3d_b3c0m3s_th3_hunt3r}
Hardware - Rids
source code :
we need to read the memory of the W25Q128 chip.
after some research I found that the command for that is 0x03
let's craft a JSON payload since the code reads JSON.
after decoding as ASCII characters : HTB{m3m02135_57023_53c2375_f02_3v32y0n3_70_533!@}