BunnyPass Writeup - Cyber Apocalypse 2024

Last update: March 23, 2024

1 Introduction
2 Key Techniques
3 Mapping the application interactively
4 Vulnerability analysis - default credentials
5 Obtaining the flag
6 Conclusion

→ 1 Introduction

This writeup covers the BunnyPass Hardware challenge from the Hack The Box Cyber Apocalypse 2024 CTF, which was rated as having a ‘very easy’ difficulty. The challenge involved gaining access to a RabbitMQ Management UI using default credentials.

The description of the challenge is shown below.

→ 2 Key Techniques

The key techniques employed in this writeup are:

Researching default credentials for the RabbitMQ Management UI
Manual enumeration of a web application

→ 3 Mapping the application interactively

The target website was opened in the Firefox browser, proxied via mitmproxy. The website displayed a login form for the RabbitMQ Management UI.

→ 4 Vulnerability analysis - default credentials

From the challenge description, default credentials will provide access to the site. The product documentation indicated that default credentials of guest:guest should work for the management UI. These successfully granted access. This is an instance of common weakness CWE-1392: Use of Default Credentials.

RabbitMQ login successful using default guest:guest credentials — RabbitMQ login successful using default `guest:guest` credentials

→ 5 Obtaining the flag

The UI was manually enumerated. The flag was found in the last message on the factory_idle message queue.

Flag found within a message on the factory_idle message queue — Flag found within a message on the `factory_idle` message queue

→ 6 Conclusion

The flag was submitted and the challenge was marked as pwned