forbytten blogs

Flag Command Writeup - Cyber Apocalypse 2024

Last update:

1 Introduction

This writeup covers the Flag Command Web challenge from the Hack The Box Cyber Apocalypse 2024 CTF, which was rated as having a ‘very easy’ difficulty. The challenge was a black box web application challenge.

The description of the challenge is shown below.

Flag Command description

2 Key techniques

The key techniques employed in this writeup are:

3 Mapping the application

3.1 Mapping the application interactively

The target website was opened in the Firefox browser, proxied via mitmproxy. The website displayed a terminal-like prompt.

The website displays a terminal-like prompt

3.2 Mapping the application via client side source code review

In mitmproxy, a couple of key responses were observed:

  1. GET /api/options returned a JSON response containing a ‘secret’ option:

    /api/options contained a secret option
  2. The JavaScript code in /static/js/terminal/main.js tests whether the current step in the options contains the currentCommand or the currentCommand equals the secret option. If it does, it POSTs the currentCommand to the /api/monitor endpoint as JSON {"command":currentCommand}.

    main.js will post the currentCommand to the /api/monitor if it contains the secret option

4 Obtaining the flag

  1. The secret option was POSTed to the /api/monitor endpoint:

    Secret option POSTed to the /api/monitor endpoint
  2. The response contained the flag:

    Flag returned in the response

5 Conclusion

The flag was submitted and the challenge was marked as pwned

Submission of the flag marked the challenge as pwned