HackTheBox Cyber Apocalypse 2024: Web Challenge Walkthroughs

CryptoCat

Video walkthrough for the first 7 web challenges from @HackTheBox Cyber Apocalypse CTF 2024 (Hacker Royale); Flag Command, TimeKORP, KORP Terminal, Labyrinth Linguist, Locktalk, SerialFlow and Testimonial. The challenges involved API testing, command injection, SQL injection (SQLi), server-side template injection (SSTI), 403 bypass (haproxy), JWT attacks, Memcached injection, Python pickle deserialization, gRPC hacking and path traversal! Write-ups/tutorials aimed at beginners - Hope you enjoy 🙂 #HackTheBox #HTB #CyberApocalypse #CyberApocalypse24 #CTF #CaptureTheFlag #Pentesting #OffSec #WebSec #AppSec
Write-ups: crypto-cat.gitbook.io/ctf-wri...
Looking for more HTB CA '24 walkthroughs? Check out @SloppyJoePirates video: • HTB Cyber Apocalypse 2...
↢HackTheBox Cyber Apocalypse: Hacker Royale↣
ctf.hackthebox.com/event/deta...
ctftime.org/event/2255
↢Resources↣
Ghidra: ghidra-sre.org/CheatSheet.html
Volatility: github.com/volatilityfoundati...
PwnTools: github.com/Gallopsled/pwntool...
CyberChef: gchq.github.io/CyberChef
DCode: www.dcode.fr/en
HackTricks: book.hacktricks.xyz/pentestin...
CTF Tools: github.com/apsdehal/awesome-ctf
Forensics: cugu.github.io/awesome-forensics
Decompile Code: www.decompiler.com
Run Code: tio.run
↢Chapters↣
0:00 Start
0:19 Flag Command
1:39 TimeKORP
6:15 KORP Terminal
9:46 Labyrinth Linguist
14:52 Locktalk
25:30 SerialFlow
33:36 Testimonial
43:00 End

Comments: 54
@funnymemes2440 11 days ago
Your videos are always amazing. Whenever I watch you I learn something new. Thank you for this.
@_CryptoCat 11 days ago
Thank you! 🥰
@philogex 3 months ago
very nice writeups. i hope you had as much fun as i had. htb is always a treat in my opinion
@_CryptoCat 3 months ago
Thanks 🥰 I did! I don't play HTB as much as I used to but when I do, I always learn some new things 🧠
@anshulguptaiitr949 26 days ago
nice explanations!
@_CryptoCat 19 days ago
Thank you! 💜
@fgfgfg4 3 months ago
Finally I’ve been waiting for someone to make a video. Thank you
@_CryptoCat 3 months ago
👊
@Leas124 3 months ago
Very good explanation! Nice work! 👏❤
@_CryptoCat 3 months ago
🙏🥰
@presequel 3 months ago
jees nice! i was stuck with Testimonial for forever....i thought, hey its an easy box so looks like an ssti with some sort of filtering, ok i got that.. but to overwrite the file was not something i came up as a beginner. tricky box! nice vid :)
@_CryptoCat 3 months ago
"easy box"? No.. It is "easy hackthebox" (aka hard 😂) Thanks 🙏🥰
@HAGSLAB 3 months ago
Testimonial took me forever, managed to solve it 20 mins before the end after going back to it a second time. Had the right idea all along, but had so many issues.
@_CryptoCat 3 months ago
@@HAGSLAB Clutch! 🏅
@jozsefszabados1183 3 months ago
Thank you!!!!
@_CryptoCat 3 months ago
Welcome! 💜
@meowpirates 3 months ago
good content man!
@_CryptoCat 3 months ago
Thank you! 🙏🥰
@g30rgyth3d4rk 3 months ago
Amazing Walk through 🔥🔥 great work 💯💯
@_CryptoCat 3 months ago
Thanks bro! I read some of your bug bounty writeups, great work yourself! 👊
@HackTheMatric 3 months ago
hii sir Also make guide video on the ctf challenges Misc Reversing Forensics Crypto Pwn Blockchain Hardware
@_CryptoCat 3 months ago
I didn't solve them, sorry! Check out SloppyJoePirates video though, he solved a lot! I linked in the description 😀
@HackTheMatric 3 months ago
@@_CryptoCat Thanks.
@spaulbrv 3 months ago
Nice explanations. For Testimonial what I did was I added an endpoint in main.go for command execution. A webshell basically. This works because it's launching the app with "air" which is a live reloader for Go apps. Then I triggered the reload by uploading a .tpl file because that's one of the file extensions air was looking for. It's in the .air.toml config file.
@_CryptoCat 3 months ago
Oh damn! Completely missed all of that lol. I was looking at Go reverse shells but I thought I would need to compile it first. When you say you added an endpoint in main.go, you replaced the file with your shell or did you copy the existing code, append your endpoint to it and then submit the lot as testimonial? Did you make a writeup?
@HAGSLAB 3 months ago
​@@_CryptoCat Testimonial got on my nerves. Had to go back to it a second time on another day and finally solved it 20 mins before the CTF ended. Making the exploit locally in Docker was important because it gives error messages and it's also a lot faster to reset when the Go program crashes. However, my first Docker (on a different machine) did not pick up on the file changes when I found the file write vuln. This threw me off massively.
@quarterpipe 3 months ago
@@_CryptoCat I effectively did it all in Go. I copied the client.go and modified it to do what i wanted it to do. I also just sent the payload as a multiline string from inside client.go overwriting index.templ. I had to look up what the Air functionality was which you could see from inside the docker container where it said it was 'watching directories' and i tested it once i had my client.go working. Good fun! and thanks for the writeup
@trunglongng4237 3 months ago
A bit silly question. You're not using Parrot on a VM, right?
@_CryptoCat 3 months ago
I am indeed! I use VMs habitually. In fact, I make a snapshot at the beginning of every CTF and then revert to it after the event ends (or every time my desktop gets too messy during the comp) 😁
@_hackwell 3 months ago
Nice! did mainly rev and pwn. Still haven't pwned maze_of_mist and still working but can't find a way... Do you plan to make a video on it?
@_CryptoCat 3 months ago
Didn't get that one sorry! I looked at pwn for about 10 min then went back to web 😅 Haven't done much pwn over the last year tbh as I want to get some web certs and eventually do some bug bounty 😁
@_hackwell 3 months ago
@@_CryptoCat That makes sense
@cdchanger5 3 months ago
I've noticed burp suite to be used for many challenges, is burp necessary for most challenges and is there a series or video to learn burp more in depth?
@_CryptoCat 3 months ago
It's definitely not necessary! Most of what you can do in burp you can also do in your browser devtools, or you could just write your own python script or something. There's other proxy tools as well, e.g. OWASP ZAP or a new, popular alternative to burp called "Caido". I'd definitely recommend checking Caido out, I would use it if I didn't already have a burp pro license. Regarding videos, you can probably find a lot online.. I made one a few years ago that was quite in-depth: kzfaq.info/get/bejne/aJqUiLRisdzToHk.html -- I'm also starting a new series atm on Portswigger's Gin and Juice shop so the first ep has a bit of a burp crash course: kzfaq.info/get/bejne/fLaqoqeQ07u1iYk.html 🙂
@cdchanger5 3 months ago
@@_CryptoCat I’ll check those out! Thanks!!
@binaryrun 3 months ago
genuinely thought sqlmap was not allowed
@_CryptoCat 3 months ago
Some CTFs do say don't use automated tools but generally if there's dedicated instances, you are good 🙂
@HAGSLAB 3 months ago
​@@_CryptoCat I was a bit worried about throwing sqlmap at it as well, but I didn't feel scripting it all out 😆
@Sh4d0w0x01 3 months ago
Your content is really good 🎉 And you are the only KZfaqr who replied to me on discord ❤❤
@_CryptoCat 3 months ago
Thank you! Really appreciated 😊 Of course, I try to reply where I can 👍
@ronnie_365 3 months ago
Can zap proxy do such active scans?
@_CryptoCat 3 months ago
It's been a while since I used ZAP but I think it does have a vuln scanner. I wouldn't expect it to be anywhere near as powerful as burp tbh but would be interested to know if it can also flag these issues!
@ronnie_365 3 months ago
@@_CryptoCat I will give a try cause burp is pricey for beginners, thanks for the reply
@_CryptoCat 3 months ago
@@ronnie_365 No problem! Yeh, burp isn't worth it really unless you are pen-testing or doing bug bounty professionally. You can get a trial for free though, I used mine ages ago to do the portswigger labs that require burp collaborator.
@Wongt8 3 months ago
SerialFlow... So I had everything right but it is when putting in burp. I had like error of the server I never figure it out. And also that curl was not in the docker so it is normal that I have never seen something :c
@_CryptoCat 3 months ago
curl not being on the box had me stuck for an embarrassingly long time 😅
@Topkidslayy 3 months ago
bro can i pretty please join your team next time? I solved 11 challenges btw
@_CryptoCat 3 months ago
Yeh sure, why not? 🙂 I normally play with the Irish CTF team but sometimes I join / form new team for an event (as I did with this one).
@Topkidslayy 3 months ago
@@_CryptoCat Letssss goooo team CryptoCat
@magnfiyerlmoro3301 2 months ago
too bad you didn't do all of them web challs
@_CryptoCat 2 months ago
yeh 😞