Ctf on s4yhii's blog

Cyber Apocalypse 2025 - 6x Web Challenges Writeup

Tue, 25 Mar 2025 08:00:00 -0500

I participated as a member of team CibersecUNI. This time i managed to solve all 6/6 challenges in the web category.

Whispers of the Moonbeam

Observando las funciones, nos dan una pista que se puede inyectar comandos con ;.

Usando el comando gossip, puedo listar los archivos, se visualiza el archivo flag.txt, y con un simple ; puedo concatenar el comando cat para leer la flag.

gossip; cat flag.txt

Obtenemos la flag. 🎉 HTB{Sh4d0w_3x3cut10n_1n_Th3_M00nb34m_T4v3rn_78cb9b70be3bf077e608865b967b5ab1}

Cross Site Scripting (XSS)

Wed, 18 May 2022 12:00:00 -0400

Cross-site scripting known as XSS is a web vulnerability in which malicious scripts are injected int benign and trusted websites. XSS occur when an attacker send malicious code in any user input fields in a browser to a different end-user.

Mechanisms

In an XSS attack the attacker inject script in HTML code so you’ll have to know javascript and HTML syntax, wbe uses scripts to control client-side application logic and make the website interactive, for example this script generates Hello! pop-up on the web page:

Cyber Apocalypse 2023 2x Web Challenges Writeup

Wed, 18 May 2022 12:00:00 -0400

Kryptos Support

Checking the web page of this challenge gives a form to send an issue and an admin will review that issue.

So its interesting, maybe the admin will click in that issue and we can inject some kind of payload, like an stored xss, these approach is similar to the bankrobber box in htb.

So we can craft the payload to steal the cookie of the admin or the user who will review out ticket.