HackTheBox announced a CTF to be held on 19 April 2021 which lasted five days from Monday, 19 April 2021 12:00 UTC — Friday 23 April 2021 UTC.
It was a jeopardy style CTF it had a bunch of categories in it raging from PWN,Web,Hardware,Forensics and Miscellaneous category.
I was able to solve 2 challenges from web and other from miscellaneous category the rest of the challenges were solved by my teammates although I helped in one of the challenges from web category but mostly I did the end part so the 2 challenges that I did were
Input as a Service
On connecting with the port it shows a python2 shell , giving it an input it shows an error
But if we supply a string it won’t break
On googling around to import a python module I found a techique to import a module using
___import___ as the input is accepting only string so this will be accepting as string
And we’ll get the flag
We can also look at the source
With this we solved the challenge !!
First download the files given in the challenge
Looking at the source code we can see that
../ is replaced by
We can see that there is a flag but it’s not the real so we need to by pass filters to get the
It doesn’t show , so go one directory back
Here we have a LFI
And we got the flag !