HackTheBox Cyber Apocalypse 2021

HackTheBox announced a CTF to be held on 19 April 2021, which lasted five days, from Monday, 19 April 2021 12:00 UTC to Friday, 23 April 2021 UTC.
It was a jeopardy-style CTF with a bunch of categories, ranging from PWN, Web, Hardware and Forensics to Miscellaneous.

I was able to solve 2 challenges, one from web and the other from the miscellaneous category. The rest of the challenges were solved by my teammates, although I helped in one of the challenges from the web category, but mostly I did the end part. The 2 challenges that I did were:


Input as a Service

On connecting to the port, it shows a python2 shell; giving it an input shows an error

But if we supply a string it won’t break

On googling around for how to import a Python module, I found a technique to import a module using `__import__`. As the input accepts only strings, this will be accepted as a string

And we’ll get the flag

We can also look at the source

With this we solved the challenge!!
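
Why a bare word errors, a quoted string works and an `__import__` expression runs: Python 2's `input()` evaluates the typed line as an expression. The block below is an added example, not the challenge's source; it models that behaviour in Python 3 with `eval` and contrasts it with a literal-only reader. The function names and sample lines are constructed for illustration.

```python
import ast

def py2_input(line):
    """Model of Python 2 input(): the typed line is evaluated as an expression."""
    return eval(line, {})  # deliberately unsafe, this is the behaviour under study

def safe_input(line):
    """Hardened reader: accept Python literals only, never names or calls."""
    try:
        return ast.literal_eval(line.strip())
    except (ValueError, SyntaxError, TypeError) as exc:
        raise ValueError("rejected non-literal input: %r" % line) from exc

def classify(reader, line):
    """Run one reader on one line and report the outcome without raising."""
    try:
        return ("value", reader(line))
    except NameError:
        return ("name_error", None)   # bare word looked up as a variable
    except (ValueError, SyntaxError):
        return ("rejected", None)

# Constructed sample lines (not taken from the challenge).
SAMPLES = [
    "hello",                       # bare word
    "'hello'",                     # quoted string literal
    "__import__('os').getpid()",   # expression that imports a module; harmless call
]

def demo():
    """Return {line: (unsafe outcome, safe outcome)} for every sample."""
    return {s: (classify(py2_input, s), classify(safe_input, s)) for s in SAMPLES}

if __name__ == "__main__":
    for line, (unsafe, safe) in demo().items():
        print("%-28s eval-style=%s  literal-only=%s" % (line, unsafe, safe))
```

A service that needs typed input from untrusted users should read it as text (`raw_input()` in Python 2) and parse it explicitly, as `safe_input` does.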



First download the files given in the challenge

Looking at the source code we can see that ../ is replaced by

We can see that there is a flag, but it’s not the real one, so we need to bypass the filters to get the flag

It doesn’t show, so go one directory back

Here we have an LFI

And we got the flag!

BS CS undergraduate | CTF Player