HTB Flag Command Write‐up - 570n3p057/570n3p057 GitHub Wiki
- Creator: Xclow3n
- Category: Web
- Difficulty: Very Easy
- Challenge Description:
Embark on the "Dimensional Escape Quest" where you wake up in a mysterious forest maze that's not quite of this world. Navigate singing squirrels, mischievous nymphs, and grumpy wizards in a whimsical labyrinth that may lead to otherworldly surprises. Will you conquer the enchanted maze or find yourself lost in a different dimension of magical challenges? The journey unfolds in this mystical escape!
- Tools Used: OWASP-Zap proxy, Browser Inspect tool
- After starting the instance you will be provided an IP.
- Open Zap or Burp Suite, then open the browser tool within Zap.
- Visit the site [http://{target_ip:port}]
- Type "START" and press enter.
- You will be provided 4 options; type in your choice, then press enter.
- Based on your option, you will be provided a response: either it will move on to another prompt, or it will fail and you will need to restart the 'game'.
- Instead of stepping through each option and hitting dead ends, let's look at the Zap proxy traffic.
- As the page loads, there are some interesting directories and calls: /static/terminal/ and /api/options.
- Looking through the JavaScript and CSS, there are some interesting scripts to pay attention to, specifically in main.js:
```javascript
async function CheckMessage() {
    fetchingResponse = true;
    currentCommand = commandHistory[commandHistory.length - 1];

    if (availableOptions[currentStep].includes(currentCommand) || availableOptions['secret'].includes(currentCommand)) {
        await fetch('/api/monitor', {
            method: 'POST',
            headers: {
                'Content-Type': 'application/json'
            },
            body: JSON.stringify({ 'command': currentCommand })
        })
            .then((res) => res.json())
            .then(async (data) => {
                console.log(data)
                await displayLineInTerminal({ text: data.message });

                if(data.message.includes('Game over')) {
                    playerLost();
                    fetchingResponse = false;
                    return;
                }

                if(data.message.includes('HTB{')) {
                    playerWon();
                    fetchingResponse = false;
                    return;
                }

                if (currentCommand == 'HEAD NORTH') {
                    currentStep = '2';
                }
                else if (currentCommand == 'FOLLOW A MYSTERIOUS PATH') {
                    currentStep = '3'
                }
                else if (currentCommand == 'SET UP CAMP') {
                    currentStep = '4'
                }

                let lineBreak = document.createElement("br");

                beforeDiv.parentNode.insertBefore(lineBreak, beforeDiv);
                displayLineInTerminal({ text: '<span class="command">You have 4 options!</span>' })
                displayLinesInTerminal({ lines: availableOptions[currentStep] })
                fetchingResponse = false;
            });
    }
    else {
        displayLineInTerminal({ text: "You do realise its not a park where you can just play around and move around pick from options how are hard it is for you????" });
        fetchingResponse = false;
    }
}
```
- Looking through the above function, take note of the if/else if section: the first 3 successful commands are provided.
- When getting to the 4th command, it is not listed...
- Now let's look through the other interesting call, /api/options:
```http
HTTP/1.1 200 OK
Server: Werkzeug/3.0.1 Python/3.11.8
Date: Sun, 02 Jun 2024 23:14:54 GMT
Content-Type: application/json
Content-Length: 637
Connection: close

{
  "allPossibleCommands": {
    "1": [
      "HEAD NORTH",
      "HEAD WEST",
      "HEAD EAST",
      "HEAD SOUTH"
    ],
    "2": [
      "GO DEEPER INTO THE FOREST",
      "FOLLOW A MYSTERIOUS PATH",
      "CLIMB A TREE",
      "TURN BACK"
    ],
    "3": [
      "EXPLORE A CAVE",
      "CROSS A RICKETY BRIDGE",
      "FOLLOW A GLOWING BUTTERFLY",
      "SET UP CAMP"
    ],
    "4": [
      "ENTER A MAGICAL PORTAL",
      "SWIM ACROSS A MYSTERIOUS LAKE",
      "FOLLOW A SINGING SQUIRREL",
      "BUILD A RAFT AND SAIL DOWNSTREAM"
    ],
    "secret": [
      "Blip-blop, in a pickle with a hiccup! Shmiggity-shmack"
    ]
  }
}
```
- The response above shows the same 3 steps as the main.js script, with one exception, "secret".
- Let us try entering the line under "secret" for the 4th option...
- Bingo, there we have it!
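
The underlying flaw is that /api/options serializes the "secret" key to every client while the command check lives in main.js. The sketch below is an added example, not the challenge's server code (which the write-up does not show): it sets that leaky serializer beside a hardened one and adds a regression check that flags response keys the UI never renders. All function names, the trimmed command table and the placeholder secret are assumptions, and `step` is assumed to come from server-side session state.

```python
import hmac
import json

# Constructed sample data modelled on the /api/options response above.
# The secret is a placeholder, not the challenge's real string.
COMMANDS = {
    "1": ["HEAD NORTH", "HEAD WEST", "HEAD EAST", "HEAD SOUTH"],
    "2": ["GO DEEPER INTO THE FOREST", "FOLLOW A MYSTERIOUS PATH",
          "CLIMB A TREE", "TURN BACK"],
    "secret": ["<placeholder-secret-command>"],
}
PUBLIC_STEPS = {"1", "2"}  # keys the UI is meant to render


def options_leaky():
    """Pattern seen in the write-up: the whole table, secret included, goes out."""
    return json.dumps({"allPossibleCommands": COMMANDS})


def options_hardened(step):
    """Serialize only the caller's current step; private or unknown keys yield nothing."""
    if step not in PUBLIC_STEPS:
        return json.dumps({"allPossibleCommands": {}})
    return json.dumps({"allPossibleCommands": {step: COMMANDS[step]}})


def monitor(step, command):
    """Server-side validation; the client-side includes() test is not trusted."""
    if not isinstance(command, str):
        return {"ok": False, "message": "invalid command"}
    # Constant-time comparison so response timing does not hint at the secret.
    if any(hmac.compare_digest(command.encode(), s.encode())
           for s in COMMANDS["secret"]):
        return {"ok": True, "message": "secret accepted"}
    if step in PUBLIC_STEPS and command in COMMANDS[step]:
        return {"ok": True, "message": "step accepted"}
    return {"ok": False, "message": "invalid command"}


def leaked_keys(response_body, rendered=PUBLIC_STEPS):
    """Regression check: keys present in the response that the UI never renders."""
    table = json.loads(response_body).get("allPossibleCommands", {})
    return sorted(set(table) - set(rendered))
```

Running `leaked_keys` over a captured /api/options body in CI catches this class of leak before release; the hidden command still works through `monitor`, it just never reaches the browser.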