aaron/htb-santa-ctf
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Files
f36d382b4c3c70082d5a5278c8a66bd8aacfb3b2
htb-santa-ctf/forensics/babyapt
History
aaron 41dd116e10 Add small write up for babyapt
2021-12-03 16:58:02 +01:00
..
christmaswishlist.pcap
cleanup
2021-12-03 14:51:34 +01:00
flag.b64
cleanup
2021-12-03 14:51:34 +01:00
README.md
Add small write up for babyapt
2021-12-03 16:58:02 +01:00

README.md

babyAPT

Flag

HTB{0k_n0w_3v3ry0n3_h4s_t0_dr0p_0ff_th3ir_l3tt3rs_4t_th3_p0st_0ff1c3_4g41n}

How to solve

  • Open the pcap file in wireshark
  • Filter for http traffic
  • Observe the sent POST messages, they contain commands
  • The last one contains a rather obscure one
"rm  /var/www/html/sites/default/files/.ht.sqlite && echo SFRCezBrX24wd18zdjNyeTBuM19oNHNfdDBfZHIwcF8wZmZfdGgzaXJfbDN0dDNyc180dF90aDNfcDBzdF8wZmYxYzNfNGc0MW59 > /dev/null 2>&1 && ls -al  /var/www/html/sites/default/files
  • The echo string is the flag in base64
Reference in New Issue View Git Blame Copy Permalink