Payload:
Dark Runes isn't just a box—it’s a story. You stumble upon an ancient, arcane web server that speaks in cryptic symbols. Your mission? Decode the runes, bypass forbidden gates, and summon the root flag. Every quest begins with a whisper. You scan the target:
SSH as admin with same password.
It reads a file, XOR-decrypts it with a hardcoded key, then executes the output as a shell command if it starts with RUNECMD: . Create a malicious rune file:
% with a=request a % endwith % uid=33(www-data) gid=33(www-data) groups=33(www-data) htb dark runes
Try re-creating the rune_decoder binary and see if you can find a different way to escalate without touching the root flag.
May your shell never drop, and your hashes always crack. 🔥 Payload: Dark Runes isn't just a box—it’s a story
Root flag acquired. 🏴☠️ | Phase | Technique | |-------|------------| | Web | Base64 rune encoding, token reuse, SSTI (Jinja2) | | Shell | Python reverse shell, PostgreSQL access | | Priv Esc | Custom binary analysis, XOR encryption bypass, sudo abuse | 🧙 Final Rune Reading Dark Runes is a love letter to CTF players who enjoy creative encoding, sneaky template injection, and low-level binary trickery. It rewards patience and curiosity—traits of a true digital rune mage.
As an Amazon Associate I earn from qualifying purchases. Amazon and the Amazon logo are trademarks of Amazon.com, Inc, or its affiliates.