๐ŸŒ Whispers of the Moonbeam

A detailed write-up of the Web challenge 'Whispers of the Moonbeam' from Cyber Apocalypse CTF - 2025

/images/CyberApocalypseCTF-2025/Web/WhispersOfTheMoonbeam/challenge_presentation.png
Challenge Presentation

📊 Challenge Overview

| Category | Details | Additional Info |
|---|---|---|
| 🏆 Event | Cyber Apocalypse CTF - 2025 | Event Link |
| 🔰 Category | Web 🌐 | |
| 💎 Points | 1000 | Out of 1000 total |
| ⭐ Difficulty | 🟢 Easy | Personal Rating: 1/10 |
| 👤 Author | Unknown | Profile |
| 🎮 Solves (At the time of flag submission) | 34 | solve rate |
| 📅 Date | 21-03-2025 | Cyber Apocalypse CTF - 2025 |
| 🦾 Solved By | mH4ck3r0n3 | Team: QnQSec |

๐Ÿ“ Challenge Information

In the heart of Valeria’s bustling capital, the Moonbeam Tavern stands as a lively hub of whispers, wagers, and illicit dealings. Beneath the laughter of drunken patrons and the clinking of tankards, it is said that the tavern harbors more than just ale and merrimentโ€”it is a covert meeting ground for spies, thieves, and those loyal to Malakar’s cause. The Fellowship has learned that within the hidden backrooms of the Moonbeam Tavern, a crucial piece of information is being tradedโ€”the location of the Shadow Veil Cartographer, an informant who possesses a long-lost map detailing Malakarโ€™s stronghold defenses. If the fellowship is to stand any chance of breaching the Obsidian Citadel, they must obtain this map before it falls into enemy hands.

🎯 Challenge Files & Infrastructure

Provided Files

Files: None

๐Ÿ” Initial Analysis

First Steps

Initially, the website appears as follows:

/images/CyberApocalypseCTF-2025/Web/WhispersOfTheMoonbeam/site_presentation.png
Site Presentation

By clicking on “Enter Tavern,” I was redirected to the following page:

/images/CyberApocalypseCTF-2025/Web/WhispersOfTheMoonbeam/terminal.png
Terminal

where it was possible to execute commands. Note the hint at the bottom of the page: Tip: Use ↑↓ for history, Tab for completion, ; for command injection. That line alone tells us what the challenge is about…

🔬 Vulnerability Analysis

Potential Vulnerabilities

  • OS Command Injection

🎯 Solution Path

Exploitation Steps

Initial setup

First, I used the help command to list all the available commands:

/images/CyberApocalypseCTF-2025/Web/WhispersOfTheMoonbeam/help.png
Help

Then I tried the gossip command:

/images/CyberApocalypseCTF-2025/Web/WhispersOfTheMoonbeam/gossip.png
Gossip

and it appears to list the current directory, much like ls. To confirm, I sent gossip a:

/images/CyberApocalypseCTF-2025/Web/WhispersOfTheMoonbeam/gossipa.png
Gossip a

I got the error message Command failed: ls a, followed by ls: a: No such file or directory. So gossip really is ls, and whatever I type after it is passed straight through as its argument. The Command failed: prefix is also how Node's child_process.exec reports a non-zero exit from the shell it spawns, which is a strong sign that the argument is concatenated into a command string rather than passed as a separate argv entry. Let’s move on to the next phase.

Exploitation

Now, as the hint suggested, I simply appended ; to the command. The shell treats ; as a command separator, so command1;command2 runs both commands one after the other on a single line. I sent gossip;cat flag.txt, which the server turned into ls;cat flag.txt, and the response included the contents of flag.txt, i.e. the flag.
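To show exactly why ; works here and what the fix looks like, the following is an added Python example, not code from the challenge (the page never shows the server source, and the challenge may well not be written in Python). It reconstructs a command dispatcher that translates the tavern verb gossip into ls in two ways: a vulnerable handler that appends the raw remainder of the input to a string handed to /bin/sh, and a hardened handler that tokenizes the input, validates every argument, and executes without a shell. The verb-to-binary mapping beyond gossip, the dispatch regex, the argument rules and the flag.txt contents are all constructed for the demo.

```python
import re
import subprocess
import tempfile
from pathlib import Path
from typing import Dict

# Tavern verb -> real binary. The page only establishes that "gossip" runs ls;
# the mapping and everything below are a constructed reconstruction (assumption).
COMMANDS: Dict[str, str] = {"gossip": "ls"}

# Characters that let an argument escape the intended command once a shell
# interprets the line: separators, pipes, substitutions, redirection, quoting.
_SHELL_META = re.compile(r"[;&|`$<>(){}\n\r\\\"'*?\[\]~]")


def vulnerable_handler(user_input: str, cwd: Path) -> str:
    """Reconstruction of the bug: the leading verb is swapped for its binary and
    the rest of the raw string is appended, then the line goes to /bin/sh.
    "gossip;cat flag.txt" therefore becomes "ls;cat flag.txt"."""
    m = re.match(r"^([a-z]+)(.*)$", user_input, re.S)
    if not m or m.group(1) not in COMMANDS:
        return "Unknown command"
    shell_line = COMMANDS[m.group(1)] + m.group(2)
    proc = subprocess.run(shell_line, shell=True, cwd=cwd,
                          capture_output=True, text=True)
    return proc.stdout + proc.stderr


def hardened_handler(user_input: str, cwd: Path) -> str:
    """Fix: split into tokens, validate each argument, exec without a shell.
    With shell=False the argv list reaches the binary untouched, so ';' is
    just a character in a filename, never a command separator."""
    parts = user_input.split()
    if not parts or parts[0] not in COMMANDS:
        return "Unknown command"
    for arg in parts[1:]:
        # Reject metacharacters, option injection (-la), and path escapes.
        if (_SHELL_META.search(arg) or arg.startswith("-")
                or arg.startswith("/") or ".." in arg):
            raise ValueError(f"rejected argument: {arg!r}")
    proc = subprocess.run([COMMANDS[parts[0]], *parts[1:]], cwd=cwd,
                          capture_output=True, text=True)
    return proc.stdout + proc.stderr


def demo(payload: str = "gossip;cat flag.txt") -> Dict[str, str]:
    """Run one payload through both handlers inside a throwaway directory
    holding a constructed flag.txt (not the real flag)."""
    with tempfile.TemporaryDirectory() as d:
        cwd = Path(d)
        (cwd / "flag.txt").write_text("HTB{constructed_flag_for_this_demo}\n")
        vuln_out = vulnerable_handler(payload, cwd)
        try:
            hard_out = hardened_handler(payload, cwd)
        except ValueError as exc:
            hard_out = str(exc)
    return {"vulnerable": vuln_out, "hardened": hard_out}


if __name__ == "__main__":
    for name, out in demo().items():
        print(f"--- {name} ---\n{out}")
```

The two handlers differ in one place that matters: the vulnerable one builds a string and lets sh parse it, the hardened one builds an argv list. Blocking metacharacters is defence in depth; the real fix is shell=False plus an allowlist of verbs, which is what lets a stray ; fall through harmlessly as part of a (non-existent) filename.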

Flag capture

/images/CyberApocalypseCTF-2025/Web/WhispersOfTheMoonbeam/manual_flag.png
Manual Flag

๐Ÿ› ๏ธ Exploitation Process

Approach

The automated exploit sends a POST request to the /api/command endpoint (found by inspecting the request the page makes when a command is submitted), carrying a payload of the form command;cat flag.txt (gossip;cat flag.txt in my case). Once the response is received, it extracts the flag with a regex.

🚩 Flag Capture

Flag

HTB{Sh4d0w_3x3cut10n_1n_Th3_M00nb34m_T4v3rn_962c3fd0bdd17b2ae33bfeb7144d7d34}

Proof of Execution

/images/CyberApocalypseCTF-2025/Web/WhispersOfTheMoonbeam/automated_flag.png
Automated Flag
Screenshot of successful exploitation

🔧 Tools Used

| Tool | Purpose |
|---|---|
| Python | Exploit |

💡 Key Learnings

Skills Improved

  • Web Exploitation: OS command injection through an argument that is concatenated into a shell command string

📊 Final Statistics

| Metric | Value | Notes |
|---|---|---|
| Time to Solve | 00:02 | From start to flag |
| Global Ranking (At the time of flag submission) | 34/6512 | Challenge ranking |
| Points Earned | 1000 | Team contribution |

Created: 21-03-2025 • Last Modified: 21-03-2025 • Author: mH4ck3r0n3 • Team: QnQSec