// k3ng
Apolo

Last updated 4 months ago

Challenge Description

In the lawless expanse of the Frontier Cluster, Apolo serves as a beacon of security, working to safeguard the Frontier Cluster's assets from bounty hunters.

Flags

User flag: HTB{llm_ex9l01t_4_RC3}

Root flag: HTB{cl0n3_rc3_f1l3}

Enumeration

We are only given an IP address since this is a red-teaming type challenge. The first thing to do is enumeration using nmap.

After enumeration, we can see that ports 22 and 80 are open. That means we have an SSH server and an HTTP server in this challenge. We also found the hostname for the IP address (apolo.htb). We need to configure our hosts file to point the hostname at our given IP.

When accessing the HTTP server, we are greeted with a static website. I got stuck here for a while until I saw a hyperlink to ai.apolo.htb.

After setting the new hostname to the same IP and accessing it, we are redirected to a FlowiseAI website, but we are stuck on the login dialog.

Initial Access

After searching for vulnerabilities, I found out about this authentication bypass exploit, where we can bypass the authentication by capitalizing the api/v1 part of the URL. To redirect every request that uses api/v1, I used Burp Suite to replace every api/v1 with API/V1, therefore bypassing the authentication.

After adding that rule, we can freely access the website. We can find a MongoDB credential on the credentials page.

The username and password in the MongoDB URL can be used to log in to SSH. Then we can get the user flag inside the user.txt file.

Privilege Escalation

To find ways to escalate privileges, I tried to see what sudo access the current user has with sudo -l.

The result is that this user can use sudo for the rclone command. This command is usually used to transfer data from cloud storage providers. I also got stuck on this for quite a while since I assumed that the data must come from a cloud storage.

But after some research, there is a vulnerability when moving symlinks. The rclone command will change the permissions of the target of the link instead of the link itself, making it possible to change permissions of files owned by root. I basically just followed the PoC but instead of targeting the /etc/shadow file, I targeted the entire /root directory.

After doing the steps in the PoC, I can access the root flag in /root/root.txt and solve the challenge.
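The Initial Access bypass works because the router and the authentication check disagree about path case. The following is an added illustration of that bug class and its fix; it is not Flowise's code and the route names, the `PUBLIC_PREFIXES` allowlist and the simulated router are assumptions. The hardened check goes slightly beyond the page's case: it canonicalises percent-encoding and dot segments as well as letter case, and is deny-by-default, so a request only skips authentication if it matches an explicit public prefix.

```python
"""Case-sensitivity mismatch between a router and its auth check.

Constructed illustration (not Flowise's code): the router matches routes
case-insensitively, but the auth middleware only protects paths that start
with the exact string "/api/v1". A request for "/API/V1/..." is routed to
the protected handler yet never triggers the auth check.
"""
from urllib.parse import unquote
import posixpath

PROTECTED_PREFIX = "/api/v1"
# Assumed allowlist of routes that may be served without a session.
PUBLIC_PREFIXES = ("/login", "/static")


def requires_auth_vulnerable(path: str) -> bool:
    """Deny-by-exception: only the literal lowercase prefix is protected,
    so any case variant of the prefix slips past."""
    return path.startswith(PROTECTED_PREFIX)


def canonical_path(path: str) -> str:
    """Normalise the request path to the form the router effectively sees:
    percent-decode, collapse '//' and '/./', resolve '..', then lowercase."""
    decoded = unquote(path)
    collapsed = posixpath.normpath("/" + decoded.lstrip("/"))
    return collapsed.lower()


def requires_auth_fixed(path: str) -> bool:
    """Deny-by-default on the canonical form: anything that is not explicitly
    public needs a session, so case and encoding tricks cannot skip the check."""
    p = canonical_path(path)
    return not any(p == pub or p.startswith(pub + "/") for pub in PUBLIC_PREFIXES)


def dispatch(path: str, authenticated: bool, requires_auth) -> tuple:
    """Simulated case-insensitive router that consults the auth predicate first.
    Returns (status, body) so the outcome of each policy can be compared."""
    if requires_auth(path) and not authenticated:
        return 401, "login required"
    if canonical_path(path).startswith(PROTECTED_PREFIX + "/"):
        return 200, "protected api response"
    return 200, "public page"


if __name__ == "__main__":
    for policy in (requires_auth_vulnerable, requires_auth_fixed):
        for req in ("/api/v1/credentials", "/API/V1/credentials", "/api/%56%31/credentials"):
            print(policy.__name__, req, dispatch(req, False, policy))
```

Run unauthenticated, the vulnerable policy returns the protected response for `/API/V1/credentials` while the fixed policy returns 401 for every spelling of the path. The general lesson is the one the writeup demonstrates: an authentication filter must operate on the same canonical path the router dispatches on, and should protect everything that is not explicitly public rather than listing what is protected.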
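The privilege escalation relies on a privileged tool applying permission changes through a symlink rather than to the link itself. The script below is an added demonstration of that mechanism and of the defensive pattern (inspect with lstat and refuse to touch symlinks); it is not rclone's code, and the directory layout, file names and the two chmod routines are constructed for the demo. It runs entirely inside a temporary directory the current user owns, so it shows the behaviour without needing root.

```python
"""Why a privileged tool that chmods through symlinks is dangerous.

Constructed demo (not rclone's code): os.chmod on a symlink path follows the
link, so a tool that adjusts permissions on user-supplied files will change
the permission bits of whatever the link points at. The hardened variant
inspects each entry with lstat semantics and skips symlinks.
"""
import os
import shutil
import stat
import tempfile


def make_fixture() -> tuple:
    """Build <tmp>/outside/secret.txt (mode 0600) standing in for a file the user
    must not touch, and <tmp>/userdir containing a regular file plus a symlink
    to the secret. Returns (userdir, secret_path, tmp_root)."""
    base = tempfile.mkdtemp(prefix="symlink-demo-")
    secret = os.path.join(base, "outside", "secret.txt")
    os.makedirs(os.path.dirname(secret))
    with open(secret, "w") as fh:
        fh.write("sensitive\n")
    os.chmod(secret, 0o600)

    userdir = os.path.join(base, "userdir")
    os.mkdir(userdir)
    with open(os.path.join(userdir, "notes.txt"), "w") as fh:
        fh.write("mine\n")
    os.symlink(os.path.join("..", "outside", "secret.txt"),
               os.path.join(userdir, "link"))
    return userdir, secret, base


def mode_bits(path: str) -> int:
    """Permission bits of the object at `path` itself (symlinks not followed)."""
    return stat.S_IMODE(os.lstat(path).st_mode)


def naive_chmod_tree(tree: str, mode: int) -> list:
    """The dangerous pattern: chmod every directory entry by path name.
    os.chmod follows symlinks, so 'link' silently rewrites the secret's mode."""
    changed = []
    for entry in os.scandir(tree):
        os.chmod(entry.path, mode)
        changed.append(entry.name)
    return sorted(changed)


def safe_chmod_tree(tree: str, mode: int) -> tuple:
    """Hardened pattern: DirEntry.is_symlink() uses lstat and never follows,
    so symlinks are reported and left alone. Returns (changed, skipped)."""
    changed, skipped = [], []
    for entry in os.scandir(tree):
        if entry.is_symlink():
            skipped.append(entry.name)
            continue
        os.chmod(entry.path, mode)
        changed.append(entry.name)
    return sorted(changed), sorted(skipped)


def demo() -> dict:
    """Run both variants on fresh fixtures and report the secret's final mode."""
    userdir, secret, root = make_fixture()
    changed, skipped = safe_chmod_tree(userdir, 0o777)
    after_safe = mode_bits(secret)
    shutil.rmtree(root)

    userdir, secret, root = make_fixture()
    naive_changed = naive_chmod_tree(userdir, 0o777)
    after_naive = mode_bits(secret)
    shutil.rmtree(root)

    return {
        "after_safe": after_safe,       # secret untouched: 0o600
        "after_naive": after_naive,     # secret opened up: 0o777
        "safe_skipped": skipped,
        "safe_changed": changed,
        "naive_changed": naive_changed,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, oct(value) if isinstance(value, int) else value)
```

When the same routine runs as root (for example via a sudo rule such as the one in this box), the file behind the link can be anything root owns, which is exactly how the writeup's PoC reaches /root. Any tool granted sudo should therefore be reviewed for whether it follows links on user-controlled input, and sudo rules for file-moving utilities are safer when they pin the source and destination paths rather than allowing arbitrary arguments.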