Flag Command

Writeup for Flag Command (Web) - HackTheBox Cyber Apocalypse CTF (2024) 💜

Video Walkthrough

Description

Embark on the "Dimensional Escape Quest" where you wake up in a mysterious forest maze that's not quite of this world. Navigate singing squirrels, mischievous nymphs, and grumpy wizards in a whimsical labyrinth that may lead to otherworldly surprises. Will you conquer the enchanted maze or find yourself lost in a different dimension of magical challenges? The journey unfolds in this mystical escape!

Solution

We load the webpage and find a terminal, enter a random string.

'hi' command not found. For a list of commands, type 'help'

OK, let's do it.

>> help

start Start the game
clear Clear the game screen
audio Toggle audio on/off
restart Restart the game
info Show info about the game

If we start the game, we can select one of 4 options. I choose to HEAD NORTH.

>> start

YOU WAKE UP IN A FOREST.

You have 4 options!
HEAD NORTH
HEAD SOUTH
HEAD EAST
HEAD WEST

>> HEAD NORTH

Venturing forth with the grace of a three-legged cat, you head North. Turns out, your sense of direction is as bad as your cooking - somehow, it actually works out this time. You stumble into a clearing, finding a small, cozy-looking tavern with "The Sloshed Squirrel" swinging on the signpost. Congratulations, you've avoided immediate death by boredom and possibly by beasties. For now...

You have 4 options!
GO DEEPER INTO THE FOREST
FOLLOW A MYSTERIOUS PATH
CLIMB A TREE
TURN BACK

We get another 4 options. At this point, let's check the web traffic in burp. There's a call to /api/options and in it are some possible commands. Notice we have a secret option.

{
    "allPossibleCommands": {
        "1": ["HEAD NORTH", "HEAD WEST", "HEAD EAST", "HEAD SOUTH"],
        "2": [
            "GO DEEPER INTO THE FOREST",
            "FOLLOW A MYSTERIOUS PATH",
            "CLIMB A TREE",
            "TURN BACK"
        ],
        "3": [
            "EXPLORE A CAVE",
            "CROSS A RICKETY BRIDGE",
            "FOLLOW A GLOWING BUTTERFLY",
            "SET UP CAMP"
        ],
        "4": [
            "ENTER A MAGICAL PORTAL",
            "SWIM ACROSS A MYSTERIOUS LAKE",
            "FOLLOW A SINGING SQUIRREL",
            "BUILD A RAFT AND SAIL DOWNSTREAM"
        ],
        "secret": ["Blip-blop, in a pickle with a hiccup! Shmiggity-shmack"]
    }
}

Let's send the secret message and receive the flag!

>> Blip-blop, in a pickle with a hiccup! Shmiggity-shmack

HTB{D3v3l0p3r_t00l5_4r3_b35t_wh4t_y0u_Th1nk??!}

Note: I didn't actually solve it like this. Instead I checked the JS before playing the game and saw this function.

const fetchOptions = () => {
    fetch("/api/options")
        .then((data) => data.json())
        .then((res) => {
            availableOptions = res.allPossibleCommands;
        })
        .catch(() => {
            availableOptions = undefined;
        });
};

Subsequently, I made a GET request to this endpoint and discovered the secret option 😁

Flag: HTB{D3v3l0p3r_t00l5_4r3_b35t_wh4t_y0u_Th1nk??!}

PreviousWeb NextTimeKORP

Last updated 3 months ago