haxez

Hack The Box – Passman

Posted on January 21, 2025January 21, 2025 by haxez

Passman was the fourth web challenge from the Hack The Box Cyber Apocalypse Capture The Flag competition. Hello world, welcome to haxez where today I will be explaining how I hacked the Passman challenge during Cyber Apocalypse 2023. This challenge like all the other challenges had a description which went as follows.

Pandora discovered the presence of a mole within the ministry. To proceed with caution, she must obtain the master control password for the ministry, which is stored in a password manager. Can you hack into the password manager?

Enumerating The Passman Application

Upon browsing to the application I was presented with a login page. I attempted to use common credentials like ‘admin:admin’ and ‘admin:password’ but was unsuccessful. Fortunately, the application did offer a registration form.

After registering a new user for the application and logging in, I was greeted with a web-based password manager. Therefore, I started poking at the add password functionality. There were a number of forms for the user to fill out but upon clicking save, it would save the record to your account.

Deadends

Admittedly, I wasn’t familiar with the technology that needed to be exploited in order to solve the challenge. This took me down a lot of pathways for long periods of time without getting anywhere. I tried performing SQL injections, Server Side Template Injections, Cross Site Scripting, XML Entity Injection but couldn’t make any progress. It was then that I noticed Graphql in the sitemap in Burp. I have never used Graphql before so I needed to bring myself up to speed quite quickly.

GraphQL Playground

I played around with GraphQL queries for a bit thinking I could perform a query to get the admin password. I failed miserably but then I stumbled upon IppSec’s Cereal video which helped me to understand GraphQL in more detail. Also, GraphQL Playground allowed me to identify mutations that I didn’t know existed. I tried to construct the payload manually using GraphQL playground but I couldn’t get the structure right. I was past tired by this point and just wanted to solve the challenge.

Back To Burp

It dawned on me that the correct syntax for mutations was sitting in my Burp history. I grabbed the registered user POST request and sent it to the repeater. I then modified the mutation to update the admin username and password to ‘admin:admin’. Unfortunately, the first time I sent this request it came back with an error saying I wasn’t authenticated. However, I used my cookie from an authenticated session to send the request again and it worked.

Capturing The Passman Flag

I was then able to log in to the application as the admin user and capture the flag. The flag was just sitting there as a password entry waiting for me to steal it.

HTB{1d0r5_4r3_s1mpl3_4nd_1mp4ctful!!}

Hack The Box – Drobots

Posted on January 21, 2025January 21, 2025 by haxez

Drobots was the third web challenge from the Hack The Box Cyber Apocalypse Capture The Flag competition. Hello world, welcome to haxez where in this post I will write up how I hacked Drobots. Like all the CTF challenges, Drobots had a description which read as follows.

Pandora’s latest mission as part of her reconnaissance training is to infiltrate the Drobots firm that was suspected of engaging in illegal activities. Can you help pandora with this task?

The Drobots Application

First, I loaded the application and was greeted with a login page. Unfortunately, there wasn’t much more to the application than that. I ran a few tools against it to try to identify any hidden areas and what technologies were being used.

Below, you can see the output of the tool Whatweb which can be used to identify the technology stack. For example, it was able to identify that the web application was utilising HTML5, Python, and Jquery. That gave us an idea of what exploits we could try.

┌──(kali㉿kali)-[~]
└─$ sudo whatweb http://161.35.168.118:30447                                              
http://161.35.168.118:30447 [200 OK] Bootstrap, Country[UNITED STATES][US], HTML5, HTTPServer[Werkzeug/2.2.3 Python/3.8.16], IP[161.35.168.118], JQuery, PasswordField, Python[3.8.16], Script, Title[Drobots], Werkzeug[2.2.3]

I also ran Ferric Oxide which I hadn’t used before. I’m definitely going to be adding it to my list of essential tools just for the easy Burp integration. Unfortunately, it didn’t find much but look how great the output is.

SQL Injection

I already had a good idea of what this challenge wanted us to do. To clarify, the only page we could find was a login page. It was highly likely that this was an SQL injection challenge. In order to test for SQL injection, I captured a login request with Burp and saved that request to a file. Next, I used SQL map with the ‘-r’ argument to specify the flag.

┌──(kali㉿kali)-[~/HTB/Drobots]
└─$ sudo sqlmap -r request --dbs

SQLMap was able to identify the database names and that one of the databases was named ‘drobots’. So the next step was to get the tables from this database. As you can see from the output below, there was only one table called users. I then asked SQLMap to dump the contents of the user’s table.

┌──(kali㉿kali)-[~/HTB/Drobots]
└─$ sudo sqlmap -r request -D drobots -T users --dump

Drobots Application Access

The next step in the challenge was actually quite funny and stopped me in my tracks for a bit. SQLMap automatically attempted to crack the Admin user’s “hash” but was unsuccessful. Furthermore, submitting the “hash” to crackstation.net or trying to crack it myself was unsuccessful. Yes, I have put the word hash in quotes because it wasn’t a hash at all.

In fact, it was the admin user’s password. Unencrypted or encoded, just sat there waiting for anybody to steal it. I was able to login with the username admin and the string retrieved from the SQL injection. Upon logging in to the application, the flag was right there at the top of the table.

HTB{p4r4m3t3r1z4t10n_1s_1mp0rt4nt!!!}

Drobots Review

This was a fun application that reinforced SQL injections skills and got you to think slightly outside of the box. The password trick was a bit mean and I guarantee it was 100% intended. I’m sure there were many people it didn’t fool but I’m sure a lot of people got stuck at this stage for a while. Anyway, I enjoyed this challenge.

Hack The Box – Gunhead

Posted on January 21, 2025January 21, 2025 by haxez

Gunhead was the second web hacking challenge of the Hack The Box Cyber Apocalypse Capture The Flag competition. Hello world, welcome to Haxez where I will be talking about the web hacking challenge Gunhead. Notably, this challenge is a great step up from the first challenge and like the other challenges here is the description.

During Pandora’s training, the Gunhead AI combat robot had been tampered with and was now malfunctioning, causing it to become uncontrollable. With the situation escalating rapidly, Pandora used her hacking skills to infiltrate the managing system of Gunhead and urgently needs to take it down.

Enumerating The Gunhead Application

The Gunhead application had a bit more functionality than the first application. It appeared to be an interface for a weapons control system. There were a number of interactable icons on the right side of the page. The first option showed us the status of the bot, the second told us its needs and the third appeared to be a command window.

Command Window

The command window had a help option. Obviously, running ‘/HELP’ in the terminal showed us that we had a number of commands that we could run. These commands included ‘/CLEAR’ to clear the current terminal, ‘/STORAGE’ to list the current storage space and ‘/PING’ which lets us ping a target.

Looking at the source it seems that ‘/STORAGE’ command is printing prewritten information. However, the ‘/PING’ command appears to be directly invoking systems commands. If we can find a way to tack on additional commands then perhaps we can enumerate the filesystem and find and cat the flag.

Command Injection

By running the ping command with an IP address and a semicolon, we can add our own commands on to the end such as the list command. For example, if we were to run ‘/PING 10.10.10.10; LS -LASH;’ then we would see the output of the list command. Unfortunately no ‘flag.txt’ file here.

If we continue enumerating the filesystem we can see that the flag file is in the ‘/’ directory. Consequently, all we should need to do now is cat the file.

Gunhead Capture The Flag

As shown below, we were able to capture the flag.txt file by appending the ‘cat’ command. Next, all we need to do now is copy the flag and submit and we’re done.

HTB{4lw4y5_54n1t1z3_u53r_1nput!!!}

Gunhead Review

The Gunhead web hacking challenge was a lot of fun and a good place to start learning about command injection. I remember that the Mr Robot lab had a similar vulnerability. Anyway, there isn’t much more to say about the challenge than that. It was well-designed and had fun visuals. I like challenges with strong themes as it helps to immerse you.

Hack The Box – Trapped Source

Posted on January 21, 2025January 21, 2025 by haxez

Trapped Source is the first Web challenge of the Hack The Box Cyber Apocalypse Capture The Flag competition. Hello world, welcome to Haxez where today I will write about my experience with the Trapped Source challenge. As with all the other challenges, the description for the Trapped Source challenge was as follows.

Intergalactic Ministry of Spies tested Pandora’s movement and intelligence abilities. She found herself locked in a room with no apparent means of escape. Her task was to unlock the door and make her way out. Can you help her in opening the door?

Now the question is, how do I write 300 words about a challenge that requires you to view page source? I have to write 300 words so that Yoast SEO doesn’t complain about not writing 300 words. Therefore, I’m going to write about how I have to write 300 words just to satisfy the SEO gods.

The Trapped Source Application

Once we spawn the docker container, we can head to the IP and port in our browser. I loved the presentation of the application, the pixelated font on the keypad and the colour design was great. Other than that, there wasn’t much to the application. As you can see from the image below, the challenge is to input the correct pin.

So how do we solve this challenge? how do we find the correct pin in order to get the flag? Perhaps we could brute force it. However, based on the name of the challenge I’m going to go out on a limb and say we should view the source. I’m sorry if this sounds patronising but I need to pad out this write-up.

The Source Of The Solution

Right-clicking the page to view the page source or inspecting it will show you the code being rendered by your browser. Unfortunately, it seems that our website developer included the secret pin in the javascript. There are lessons to be learned here about secure coding practices and client-side coding but that’s for a later date.

Trapped Source Flag Captured

After punching in the pin we get our flag. You can type it out but if you expand the source code a bit more, you will see the flag which you can copy and paste. I.m not even sure if you needed to put the pin in to solve it. It doesn’t make sense that you would need to. If its all client side then the flag should be client-side too, I just didn’t bother to check.

HTB{V13w_50urc3_c4n_b3_u53ful!!!}

Trapped Source Review

The Trapped Source challenge was fun and a well-designed challenge for the first web challenge. I’m glad that it wasn’t just a case of view source and win (although it might have been). It seems the creators of the challenge had fun making it. I had fun solving it and hopefully, you’re having fun reading about it. Anyway, that’s all for this challenge.

Hack The Box – Debug

Posted on January 21, 2025 by haxez

Debug was the third hardware hacking challenge of the Hack The Box Cyber Apocalypse Capture The Flag Competition. Hello world, welcome to Haxez, this challenge was a lot of fun and wasn’t too difficult provided you had the right extensions installed. The description for debug was as follows.

Your team has recovered a satellite dish that was used for transmitting the location of the relic, but it seems to be malfunctioning. There seems to be some interference affecting its connection to the satellite system, but there are no indications of what it could be. Perhaps the debugging interface could provide some insight, but they are unable to decode the serial signal captured during the device’s booting sequence. Can you help to decode the signal and find the source of the interference?

Debug With Logic 2

As with the first challenge, we needed to open the files with Logic 2. However, the answer wasn’t right in front of us like last time. I had previously used Logic 2 before during the Try Hack Me Advent Of Cyber. However, that challenge told us what analyzer we needed to use and the exact settings needed. I thought it would be best to start with Async Serial but I had no idea what the baud rate would be. There are ways to calculate the baud rate manually but thankfully there is also an extension.

Configuring The Analyzer

Once the extension was installed, I shift clicked from one high point of the signal to the other. This then provided an estimation of the baud rate. I added a new Aysnc Serial analyzer for the RX channel and gave it the correct baud rate.

Debug The Signal

Finally, the data window started producing text. I must admit that I thought this was cool. It reminded me of the film Aliens for some reason. Something to do with the ASCII art and the satellite dish I think. Anyway, a lot of text was spat out and I have to salute whoever made this because they didn’t need to put this level of detail into it. Hidden in this transmission was the flag and all you had to do was assemble it.

HTB{547311173_n37w02k_c0mp20m153d}

Debug Review

This was a really fun challenge but I have to be honest, I found it easier than the first challenge. With this challenge, I felt that I knew what I had to do immediately. The first challenge completely threw me off for a long time. I really appreciate the level of detail that went into the transmission. It made me smile. Anyway, that’s all for the hardware challenges. I couldn’t solve secret code and from the write-ups, I’ve read, it didn’t look easy.

Hack The Box – Critical Flight

Posted on January 21, 2025January 21, 2025 by haxez

Critical Flight was the second hardware hacking challenge of the Hack The Box Cyber Apocalypse Capture The Flag competition. Hello world, welcome to Haxez, in this post I’m going to be discussing my experience solving the Critical Flight hardware hacking challenge. All challenges have a description and you can find Critical Flight’s below.

Your team has assigned you to a mission to investigate the production files of Printed Circuit Boards for irregularities. This is in response to the deployment of nonfunctional DIY drones that keep falling out of the sky. The team had used a slightly modified version of an open-source flight controller in order to save time, but it appears that someone had sabotaged the design before production. Can you help identify any suspicious alterations made to the boards?

Opening Critical Flight Files

I have no previous experience with GBR files. Honestly, it took me far too long to find something that would open them. In the end, I found an application called GerberLogix. The application allowed me to open all the files at once and was very simple to use. It does seem dated but it got the job done for the task at hand.

Critical Flight GerberLogix

As you can see from the image below, when opening the files they are combined. It’s like layers in photoshop or gimp and each layer was coloured differently. There wasn’t much else for me to do so I started selecting and unselecting different layers.

Revealing The Flag

After playing with the layers for a bit I eventually found a flag. However, no matter how I structured it, the flag wasn’t accepted. I initially thought that someone had made a mistake and forgot to add the end squiggly bracket but I should have known better. These folks don’t make mistakes.

Pulling Back The Layers

After tinkering with the layers a bit more, I finally noticed the second part of the flag. Of course, they didn’t forget to close the flag. These are hackers we’re talking about, syntax is incredibly important. As you can see below, there were two parts to the flag and we needed to combine them to solve the challenge.

HTB{533_7h3_1nn32_w02k1n95_0f_313c720n1c5#$@}

Critical Flight Review

This challenge was great in my opinion, it didn’t require too much tinkering. Once I found an application to open the files it was simple. I did try opening the files with GIMP as I read somwhere that they were brush files. That didn’t work out too well. Anyway, not much more to say about it. Fun challenge.

Hack The Box – Timed Transmission

Posted on January 21, 2025January 21, 2025 by haxez

Timed Transmission was the first hardware challenge of the Hack The Box Cyber Apocalypse 2023 CTF event. Hello world, welcome to Haxez. In this post, I’m going to describe my experience solving the Time Transmission hardware challenge. All the challenges in this CTF have a great description following the theme of the competition. The introduction to the challenge was as follows.

“As part of your initialization sequence, your team loaded various tools into your system, but you still need to learn how to use them effectively. They have tasked you with the challenge of finding the appropriate tool to open a file containing strange serial signals. Can you rise to the challenge and find the right tool?”

Timed Transmission Files

After reading the description, we can download the challenge files which are achieved in a zip file. Extracting the zip files revealed a file named ‘Captured_Signals.sal’. There was also a ‘_MACOSX’ file which I presume contained the Mac OS equivalent files.

Our first challenge was to identify how to open these files. Performing a google search for ‘.sol’ files solved that question pretty quickly. Unfortunately, that was only the beginning of the challenge. Admittedly, I spent far longer on this challenge than I should have. Furthermore, the answer was under my nose the whole time, I just couldn’t see it.

Saleae Logic 2

The provided files could be opened with a program called Logic 2 from Saleae. Logic 2 allows the user to capture and analyse signals. Upon opening the file, the answer is right in front of you. The different message fragments make up the flag. Unfortunately, and embarrassingly, I didn’t see it. I spent hours trying to analyse the different channels with various different analyzers.

So provided you didn’t immediately zoom and mess with the signal, this should have been easy to solve. Unfortunately, I did mess with the signal and even went as far as extracting the individual channels from the file and looking through those. I wasted a lot of time.

HTB{b391N_tH3_HArdWAr3_QU3St}

Timed Transmission Review

I didn’t enjoy this challenge for the wrong reasons. It should have been a fun introduction to hardware hacking but I went and overcomplicated it. However, the challenge itself is fun and I like how the creators were able to make the signals spell out the flag.

Hack The Box – Infiltration

Posted on January 21, 2025January 21, 2025 by haxez

Hello world, welcome to Haxez. Today I’m looking at the Infiltration OSINT challenge on Hack The Box. The challenge asks the following:

“Can you find something to help you break into the company ‘Evil Corp LLC’. Recon social media sites to see if you can find any useful information.”

Ok, the first thing I did was head straight to google and search for Evil Corp LL in quotation marks. This ensures that we only get exact matches in our results. This technique is known as Google Dorking, although this is a pretty basic search operator.

Links To The Answer

The first result appears to be a Linkedin page which actually has a flag on it. We are Infiltration masters with our first Google search. Unfortunately, it seems that someone is playing games as this flag does not work when submitted. I wasn’t sure what to make of this but we will come back to it later.

I started looking through the employees and found Brian Delany whose job title at Evil Corp LLC is a hacker. Interestingly, his profile had a base64 encoded string. I decided to decode it using CyberChef which produced the following:

“There are people out there that will lie, steal and cheat to hide their own imperfections and to…

This gave me an idea, normally Hack The Box flags have a phrase but the fake flag on the Evil Corp LLC profile didn’t. if we take the string to CyberChef and ask it to bake it for us, we get some words of encouragement. Ok, this isn’t our flag. Time to move on.

I poked around on Linked in for a while longer but didn’t find much. I went back to Google and the second result was an Instagram page.

Infiltration of Instagram

I currently work as a penetration tester. One thing I’ve picked up is that before performing a Red Team engagement, it’s a good idea to look at the employee’s social media profiles. If you can spot a badge then you might be able to create a replica which could help get by security. The laptop and badge on this profile immediately caught my attention (Thanks Rich).

Unfortunately, you need to be registered to view the pictures properly. It’s 2023, who uses Instagram these days? It’s all about TikTok now, isn’t it? I’m kidding of course, I do have an Instagram account and visited her account on my phone. From there I was able to zoom in on the badge and find the flag.

Conclusion

These OSINT challenges are a lot of fun. I don’t see any active ones though so I think Hack The Box has moved away from them. It’s a shame honestly because it’s been a good break from smashing my face into box after box. So far, these challenges haven’t require too much effort other than poking around on the web. I will be doing more of them for sure.

Hack The Box – Easy Phish

Posted on January 21, 2025January 21, 2025 by haxez

Hello world, welcome to Haxez. Today I’m going to be looking at the retired Easy Phish OSINT challenge from Hack The Box. The challenge description explains:

“Customers of secure-startup.com have been receiving some very convincing phishing emails, can you figure out why?”

Based on the information provided, it seems like this will have something to do with enumerating the DNS records on the domain.

Enumeration

In order to solve this challenge we need to understand how to look up the DNS records associated with a domain. Furthermore, we will need to know which records to query. Once we know that, we should be able to retrieve the flag from the DNS records of the domain. First, we can use NS lookup. Unfortunately, we only get the A record associated with the domain.

┌─[joe@parrot]─[/mnt/hgfs/MOUNT/HTBCHAL/web_weather_app]
└──╼ $nslookup secure-startup.com
Server:                     192.168.80.2
Address:   192.168.80.2#53
Non-authoritative answer:
Name:      secure-startup.com
Address: 34.102.136.180

Since we know we’re looking for a flag we could try to brute force subdomains, perhaps the flag is a subdomain. However, a more likely approach would be to look at the TXT records as TXT records can contain text and are likely going to be the hiding place of our flag.

First, I start off by performing a nslookup where the query type is set to TXT. This appears to give us the flag, well part of it anyway. As you can see below we have a partial flag claiming that SPF is dead and is always second.

┌─[joe@parrot]─[/mnt/hgfs/MOUNT/HTBCHAL/web_weather_app]
└──╼ $nslookup -q=txt secure-startup.com
Server:                     192.168.80.2
Address:   192.168.80.2#53
Non-authoritative answer:
secure-startup.com   text = "v=spf1 a mx ?all - HTB{RIP_SPF_Always_2nd"

Second to what? DMARC probably. SPF only checks the “envelope from” address, which can be easily circumvented by attackers who spoof the visible “from” address. DMARC, on the other hand, checks both the “envelope from” and visible “from” addresses to prevent unauthorized use of domain names. It also provides a mechanism for domain owners to receive reports on email authentication failures. DMARC is considered to be a more effective solution for email authentication than SPF alone.

Solving Hack The Box Easy Phish

So, we can now change our query to query the subdomain _dmarc for a TXT record. This value would usually contain information about the configuration of the mail server but in this case, it has the second half of the flag.

┌─[joe@parrot]─[/mnt/hgfs/MOUNT/HTBCHAL/web_weather_app]
└──╼ $nslookup -q=TXT _dmarc.secure-startup.com
Server:                     192.168.80.2
Address:   192.168.80.2#53
Non-authoritative answer:
_dmarc.secure-startup.com       text = "v=DMARC1;p=none;_F1ddl3_2_DMARC}"

Put them together and pow, we have the flag.

Hack The Box – Weak RSA

Posted on January 21, 2025January 21, 2025 by haxez

Hello world and welcome to haxez, today I will attempt to solve the Weak RSA crypto challenge on Hack The Box. Please note that I got the solution from https://technicalciso.com/. I’m not even going to pretend to know the specifics behind how this all works. I know what encryption is. Furthermore, I know the various types of encryption including RSA. I also know how public and private key pairs work. However, I don’t know how you would break it. I’ve broken SSH keys before using John The Ripper but that’s about it.

Weak RSA Set Up

This challenge requires you to download some files and decrypt the flag so that it can be submitted to Hack The Box. First, we need to do is download the files and extract them. The password for the zip file is ‘hackthebox’. Next, looking at the files we notice that we have a flag.enc file and a key.pub file. I assume that the flag.enc was encrypted using the key.pub file.

┌─[joe@parrot]─[/mnt/hgfs/MOUNT/WeakRSA]
└──╼ $unzip Weak\ RSA.zip 
Archive:  Weak RSA.zip
[Weak RSA.zip] flag.enc password: 
  inflating: flag.enc                
  inflating: key.pub       

┌─[joe@parrot]─[/mnt/hgfs/MOUNT/WeakRSA]
└──╼ $ls -laSh
total 30K
drwxrwxrwx 1 root root 12K Mar 10 12:31  ..
-rwxrwxrwx 1 root root 826 Mar 10 12:34 'Weak RSA.zip'
-rwxrwxrwx 1 root root 447 May 15  2017  key.pub
-rwxrwxrwx 1 root root 129 Jul  3  2017  flag.enc
drwxrwxrwx 1 root root   0 Mar 10 12:35  .

File Explanation

Previously, I mentioned public and private key pairs. This is the same type of cryptographic function when you SSH to a server with a private key. Your public key will be stored on the server and then you specify your private key. Next, the server does the maths and if it’s all good then you can access the server. The same theory can be applied to PGP. Someone encrypts a document to your public key which allows you to decrypt the document with your private key.

So, we have a flag.enc (enc probably means encrypted right?), and we have a key.pub. The key.pub is probably the public key used to encrypt the file. The problem is, RSA is an asymmetric cryptosystem. You can encrypt it with your public key but you can’t decrypt it with your public key. If you could, then it would be symmetric encryption where one key is used for both encrypting and decrypting. So, what do we do?

Cracking The Weak RSA Encryption

Turns out, there is a reason why it is a good idea to use long passwords. When it comes to encryption, size does matter. If something has been encrypted with a short encryption key, it may be possible to break it. Shorter likely means fewer sums to do right? That makes sense logically surely. I could be completely wrong, but this is my understanding of it. If the flag was encrypted using a short RSA private key then we might be able to deduce the private key from the public key and then decrypt the file. However, we need a tool.

git clone https://github.com/RsaCtfTool/RsaCtfTool.git
sudo apt-get install libgmp3-dev libmpc-dev
cd RsaCtfTool
pip3 install -r "requirements.txt"
./RsaCtfTool.py

Once installed, we can then point the tool to our public key and politely ask it to produce the private key.

┌─[joe@parrot]─[/opt/RsaCtfTool]
└──╼ $./RsaCtfTool.py --publickey /mnt/hgfs/MOUNT/WeakRSA/key.pub --private
[] Testing key /mnt/hgfs/MOUNT/WeakRSA/key.pub. attack initialized… [] Performing factordb attack on /mnt/hgfs/MOUNT/WeakRSA/key.pub.
[*] Attack success with factordb method !
Results for /mnt/hgfs/MOUNT/WeakRSA/key.pub:
Private key :
-----BEGIN RSA PRIVATE KEY-----
MIICOQIBAAKBgQMwO3kPsUnaNAbUlaubn7ip4pNEXjvUOxjvLwUhtybr6Ng4undL
tSQPCPf7ygoUKh1KYeqXMpTmhKjRos3xioTy23CZuOl3WIsLiRKSVYyqBc9d8rxj
NMXuUIOiNO38ealcR4p44zfHI66INPuKmTG3RQP/6p5hv1PYcWmErEeDewKBgGEX
xgRIsTlFGrW2C2JXoSvakMCWD60eAH0W2PpDqlqqOFD8JA5UFK0roQkOjhLWSVu8
c6DLpWJQQlXHPqP702qIg/gx2o0bm4EzrCEJ4gYo6Ax+U7q6TOWhQpiBHnC0ojE8
kUoqMhfALpUaruTJ6zmj8IA1e1M6bMqVF8srlb/NAiBhwngxi+Cbie3YBogNzGJV
h10vAgw+i7cQqiiwEiPFNQJBAYXzr5r2KkHVjGcZNCLRAoXrzJjVhb7knZE5oEYo
nEI+h2gQSt1bavv3YVxhcisTVuNrlgQo58eGb4c9dtY2blMCQQIX2W9IbtJ26KzZ
C/5HPsVqgxWtuP5hN8OLf3ohhojr1NigJwc6o68dtKScaEQ5A33vmNpuWqKucecT
0HEVxuE5AiBhwngxi+Cbie3YBogNzGJVh10vAgw+i7cQqiiwEiPFNQIgYcJ4MYvg
m4nt2AaIDcxiVYddLwIMPou3EKoosBIjxTUCQQCnqbJMPEQHpg5lI6MQi8ixFRqo
+KwoBrwYfZlGEwZxdK2Ms0jgeta5jFFS11Fwk5+GyimnRzVcEbADJno/8BKe
-----END RSA PRIVATE KEY-----

Score.

Decrypting The File

Now we can use the private key to decrypt the flag and submit the flag to hack the box and win the challenge. Apparently, there is a way to do this with RsaCtfTool but I couldn’t work it out. It wouldn’t output the flag or create a new file. So I will use OpenSSL to decrypt the flag using the private key that RsaCtfTool just magically found for us.

┌─[joe@parrot]─[/mnt/hgfs/MOUNT/WeakRSA]
└──╼ $openssl rsautl -in flag.enc -out flag.txt -decrypt -inkey priv.key
┌─[joe@parrot]─[/mnt/hgfs/MOUNT/WeakRSA]
└──╼ $ls
flag.enc flag.txt key.pub priv.key RsaCtfTool.py 'Weak RSA.zip'
┌─[joe@parrot]─[/mnt/hgfs/MOUNT/WeakRSA]
└──╼ $cat flag.txt
HTB{sxxxx_Wxxxxrs_xxxxck}

And there you have it, submit the flag and you are done.