Spookifier writeup
Challenge name: Spookifier
Difficulty: Very Easy
Challenge Scenario: There’s a new trend of an application that generates a spooky name for you. Users of that application later discovered that their real names were also magically changed, causing havoc in their life. Could you help bring down this application?
Link: https://app.hackthebox.com/challenges/Spookifier?tab=play_challenge
Machine IP: 154.57.164.78:30968
Navigated to the site. Right away, just from submitting ‘test’, I thought there might be LFI.

Downloaded the files with the challenge to dive deeper. Unzipped it.

Read the files, util.py is the most interesting.
cat web_spookifier/challenge/application/util.py

Font 4 in that file simply mirrors whatever we input, and because the input is rendered as part of a template, a ${...} expression inside it is evaluated on the server. With this vulnerable code we can get code execution. I was able to see command injection with ${7*7}. After a lot of testing I eventually got the flag by running:
${__import__('os').popen('cat flag.txt').read()}
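An added example, not code from the challenge or the writeup: the bug class behind font 4 (user text spliced into the template source) beside the hardened form (user text passed only as a value), using the standard library's string.Template as a stand-in for the real engine, plus a log check for the ${ probe syntax. SECRET, the log lines and all function names are constructed for this example.

```python
import html
import string
import urllib.parse

# Constructed stand-in for a server-side value a template can reach.
SECRET = "flag{constructed-example}"


def render_vulnerable(user_name: str) -> str:
    # Same mistake as font 4: the user's text becomes part of the template
    # *source*, so ${...} in the input is interpreted by the engine.
    # string.Template only substitutes names (no Python evaluation, unlike
    # Mako), but the data/code confusion is identical.
    tpl = string.Template("<td>" + user_name + "</td>")
    return tpl.safe_substitute(secret=SECRET)


def render_hardened(user_name: str) -> str:
    # Fix: the template source is a constant; user text enters only as a
    # value and is HTML-escaped before it lands in the page.
    tpl = string.Template("<td>$name</td>")
    return tpl.substitute(name=html.escape(user_name))


def looks_like_template_probe(value: str) -> bool:
    # Cheap detection signal: template expression syntax in a field that
    # should only ever contain a name.
    return "${" in value or "{{" in value


# Constructed request-log lines (not from the challenge) to run the check over.
SAMPLE_LOG = [
    '10.0.0.5 "GET /?text=test HTTP/1.1" 200',
    '10.0.0.9 "GET /?text=${7*7} HTTP/1.1" 200',
    '10.0.0.9 "GET /?text=%24%7B7*7%7D HTTP/1.1" 200',
]


def flag_probes(lines):
    # URL-decode before matching so an encoded ${ is not missed.
    return [line for line in lines
            if looks_like_template_probe(urllib.parse.unquote(line))]


if __name__ == "__main__":
    print(render_vulnerable("${secret}"))   # leaks SECRET
    print(render_hardened("${secret}"))     # prints the literal text
    print(flag_probes(SAMPLE_LOG))
```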

GG