Skip to content

HackTheBox Cyber Apocalypse CTF 2024: Flag Command

TL;DR

  • Web-based text adventure backed by a simple API.
  • Client fetches all valid commands from /api/options.
  • API response includes a hidden secret command not exposed in the UI.
  • Sending the secret command directly returns the flag.

Video Walkthrough

Flag Command walkthrough

Description

Embark on the "Dimensional Escape Quest" where you wake up in a mysterious forest maze that's not quite of this world. Navigate singing squirrels, mischievous nymphs, and grumpy wizards in a whimsical labyrinth that may lead to otherworldly surprises. Will you conquer the enchanted maze or find yourself lost in a different dimension of magical challenges? The journey unfolds in this mystical escape!

Solution

We load the webpage and find a terminal, enter a random string.

'hi' command not found. For a list of commands, type 'help'

OK, let's do it.

>> help

start Start the game
clear Clear the game screen
audio Toggle audio on/off
restart Restart the game
info Show info about the game

If we start the game, we can select one of 4 options. I choose to HEAD NORTH.

>> start

YOU WAKE UP IN A FOREST.

You have 4 options!
HEAD NORTH
HEAD SOUTH
HEAD EAST
HEAD WEST

>> HEAD NORTH

Venturing forth with the grace of a three-legged cat, you head North. Turns out, your sense of direction is as bad as your cooking - somehow, it actually works out this time. You stumble into a clearing, finding a small, cozy-looking tavern with "The Sloshed Squirrel" swinging on the signpost. Congratulations, you've avoided immediate death by boredom and possibly by beasties. For now...

You have 4 options!
GO DEEPER INTO THE FOREST
FOLLOW A MYSTERIOUS PATH
CLIMB A TREE
TURN BACK

We get another 4 options. At this point, let's check the web traffic in burp. There's a call to /api/options and in it are some possible commands. Notice we have a secret option.

{
    "allPossibleCommands": {
        "1": ["HEAD NORTH", "HEAD WEST", "HEAD EAST", "HEAD SOUTH"],
        "2": ["GO DEEPER INTO THE FOREST", "FOLLOW A MYSTERIOUS PATH", "CLIMB A TREE", "TURN BACK"],
        "3": ["EXPLORE A CAVE", "CROSS A RICKETY BRIDGE", "FOLLOW A GLOWING BUTTERFLY", "SET UP CAMP"],
        "4": ["ENTER A MAGICAL PORTAL", "SWIM ACROSS A MYSTERIOUS LAKE", "FOLLOW A SINGING SQUIRREL", "BUILD A RAFT AND SAIL DOWNSTREAM"],
        "secret": ["Blip-blop, in a pickle with a hiccup! Shmiggity-shmack"]
    }
}

Let's send the secret message and receive the flag!

>> Blip-blop, in a pickle with a hiccup! Shmiggity-shmack

HTB{D3v3l0p3r_t00l5_4r3_b35t_wh4t_y0u_Th1nk??!}

Note: I didn't actually solve it like this. Instead I checked the JS before playing the game and saw this function.

const fetchOptions = () => {
    fetch("/api/options")
        .then((data) => data.json())
        .then((res) => {
            availableOptions = res.allPossibleCommands;
        })
        .catch(() => {
            availableOptions = undefined;
        });
};

Subsequently, I made a GET request to this endpoint and discovered the secret option 😁

Flag: HTB{D3v3l0p3r_t00l5_4r3_b35t_wh4t_y0u_Th1nk??!}