Flag Command

22^nd April 2022

Difficulty: Very Easy

Prepared By: w3th4nds

Challenge Author(s): Xclow3n

Today, let’s engage with the Hack The Box online category wargame, Flag Command! By choosing the Web category in the challenge filter of Hack The Box Labs, you can find Flag Command. In terms of difficulty, it is rated as extremely easy.

Hacking Challenges Typically, you do not need to set up a VPN to access the Box; you can simply launch an instance and head directly to your objective.

Once the instance is activated, open a new tab in your browser and enter the IP address that is displayed. Upon your initial visit to the website, you will encounter a page that resembles a Linux terminal, but it is not

At the bottom, it prompts you to type ‘start’ to begin the game:

Upon typing ‘start’, you are given four choices. Unsure of which one to pick, I took a risk and chose HEAD NORTH.

This brought me to another group of four options. Using the same trial and error approach as before, I successfully advanced to the third stage. (HEAD NORTH — FOLLOW A MYSTERIOUS PATH — SET UP CAMP)

Unfortunately, at the fourth question, none of the four choices were correct. Regardless of what I entered, I consistently received a Game Over.

I opted to examine the page’s source code.

By hitting F12, the Developer Tool launches, and I examined the Debugger tab. The site includes three JavaScript files (commands.js, main.js, game.js). The file that caught my attention the most was main.js, and within it, this function appeared to be especially useful:

The if statement within the function indicates two conditions. If the input corresponds to one of the options for the current question or if the answer is ‘secret’, the subsequent code is executed. Below is a segment of the code that is executed when the if condition is satisfied

Subsequently, I examined the requests captured in Burp Suite to identify the resources that were being accessed. The most intriguing details were found in the request and response from /api/options

This JSON data encompasses all available answer choices. It features not only the options displayed during the game but also the ‘secret’ option located in main.js.

Let’s attempt to input the ‘secret’ option for the initial question.

Furthermore, it is clear that when a command is issued, the browser simultaneously sends a request to /api/monitor, allowing us to transmit the secret directly through this request.

And there you go, the flag has been discovered!

This challenge wasn’t overly complex, but it did necessitate a bit of perseverance and fundamental JavaScript skills. It was a rather intriguing experience!