67 - The "APIs: Handle with care, code with flair" Solution

This is the solution FOR "APIs: Handle with care, code with flair" for the (ISC)² Hawaii Chapter CTF. # solution runbook 1) create private key extracted from the "og.binary" ctf challenge 2) use the priavte key to ssh to the server ssh -i /home/anon/.ssh/id_rsa root@172.17.0.3 (swap the ip with the domain and port endpoint for ssh) 3) look around. run history cmd, run ps -ef to see running process, look around find interesting directories, find / -name "*.py", etc. 4) test the curl with the hash found in script: curl -X POST -H "Content-Type: application/json" -d '{"password": "ef92b778bafe771e89245b89ecbc08a44a4e166c06659911881f383d4473e94f"}' __domain__/check_password 5) run ef92b778bafe771e89245b89ecbc08a44a4e166c06659911881f383d4473e94f through sha256 converter 6) try the curl cmd again, this time pass the unhashed password in: curl -X POST -H "Content-Type: application/json" -d '{"password": "password123"}' __domain__/check_password 7) flag: isc2hiCTF{ripple advice bird above...hope struggle faint enhance}