HTB Dark Runes

Land in /var/www/darkrunes. Find config.py with PostgreSQL creds: db_user: rune_walker, db_pass: s3cr3t_run3s. Access DB:

User flag: user.txt in /home/admin. Run sudo -l → (root) NOPASSWD: /usr/local/bin/rune_decoder /var/runes/*

rune_decoder is a SUID binary that decodes "rune files" (binary format). Analyze with strings and ltrace:

Payload:

Dark Runes isn't just a box—it’s a story. You stumble upon an ancient, arcane web server that speaks in cryptic symbols. Your mission? Decode the runes, bypass forbidden gates, and summon the root flag. Every quest begins with a whisper. You scan the target:

psql -U rune_walker -h localhost darkrunes -W

Dump tables → users table has a row for admin with a (bcrypt). Crack with John or hashcat → admin:darkrun3s2023!