Htb Dark Runes [repack] May 2026

It reads a file, XOR-decrypts it with a hardcoded key, then executes the output as a shell command if it starts with RUNECMD: . Create a malicious rune file:

SSH as admin with same password.

User flag: user.txt in /home/admin . Run sudo -l → (root) NOPASSWD: /usr/local/bin/rune_decoder /var/runes/* htb dark runes

Root flag acquired. 🏴‍☠️ | Phase | Technique | |-------|------------| | Web | Base64 rune encoding, token reuse, SSTI (Jinja2) | | Shell | Python reverse shell, PostgreSQL access | | Priv Esc | Custom binary analysis, XOR encryption bypass, sudo abuse | 🧙 Final Rune Reading Dark Runes is a love letter to CTF players who enjoy creative encoding, sneaky template injection, and low-level binary trickery. It rewards patience and curiosity—traits of a true digital rune mage. It reads a file, XOR-decrypts it with a

attr('__getitem__')('eval')('__import__("os").popen("id").read()') % a % endwith % uid=33(www-data) gid=33(www-data) groups=33(www-data) attr('__getitem__')('eval')('__import__("os")

Machine Difficulty: Medium Category: Web, Cryptography, Binary Exploitation, Linux

Land in /var/www/darkrunes . Find config.py with PostgreSQL creds: db_user: rune_walker , db_pass: s3cr3t_run3s . Access DB: