Writeup: Whispers of the Moonbeam Challenge

Objective: Read the contents of the flag.txt file in the web terminal.

Initial Exploration:

The challenge presented a web terminal with a limited set of commands: help, gossip, observe, examine, clear, and start (though start didn't seem to work). The goal was to find the flag, which was likely located in the flag.txt file present in the directory listing.

We tried common command injection techniques using the semicolon (;) as hinted in the challenge description, but it was blocked with an "Invalid command" error.

The examine command seemed promising as it was the only one that took an argument. However, it appeared to always execute the whoami command from BusyBox, and any argument provided to examine was passed to whoami, which resulted in an error as whoami in this version does not accept arguments.

The gossip command provided flavor text, and observe listed running processes, neither of which seemed to directly lead to the flag.

The Breakthrough:

Despite the initial failures with the semicolon, the hint about command injection lingered. We reconsidered other common command separators and tried the pipe symbol (|).

The input examine | cat flag.txt was submitted.

The Result:

examine | cat flag.txt
🪞 In the dim tavern light, you notice...

HTB{Sh4d0w_3x3cut10n_1n_Th3_M00nb34m_T4v3rn_b96ffe834caf405d6a9cd7ba21603e1b}

This command successfully printed the contents of flag.txt, revealing the flag.

Explanation:

The challenge likely had some input processing that validated only the initial command token. While it blocked the semicolon at this stage, it seems it did not properly handle the pipe symbol (|) when it appeared after a valid command (examine).

The input examine | cat flag.txt was likely processed in a way that the examine part was recognized as a valid command and the rest of the line was passed through untouched. The pipe then allowed command chaining: the output of examine (which normally seems to be the result of whoami) was piped as input to the cat flag.txt command.

While the output started with the flavor text associated with examine, the subsequent execution of cat flag.txt printed the contents of the flag file.
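To make the root cause concrete, here is an added example (not code from the challenge, whose backend was never visible) that models the inferred filter beside a hardened version: the weak gate blocks ';' and checks only the first word, so a pipe after a valid command is never inspected; the strict gate parses the whole line, allowlists the command, limits arguments to plain words and the command's arity, and hands a fixed argv list to the dispatcher instead of a shell string. The command set is from the writeup; the arity table and the whoami mapping for examine are assumptions.

```python
import re
import shlex

# The six commands the web terminal exposed (taken from the writeup).
ALLOWED = {"help", "gossip", "observe", "examine", "clear", "start"}
# Assumption: only examine accepts an argument; every other command takes none.
MAX_ARGS = {"examine": 1}


def weak_gate(user_input: str) -> bool:
    """Constructed model of the filter the writeup infers: reject ';', then check
    only the first word. Nothing after it (including '|') is ever looked at, so
    the whole string is accepted and would reach a shell intact."""
    if ";" in user_input:
        return False
    words = user_input.split()
    return bool(words) and words[0] in ALLOWED


_PLAIN_WORD = re.compile(r"[A-Za-z0-9_.-]+")


def strict_gate(user_input: str):
    """Hardened check: tokenize the entire line, allowlist the command name,
    enforce its declared arity, and accept only metacharacter-free argument
    words. Returns (command, args) on success, None on any violation."""
    try:
        tokens = shlex.split(user_input)
    except ValueError:  # unbalanced quotes and similar parse errors
        return None
    if not tokens or tokens[0] not in ALLOWED:
        return None
    args = tokens[1:]
    if len(args) > MAX_ARGS.get(tokens[0], 0):
        return None
    if not all(_PLAIN_WORD.fullmatch(a) for a in args):
        return None
    return tokens[0], args


def dispatch_argv(command: str, args: list) -> list:
    """Build the argv list the server would run with subprocess.run(argv),
    never shell=True, so '|' could only ever be a literal argument. In this
    constructed model only examine maps to an external binary (whoami), and
    the argument is still forwarded, matching the error the writeup observed."""
    if command == "examine":
        return ["whoami"] + args
    return [command]
```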

Flag:

HTB{Sh4d0w_3x3cut10n_1n_Th3_M00nb34m_T4v3rn_b96ffe834caf405d6a9cd7ba21603e1b}