Htb Dark Runes Updated -

It reads a file, XOR-decrypts it with a hardcoded key, then executes the output as a shell command if it starts with RUNECMD: . Create a malicious rune file:

attr('__getitem__')('__builtins__') a % endwith % uid=33(www-data) gid=33(www-data) groups=33(www-data) htb dark runes

rune_decoder is a SUID binary that decodes "rune files" (binary format). Analyze with strings and ltrace : It reads a file, XOR-decrypts it with a

SSH as admin with same password.