Screencrack

Technical Walkthrough

Writeup

Challenge

• Name: Screencrack
• Category: Web
• Difficulty: Medium
• Mode: hybrid

Summary

Screencrack is a Laravel screenshot/source-fetching service. The solved path was:

1. Abuse /api/get-html as SSRF.
2. Bypass the literal local-IP check with a domain that resolves to loopback.
3. Use gopher SSRF to push a crafted Laravel queue job into Redis.
4. Let the queue worker unserialize App\Jobs\rmFile.
5. Abuse FileQueue::deleteFile() command injection through the unquoted rm call to copy /flag into a web-readable /src/*.txt file.

Artifact Inventory

Reference analysis/artifact-inventory.json and summarize the relevant files or remote surface.

Relevant files:

• files/extracted/challenge/routes/api.php: exposes POST /api/getss and POST /api/get-html.
• files/extracted/challenge/app/Http/Controllers/SiteShotController.php: validates only the literal URL host and misses DNS-to-loopback cases.
• files/extracted/challenge/app/Services/SiteShotService.php: cURLs the supplied URL and stores successful source responses under /www/public/src.
• files/extracted/challenge/app/Message/FileQueue.php: builds public paths and calls system() in deleteFile().
• files/extracted/config/redis.conf: Redis listens on TCP port 6379.
• files/extracted/config/job-runner.sh: starts php artisan queue:work --queue=default.
• files/extracted/challenge/.env: sets <secret redacted>=redis.

Analysis

The URL validator rejects literal private IPv4 hosts, but accepts a valid domain if DNS exists. <TARGET>.nip.io passes the domain check and resolves to loopback, so the backend cURL can reach internal services.

Local reproduction established the queue format and exploitability:

• analysis/local-queue-payload-example.jsonl captured a normal Laravel Redis queue job.
• analysis/local-malicious-worker-once.txt proved a crafted Redis job reaches App\Jobs\rmFile.
• analysis/local-gopher-worker-once.txt proved the job can be injected through the app’s SSRF using gopher.
• analysis/local-rmstyle-fixed-worker-once.txt proved the final solver-generated serialized payload is valid.

Two important corrections came from testing:

• /www/public/src is absent at container start, so the solver first makes a harmless successful source request to create it.
• PHP serialized class names must contain single namespace separators. Earlier solver payloads emitted doubled separators and Laravel rejected them during unserialize().

Public research check:

• https://github.com/pythagoras-19/htb-screencrack-solution

That source was advisory only; the final chain was validated locally and then against the live target.

Solve

The reproducible solver is solve/solve.py. It:

1. Generates a random public output filename.
2. Primes /www/public/src by asking /api/get-html to fetch http://<TARGET>.nip.io:80/.
3. Builds a Laravel queue payload for App\Jobs\rmFile.
4. Puts the command injection in fileQueue->uuid, using the unquoted rm sink.
5. Encodes Redis LPUSH commands into a gopher URL.
6. Sends the gopher URL to /api/get-html.
7. Polls /src/<random>.txt until the flag appears.

Tracked execution:

python3 scripts/challenge_exec.py Web/Screencrack -- python3 Web/Screencrack/solve/solve.py \
  --base-url http://<TARGET>:31569 \
  --output Web/Screencrack/analysis/flag-candidate.txt \
  --transcript Web/Screencrack/analysis/remote-solve-transcript.txt \
  --poll-seconds 720 \
  --poll-interval 5

The harness then captured the candidate into loot/flag.txt.

Flag

Raw flag is stored in loot/flag.txt and intentionally not reproduced here.

Lessons

• Source-backed Web challenges should be locally reproduced before remote iteration; the serializer bug would have been hard to see from the remote alone.
• SSRF filters that check only the literal hostname are vulnerable to DNS-to-loopback bypasses.
• Laravel Redis queue payloads are sensitive to exact PHP serialization bytes, especially namespace separators and string lengths.
• A successful exploit chain can still fail on filesystem state; here /www/public/src had to be created first through the normal app path.

Source-Backed Dossier

The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.

Notes

Scope

• Challenge: Screencrack
• Category: Web
• Difficulty: Medium
• Mode: hybrid
• Remote instance: <TARGET>:31569
• Start time: 2026-06-12T14:16:47Z
• Operator: harness
• State file: challenge-state.json

Harness Status

• Current phase: see challenge-state.json
• Next allowed actions: see next-action.json
• Raw flags and sensitive material stay in loot/ only. Do not paste them here.

Artifact Inventory

Evidence Ledger

Key Findings

-

RAG / Advisory Memory

RAG output is advisory only. Record evaluated retrievals with:

scripts/challenge_harness.py rag-record <workspace> --query "..." --tag MATCHED|PARTIAL|MISSING|<secret redacted>|GENERIC --validation "..."

Secrets/Flags

Raw flags and sensitive material stay in loot/ only. Use scripts/challenge_harness.py capture-flag to validate and record flag capture without printing the value.

Memory Summary

Metadata

• Platform: HackTheBox Challenges
• Category: Web
• Challenge: Screencrack
• Difficulty: Medium
• Source workspace: <local workspace>

Validated Solve Chain

Concepts only. Do not include raw flags, reusable credentials, tokens, cookies, private keys, or live secrets.

1.

Reusable Lessons

-

Dead Ends

-

Tool Quirks

-

Evidence Paths

-

Ingestion Decision

• Proposed for LightRAG: yes/no
• Requires user approval before ingestion: yes

Hypothesis Board

Keep no more than 3 active hypotheses on Easy/Medium and 5 on Hard unless the user explicitly asks for breadth.

Closed Branches