Posts

Showing posts from 2025

HTTP Host Headers, Virtual Host, and HTTP Downgrading oh my!

CTFs are a great way to learn, and that is exactly what I have been doing. I have been learning about HTTP Host header manipulation, virtual hosts, and HTTP downgrading. Let's talk about what I've learned! Virtual hosts are a ubiquitous and awesome way to serve multiple websites from one IP address, with a unique domain name for each virtual host. They are distinguished by the Host header, which acts as an identifier for the different virtual hosts that share one IP. As one might expect, this can be used to bypass otherwise blocked web servers and hack websites. Our first culprit is the classic localhost (or 127.0.0.1). If a web server uses localhost to route requests to its internal web servers, this can be used to reach a back-end web server when one shouldn't be able to. It might look something like this:

GET /admin HTTP/2.0
Host: Localhost

Of course this can be used to a...

Hello Comrade...

Hello Comrade.... We captured a message of the foreign gov trying to communicate about attacking us... one of our techs got this specific and interesting message... see if you can decode this: RkxBR3tSVVNTSUFOX0FTU0VUfQ==

UPDATE: This was part of a CTF I participated in back in April: Arkansec's CTF at Sparkcon 2025, where I placed 3rd! Part of the CTF was BYOCTF ( https://github.com/ShyftXero/byoctf_discord ). You can read about it there; it is a really cool system created by my friend Shyft. Basically it's like BYOB (Bring Your Own Beer), but you are bringing your own flags. In a normal CTF, you depend on the challenge makers, the ones who created the CTF, to create the challenges. With BYOCTF you, as the CTF player, get to make your own challenges. And really, that's a huge part of winning and a huge part of why I got 3rd. A very unique addition to any CTF game. Than...