Drobots was the third web challenge from the Hack The Box Cyber Apocalypse Capture The Flag competition. Hello world, welcome to haxez where in this post I will write up how I hacked Drobots. Like all the CTF challenges, Drobots had a description which read as follows.
Pandora’s latest mission as part of her reconnaissance training is to infiltrate the Drobots firm that was suspected of engaging in illegal activities. Can you help pandora with this task?
The Drobots Application
First, I loaded the application and was greeted with a login page. Unfortunately, there wasn’t much more to the application than that. I ran a few tools against it to try to identify any hidden areas and what technologies were being used.
Below, you can see the output of the tool Whatweb which can be used to identify the technology stack. For example, it was able to identify that the web application was utilising HTML5, Python, and Jquery. That gave us an idea of what exploits we could try.
┌──(kali㉿kali)-[~] └─$ sudo whatweb http://184.108.40.206:30447 http://220.127.116.11:30447 [200 OK] Bootstrap, Country[UNITED STATES][US], HTML5, HTTPServer[Werkzeug/2.2.3 Python/3.8.16], IP[18.104.22.168], JQuery, PasswordField, Python[3.8.16], Script, Title[Drobots], Werkzeug[2.2.3]
I also ran Ferric Oxide which I hadn’t used before. I’m definitely going to be adding it to my list of essential tools just for the easy Burp integration. Unfortunately, it didn’t find much but look how great the output is.
I already had a good idea of what this challenge wanted us to do. To clarify, the only page we could find was a login page. It was highly likely that this was an SQL injection challenge. In order to test for SQL injection, I captured a login request with Burp and saved that request to a file. Next, I used SQL map with the ‘-r’ argument to specify the flag.
┌──(kali㉿kali)-[~/HTB/Drobots] └─$ sudo sqlmap -r request --dbs
SQLMap was able to identify the database names and that one of the databases was named ‘drobots’. So the next step was to get the tables from this database. As you can see from the output below, there was only one table called users. I then asked SQLMap to dump the contents of the user’s table.
┌──(kali㉿kali)-[~/HTB/Drobots] └─$ sudo sqlmap -r request -D drobots -T users --dump
Drobots Application Access
The next step in the challenge was actually quite funny and stopped me in my tracks for a bit. SQLMap automatically attempted to crack the Admin user’s “hash” but was unsuccessful. Furthermore, submitting the “hash” to crackstation.net or trying to crack it myself was unsuccessful. Yes, I have put the word hash in quotes because it wasn’t a hash at all.
In fact, it was the admin user’s password. Unencrypted or encoded, just sat there waiting for anybody to steal it. I was able to login with the username admin and the string retrieved from the SQL injection. Upon logging in to the application, the flag was right there at the top of the table.
This was a fun application that reinforced SQL injections skills and got you to think slightly outside of the box. The password trick was a bit mean and I guarantee it was 100% intended. I’m sure there were many people it didn’t fool but I’m sure a lot of people got stuck at this stage for a while. Anyway, I enjoyed this challenge.