Orbital was the 5th web challenge from the Hack The Box Cyber Apocalypse Capture The Flag competition. Hello world, welcome to Haxez where I will be explaining how I hacked the Orbital web challenge during Cyber Apocalypse. The description for this challenge was as follows.
In order to decipher the alien communication that held the key to their location, she needed access to a decoder with advanced capabilities – a decoder that only The Orbital firm possessed. Can you get your hands on the decoder?
The Orbital web application reminded me of the Drobot application. While very pretty, there wasn’t much to it. Upon landing on the application, I was presented with a login page. However, we had no option to register. I ran some tools against the application to discover what type of stack we were looking at. I also attempted to discover content but didn’t find much.
Expect To Inject
With little to work with in terms of an attack surface, I attempted to log in with dummy credentials. I found the POST request in Burp and saved it to a file. I then fed the request to SQLMap, which identified the backend as a MySQL database management system. Furthermore, it found three databases: a test database, the information schema and the Orbital database. Needless to say, I went through the motions of identifying the tables and then proceeded to dump the contents of the users table. SQLMap successfully cracked the admin password too (ichliebedich).
┌──(kali㉿kali)-[~/HTB/Orbital]
└─$ sudo sqlmap -r request -D orbital -T users --dump
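The reason SQLMap could pull the users table is that the login handler builds its query out of the submitted form fields. The example below is added here and is not the challenge's own code: it assumes a Python backend and a minimal users table with a plaintext password column (the real Orbital app stored a hash that SQLMap cracked, and its schema is not on the page), and puts the string-formatted query that SQLMap detects beside the parameterized query that closes the hole. It uses an in-memory SQLite database so it runs offline.

```python
import sqlite3

# Constructed stand-in for the challenge's orbital.users table. The schema and
# the plaintext password column are assumptions made so the example is self-contained.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'ichliebedich')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # The form values are pasted straight into the SQL text, so anything the
    # user types that contains a quote changes the structure of the query.
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchone() is not None


def login_fixed(conn, username, password):
    # Placeholders hand the values to the driver as data; they can never become
    # part of the SQL grammar, so a quote in the username is just a quote.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def run_login_demo():
    conn = make_db()
    # A comment-terminator probe of the kind SQLMap sends while fingerprinting:
    # in the vulnerable handler it comments out the password check entirely.
    probe = "admin' -- "
    return {
        "vuln_valid": login_vulnerable(conn, "admin", "ichliebedich"),
        "vuln_probe": login_vulnerable(conn, probe, "wrong-password"),
        "fixed_valid": login_fixed(conn, "admin", "ichliebedich"),
        "fixed_probe": login_fixed(conn, probe, "wrong-password"),
    }


if __name__ == "__main__":
    for name, ok in run_login_demo().items():
        print(f"{name}: {'logged in' if ok else 'rejected'}")
```

The only difference between the two handlers is how the values reach the database, which is why parameterized queries are the fix rather than input filtering. Storing a proper password hash (bcrypt or argon2) would have kept the admin credential from falling to SQLMap's dictionary even after the dump.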
Authenticated Orbital Strike
With the admin username and password, I logged in to the application and was presented with some statistics. I played around with this page for a while as there is an export option at the bottom which lets the user export files. I initially tried to intercept this request and change the name of the file to flag.txt. Unfortunately, that didn’t work so it was time to look at the downloadable files.
It turns out my instincts were correct. In order to capture the flag you need to intercept the export request and change the filename. However, the creator of this challenge renamed the flag. Granted, they were kind enough to give us the files so that we could learn what the flag was called, but come on! I almost had it without checking. Anyway, the file was named signal_sleuth_firmware and could be accessed by performing a directory traversal via the export function.
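The export function handed the flag over because it joined the user-supplied filename onto its export directory without checking where the result landed. The following check is added here as an illustration and is not the challenge's own code; it assumes a Python backend, a constructed exports folder with one legitimate report, and a constructed file one level above it that stands in for whatever should stay unreachable. It resolves the requested name to a real path and refuses anything that leaves the export directory, which covers ../ sequences, absolute paths and symlinks in one test.

```python
import os
import tempfile


def safe_export_path(export_dir, requested_name):
    """Return the resolved path of requested_name inside export_dir, or None if
    the name escapes the directory or does not point at a regular file."""
    base = os.path.realpath(export_dir)
    # realpath collapses ../ and follows symlinks, so the containment test is
    # made on where the file actually lives, not on how the name is spelled.
    candidate = os.path.realpath(os.path.join(base, requested_name))
    # Both paths are absolute here, so commonpath cannot raise; if the shared
    # prefix is not the export directory itself, the request escaped it.
    if os.path.commonpath([base, candidate]) != base:
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


def run_export_demo():
    # Constructed layout: <tmp>/exports/report.txt is exportable,
    # <tmp>/secret.txt is outside the export directory and must be refused.
    root = tempfile.mkdtemp()
    export_dir = os.path.join(root, "exports")
    os.mkdir(export_dir)
    with open(os.path.join(export_dir, "report.txt"), "w") as f:
        f.write("exportable report\n")
    with open(os.path.join(root, "secret.txt"), "w") as f:
        f.write("never served by the export handler\n")
    return {
        "legit": safe_export_path(export_dir, "report.txt") is not None,
        "traversal": safe_export_path(export_dir, "../secret.txt") is None,
        "absolute": safe_export_path(export_dir, os.path.join(root, "secret.txt")) is None,
        "missing": safe_export_path(export_dir, "nope.txt") is None,
    }


if __name__ == "__main__":
    for name, ok in run_export_demo().items():
        print(f"{name}: {'as expected' if ok else 'UNEXPECTED'}")
```

A stricter design avoids filenames in the request altogether and maps an opaque export id to a server-side path, so there is nothing for the user to traverse with. Either way, the web process should also run with read access to the export directory only, so a bug in this check does not turn into a read of arbitrary files.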
This was a fun and fairly simple box. It was nice to have multiple stages in order to capture the flag. Most of the challenges until now have been one exploit to get the flag, whereas here we needed to break through the authentication and then perform the directory traversal or local file inclusion. I enjoyed it.