webhard

OmniWatch

hackthebox

Task: Obtain admin access to a multi-service web application with Varnish cache, Zig HTTP backend, Flask controller, and a Chromium bot. Solution: Chain CRLF injection in http.zig to inject CacheKey header for Varnish cache poisoning with XSS, steal moderator JWT via bot timing, use LFI to read JWT secret, forge admin JWT, and use stacked SQL injection to insert signature.

$ ls tags/ techniques/

sqli lfi race_condition jwt xss crlf_injection cache_poisoning varnish zig

lfi_path_traversaljwt_forgeryreflected_xsscrlf_header_injectionvarnish_cache_poisoningcookie_stealingstacked_sqlibot_timing_attack

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

Create a free account with GitHub, then upgrade to Pro.

$ssh [email protected]