HackTheBox
| Property | Value |
|---|---|
| Event | HackTheBox |
| Category | Web |
| Difficulty | Hard |
| Flag | HTB{h3110_41w4y5_i_s3e_y0u4nd_1m_w4tch1ng_8fc99d8ee3ac893c30b18787f09ceda6} |
The crew has uncovered the IP address of a web interface used by the mercenary group called "Gunners" to track and spy on their enemies. To locate an elusive black market dealer for a critical trade, the team must hack into this Gunners' network and retrieve the last known location of a caravan that was recently ambushed in the wasteland.
The challenge consists of multiple services working together:
```
┌─────────────────────────────────────────────────────┐
│                    Varnish Cache                    │
│              (cache.vcl configuration)              │
└─────────────────┬────────────────────┬──────────────┘
                  │                    │
┌─────────────────▼──────────┐ ┌───────▼───────────────┐
│     Controller Service     │ │    Oracle Service     │
│    (Python/Flask :3000)    │ │  (Zig/http.zig :4000) │
│                            │ │                       │
│  - Authentication          │ │ - Device location API │
│  - Device management       │ │ - CRLF vulnerable     │
│  - Firmware updates (LFI)  │ │                       │
│  - Admin panel             │ │                       │
└─────────────────┬──────────┘ └───────────────────────┘
                  │
┌─────────────────▼──────────┐
│          MySQL DB          │
│                            │
│  - Users table             │
│  - Signatures table        │
│  - Devices table           │
└────────────────────────────┘

┌────────────────────────────┐
│        Chromium Bot        │
│  (runs every 30 seconds)   │
│                            │
│  1. Visit login page       │
│  2. Wait 3 seconds         │
│  3. Login as moderator     │
│  4. Wait 3 seconds         │
│  5. Visit /oracle/json/{id}│
└────────────────────────────┘
```
The Oracle service is built with Zig's http.zig library. Route parameters are URL-decoded and reflected in response headers without proper sanitization.
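The reflection pattern described above, as an added Python illustration rather than the challenge's own Zig code: the header name `X-Device-Id` and the sample route values are assumptions. The unsafe builder shows why a percent-encoded CR LF in a decoded route parameter splits the header block, and the hardened builder validates the decoded value before it reaches a header.

```python
from urllib.parse import unquote

CRLF = "\r\n"


def reflect_unsafe(device_id: str) -> str:
    """Vulnerable pattern (constructed): percent-decode the route parameter
    and copy it straight into a header line. Decoded %0d%0a ends the header
    early, so whatever follows becomes a new header as far as a client or
    an intermediate cache is concerned."""
    decoded = unquote(device_id)
    return (f"HTTP/1.1 200 OK{CRLF}"
            f"X-Device-Id: {decoded}{CRLF}"          # assumed header name
            f"Content-Type: application/json{CRLF}{CRLF}")


def header_names(raw_response: str) -> list[str]:
    """Parse the head of a serialised response and return the header names
    a client would actually see; used to show the effect of a split."""
    head, _, _ = raw_response.partition(CRLF + CRLF)
    lines = head.split(CRLF)[1:]  # drop the status line
    return [line.split(":", 1)[0] for line in lines if ":" in line]


class HeaderInjection(ValueError):
    """Raised when a decoded parameter carries line-ending control bytes."""


def safe_header_value(device_id: str) -> str:
    """Hardened pattern: validate AFTER decoding, because the decoded form is
    what is written to the wire. Reject CR, LF and NUL outright instead of
    trying to strip them, so the request fails loudly and can be logged."""
    decoded = unquote(device_id)
    if any(ch in decoded for ch in ("\r", "\n", "\x00")):
        raise HeaderInjection(f"control character in route parameter: {decoded!r}")
    return decoded


def reflect_safe(device_id: str) -> str:
    """Same response shape as reflect_unsafe, built only from a checked value."""
    value = safe_header_value(device_id)
    return (f"HTTP/1.1 200 OK{CRLF}"
            f"X-Device-Id: {value}{CRLF}"
            f"Content-Type: application/json{CRLF}{CRLF}")


if __name__ == "__main__":
    # Constructed inputs: a benign id and one carrying an encoded CR LF.
    for param in ("42", "42%0d%0aX-Injected: 1"):
        print(param, "->", header_names(reflect_unsafe(param)))
```

A route parameter that is only checked before decoding, or only on the raw byte string, would still pass `%0d%0a` through; checking the decoded value is the point.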
...