webfreehard

Techniques: lfi_path_traversal, jwt_forgery, reflected_xss, crlf_header_injection, varnish_cache_poisoning, cookie_stealing, stacked_sqli, bot_timing_attack

OmniWatch - HackTheBox

Challenge Info

Property     Value
Event        HackTheBox
Category     Web
Difficulty   Hard
Flag         HTB{h3110_41w4y5_i_s3e_y0u4nd_1m_w4tch1ng_8fc99d8ee3ac893c30b18787f09ceda6}

Description

The crew has uncovered the IP address of a web interface used by the mercenary group called "Gunners" to track and spy on their enemies. To locate an elusive black market dealer for a critical trade, the team must hack into this gunners network and retrieve the last known location of a caravan that was recently ambushed in the wasteland.

Architecture Overview

The challenge consists of multiple services working together:

                    ┌─────────────────────────────────────────────────────┐
                    │                   Varnish Cache                      │
                    │              (cache.vcl configuration)               │
                    └─────────────────┬───────────────────┬───────────────┘
                                      │                   │
                    ┌─────────────────▼─────────┐ ┌───────▼───────────────┐
                    │     Controller Service     │ │    Oracle Service     │
                    │   (Python/Flask :3000)     │ │  (Zig/http.zig :4000) │
                    │                            │ │                       │
                    │ - Authentication           │ │ - Device location API │
                    │ - Device management        │ │ - CRLF vulnerable     │
                    │ - Firmware updates (LFI)   │ │                       │
                    │ - Admin panel              │ │                       │
                    └─────────────────┬──────────┘ └───────────────────────┘
                                      │
                    ┌─────────────────▼──────────┐
                    │         MySQL DB           │
                    │                            │
                    │ - Users table              │
                    │ - Signatures table         │
                    │ - Devices table            │
                    └────────────────────────────┘
                    
                    ┌────────────────────────────┐
                    │      Chromium Bot          │
                    │  (runs every 30 seconds)   │
                    │                            │
                    │ 1. Visit login page        │
                    │ 2. Wait 3 seconds          │
                    │ 3. Login as moderator      │
                    │ 4. Wait 3 seconds          │
                    │ 5. Visit /oracle/json/{id} │
                    └────────────────────────────┘

Vulnerability Analysis

1. CRLF Injection in http.zig (CVE-like)

The Oracle service is built with Zig's http.zig library. Route parameters are URL-decoded and then reflected into response headers without being checked for CR/LF characters, so a decoded line break inside a parameter value is written out as the end of one header line and the start of another.
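The guard that is missing here sits between URL-decoding and the header writer. The following is an added example, written in Python rather than Zig because it models the check rather than the http.zig service, and it is not code from the challenge or from http.zig: the function names, the hypothetical X-Device header and the sample parameter values are all constructed for illustration. It rejects any decoded value that could not be written as a single header line and shows, by serialising the headers, why an unchecked value yields extra lines.

```python
"""Header-value validation for user-controlled route parameters (added example).

Not code from the challenge or from http.zig. Models the check that belongs
after URL-decoding and before a value is placed in a response header.
"""
from typing import Optional
from urllib.parse import unquote


def is_safe_header_value(value: str) -> bool:
    """Return True only if value can be written as one header line.

    RFC 9110 field values may not contain CR, LF or NUL, and other control
    characters (except HTAB) are obsolete; reject all of them.
    """
    for ch in value:
        code = ord(ch)
        if (code < 0x20 and ch != "\t") or code == 0x7F:
            return False
    return True


def decode_and_validate(raw_param: str) -> Optional[str]:
    """URL-decode a route parameter and return it only if header-safe.

    Returns None when the decoded value would introduce extra header lines,
    so the caller can answer 400 instead of reflecting it.
    """
    decoded = unquote(raw_param)
    if not is_safe_header_value(decoded):
        return None
    return decoded


def build_response_headers(device_id_param: str) -> dict:
    """Hypothetical header builder for a /oracle/<id> style endpoint.

    A vulnerable builder would assign unquote(param) straight into a header;
    this one refuses unsafe input and records the rejection instead.
    """
    headers = {"Content-Type": "application/json"}
    value = decode_and_validate(device_id_param)
    if value is None:
        headers["X-Rejected"] = "unsafe-header-value"
        return headers
    headers["X-Device"] = value  # hypothetical reflected header
    return headers


def count_header_lines(headers: dict) -> int:
    """Serialise headers the way a naive writer would and count the lines.

    With a CR/LF inside a value the count exceeds the number of headers,
    which is exactly the condition the validator prevents.
    """
    wire = "".join(f"{k}: {v}\r\n" for k, v in headers.items())
    return wire.count("\r\n")


if __name__ == "__main__":
    # Constructed sample inputs: one benign, one carrying an encoded CR LF.
    benign = "device-42"
    injected = "device-42%0d%0aX-Injected%3a%201"
    print(build_response_headers(benign))
    print(build_response_headers(injected))
    # An unchecked reflection of the second value would serialise to 3 lines
    # for 2 headers; the validated builder never produces that state.
    print(count_header_lines({"Content-Type": "application/json",
                              "X-Device": unquote(injected)}))
```

The check runs on the decoded string, not on the raw parameter, because percent-encoded %0d%0a is harmless until it is decoded; validating before decoding is the classic way this guard is bypassed. Logging the rejection (here as a marker header, in practice a log line) gives detection a signal for probes against the endpoint.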

...