OmniWatch - HackTheBox

This is a detailed solution reconstructed from the OpenCode session OmniWatch hackthebox challenge and its actual exploitation on a live instance.

Important: the exploitation chain is identical to the old writeup, but the final hash inside the flag is different for this instance.

Description

The crew has uncovered the IP address of a web interface used by the mercenary group called "Gunners" to track and spy on their enemies. To locate an elusive black market dealer for a critical trade, the team must hack into this gunners network and retrieve the last known location of a caravan that was recently ambushed in the wasteland.

English summary: the target is a Varnish-fronted application with a Zig oracle service, a Flask controller, and a headless moderator bot. The goal is to chain multiple bugs to reach the admin panel and recover the flag.

Analysis

Result

Flag:

HTB{h3110_41w4y5_i_s3e_y0u4nd_1m_w4tch1ng_5dd9416e302bfbdfc0f31d1acdc94f2d}

Chain:

1. CRLF injection in the Zig oracle via deviceId
2. Varnish cache poisoning by injecting CacheKey: enable
3. Reflected XSS via mode
4. Theft of the moderator JWT from the headless bot
5. LFI via /controller/firmware to read /app/jwt_secret.txt
6. Administrator JWT forgery
7. Stacked SQLi to add the forged signature into signatures
8. Visit /controller/admin and recover the flag

---

Quick reconnaissance

The first thing that stands out:

curl -I http://TARGET/

Response:

HTTP/1.1 301 Moved Permanently
Server: Varnish
Location: /controller

So the application is behind Varnish, which immediately suggests cache poisoning, key confusion, or other unkeyed-input issues.

Next, inspect /oracle:

curl -sv http://TARGET/oracle/json/1

This returns useful headers:

HTTP/1.1 200 OK
Content-Type: application/json
DeviceId: 1
Cache-Control: public, max-age=0
X-Cache: MISS

Two things matter immediately here:

...