
Watchtower Of Mists

Event: HackTheBoo 2025 by HackTheBox
Category: FORENSICS
Difficulty: Easy

Challenge Description

The tower's lens, once clear for stargazing, was now veiled in thick mist. Merrin, a determined forensic investigator, climbed the spiraling stairs of Egrath's Hollow. She found her notes strangely rearranged, marked with unknown signs. The telescope had been deliberately turned downward, focused on the burial grounds. The tower had been occupied after a targeted attack. Not a speck of dust lay on the glass, something unseen had been watching. What it witnessed changed everything. Can you help Merrin piece together what happened in the Watchtower of Mists?

Solution

Flag 1 - Langflow Version

  1. Open capture.pcap in Wireshark.

  2. Open Edit -> Find Packet, set the search scope to "Packet details" and the search type to "String", and use the keyword 'langflow'.

  3. Click Find and repeat until you reach the packet that reports the Langflow version.

  4. The answer is 1.2.0

Flag 2 - CVE Identification

  1. Open a browser and go to exploit-db.com.

  2. Search for the title "langflow".

  3. Click on "Langflow 1.2.x - Remote Code Execution (RCE)", which covers the 1.2.0 version recovered in Flag 1, and check the CVE section.

  4. The answer is CVE-2025-3248

Flag 3 - API Endpoint

  1. Back in Wireshark, change the Find Packet keyword to '/api'.

  2. Click Find and repeat until you reach a request whose body carries a suspicious command hidden behind encoding. The path is the code-validation endpoint that CVE-2025-3248 abuses to execute attacker-supplied Python.

  3. The answer is /api/v1/validate/code

Flag 4 - Attacker IP Address

  1. Look at the same packet found for Flag 3: the Internet Protocol section of its packet details shows the source address, which is the attacker's IP.

  2. The answer is 188.114.96.12
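The three Wireshark searches above (version string, /api path, source IP of the offending request) can be scripted against the capture. The following is an added example, not part of the original writeup or of the challenge files: a minimal classic-pcap walker that pulls out HTTP messages and their client IPs. The sample capture it builds is constructed for the example (the victim address 10.0.0.5, the client ports, the JSON bodies and the /api/v1/version response are assumptions; 188.114.96.12, 7860 and the 1.2.0 version are the values the writeup recovers). It only sees messages whose start falls inside one TCP segment; reassembling multi-segment streams is what Wireshark's Follow Stream does and is out of scope here.

```python
import socket
import struct

# Constructed sample values (not the challenge capture).
ATTACKER_IP = "188.114.96.12"   # value the writeup recovers for Flag 4
VICTIM_IP = "10.0.0.5"          # assumed Langflow host
LANGFLOW_PORT = 7860            # Langflow's default listening port
REQUEST_METHODS = (b"GET ", b"POST ", b"PUT ", b"PATCH ", b"DELETE ")


def _frame(src_ip, dst_ip, sport, dport, payload):
    """Build an Ethernet/IPv4/TCP frame carrying payload (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip)) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip


def build_sample_pcap():
    """Constructed two-packet pcap: a version response, then a POST to the
    code-validation endpoint coming from the attacker address."""
    resp = (b"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n"
            b'{"version":"1.2.0","package":"Langflow"}')
    req = (b"POST /api/v1/validate/code HTTP/1.1\r\n"
           b"Host: 10.0.0.5:7860\r\nContent-Type: application/json\r\n\r\n"
           b'{"code":"import os\\nos.system(\'whoami\')"}')
    frames = [_frame(VICTIM_IP, ATTACKER_IP, LANGFLOW_PORT, 51000, resp),
              _frame(ATTACKER_IP, VICTIM_IP, 51002, LANGFLOW_PORT, req)]
    # Global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype (1 = Ethernet).
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_frames(pcap):
    """Walk the records of a classic pcap and yield each captured frame."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic pcap (pcapng needs a different parser)")
    if struct.unpack_from(end + "I", pcap, 20)[0] != 1:
        raise ValueError("only the Ethernet link type is handled here")
    off = 24
    while off + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(end + "IIII", pcap, off)
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def tcp_segment(frame):
    """Return (src_ip, dst_ip, sport, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", ip, 2)[0]
    if ip[9] != 6:  # protocol field: 6 = TCP
        return None
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    data_off = (tcp[12] >> 4) * 4
    return src, dst, sport, dport, tcp[data_off:]


def http_messages(pcap):
    """Yield (src, dst, start_line, headers, body) for every segment that begins an HTTP message."""
    for frame in iter_frames(pcap):
        seg = tcp_segment(frame)
        if seg is None:
            continue
        src, dst, _sport, _dport, payload = seg
        if not (payload.startswith(b"HTTP/") or payload.startswith(REQUEST_METHODS)):
            continue
        head, _, body = payload.partition(b"\r\n\r\n")
        lines = head.split(b"\r\n")
        headers = {}
        for line in lines[1:]:
            if b":" in line:
                key, value = line.split(b":", 1)
                headers[key.strip().lower().decode()] = value.strip().decode(errors="replace")
        yield src, dst, lines[0].decode(errors="replace"), headers, body


def grep_payloads(pcap, needle):
    """Flag 1 style search: messages whose body mentions needle (case-insensitive)."""
    needle = needle.lower()
    return [(src, start, body) for src, _dst, start, _hdr, body in http_messages(pcap)
            if needle in body.lower()]


def requests_to(pcap, path):
    """Flags 3 and 4: requests for path, with the client IP that sent each one."""
    hits = []
    for src, dst, start, _hdr, body in http_messages(pcap):
        parts = start.split(" ")
        if len(parts) == 3 and parts[1] == path:
            hits.append({"client": src, "server": dst, "method": parts[0], "body": body})
    return hits
```

Usage: `grep_payloads(open("capture.pcap", "rb").read(), b"langflow")` lists the messages to read the version from, and `requests_to(..., "/api/v1/validate/code")` gives the client address of every request to the vulnerable endpoint.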

Flag 5 - Reverse Shell Port

  1. With the same packet selected, right-click -> Follow -> HTTP Stream.

  2. The stream shows every encoded command the attacker sent.

  3. Open CyberChef, paste the first encoded command into the input, and click the magic wand.

  4. CyberChef detects From Base64 automatically, but the output is still encoded. Click the magic wand once more and the command being run turns out to be whoami.

  5. Repeat for the remaining encoded commands. They run id and env, and the last one hands yet another encoded string to .bashrc, the shell's startup file.

  6. Copy that last encoded string, paste it into the CyberChef input, and remove the Zlib Inflate operation from the recipe. The output is the command the attacker planted for persistence: a reverse shell.

  7. The answer is port 7852

Flag 6 - Hostname

  1. Go back to the Follow HTTP Stream window opened for the previous flag and look at the output returned by the server, shown in blue.

  2. Focus on the response that includes the hostname.

  3. The answer is aisrv01

Flag 7 - PostgreSQL Password

  1. The same server output used for the previous flag also contains the PostgreSQL password.

  2. The answer is LnGFlWPassword2025