Category: Challenges

Unique is a retired very easy hardware challenge created by diogt on Hack The Box. At the time of writing this post, the challenge was released 841 days ago. This challenge requires basic knowledge of signal analysis with Logic 2. Hello world, welcome to Haxez where today I will be explaining how I solved Unique on hack The Box. The challenge is introduced with the following explanation.

“We found a car but we are unable to identify if it’s the exact one that we have been searching for. The serial network of the car seems intact so we tapped into it and collected some packets. Can you help us find the VIN of the car that is transmitted repeatedly over the network?”

With this information in mind, I think it is safe to assume that the file contains a capture. This capture is likely from some kind of automotive technology such as CAN bus.

CAN Bus

For the uninitiated, cars use a network called a can bus to communicate between the various car systems. Controller Area Network is a network protocol designed for communication between electronic control units in vehicles. Furthermore, It enables real-time data exchange among various components. CAN bus uses a multi-master, broadcast-based architecture with prioritized messages, ensuring robustness, fault tolerance, and scalability.

Unique Files

After downloading the zip archive and extracting it, I was presented with a .sal file. From previous challenges, I knew that this file was likely associated with Logic 2. However, if you search .sal, the first result will likely take you to a forum explaining what they are. As a result, I downloaded Logic 2 as I had since uninstalled it. Once installed, I opened Logic 2 and opened the capture file.

Analyzing Unique Signals

Logic 2 is a great application that I’m embarrassingly I’m a novice user of. I’ve used it a few times and have a basic understanding of how to analyze captures. However, without guidance, I wouldn’t have a clue what to do. I hope that is reassuring for those who are reading this and are in the same boat. Anyway, as mentioned, the signal is likely from a CAN bus. Fortunately, Logic 2 has a built-in CAN analyzer. Once the capture is imported, you should see the signal channels displayed in the main working area. On the right-hand side, you should see an analyzers tab.

CAN Bus Bit Rate

This is where you might run into issues as the CAN analyzer will ask you for a bit rate. Obviously, this can be quickly resolved with a quick Google search. As you can see from the screenshot below, the correct bit rate for CAN is 125kbps. However, the analyzer asks for the bits per second. Well, I used Google to perform this conversion too which resulted in 125000.

With this information, I populated the settings on the CAN analyzer and made sure channel 0 was selected.

Finding The Unique CAN Bus VIN Flag

Unfortunately, there isn’t an easy way to find the flag. You can search the data for the open curly bracket but you will get a lot of results. Fortunately for me, the flag caught my eye as I’m familiar with the flag format. Even more unfortunately, the flag is slightly messed up with repeating junk data. You can see from the screenshot below that the string CRCEIdCtrl has been inserted multiple times. I don’t know what this data is used for, I might research it after this writeup. However, removing that data will give you the following flag.

HTB{v1n_c42_h4ck1n9_15_1337!*0^}

Wander is an easy hardware challenge created by MrR3boot on Hack The Box. It’s part of the Intro To Printer Exploitation track. As I’ve just completed Gawk, I thought I’d give it a go. The description of the challenge explains that someone is trying to print documents. However, their uncle has password protected their printer with a pin. They’ve identified a webserver running on the printer but have come to us for help. Hello world, welcome to Haxez where today I will explain how I hacked Wander.

Wander Enumeration

Granted, there isn’t much to enumerate on these challenges. It’s a Docker container with a single port to attack. With that said, after spawning the container and connecting to the lab VPN, I navigated to the provided IP in my browser. Once the page loaded, there was some information about the printer and then several links. With the exception of the Job Controls link, none of the links worked. The input box on the Job Controls page had template text saying @PJL INFO ID.

Printer Job Language

In order to become more familiar with our future AI overlords, I asked ChatGPT what PJL commands were. While I feel like using ChatGPT is cheating, let’s be honest, It’s better than Google at providing quick explanations for specific topics. ChatGPT explained the following, PJL stands for Printer Job Language. It is a language used to control various aspects of printing jobs in printers that support the Printer Control Language (PCL) or PostScript. PJL commands are typically used to set printer-specific parameters, manage printer resources, and control printing processes.

The syntax for PRET that I used on the Gawk challenge is starting to make sense. ChatGPT was also kind enough to provide a few examples of PJL commands. I ran the info status command and sure enough, the printer returned its status. Next, I thought I would try asking for help and ran @PJL HELP but unfortunately, that didn’t work.

@PJL INFO STATUS

Wandering The File System

After performing a few Google searches for Printer Job Language examples, I stumbled upon a HP PDF document. The document provided some good examples of the various commands including the FSDIRLIST command and syntax used for browsing the file system. Honestly, I hate the syntax and the format of the results it returns. It doesn’t seem intuitive at all. I asked the printer to list out the contents of what I thought was the root directory. As a result, the printer returned a number of directories including PostScript, saveDevice, and webServer.

@PJL FSDIRLIST NAME="0:" ENTRY=1

Reviewing the syntax, I thought that the NAME=”0:” value would have listed the root directory of the system. However, that wasn’t the case as I had to navigate up a directory before I could find the file required for the challenge. As you can see below, I moved up a directory to what seemed to be the root directory of the system.

@PJL FSDIRLIST NAME="0:/../home" ENTRY=1

It seems that the initial directory I was in was the printer directory. Although I haven’t investigated further, logic tells me that “0:” symbolizes the default directory, not the root directory. While working on Gawk, I thought that “0:” symbolized the system disk, like “C:” would on Windows… guess not.

Capturing The Wander Flag

Anyway back to the task at hand, I navigated through the different directories until I found the flag. The location of the flag can be found in the /../home/default/readyjob directory. Once you input the PJL command to list out the contents, the flag will be there amongst the output.

@PJL FSDIRLIST NAME="0:/../home/default/readyjob" ENTRY=1

Wander Learnings

Following on from Gawk, this was another great challenge that introduced me to Printer Job Language. It helped make the syntax for PRET from the Gawk challenge make more sense. Even though I dislike the syntax of PJL, the challenge was still fun. It wasn’t too difficult once I understood the basics. I don’t have much more to say about it honestly other than to ask why PJL syntax is the way it is.

Gawk is an easy retired hardware challenge created by MrR3boot on Hack The Box. It is the first box in the Intro to Printer Exploitation track so I thought I would give it a go. The challenge description explains that the client has lost access to their computer. Furthermore, the client urgently needs a document that got stuck in their printer. They have asked whether we are able to recover the document. Hello world, welcome to Haxez where today I will attempt to hack Gawk.

Gawk Service Enumeration

First things first, I spawned the instance and connected to the Hack The Box VPN. I had absolutely no idea where to start. Unfortunately, at the time of writing, there weren’t any writeups for this challenge. I checked on the Academy for related material but came up short. I tried to Nmap the box and connect to the open port with NetCat but didn’t receive anything back. As a result, I headed to the forum where someone recommended looking for a Printer Exploit Framework.

After a quick Google search, I found PRET the Printer Exploitation Framework on GitHub. I’ve never used this tool before or attempted any printer exploitation. Therefore, my explanations and terminologies may be incorrect. I can only apologise in advance but we all have to start somewhere. I cloned the repository and read through the read me file. There were some requirements that I needed to install for Python 2.7 so I used pip2.7 to install them.

Next, I started playing with the tool. I ran the help argument to determine the correct syntax and after a few attempts, I was able to connect to the printer. I’m not sure yet whether the information that was printed back was correct but at least I was connected. Pret reported back that the printer was an HP LaserJet 4200.

python2.7 /opt/PRET/pret.py 134.209.180.248:30887 pjl

Printer Option Exploration

Once connected to the printer, I ran the help command to see what options were available. Stating the obvious but asking for help is always a good idea when you don’t know what to do. I’m not sure if it’s just me but pride (or something) can sometimes rule my emotions and decisions. If I feel like I should already know something then I will waste time going down rabbit holes trying to understand it. Eventually, I will find the answer but it would have been far quicker to have asked someone who already knows the answer.

Anyway, the help command reported back that I had a number of commands at my disposal. I ran the info command with the various sub-commands but didn’t learn much. After that, I listed the current working directory which reported back 0:/. Next, I used the ls command to see what was in the current working directory. As a result, I learned that there were 4 directories. Navigating through these directories I found the lost document in the 0:/saveDevice/SavedJobs/InProgress named HR_Policies.pdf. I checked the other directories but there were no other files.

The Gawk Document

I thought I was done but I should have known better. Attempting to open the PDF document resulted in an error that it couldn’t be read. I used the head tool to show me the first few lines of the document and sure enough, it didn’t look like a PDF. Then, I ran the file tool on the HR_Policies.pdf document and learned that it was an ASCII text document. Fortunately, I used the cat tool to view the entire contents of the document. My logic was that I thought the flag could be hiding somewhere inside it. However, I noticed that the file ended with two equal symbols.

Immediately, I recognized it as base64 and used cat to pipe the base64 to base64 decode. Once decoded, I appended the output to a new file called hr. Finally, I ran Ghostscript against the new file, and to my delight, I received the flag. I submitted the flag to Hack The Box and completed the challenge.

cat HR_Policies.pdf | base64 -d > hrdoc

ghostscript hrdoc

Gawk Learnings

I looked at this challenge a few weeks ago but didn’t get anywhere with it. Whether I was tired or just not in the mood, I gave up but promised I would come back to it later. I’m glad I did as this was a fun easy challenge. To me, challenges and boxes tend to seem impossible when I first look at them. For some reason, I always assume that it requires some secret forbidden knowledge to complete it. I love learning to use new tools but the thought of learning new tools can sometimes make me anxious.

This challenge was a perfect example of why you should just dive in and get on with it. Once you have a rough idea of what to do, the rest is fairly trivial. Granted, I barely scratched the surface of the capabilities of the whole framework but I feel confident moving forward on to the next challenge. Thanks for this challenge, it was genuinely fun and reminded me that sometimes I should just get stuck in and give it ago.

Didactic Octo Paddles was the sith web challenge from the Hack The Box Cyber Apocalypse Capture The Flag competition. It was also the bane of my existence and my worst enemy. Hello world, welcome to Haxez where today I will be explaining how I eventually hacked Didactic Octo Paddles. All the challenges had a description fitting the theme of the CTF and this one was no different.

You have been hired by the Intergalactic Ministry of Spies to retrieve a powerful relic that is believed to be hidden within the small paddle shop, by the river. You must hack into the paddle shop’s system to obtain information on the relic’s location. Your ultimate challenge is to shut down the parasitic alien vessels and save humanity from certain destruction by retrieving the relic hidden within the Didactic Octo Paddles shop.

Application Adventure

This application broke me for all the wrong reasons. It was a great challenge and I learnt a lot from it but tiny mistakes made me waste so much time. Anyway upon navigating to the application, I was greeted with a purple login page. There was no apparent option to register so I immediately thought it was SQL injection again. It wasn’t

Blasting Didactic Octo Paddles

Using my new favourite web application file and directory discovery tool Ferric Oxide, I was able to discover a few endpoints. As you can see from the screenshot below there were endpoints for registration, administration and authentication. I guess the way in wasn’t via SQL injection after all. With this new knowledge, I headed to the registration section and registered a new user.

Didactic Octo Paddles Store

Upon registering and logging in I was met with a store page. I had a lot of fun wasting my time with this functionality. Initially, I thought I was being clever by changing the number of the item that you add to the cart. I thought I was clever by doing a lot of things. None of them made a difference. The objective of this challenge was to gain access to the admin area at ‘/admin’.

Cookies, Cookies, Cookies

After digging around the application a bit more and identifying the frameworks, I started learning about JWT tokens. I haven’t done much with them before as I don’t test many web applications. I then started playing with the JWT token with JWT_Tool. Unfortunately, I have a lot to learn with this tool and at the time I was tired so decided just to use Burp.

You can see from the screenshot below that I used the Burp extension JSON Web Tokens to set the “alg” to none and the “id” to 1. I then sent the request to the admin endpoint and I was authenticated. It’s a shame that I couldn’t get this to work with JWT_Tool. I could go through and manually change the values but I wanted it to catch the successful authentication through automated testing.

Server Side Template Injection

Hold on, we aren’t finished yet. We have access to the admin portal but no flag. However, the admin portal has a list of active users. I could walk you through the various stages of identifying SSTI such as creating a user with ‘{{ 2 * 404 }}’ in order to get Bob but let’s get on it. First, I went to HackTricks and search for SSTI and found the Node JS Render payloads. Next, I modified their payload to cat the flag.txt file.

{{:"pwnd".toString.constructor.call({},"return global.process.mainModule.constructor._load('child_process').execSync('cat flag.txt').toString()")()}}

Finally, I registered a user with the above payload for their username and a standard string for their password. I then went back to burp and resent the request with the modified JWT token and as you can see below, we got the flag.

HTB{Pr3_C0MP111N6_W17H0U7_P4DD13804rD1N6_5K1115}

Didactic Octo Paddles Review

Looking back, I think this was a fairly simple challenge. However, this challenge absolutely broke me. I was up until the early hours of the morning trying to work this challenge out. This was entirely due to my lack of knowledge of JWT tokens and their quirks. I learnt a lot from it and now I want to master the JWT_Tool and Cookie-Monster tools. I’m starting to like working with parts of the MEAN stack. I’ve mostly only learnt about and tested LAMP-based applications so this is a whole new world for me to explore. Anyway, this is as far as I got with the web challenges. I completed some other challenges but I don’t know if I’m going to write those up.

Orbital was the 5th web challenge from the Hack The Box Cyber Apocalypse Capture The Flag competition. Hello world, welcome to Haxez where I will be explaining how I hacked the Orbital web challenge during Cyber Apocalypse. The description for this challenge was as follows.

In order to decipher the alien communication that held the key to their location, she needed access to a decoder with advanced capabilities – a decoder that only The Orbital firm possessed. Can you get your hands on the decoder?

Walking Orbital

The Orbital web application reminded me of the Drobot application. While very pretty, there wasn’t much to it. Upon landing on the application, I was presented with a login page. However, we had no option to register. I ran some tools against the application to discover what type of stack we were looking at. I also attempted to discover content but didn’t find much.

Expect To Inject

With little to work with in terms of an attack surface, I attempted to log in with dummy credentials. I found the post request in Burp and saved the request to a file. I then fed the request to SQLMap which identified it as a MySQL Database Management System. Furthermore, it found three databases. There was a Test database, the Information Schema and the Orbital database. Needless to say, I went through the motions of identifying the tables and then proceeded to dump the contents of the user table. SQLMap successfully cracked the admin password too (ichliebedich).

┌──(kali㉿kali)-[~/HTB/Orbital]
└─$ sudo sqlmap -r request -D orbital -T users --dump

Authenticated Orbital Strike

With the admin username and password, I logged in to the application and was presented with some statistics. I played around with this page for a while as there is an export option at the bottom which lets the user export files. I initially tried to intercept this request and change the name of the file to flag.txt. Unfortunately, that didn’t work so it was time to look at the downloadable files.

Thats Cheating

It turns out my instincts were correct. In order to capture the flag you need to intercept the export request and change the filename. However, the creator of this challenge renamed the flag. Granted, they were kind enough to give us the files so that we could learn what the flag was called but come on! I almost had it without checking. Anyway, the filename was signal_sleuth_firmware and could be accessed by performing a directory traversal via the export function.

HTB{T1m3_b4$3d_$ql1_4r3_fun!!!}

Orbital Review

This was a fun and fairly simple box. It was nice to have multiple stages in order to capture the flag. Most of the challenges until now have been one exploit to get the flag. Whereas we needed to break through the authentication and then perform the directory traversal or local file inclusion. I enjoyed it.

Drobots was the third web challenge from the Hack The Box Cyber Apocalypse Capture The Flag competition. Hello world, welcome to haxez where in this post I will write up how I hacked Drobots. Like all the CTF challenges, Drobots had a description which read as follows.

Pandora’s latest mission as part of her reconnaissance training is to infiltrate the Drobots firm that was suspected of engaging in illegal activities. Can you help pandora with this task?

The Drobots Application

First, I loaded the application and was greeted with a login page. Unfortunately, there wasn’t much more to the application than that. I ran a few tools against it to try to identify any hidden areas and what technologies were being used.

Below, you can see the output of the tool Whatweb which can be used to identify the technology stack. For example, it was able to identify that the web application was utilising HTML5, Python, and Jquery. That gave us an idea of what exploits we could try.

┌──(kali㉿kali)-[~]
└─$ sudo whatweb http://161.35.168.118:30447                                              
http://161.35.168.118:30447 [200 OK] Bootstrap, Country[UNITED STATES][US], HTML5, HTTPServer[Werkzeug/2.2.3 Python/3.8.16], IP[161.35.168.118], JQuery, PasswordField, Python[3.8.16], Script, Title[Drobots], Werkzeug[2.2.3]

I also ran Ferric Oxide which I hadn’t used before. I’m definitely going to be adding it to my list of essential tools just for the easy Burp integration. Unfortunately, it didn’t find much but look how great the output is.

SQL Injection

I already had a good idea of what this challenge wanted us to do. To clarify, the only page we could find was a login page. It was highly likely that this was an SQL injection challenge. In order to test for SQL injection, I captured a login request with Burp and saved that request to a file. Next, I used SQL map with the ‘-r’ argument to specify the flag.

┌──(kali㉿kali)-[~/HTB/Drobots]
└─$ sudo sqlmap -r request --dbs

SQLMap was able to identify the database names and that one of the databases was named ‘drobots’. So the next step was to get the tables from this database. As you can see from the output below, there was only one table called users. I then asked SQLMap to dump the contents of the user’s table.

┌──(kali㉿kali)-[~/HTB/Drobots]
└─$ sudo sqlmap -r request -D drobots -T users --dump

Drobots Application Access

The next step in the challenge was actually quite funny and stopped me in my tracks for a bit. SQLMap automatically attempted to crack the Admin user’s “hash” but was unsuccessful. Furthermore, submitting the “hash” to crackstation.net or trying to crack it myself was unsuccessful. Yes, I have put the word hash in quotes because it wasn’t a hash at all.

In fact, it was the admin user’s password. Unencrypted or encoded, just sat there waiting for anybody to steal it. I was able to login with the username admin and the string retrieved from the SQL injection. Upon logging in to the application, the flag was right there at the top of the table.

HTB{p4r4m3t3r1z4t10n_1s_1mp0rt4nt!!!}

Drobots Review

This was a fun application that reinforced SQL injections skills and got you to think slightly outside of the box. The password trick was a bit mean and I guarantee it was 100% intended. I’m sure there were many people it didn’t fool but I’m sure a lot of people got stuck at this stage for a while. Anyway, I enjoyed this challenge.

Gunhead was the second web hacking challenge of the Hack The Box Cyber Apocalypse Capture The Flag competition. Hello world, welcome to Haxez where I will be talking about the web hacking challenge Gunhead. Notably, this challenge is a great step up from the first challenge and like the other challenges here is the description.

During Pandora’s training, the Gunhead AI combat robot had been tampered with and was now malfunctioning, causing it to become uncontrollable. With the situation escalating rapidly, Pandora used her hacking skills to infiltrate the managing system of Gunhead and urgently needs to take it down.

Enumerating The Gunhead Application

The Gunhead application had a bit more functionality than the first application. It appeared to be an interface for a weapons control system. There were a number of interactable icons on the right side of the page. The first option showed us the status of the bot, the second told us its needs and the third appeared to be a command window.

Command Window

The command window had a help option. Obviously, running ‘/HELP’ in the terminal showed us that we had a number of commands that we could run. These commands included ‘/CLEAR’ to clear the current terminal, ‘/STORAGE’ to list the current storage space and ‘/PING’ which lets us ping a target.

Looking at the source it seems that ‘/STORAGE’ command is printing prewritten information. However, the ‘/PING’ command appears to be directly invoking systems commands. If we can find a way to tack on additional commands then perhaps we can enumerate the filesystem and find and cat the flag.

Gunhead Command Injection

By running the ping command with an IP address and a semicolon, we can add our own commands on to the end such as the list command. For example, if we were to run ‘/PING 10.10.10.10; LS -LASH;’ then we would see the output of the list command. Unfortunately no ‘flag.txt’ file here.

If we continue enumerating the filesystem we can see that the flag file is in the ‘/’ directory. Consequently, all we should need to do now is cat the file.

Gunhead Capture The Flag

As shown below, we were able to capture the flag.txt file by appending the ‘cat’ command. Next, all we need to do now is copy the flag and submit and we’re done.

HTB{4lw4y5_54n1t1z3_u53r_1nput!!!}

Gunhead Review

The Gunhead web hacking challenge was a lot of fun and a good place to start learning about command injection. I remember that the Mr Robot lab had a similar vulnerability. Anyway, there isn’t much more to say about the challenge than that. It was well-designed and had fun visuals. I like challenges with strong themes as it helps to immerse you.

Trapped Source is the first Web challenge of the Hack The Box Cyber Apocalypse Capture The Flag competition. Hello world, welcome to Haxez where today I will write about my experience with the Trapped Source challenge. As with all the other challenges, the description for the Trapped Source challenge was as follows.

Intergalactic Ministry of Spies tested Pandora’s movement and intelligence abilities. She found herself locked in a room with no apparent means of escape. Her task was to unlock the door and make her way out. Can you help her in opening the door?

Now the question is, how do I write 300 words about a challenge that requires you to view page source? I have to write 300 words so that Yoast SEO doesn’t complain about not writing 300 words. Therefore, I’m going to write about how I have to write 300 words just to satisfy the SEO gods.

The Trapped Source Application

Once we spawn the docker container, we can head to the IP and port in our browser. I loved the presentation of the application, the pixelated font on the keypad and the colour design was great. Other than that, there wasn’t much to the application. As you can see from the image below, the challenge is to input the correct pin.

So how do we solve this challenge? how do we find the correct pin in order to get the flag? Perhaps we could brute force it. However, based on the name of the challenge I’m going to go out on a limb and say we should view the source. I’m sorry if this sounds patronising but I need to pad out this write-up.

The Source Of The Solution

Right-clicking the page to view the page source or inspecting it will show you the code being rendered by your browser. Unfortunately, it seems that our website developer included the secret pin in the javascript. There are lessons to be learned here about secure coding practices and client-side coding but that’s for a later date.

Trapped Source Flag Captured

After punching in the pin we get our flag. You can type it out but if you expand the source code a bit more, you will see the flag which you can copy and paste. I.m not even sure if you needed to put the pin in to solve it. It doesn’t make sense that you would need to. If its all client side then the flag should be client-side too, I just didn’t bother to check.

HTB{V13w_50urc3_c4n_b3_u53ful!!!}

Trapped Source Review

The Trapped Source challenge was fun and a well-designed challenge for the first web challenge. I’m glad that it wasn’t just a case of view source and win (although it might have been). It seems the creators of the challenge had fun making it. I had fun solving it and hopefully, you’re having fun reading about it. Anyway, that’s all for this challenge.

Debug was the third hardware hacking challenge of the Hack The Box Cyber Apocalypse Capture The Flag Competition. Hello world, welcome to Haxez, this challenge was a lot of fun and wasn’t too difficult provided you had the right extensions installed. The description for debug was as follows.

Your team has recovered a satellite dish that was used for transmitting the location of the relic, but it seems to be malfunctioning. There seems to be some interference affecting its connection to the satellite system, but there are no indications of what it could be. Perhaps the debugging interface could provide some insight, but they are unable to decode the serial signal captured during the device’s booting sequence. Can you help to decode the signal and find the source of the interference?

Debug With Logic 2

As with the first challenge, we needed to open the files with Logic 2. However, the answer wasn’t right in front of us like last time. I had previously used Logic 2 before during the Try Hack Me Advent Of Cyber. However, that challenge told us what analyzer we needed to use and the exact settings needed. I thought it would be best to start with Async Serial but I had no idea what the baud rate would be. There are ways to calculate the baud rate manually but thankfully there is also an extension.

Configuring The Analyzer

Once the extension was installed, I shift clicked from one high point of the signal to the other. This then provided an estimation of the baud rate. I added a new Aysnc Serial analyzer for the RX channel and gave it the correct baud rate.

Debug The Signal

Finally, the data window started producing text. I must admit that I thought this was cool. It reminded me of the film Aliens for some reason. Something to do with the ASCII art and the satellite dish I think. Anyway, a lot of text was spat out and I have to salute whoever made this because they didn’t need to put this level of detail into it. Hidden in this transmission was the flag and all you had to do was assemble it.

HTB{547311173_n37w02k_c0mp20m153d}

Debug Review

This was a really fun challenge but I have to be honest, I found it easier than the first challenge. With this challenge, I felt that I knew what I had to do immediately. The first challenge completely threw me off for a long time. I really appreciate the level of detail that went into the transmission. It made me smile. Anyway, that’s all for the hardware challenges. I couldn’t solve secret code and from the write-ups, I’ve read, it didn’t look easy.