Hardware 2

Objective

Santa’s gone missing, and the only way to track him is by accessing the Wish List in his chest—modify the access_cards database to gain entry!

Silver

Examining what's in our pwd:

ls -lah
total 156K
drwxrwxr-t 1 slh  slh  4.0K Nov 13 14:44 .
drwxr-xr-x 1 root root 4.0K Nov 13 14:44 ..
-r--r--r-- 1 slh  slh   518 Oct 16 23:52 .bash_history
-r--r--r-- 1 slh  slh  3.9K Sep 23 20:02 .bashrc
-r--r--r-- 1 slh  slh   807 Sep 23 20:02 .profile
-rw-r--r-- 1 root root 128K Nov 13 14:44 access_cards

Hmm, what were the previous commands run?

cat .bash_history 
cd /var/www/html
ls -l
sudo nano index.html
cd ..
rm -rf repo
sudo apt update
sudo apt upgrade -y
ping 1.1.1.1
slh --help
slg --config
slh --passcode CandyCaneCrunch77 --set-access 1 --id 143
df -h
top
ps aux | grep apache
sudo systemctl restart apache2
history | grep ssh
clear
whoami
crontab -e
crontab -l
alias ll='ls -lah'
unalias ll
echo "Hello, World!"
cat /etc/passwd
sudo tail -f /var/log/syslog
mv archive.tar.gz /backup/
rm archive.tar.gz
find / -name "*.log"
grep "error" /var/log/apache2/error.log
man bash

Well look at that, a passcode for SLH!

Let's learn more about the program:

slh --help

usage: slh [-h] [--view-config] [--view-cards] [--view-card ID]
           [--set-access ACCESS_LEVEL] [--id ID] [--passcode PASSCODE] [--new-card]

Santa's Little Helper - Access Card Maintenance Tool

options:
  -h, --help            show this help message and exit
  --view-config         View current configuration.
  --view-cards          View current values of all access cards.
  --view-card ID        View a single access card by ID.
  --set-access ACCESS_LEVEL
                        Set access level of access card. Must be 0 (No Access) or 1 (Full
                        Access).
  --id ID               ID of card to modify.
  --passcode PASSCODE   Passcode to make changes.
  --new-card            Generate a new card ID.

Now that we know the syntax, what can we learn about our objective?

slh --view-card 42 
Details of card with ID: 42
(42, 'c06018b6-5e80-4395-ab71-ae5124560189', 0, 'ecb9de15a057305e5887502d46d434c9394f5ed7ef1a51d2930ad786b02f6ffd')

slh --passcode CandyCaneCrunch77 --set-access 1 --id 42

Gold

There’s a tougher route [to change 42's permissions to full access] if you're up for the challenge to earn the Gold medal. It involves directly modifying the database and generating your own HMAC signature.

Which database type do we have?

Jewel hints that we'll need to modify the database, and a quick look at which commands we have on the terminal shows sqlite3.

ll /usr/bin


Let's have a look at the Database

sqlite3 access_cards 
SQLite version 3.40.1 2022-12-28 14:03:47
Enter ".help" for usage hints.

Check out the structure of the access_cards table

.schema access_cards
CREATE TABLE access_cards (
            id INTEGER PRIMARY KEY,
            uuid TEXT,
            access INTEGER,
            sig TEXT
        );

Any other tables?

.tables
access_cards  config      

Great, how's the config table structured?

.schema config
CREATE TABLE config (
            id INTEGER PRIMARY KEY,
            config_key TEXT UNIQUE,
            config_value TEXT
        );

What's in the config table?

sqlite> SELECT * FROM config;
1|hmac_secret|9ed1515819dec61fd361d5fdabb57f41ecce1a5fe1fe263b98c0d6943b9b232e
2|hmac_message_format|{access}{uuid}
3|admin_password|3a40ae3f3fd57b2a4513cca783609589dbe51ce5e69739a33141c5717c20c9c1
4|app_version|1.0

Boom! Here's what we need.

Based on the length of the hash signatures that we viewed earlier (64 hex characters), we know the algorithm is very likely SHA-256, so now we can pull up CyberChef and plug in our hmac_secret key (format: UTF-8, since nothing else was specified). I will say that I wanted to verify the existing hash to confirm that I had the right format, and this did not work: the hashes did not match, and the ones from existing database entries were not able to be recreated. But I did eventually just create a new one using the format of access_level (1) and UUID (c06018b6-5e80-4395-ab71-ae5124560189).

Now insert that hash into the sig value for ID 42.

UPDATE access_cards
SET sig = '135a32d5026c5628b1753e6c67015c0f04e26051ef7391c2552de2816b1b7096'
WHERE id = 42;

Now the hash indicates 42 should have full control.

ecb9de15a057305e5887502d46d434c9394f5ed7ef1a51d2930ad786b02f6ffd
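
The signature step and row check described above, as an added example that is not part of the original write-up or the slh tool. It assumes HMAC-SHA256 with the hmac_secret used as UTF-8 text and the {access}{uuid} message format from the config table; the function names, the in-memory database and card 42's starting signature are constructed for illustration, and how slh itself verifies rows is not shown on the page.

```python
import hashlib
import hmac
import sqlite3

# Values copied from the page's config table and card 42.
HMAC_SECRET = "9ed1515819dec61fd361d5fdabb57f41ecce1a5fe1fe263b98c0d6943b9b232e"
MESSAGE_FORMAT = "{access}{uuid}"
CARD_UUID = "c06018b6-5e80-4395-ab71-ae5124560189"

def sign_card(secret, fmt, access, uuid):
    """HMAC-SHA256 hex digest; the key is used as UTF-8 text (assumption from the page)."""
    message = fmt.format(access=access, uuid=uuid)  # e.g. "1" followed by the uuid
    return hmac.new(secret.encode(), message.encode(), hashlib.sha256).hexdigest()

def verify_card(conn, card_id):
    """Recompute a row's signature from the config table and compare in constant time."""
    cfg = dict(conn.execute("SELECT config_key, config_value FROM config"))
    row = conn.execute(
        "SELECT uuid, access, sig FROM access_cards WHERE id = ?", (card_id,)
    ).fetchone()
    if row is None:
        return False
    uuid, access, sig = row
    expected = sign_card(cfg["hmac_secret"], cfg["hmac_message_format"], access, uuid)
    return hmac.compare_digest(expected, sig or "")

def build_demo_db():
    """In-memory copy of the page's two tables; card 42's starting sig is constructed here."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE access_cards (id INTEGER PRIMARY KEY, uuid TEXT, access INTEGER, sig TEXT)")
    conn.execute("CREATE TABLE config (id INTEGER PRIMARY KEY, config_key TEXT UNIQUE, config_value TEXT)")
    conn.executemany("INSERT INTO config (config_key, config_value) VALUES (?, ?)",
                     [("hmac_secret", HMAC_SECRET), ("hmac_message_format", MESSAGE_FORMAT)])
    conn.execute("INSERT INTO access_cards VALUES (42, ?, 0, ?)",
                 (CARD_UUID, sign_card(HMAC_SECRET, MESSAGE_FORMAT, 0, CARD_UUID)))
    return conn

if __name__ == "__main__":
    db = build_demo_db()
    print("untouched row verifies:", verify_card(db, 42))
    db.execute("UPDATE access_cards SET access = 1 WHERE id = 42")
    print("access changed, old sig:", verify_card(db, 42))
    db.execute("UPDATE access_cards SET sig = ? WHERE id = 42",
               (sign_card(HMAC_SECRET, MESSAGE_FORMAT, 1, CARD_UUID),))
    print("re-signed with key from config:", verify_card(db, 42))
```

The check catches a row whose access value was changed without a matching signature, but because the key and message format sit in the same file as the rows they protect, write access to the database is enough to produce a row that verifies. Keeping the signing key outside the database is what gives the signature any integrity value.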