HHC 2024 – Hardware Hacking 101 Part 2

Now that we have the UART connected, we can use the attached terminal to modify the access database. Card number 42 needs to have access level 1 instead of 0. We also get a hint that passwords are sometimes left out in the open.

Silver Medal

Loading into the terminal we are first met with an option to Startup system or go to U-Boot console. We can continue to option 1.

This will give us the command options for the SLH tool. It also tells us, as we should have guessed, that we’ll need a password before we can do anything. Completely by accident, I pressed the up arrow and found that the bash history had not been cleared. Running history shows the following:

Line 11 leaks the whole password, and if we modify the id to 42, the silver medal will be unlocked.

Gold Medal

Talking to the elf again, we get our Gold Medal hint: there should be a way to change the access at the database level instead of through the command line. We also receive a hint that CyberChef has a great method for generating HMAC keys. After resetting the challenge and loading back into the terminal, we can connect to the database with sqlite3 access_cards. We can then start by dumping the schema with the .schema command.

Out of these, config seems to be the table to start with. We can dump the values easily with select * from config;

Jackpot. With this we have the HMAC secret as well as the message format. The only piece we are missing is the UUID, which can be grabbed by running select * from access_cards where id=42;

Now, with all of these pieces combined, we can go to our CyberChef window and plug them in. The key is our hmac_secret, the key format needs to be set to UTF-8, the hashing function should be SHA-256, and for the input value we need to enter 1c06018b6-5e80-4395-ab71-ae5124560189. Combined, this should generate a value of 135a32d5026c5628b1753e6c67015c0f04e26051ef7391c2552de2816b1b7096.

We can now update the value in the database and unlock the gold medal. This can be done by running update access_cards set access=1, sig="135a32d5026c5628b1753e6c67015c0f04e26051ef7391c2552de2816b1b7096" where id=42;

If done correctly the Access Granted message should pop up again and the gold medal should be unlocked.
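
The signing step above can also be reproduced offline, and doing so shows why the check could be bypassed: the HMAC key sat in the same database as the rows it protects. The following Python example is added here and is not code from the challenge or the original post; the secrets are constructed placeholders, and the table layout, the uuid column and the {access}{uuid} message format are assumptions consistent with the value entered in CyberChef above.

```python
import hashlib
import hmac
import sqlite3

# Constructed placeholders: the challenge's real secret is not reproduced here.
DB_SECRET = "constructed-secret-stored-in-config"
VAULT_SECRET = "constructed-secret-kept-outside-db"
MSG_FORMAT = "{access}{uuid}"  # assumed format, matches the "1" + UUID input above
CARD_UUID = "c06018b6-5e80-4395-ab71-ae5124560189"


def sign(secret, access, uuid):
    """HMAC-SHA256 of the formatted message, key read as UTF-8 text."""
    msg = MSG_FORMAT.format(access=access, uuid=uuid).encode()
    return hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()


def verify(db, card_id, secret):
    """Recompute the row's signature and compare in constant time."""
    access, uuid, sig = db.execute(
        "SELECT access, uuid, sig FROM access_cards WHERE id = ?", (card_id,)
    ).fetchone()
    return hmac.compare_digest(sign(secret, access, uuid), sig)


def demo(verifier_secret):
    """Return (original_ok, ok_after_edit, ok_after_resign) for card 42."""
    db = sqlite3.connect(":memory:")  # assumed schema, built for this example
    db.execute("CREATE TABLE config (key TEXT, value TEXT)")
    db.execute("CREATE TABLE access_cards (id INTEGER, uuid TEXT, access INTEGER, sig TEXT)")
    db.execute("INSERT INTO config VALUES ('hmac_secret', ?)", (DB_SECRET,))
    db.execute("INSERT INTO access_cards VALUES (42, ?, 0, ?)",
               (CARD_UUID, sign(verifier_secret, 0, CARD_UUID)))
    original_ok = verify(db, 42, verifier_secret)

    # Changing the access level alone invalidates the stored signature.
    db.execute("UPDATE access_cards SET access = 1 WHERE id = 42")
    ok_after_edit = verify(db, 42, verifier_secret)

    # Someone with database access can only re-sign with what the database holds.
    found = db.execute("SELECT value FROM config WHERE key = 'hmac_secret'").fetchone()[0]
    db.execute("UPDATE access_cards SET sig = ? WHERE id = 42", (sign(found, 1, CARD_UUID),))
    return original_ok, ok_after_edit, verify(db, 42, verifier_secret)


if __name__ == "__main__":
    print("verifier key stored in config:", demo(DB_SECRET))
    print("verifier key held elsewhere:  ", demo(VAULT_SECRET))
```

When the verifier's key is the one stored in the config table, the re-signed row verifies again (True, False, True); when the key is held outside the database, the same edit is rejected (True, False, False).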
