This is another Terminal near Jewel Loggins.
Hardware Hacking 2
Silver Medal
This one doesn't involve the page source as much as Hardware Hacking 1.
The Terminal shows a boot screen. It's possible to get both silver and gold without interacting with option 2 U-Boot Console.
After booting into option 1, Startup System (Default), there's a message of the day (motd) that shows the instructions for an executable called SLH (Santa's Little Helper). Jewel Loggins hints that the goal is to add an access of 1 for the card with the id of 42. He states that you'll need a password to do so and hints that passwords may be in plain sight. Pressing the up arrow right after logging in shows commands that the player didn't type. Bash saves its history in a file called .bash_history in the user's home directory. It's hidden, so ls -la is needed to see it. Either pressing the up arrow enough times or running cat .bash_history will show a command that only needs a small change to get the Silver Medal.
Command in Bash History:
slh --passcode CandyCaneCrunch77 --set-access 1 --id 143
Manipulate it to the following to get the Silver Medal:
slh --passcode CandyCaneCrunch77 --set-access 1 --id 42
Gold Medal
Jewel Loggins hints that to get the Gold Medal, the db needs to be manipulated directly instead of using slh. If ls -la is typed to see the bash history, players will notice another file called access_cards. Running file -i on that file shows that it is a sqlite3 database. Looking in /bin or /usr/bin, or simply knowing sqlite3 exists in many distributions of Linux, players will find that they can view and manipulate the db with this application.
sqlite3 access_cards
.tables
Looking at the tables shows the following tables in the access_cards db.
access_cards config
pragma table_info(access_cards);
# access_cards table columns:
id uuid access sig
pragma table_info(config);
# config table columns:
id config_key config_value
select * from config;
# the second entry in the config table has an hmac_secret and has a value of 9ed1515819dec61fd361d5fdabb57f41ecce1a5fe1fe263b98c0d6943b9b232e
# The value appears to be the SHA256 hash of the word pizza, but the key is the hash string itself, not pizza
# the third entry in the config table has an hmac_message_format with a value of {access}{uuid}
select id,uuid,access,sig from access_cards where id=42;
#id|uuid|access|sig
42|c06018b6-5e80-4395-ab71-ae5124560189|0|ecb9de15a057305e5887502d46d434c9394f5ed7ef1a51d2930ad786b02f6ffd
Jewel Loggins also hints that an hmac needs to be created and that CyberChef can be used to create an hmac signature.
The hmac_secret is called a key in CyberChef. The key encoding should be UTF8. The hashing function should be SHA256. The key/secret itself gives a clue to the hashing type because its length is 64 characters (letters/numbers). Looking this up gives more than one type of hash possibility; however, hmac in CyberChef is limited to relatively few options, so finding the correct one isn't that bad.
The db gives the format of the input. The access that is needed is 1. Then the uuid of the card with an id of 42 should be appended to that. The input should look like this:
1c06018b6-5e80-4395-ab71-ae5124560189
Make sure there are no spaces in the key or input in CyberChef because a space can drastically change the hash.
The correct hash is:
135a32d5026c5628b1753e6c67015c0f04e26051ef7391c2552de2816b1b7096
Next, the database needs to be manipulated. In the Hardware Hacking 2 Terminal:
# If the player logged out of the Terminal
Select Option 1 Startup System Default Boot again
sqlite3 access_cards
update access_cards set access=1, sig='135a32d5026c5628b1753e6c67015c0f04e26051ef7391c2552de2816b1b7096' where id=42;
An Access Granted message should appear and the player should be awarded the Gold Medal. Sometimes it takes a moment to appear because there's a script running that checks the signature change, and it takes time for it to run again.
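The signature check described above can be modelled in a few lines. This is an added example, not the challenge's own checking script. It builds a constructed in-memory copy of the two tables using the column names from the walkthrough, and sign() performs the same computation as the CyberChef recipe (UTF8 key, SHA256). The function names and the starting signature for card 42 are assumptions made for the demo. It shows why keeping hmac_secret in the same database as the rows it protects gives no integrity against anyone who can write to that database.

```python
import hashlib
import hmac
import sqlite3

# Values quoted from the walkthrough above.
HMAC_SECRET = "9ed1515819dec61fd361d5fdabb57f41ecce1a5fe1fe263b98c0d6943b9b232e"
MESSAGE_FORMAT = "{access}{uuid}"
CARD_UUID = "c06018b6-5e80-4395-ab71-ae5124560189"


def sign(secret, fmt, access, uuid):
    """HMAC-SHA256 with the secret used as a UTF-8 string, not hex-decoded."""
    message = fmt.format(access=access, uuid=uuid)
    return hmac.new(secret.encode("utf-8"), message.encode("utf-8"),
                    hashlib.sha256).hexdigest()


def build_db():
    """Constructed stand-in for access_cards; the starting sig is computed here."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE config (id INTEGER PRIMARY KEY, config_key TEXT, config_value TEXT)")
    db.execute("CREATE TABLE access_cards (id INTEGER PRIMARY KEY, uuid TEXT, access INTEGER, sig TEXT)")
    db.executemany("INSERT INTO config (config_key, config_value) VALUES (?, ?)",
                   [("hmac_secret", HMAC_SECRET), ("hmac_message_format", MESSAGE_FORMAT)])
    db.execute("INSERT INTO access_cards VALUES (?, ?, ?, ?)",
               (42, CARD_UUID, 0, sign(HMAC_SECRET, MESSAGE_FORMAT, 0, CARD_UUID)))
    return db


def card_is_valid(db, card_id):
    """Recompute the signature from the config table and compare in constant time."""
    cfg = dict(db.execute("SELECT config_key, config_value FROM config"))
    uuid, access, sig = db.execute(
        "SELECT uuid, access, sig FROM access_cards WHERE id=?", (card_id,)).fetchone()
    expected = sign(cfg["hmac_secret"], cfg["hmac_message_format"], access, uuid)
    return hmac.compare_digest(expected, sig)


def demo():
    db = build_db()
    results = {"original": card_is_valid(db, 42)}
    db.execute("UPDATE access_cards SET access=1 WHERE id=42")
    results["access_only"] = card_is_valid(db, 42)      # stale sig is rejected
    new_sig = sign(HMAC_SECRET, MESSAGE_FORMAT, 1, CARD_UUID)
    db.execute("UPDATE access_cards SET sig=? WHERE id=42", (new_sig,))
    results["access_and_sig"] = card_is_valid(db, 42)   # re-signed with the stored key
    return results


if __name__ == "__main__":
    print(demo())
```

The check only catches edits made without the key, so the fix on the design side is to keep the HMAC secret somewhere the database user cannot read, such as a separate service or hardware-backed key store.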