The starting point for this challenge is a flight-booking website. The goal is to book a particular flight from VNE to CTF on May 21. The catch is that apparently there are no seats available on that flight. 😕
#!/usr/bin/env python | |
import requests | |
import sys | |
import argparse | |
import os | |
import sqlite3 | |
import traceback | |
import re | |
# disable insecurerequestwarning |
-
Port
31227
-> Basic Auth, no luck withadmin/admin, ...
& useradmin
+ rockyou.txt -
Port
32544
-> AMQP, requires auth, no luck withguest/guest
& useradmin
+rockyou.txt -
Ports change with restart of Docker-container + Services of other challanges are running on the same IP but different port ...
-
The authentication form tells us, this is a AppWeb Embedded Server
- Found common vuln for app web: https://lab.wallalarm.com
- Found working exploit for user
admin
at https://vulners.com:
-
Given is a data-stream to an SH1306-OLED display
-
SH1306 is slightly different to well known SSD1306, differences in Protocol
-
Basic explanation of SSD1306 display: lastminuteengineers.com
-
SSD1306 datasheet: adafruit.com
-
SH1306 seems to only support page addressing mode. This can also be seen on the data stream itself - 128 Bytes are transmitted in one go = 128 Lines*8 Rows at 1 bit 'color-depth' (black/white)
-
Correct Settings for
Saleae Logic
can be determined from the capture itself or the shematic given by HTB: -
After exporting the
Saleae Logic
analyser result as.csv
, the protocol can be reversed/display can be emulated and the pixel-stream can be saved to an image file