Hack The Box :: PlayerTwo

#twirp #protobuf #totp #firmwareinjection #MQTT #mosquitto #heapexp #tcachepoisoning #libc2.29 #doublefree #nullbyteoverflow

noobintheshell

--

PlayerTwo is an Insane Linux box created by MrR3boot and b14ckh34rt. It was released on December 14th, 2019 and was retired on June 27th, 2020. The users rated the difficulty 7.7/10 and gave the box an appreciation score of 4.4/5.

PlayerTwo Info Card

TL;DR

We start by enumerating a VHOST on port 80 that gives us access to a login page. We also discover an API endpoint, totp, but we can’t use it without credentials. On port 8545 we find a Twirp API instance. We find the .proto definition that describes the API calls we can make. From there, we retrieve a set of users and passwords to authenticate through the login page we discovered. After logging in, we are asked for a One-Time Password (OTP) that we do not have. The OTP screen leaks the fact that we can use either an SMS code or a backup code to log in. We use this information to enumerate the totp API and get a backup code. We access the product page with some documentation and a firmware binary that we can download. We have as well access to a…

--

noobintheshell

Cyber Security Professional and CTFer from Switzerland.