Hardware on z3r0s

Hardware - Espresso

Fri, 05 Jun 2026 00:00:00 +0000

Hack The Box Challenge Writeup: Espresso Link to heading

Challenge Link to heading

Name: Espresso

Scenario:

Someone leaked the new Espresso firmware, can you try to figure out what it does?

The challenge provides an ESP32 firmware image. The firmware checks whether it is running on expected hardware by comparing the ESP32 factory MAC address against zero bytes. If the check fails, it prints anti-clone messages. If the check passes, it generates the flag by XOR decoding a 31 byte table stored in the firmware data segment.

Hardware - defusal

Sun, 10 May 2026 00:00:00 +0000

Hardware Defusal Writeup Link to heading

Files Link to heading

Ignoring file.zip as requested, the challenge files are:

Defusal
circuit.png
C4-BOMB.mp4

1. Triage Link to heading

Defusal is an AVR firmware ELF:

ELF 32-bit LSB executable, Atmel AVR 8-bit, statically linked, with debug_info, not stripped

That makes this mostly a firmware reverse-engineering problem.

2. Key Firmware Findings Link to heading

Useful strings inside the binary:

Hardware - line

Sun, 10 May 2026 00:00:00 +0000

Hardware Line Link to heading

Target: 154.57.164.83:31804

Summary Link to heading

The service on 31804/tcp speaks LPD. The queue name lp is accepted, and the implementation is vulnerable to command execution via Shellshock in user-controlled LPD control-file fields.

The working primitive is:

() { :;}; <command>

That payload can be injected into the control-file fields and filenames during a standard LPD Receive a printer job request.

Hardware - mission pinpossible

Sun, 10 May 2026 00:00:00 +0000

Mission Pinpossible Writeup Link to heading

Files Link to heading

op_pinpossible.logicdata
security_keypad.jpeg

Goal Link to heading

Recover the password shown on the keypad LCD from the intercepted monitor traffic.

1. Identify the bus Link to heading

The photo shows a standard 16x2 HD44780 LCD connected through a common I2C backpack based on a PCF8574.

Hardware - ProjectPower

Sun, 10 May 2026 00:00:00 +0000

Project Power Writeup Link to heading

Summary Link to heading

The challenge exposes a remote interface to an embedded device performing AES-128 encryption. The interface lets us:

send a chosen 16-byte plaintext and receive a corresponding power trace
submit a candidate AES key and receive the flag if the key is correct

This is a standard side-channel setup. A simple Correlation Power Analysis (CPA) attack against the first AES round is enough to recover the key.

Hardware - rflag

Sun, 10 May 2026 00:00:00 +0000

hardware_rflag Writeup Link to heading

Flag Link to heading

HTB{RF_H4ck1n6_1s_c00l!!!}

Approach Link to heading

The archive only contains one useful file: signal.cf32, a raw complex64 IQ capture.

I loaded the samples with NumPy and inspected the amplitude envelope:

The capture has 476160 complex samples.
Thresholding the magnitude shows runs quantized almost perfectly at ~899 samples and ~1798 samples.
The first part of the signal is a preamble, followed by data encoded as alternating 01 / 10 unit pairs.

That pattern is consistent with Manchester-style encoding.

Hardware - Secret Treasures

Sun, 10 May 2026 00:00:00 +0000

Hardware Secret Treasures Link to heading

Flag Link to heading

HTB{m3M0ry_5cR4Mbl1Ng_4nd_1CG_423_n07_3n0u9h7!$#}

Files Link to heading

embedded_software: ARM ELF, not stripped
flash_memory_dump.bin: 16 MiB flash contents
input_channel_trace.sal: Saleae capture of the passcode line

1. Reverse the firmware Link to heading

The firmware is an ARM binary with useful symbols:

main
random_generator
get_UniqieID
get_secret
W25Q128_init

Important observations from main:

Hardware - signals

Sun, 10 May 2026 00:00:00 +0000

Hardware Signals Writeup Link to heading

The WAV file is an SSTV transmission, not packet radio.

The giveaway is the VIS/header pattern at the start of the audio:

1900 Hz leader
1200 Hz break
1900 Hz leader
VIS bits around 1100/1300 Hz

Decoding the VIS bits gives decimal 95, which corresponds to PD120. That also matches the total duration of the file: about 126 s, which is the expected PD120 transmission time used in ISS SSTV events.

Hardware - wander

Sun, 10 May 2026 00:00:00 +0000

Hardware Challenge: Wander Link to heading

Target Link to heading

154.57.164.83:31454

Summary Link to heading

The exposed service is a Flask/Werkzeug web app that forwards user-supplied PJL commands to the printer backend.
The /jobs page exposes a form with the placeholder @PJL INFO ID, which is enough to identify the intended attack surface: raw Printer Job Language.