VeryEasy on z3r0shttps://z3r0s6.github.io/tags/veryeasy/Recent content in VeryEasy on z3r0sHugoenFri, 05 Jun 2026 00:00:00 +0000Hardware - Espressohttps://z3r0s6.github.io/challenges/hardware-espresso/Fri, 05 Jun 2026 00:00:00 +0000https://z3r0s6.github.io/challenges/hardware-espresso/<h1 id="hack-the-box-challenge-writeup-espresso"> Hack The Box Challenge Writeup: Espresso <a class="heading-link" href="#hack-the-box-challenge-writeup-espresso"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h1> <h2 id="challenge"> Challenge <a class="heading-link" href="#challenge"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h2> <p>Name: Espresso</p> <p>Scenario:</p> <blockquote> <p>Someone leaked the new Espresso firmware, can you try to figure out what it does?</p> </blockquote> <h2 id="summary"> Summary <a class="heading-link" href="#summary"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h2> <p>The challenge provides an ESP32 firmware image. The firmware checks whether it is running on expected hardware by comparing the ESP32 factory MAC address against zero bytes. If the check fails, it prints anti-clone messages. If the check passes, it generates the flag by XOR decoding a 31 byte table stored in the firmware data segment.</p>Heraldhttps://z3r0s6.github.io/machines/herald/Sun, 10 May 2026 00:00:00 +0000https://z3r0s6.github.io/machines/herald/<p>Nmap Scan</p> <div class="highlight"><pre tabindex="0" style="color:#e6edf3;background-color:#0d1117;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#ff7b72;font-weight:bold">[</span>12ms<span style="color:#ff7b72;font-weight:bold">][</span>127<span style="color:#ff7b72;font-weight:bold">][</span>~/herald<span style="color:#ff7b72;font-weight:bold">]</span>$ nmap -sCV 10.0.12.3 </span></span><span style="display:flex;"><span>Starting Nmap 7.98 <span style="color:#ff7b72;font-weight:bold">(</span> https://nmap.org <span style="color:#ff7b72;font-weight:bold">)</span> at 2026-04-13 17:45 -0400 </span></span><span style="display:flex;"><span>Stats: 0:00:50 elapsed; <span style="color:#a5d6ff">0</span> hosts completed <span style="color:#ff7b72;font-weight:bold">(</span><span style="color:#a5d6ff">1</span> up<span style="color:#ff7b72;font-weight:bold">)</span>, <span style="color:#a5d6ff">1</span> undergoing Script Scan </span></span><span style="display:flex;"><span>NSE Timing: About 99.95% <span style="color:#ff7b72">done</span>; ETC: 17:46 <span style="color:#ff7b72;font-weight:bold">(</span>0:00:00 remaining<span style="color:#ff7b72;font-weight:bold">)</span> </span></span><span style="display:flex;"><span>Nmap scan report <span style="color:#ff7b72">for</span> herald.htb <span style="color:#ff7b72;font-weight:bold">(</span>10.0.12.3<span style="color:#ff7b72;font-weight:bold">)</span> </span></span><span style="display:flex;"><span>Host is up <span style="color:#ff7b72;font-weight:bold">(</span>0.00091s latency<span style="color:#ff7b72;font-weight:bold">)</span>. </span></span><span style="display:flex;"><span>Not shown: <span style="color:#a5d6ff">986</span> filtered tcp ports <span style="color:#ff7b72;font-weight:bold">(</span>no-response<span style="color:#ff7b72;font-weight:bold">)</span> </span></span><span style="display:flex;"><span>PORT STATE SERVICE VERSION </span></span><span style="display:flex;"><span>53/tcp open domain Simple DNS Plus </span></span><span style="display:flex;"><span>88/tcp open kerberos-sec Microsoft Windows Kerberos <span style="color:#ff7b72;font-weight:bold">(</span>server time: 2026-04-13 21:45:30Z<span style="color:#ff7b72;font-weight:bold">)</span> </span></span><span style="display:flex;"><span>135/tcp open msrpc Microsoft Windows RPC </span></span><span style="display:flex;"><span>139/tcp open netbios-ssn Microsoft Windows netbios-ssn </span></span><span style="display:flex;"><span>389/tcp open ldap Microsoft Windows Active Directory LDAP <span style="color:#ff7b72;font-weight:bold">(</span>Domain: herald.htb, Site: Default-First-Site-Name<span style="color:#ff7b72;font-weight:bold">)</span> </span></span><span style="display:flex;"><span>445/tcp open microsoft-ds? </span></span><span style="display:flex;"><span>464/tcp open kpasswd5? </span></span><span style="display:flex;"><span>593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 </span></span><span style="display:flex;"><span>636/tcp open tcpwrapped </span></span><span style="display:flex;"><span>1433/tcp open ms-sql-s Microsoft SQL Server <span style="color:#a5d6ff">2019</span> 15.00.2000.00; RTM </span></span><span style="display:flex;"><span>| ms-sql-info: </span></span><span style="display:flex;"><span>| 10.0.12.3:1433: </span></span><span style="display:flex;"><span>| Version: </span></span><span style="display:flex;"><span>| name: Microsoft SQL Server <span style="color:#a5d6ff">2019</span> RTM </span></span><span style="display:flex;"><span>| number: 15.00.2000.00 </span></span><span style="display:flex;"><span>| Product: Microsoft SQL Server <span style="color:#a5d6ff">2019</span> </span></span><span style="display:flex;"><span>| Service pack level: RTM </span></span><span style="display:flex;"><span>| Post-SP patches applied: false </span></span><span style="display:flex;"><span>|_ TCP port: <span style="color:#a5d6ff">1433</span> </span></span><span style="display:flex;"><span>|_ssl-date: 2026-04-13T21:46:08+00:00; -3s from scanner time. </span></span><span style="display:flex;"><span>| ssl-cert: Subject: <span style="color:#79c0ff">commonName</span><span style="color:#ff7b72;font-weight:bold">=</span>SSL_Self_Signed_Fallback </span></span><span style="display:flex;"><span>| Not valid before: 2026-04-13T21:42:38 </span></span><span style="display:flex;"><span>|_Not valid after: 2056-04-13T21:42:38 </span></span><span style="display:flex;"><span>| ms-sql-ntlm-info: </span></span><span style="display:flex;"><span>| 10.0.12.3:1433: </span></span><span style="display:flex;"><span>| Target_Name: HERALD </span></span><span style="display:flex;"><span>| NetBIOS_Domain_Name: HERALD </span></span><span style="display:flex;"><span>| NetBIOS_Computer_Name: DC01 </span></span><span style="display:flex;"><span>| DNS_Domain_Name: herald.htb </span></span><span style="display:flex;"><span>| DNS_Computer_Name: DC01.herald.htb </span></span><span style="display:flex;"><span>| DNS_Tree_Name: herald.htb </span></span><span style="display:flex;"><span>|_ Product_Version: 10.0.17763 </span></span><span style="display:flex;"><span>3268/tcp open ldap Microsoft Windows Active Directory LDAP <span style="color:#ff7b72;font-weight:bold">(</span>Domain: herald.htb, Site: Default-First-Site-Name<span style="color:#ff7b72;font-weight:bold">)</span> </span></span><span style="display:flex;"><span>3269/tcp open tcpwrapped </span></span><span style="display:flex;"><span>5357/tcp open http Microsoft HTTPAPI httpd 2.0 <span style="color:#ff7b72;font-weight:bold">(</span>SSDP/UPnP<span style="color:#ff7b72;font-weight:bold">)</span> </span></span><span style="display:flex;"><span>|_http-server-header: Microsoft-HTTPAPI/2.0 </span></span><span style="display:flex;"><span>|_http-title: Service Unavailable </span></span><span style="display:flex;"><span>5985/tcp open http Microsoft HTTPAPI httpd 2.0 <span style="color:#ff7b72;font-weight:bold">(</span>SSDP/UPnP<span style="color:#ff7b72;font-weight:bold">)</span> </span></span><span style="display:flex;"><span>|_http-title: Not Found </span></span><span style="display:flex;"><span>|_http-server-header: Microsoft-HTTPAPI/2.0 </span></span><span style="display:flex;"><span>MAC Address: 08:00:27:0F:D0:78 <span style="color:#ff7b72;font-weight:bold">(</span>Oracle VirtualBox virtual NIC<span style="color:#ff7b72;font-weight:bold">)</span> </span></span><span style="display:flex;"><span>Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>Host script results: </span></span><span style="display:flex;"><span>| smb2-security-mode: </span></span><span style="display:flex;"><span>| 3.1.1: </span></span><span style="display:flex;"><span>|_ Message signing enabled and required </span></span><span style="display:flex;"><span>|_clock-skew: mean: 0s, deviation: 3s, median: 1s </span></span><span style="display:flex;"><span>| smb2-time: </span></span><span style="display:flex;"><span>| date: 2026-04-13T21:45:35 </span></span><span style="display:flex;"><span>|_ start_date: N/A </span></span><span style="display:flex;"><span>|_nbstat: NetBIOS name: DC01, NetBIOS user: &lt;unknown&gt;, NetBIOS MAC: 08:00:27:0f:d0:78 <span style="color:#ff7b72;font-weight:bold">(</span>Oracle VirtualBox virtual NIC<span style="color:#ff7b72;font-weight:bold">)</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . </span></span><span style="display:flex;"><span>Nmap <span style="color:#ff7b72">done</span>: <span style="color:#a5d6ff">1</span> IP address <span style="color:#ff7b72;font-weight:bold">(</span><span style="color:#a5d6ff">1</span> host up<span style="color:#ff7b72;font-weight:bold">)</span> scanned in 61.04 seconds </span></span></code></pre></div><p>add in etc/hosts</p>