The Mission Briefing

A 3D printing server. Not exactly the first thing you think of when someone says "critical infrastructure," but here we were. An alert had fired for a malicious file on a Repetier-Server instance — the kind of machine that quietly hums in the corner of an engineering department, printing prototypes and absolutely not expecting to be the entry point for a network compromise.

GlaDOS
"A 3D printer. Exposed to the network. Running a web interface. With an admin panel. I'm sure whoever set this up had a very compelling reason not to segment it. Probably something about 'convenience.' The word humans use when they mean 'negligence.'"

The scenario was straightforward: we believe an attacker has compromised a 3D printing server vital to business operations. We had two evidence files — a network capture (PCAP) and Nginx access logs. Ten questions. Twenty-eight minutes on the clock. Time to reconstruct what happened.

Reading the Access Logs

I started where any forensic investigation should start: the logs. The Nginx access logs for the printing server told a clean, brutal story. One IP address — 10.255.254.3 — stood out immediately, using a user agent that screamed "I am not a normal user."

    grep curl /home/c0ur4ge/htb/repetitive-d/repetitive/nginx/access.log

    10.255.254.3 [11/May/2023:10:01:38] GET  /                         — 200 (recon)
    10.255.254.3 [11/May/2023:10:01:48] POST path traversal boot.ini   — 404
    10.255.254.3 [11/May/2023:10:03:01] POST path traversal eula.txt   — 404
    10.255.254.3 [11/May/2023:10:05:28] POST path traversal win.ini    — 200 (confirmed traversal works)
    10.255.254.3 [11/May/2023:10:06:41] POST path traversal user.sql   — 200 20493 bytes
    10.255.254.3 [11/May/2023:10:10:15] POST path traversal user.sql   — 200 20508 bytes (second retrieval)

The user agent: curl/7.88.1. Not a browser. Not a legitimate monitoring tool. Just raw curl, hitting the server at 09:01 UTC (the logs show BST, one hour ahead).

Fact Sphere
"Repetier-Server is a 3D printer management platform with an embedded web interface, typically accessible on port 80 or 3344. The path traversal vulnerability uses URL-encoded backslashes — specifically ..%5c — to escape the web root. The %5c character is a backslash in URL encoding. This technique dates back to the IIS Unicode vulnerability of 2001, making it a classic that refuses to stay retired."

The timeline told a clear story. At 09:01:38, the attacker hit the root page — basic reconnaissance. Ten seconds later, the first exploitation attempt: a path traversal trying to read boot.ini. That returned a 404. They tried eula.txt next — another 404. But at 09:05:28, win.ini came back with a 200 and 103 bytes of content. The traversal worked.

One minute later, they knew exactly where to go. The attacker pulled user.sql — the Repetier-Server user database — weighing in at 20480 bytes.
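The log triage above can be automated. The following is an added example, not part of the original write-up: it parses Nginx combined-format lines, decodes the ..%5c traversal sequences, converts the BST timestamps to UTC and produces the timeline of what was attempted and what actually left the server. The sample lines are constructed to mirror the write-up's requests, and the /upload?file= endpoint is hypothetical rather than Repetier-Server's real path.

```python
import re
from datetime import datetime, timezone
from urllib.parse import unquote

# Constructed sample lines in Nginx "combined" format mirroring the requests in the write-up.
# The /upload?file= endpoint is hypothetical, not Repetier-Server's real path.
SAMPLE_LOG = """\
10.255.254.3 - - [11/May/2023:10:01:38 +0100] "GET / HTTP/1.1" 200 1532 "-" "curl/7.88.1"
10.255.254.3 - - [11/May/2023:10:01:48 +0100] "POST /upload?file=..%5c..%5cboot.ini HTTP/1.1" 404 153 "-" "curl/7.88.1"
10.255.254.3 - - [11/May/2023:10:05:28 +0100] "POST /upload?file=..%5c..%5cwindows%5cwin.ini HTTP/1.1" 200 103 "-" "curl/7.88.1"
10.255.254.3 - - [11/May/2023:10:06:41 +0100] "POST /upload?file=..%5c..%5cdatabase%5cuser.sql HTTP/1.1" 200 20480 "-" "curl/7.88.1"
10.0.0.7 - - [11/May/2023:10:07:02 +0100] "GET /printer/api/status HTTP/1.1" 200 412 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"'
)

def parse_line(line):
    """Parse one combined-format line; the timestamp is converted from the log's offset (BST) to UTC."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["utc"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec

def traversal_target(uri):
    """File a traversal was aiming at, or None. Decodes twice (catches ..%255c) and treats %5c as a separator."""
    path = unquote(unquote(uri)).replace("\\", "/")
    return path.rsplit("/", 1)[-1] if "../" in path else None

def find_traversals(log_text):
    """Timeline of traversal attempts; a 200 with a non-empty body means the file left the server."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        target = traversal_target(rec["uri"]) if rec else None
        if target is None:
            continue
        findings.append({"utc": rec["utc"].strftime("%H:%M:%S"), "ip": rec["ip"], "ua": rec["ua"],
                         "target": target, "status": rec["status"], "size": rec["size"],
                         "exfiltrated": rec["status"] == 200 and rec["size"] > 0})
    return findings
```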

Inside the Database

The access logs told me what was taken. The PCAP would tell me what was inside it. I followed the TCP stream containing the user.sql response.

    tshark -r help.pcap -q -z "follow,tcp,ascii,224"

    User table schema: id, login, password, permissions, apikey, uuid, managedBy, name
    Record: Administrator | 3b3f51e91a93447f14249762f07fd384 | bd03a7a4-91b6-4306-a594-832148e2d070

Curiosity Core
"Ooh! A database! What's inside? Is that a password hash? And an API key? And a username? All in one table? That's like finding the keys, the alarm code, AND the floor plan all in the same envelope! Can we crack it? Can we?"

There it was. The Administrator account, complete with an MD5 password hash (3b3f51e91a93447f14249762f07fd384) and an API key. The attacker had everything they needed to own the Repetier-Server application. But they weren't done.

From Application to Operating System

Having the Repetier-Server admin credentials is one thing. Getting onto the underlying Windows host is another. The PCAP showed what came next: traffic on ports 80 and 5985 — HTTP for the initial exploitation, and port 5985 for what followed.

Port 5985 is WinRM — Windows Remote Management. The attacker used Evil-WinRM (identified by the Ruby WinRM Client 2.8.3 user agent in the PCAP) to authenticate with NTLM credentials.

GlaDOS
"The attacker extracted the application database, obtained the Administrator password hash, and then used it to authenticate to WinRM. A perfectly logical escalation path. One might even call it... elegant. If one were inclined to compliment threat actors. Which I am not."

I extracted the NTLM authentication exchange from the PCAP — the Type 2 server challenge and Type 3 client response — to reconstruct the NetNTLMv2 hash.

    python3
    # decode NTLM Type 2 (server challenge) and Type 3 (client response)
    Server Challenge: f7869996a90a07e3
    NTProofStr:       787c57009328f1dc87aff4484fa98000
    Username:         Administrator
    Domain:           (empty)
    Hash: Administrator:::f7869996a90a07e3:787c57009328f1dc87aff4484fa98000:0101...
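The decoding step above, written out as an added example (not the write-up's own script): it walks the NTLMSSP CHALLENGE_MESSAGE and AUTHENTICATE_MESSAGE structures to pull the server challenge, username, domain, NTProofStr and blob, and assembles the hashcat mode 5600 line an incident responder needs to confirm whether the captured exchange was crackable. The message bytes fed to it here are constructed with a small builder so the code runs offline; the NTLMv2 blob value is a placeholder, since the page only shows its first bytes.

```python
import struct

SIGNATURE = b"NTLMSSP\x00"

def _payload(msg, field_off):
    # NTLMSSP field descriptor: Len (u16), MaxLen (u16), BufferOffset (u32), all little-endian.
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, field_off)
    return msg[offset:offset + length]

def _check(msg, expected_type):
    if msg[:8] != SIGNATURE or struct.unpack_from("<I", msg, 8)[0] != expected_type:
        raise ValueError(f"not an NTLMSSP type {expected_type} message")

def server_challenge(type2):
    """ServerChallenge: 8 bytes at a fixed offset in CHALLENGE_MESSAGE (Type 2)."""
    _check(type2, 2)
    return type2[24:32]

def client_response(type3):
    """(user, domain, NTProofStr, blob) from AUTHENTICATE_MESSAGE (Type 3); strings assumed UTF-16LE."""
    _check(type3, 3)
    nt_resp = _payload(type3, 20)  # NtChallengeResponse = NTProofStr (16 bytes) || NTLMv2 blob
    domain = _payload(type3, 28).decode("utf-16-le")
    user = _payload(type3, 36).decode("utf-16-le")
    return user, domain, nt_resp[:16], nt_resp[16:]

def netntlmv2_line(type2, type3):
    """hashcat -m 5600 line: User::Domain:ServerChallenge:NTProofStr:Blob."""
    user, domain, ntproof, blob = client_response(type3)
    return f"{user}::{domain}:{server_challenge(type2).hex()}:{ntproof.hex()}:{blob.hex()}"

def build_sample_exchange(user, domain, challenge, ntproof, blob):
    """Constructed Type 2 / Type 3 messages for offline testing; flags 0x8201 carry the Unicode bit (0x1)."""
    t2 = (SIGNATURE + struct.pack("<IHHII", 2, 0, 0, 56, 0x8201) + challenge + bytes(8)
          + struct.pack("<HHI", 0, 0, 56) + bytes(8))
    fields, payload = b"", b""
    # Descriptor order: LmChallengeResponse, NtChallengeResponse, DomainName, UserName, Workstation, SessionKey
    for part in (bytes(24), ntproof + blob, domain.encode("utf-16-le"), user.encode("utf-16-le"), b"", b""):
        fields += struct.pack("<HHI", len(part), len(part), 88 + len(payload))  # payload starts after the 88-byte header
        payload += part
    t3 = SIGNATURE + struct.pack("<I", 3) + fields + struct.pack("<I", 0x8201) + bytes(24) + payload
    return t2, t3
```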

With the NetNTLMv2 hash extracted, the final step was cracking it.

    hashcat -m 5600 /tmp/ntlmv2.txt /tmp/rockyou.txt --force

    Status: Cracked
    ADMINISTRATOR:::f7869996a90a07e3:... :HUgo##123
    Time: 6 seconds

Six seconds. The Administrator password was HUgo##123, cracked from the rockyou wordlist in the time it takes to blink. The attacker would have had this password instantly — either cracked offline or potentially reused from the Repetier-Server MD5 hash.

Fact Sphere
"NetNTLMv2, hashcat mode 5600, uses the server challenge and client response to verify the password offline. The hash format is Username::Domain:ServerChallenge:NTProofStr:BlobData. A six-second crack time against rockyou indicates the password, while containing special characters, was still within a common wordlist. Approximately 80% of cracked passwords in breach datasets appear in the top 10 wordlists."

The Complete Timeline

Stepping back, the full attack chain snapped into focus. All times UTC (the original logs were in BST, one hour ahead):

From first contact to full compromise: under nine minutes. The attacker knew exactly what they were looking for.

GlaDOS
"Nine minutes. Reconnaissance, exploitation, credential theft, and remote access. All because a 3D printing server had a web interface with a path traversal vulnerability and an Administrator password in a SQLite database. The attacker didn't need to be clever. They just needed the server to be... as it was."

What I Learned

GlaDOS
"Ten questions answered in twenty-eight minutes. A complete forensic reconstruction from two evidence files. The data suggests you're developing a reasonable understanding of incident response methodology. Don't let it go to your head. The next test chamber will be... more demanding."