# Description
Recently my team HCS (Heroes Cyber Security), the official cyber security team of Institut Teknologi Sepuluh Nopember, participated in UofTCTF (University of Toronto Capture the Flag Team).
We managed to finish in 7th place out of 1225 teams. Thank you to @daffainfo and @HalloBim.
# Table of Contents
[toc]
# Baby's First IoT Introduction
> The following collections of challenges utilize the instructions provided below. For each flag, there will be a challenge to submit it. The flag format will NOT be UofTCTF{...}. The root IP is 35.225.17.48.
> The flag for this introduction is {i_understand_the_mission}
> Hint: If there is an issue with submitting an answer with a challenge, try including newlines and null characters. For example: printf 'answer\n\0' | nc 35.225.17.48 port
## Description
We are just given some instructions that apply to every part of the IoT challenge.
## Solve
```
{i_understand_the_mission}
```
# Baby's First IoT Flag 1
> Part 1 - Here is an FCC ID, Q87-WRT54GV81, what is the frequency in MHz for Channel 6 for that device? Submit the answer to port 3895.
## Description
We are given the FCC ID Q87-WRT54GV81, which is likely a router number, and here is an image of it:

## Solve
We can simply go to ChatGPT and ask for the frequency in MHz of Channel 6, like this:

It seems the answer is `2437` MHz, so next we submit it to port 3895.

```
{FCC_ID_Recon}
```
# Baby's First IoT Flag 2
> Part 2 - What company makes the processor for this device? https://fccid.io/Q87-WRT54GV81/Internal-Photos/Internal-Photos-861588. Submit the answer to port 6318.
## Description
We are just given a link to a report with internal photos of a wireless component, like this:

We need to find the company that makes the processor.
## Solve
To find the company that built the processor, I found a wiki page for the router:

It seems the company is `Broadcom`, so we try submitting it.

```
{Processor_Recon}
```
# Baby's First IoT Flag 4
> Part 3 - Submit the command used in U-Boot to look at the system variables to port 1337 as a GET request ex. http://35.225.17.48:1337/{command}. This output is needed for another challenge. There is NO flag for this part.
> Part 4 – Submit the full command you would use in U-Boot to set the proper environment variable to a /bin/sh process upon boot to get the flag on the webserver at port 7777. Do not include the ‘bootcmd’ command. It will be in the format of "something something=${something} something=something" Submit the answer on port 9123.
## Description
As you can see, Part 3 and Part 4 are merged into one challenge, and following the instructions you should do Part 3 first.
The basic U-Boot command for this is `printenv`, like this:

For Part 4, in short, we just need to start a shell using the Part 3 output.
## Solve
The description prohibits the `bootcmd` command, so the alternative is `bootargs`, because the format hint we are given looks like this:
`something something=${something} something=something`.
To set the environment variable we start with `setenv`. If you read the Part 3 output again, there is already a variable that loads some environment:

Then we can write `bootargs=$bootargs`, and to start a shell we use `init=/bin/sh`, so merged together it looks like this:
`setenv bootargs=${bootargs} init=/bin/sh`
Submit the answer.

```
{Uboot_Hacking}
```
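Seen from the device owner's side, the same mechanism can be checked in a captured `printenv` dump. The sketch below is an added example, not part of the original write-up or the challenge: it relies on the Linux kernel using the last `init=` on its command line, which is why appending to `${bootargs}` overrides an earlier value. The dumps, the `SHELLS` list and all function names are constructed for illustration.

```python
import re

# Interpreters that should never be PID 1 on a production device (assumed list).
SHELLS = {"/bin/sh", "/bin/ash", "/bin/bash", "/bin/busybox"}

def parse_printenv(text):
    """Parse U-Boot `printenv` output (one name=value per line) into a dict."""
    env = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep and re.fullmatch(r"[\w.-]+", name):
            env[name] = value
    return env

def effective_init(bootargs):
    """Return the init program the kernel would run: the last init= token wins."""
    chosen = None
    for token in bootargs.split():
        if token.startswith("init="):
            chosen = token[len("init="):]
    return chosen

def audit_bootargs(printenv_text):
    """Return findings for an environment dump whose bootargs boot straight into a shell."""
    env = parse_printenv(printenv_text)
    init = effective_init(env.get("bootargs", ""))
    if init in SHELLS:
        return [f"bootargs runs {init} as PID 1 (root shell without login)"]
    return []

# Constructed dumps, not the challenge output.
BASELINE = (
    "baudrate=115200\n"
    "bootargs=console=ttyS0,115200 root=/dev/mtdblock2 init=/sbin/init\n"
    "bootdelay=3\n"
    "\n"
    "Environment size: 96/65532 bytes\n"
)
MODIFIED = BASELINE.replace("init=/sbin/init", "init=/sbin/init init=/bin/sh")

if __name__ == "__main__":
    print(audit_bootargs(BASELINE))
    print(audit_bootargs(MODIFIED))
```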
# Baby's First IoT Flag 5
> Part 5 - At http://35.225.17.48:1234/firmware1.bin you will find the firmware. Extract the contents, find the hidden back door in the file that is the first process to run on Linux, connect to the backdoor, submit the password to get the flag. Submit the password to port 4545.
## Description
We are given a firmware file, and we need to find the backdoor password for the answer.
## Solve
First you need to extract the firmware, which gives us something like this:

Then we can simply use grep to find the password, like this:
`grep -ri "backdoor"`

We found an interesting file, so let's open it:

It seems the password is `IoTBackDoor`, so we submit it.

```
{Develper_BackDoor}
```
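The `grep` above only matches the literal word. When auditing an extracted root filesystem, a slightly broader pass over the files tied to the first process catches strings inside a compiled `init` as well as in scripts. This is an added example, not code from the original write-up: the path list, the indicator patterns and the sample tree are constructed assumptions.

```python
import re
import tempfile
from pathlib import Path

# Paths tied to the first userspace process (assumed typical embedded Linux layout).
INIT_PATHS = ("sbin/init", "init", "etc/inittab", "etc/init.d/rcS")
# Heuristic indicators chosen for this example; not an exhaustive list.
INDICATORS = {
    "keyword": re.compile(rb"back\s*door", re.I),
    "listener": re.compile(rb"\b(telnetd|nc|netcat|socat)\b", re.I),
    "credential": re.compile(rb"pass(word|wd)?\s*[=:]", re.I),
}

def printable_strings(data, min_len=4):
    """Yield (offset, bytes) for printable ASCII runs, like strings(1), so ELF files and scripts both work."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.start(), m.group()

def audit_rootfs(root):
    """Return sorted (relative path, offset, indicator, text) hits in the init-related files."""
    findings = []
    for rel in INIT_PATHS:
        path = Path(root, rel)
        # Skip symlinks so an absolute link cannot lead the scan out of the extracted tree.
        if path.is_symlink() or not path.is_file():
            continue
        data = path.read_bytes()
        for offset, text in printable_strings(data):
            for name, rx in INDICATORS.items():
                if rx.search(text):
                    findings.append((rel, offset, name, text.decode("ascii")))
    return sorted(findings)

def build_sample_rootfs(root):
    """Constructed sample tree: a benign rcS and a fake init binary with embedded strings."""
    files = {
        "etc/init.d/rcS": b"#!/bin/sh\nmount -t proc proc /proc\n",
        "sbin/init": b"\x7fELF\x01\x01\x00" + b"\x00" * 9
                     + b"dev backdoor enabled\x00password=EXAMPLE-ONLY\x00",
    }
    for rel, content in files.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_rootfs(tmp)
        for finding in audit_rootfs(tmp):
            print(finding)
```

On real firmware `/sbin/init` is often a symlink to BusyBox, so resolve such links inside the extracted tree and add the target to the path list rather than following them blindly.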
# Baby's First IoT Flag 6
> Part 6 - At http://35.225.17.48:7777/firmware2.bin you will find another firmware, submit the number of lines in the ‘ethertypes’ file multiplied by 74598 for the flag on port 8888.
## Description
We are given a binary file, but I think it's from MATLAB. We just need to find the exact number of rows in ‘ethertypes’ and multiply it by 74598.
## Solve
When I tried to open it with MATLAB, the rest of the rows did not show.

Then I decided to generate multiples of 74598 like this:
```python=1
# Build a wordlist of candidate answers: each line count from 1 to 99 times 74598
with open('wordlist.txt', 'w') as f:
    for i in range(1, 100):
        payload = i * 74598
        f.write(str(payload) + '\n')
```
After that we brute-force it like this:
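```python=1
from pwn import *

host = '35.225.17.48'
port = 8888

# Candidate answers generated in the previous step, one per line
with open('wordlist.txt', 'r') as f:
    wordlist = f.read().split()

for i in wordlist:
    r = None
    try:
        # One connection per candidate
        r = remote(host, port)
        # Wait for the prompt, then send the candidate as bytes
        r.sendlineafter(b'74598? ', i.encode())
        response = r.recvline().decode('utf-8')
        print(f"Inp: {i}, Res: {response}")
    except Exception as e:
        print(e)
    finally:
        # Close only if the connection was actually opened
        if r is not None:
            r.close()
```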

```
{Xor!=Encryption}
```