MITRE eCTF: The Ohio State University Attacking University of Massachusetts Amherst

Bug

Protected firmware and configuration are stored in chunks (~1 KB), which are each individually authenticated and encrypted. While the chunks have an authenticated index that ensures correct orderering, we can swap chunks from two different protected files as long as they have the same index.

Firmware Rollback

The first chunk of the protected firmware contains the release message and version number. To boot fw_v1, we can replace the first chunk of fw_v1 with the first chunk of fw_v2. The bootloader verifies this and boots it, giving us the flag.

Flight Abort

To get a flight abort, we need the device to boot with a corrupted configuration. Both cfg1 and cfg2 are protected properly so their chunks will be accepted by the device, but their contents are different. Thus we can replace a chunk in cfg1 with a chunk from cfg2 of the same size and the resulting content which gets stored on the device will form a corrupted configuration. Running an aircraft simulation with the device in this state gives us the abort flag.

Syntax	Example	Reference
# Header	Header	基本排版
- Unordered List	Unordered List
1. Ordered List	Ordered List
- [ ] Todo List	Todo List
> Blockquote	Blockquote
Bold font	Bold font
Italics font	Italics font
~~Strikethrough~~	~~Strikethrough~~
19^th^	19^th
H~2~O	H₂O
++Inserted text++	Inserted text
==Marked text==	Marked text
[link text](https:// "title")	Link
![image alt](https:// "title")	Image
`Code`	`Code`	在筆記中貼入程式碼
```javascript var i = 0; ```	`var i = 0;`	在筆記中貼入程式碼
:smile:		Emoji list
{%youtube youtube_id %}	Externals
$L^aT_eX$	L^aT_eX
:::info This is a alert area. :::	This is a alert area.