The time is 10:38 UTC+2 and we don’t have any more time to hack, so here we go with the write-up.
Datasheet is EEAAO
The objective was to find some information about the chips on the board using datasheets and populate the flag with the following information:
OCD{<ref_main_chip_9_first_caracters>:<family_name_architecture_arm_in_2_caracters>:<ref_A_chip_in_7_caracters>:<max_clock_frequency_in_kHz_A_chip>:<ref_C_chip_in_9_caracters>:<max_power_supply_in_V_C_chip>}
Example: OCD{AAAA:BBBB:CCCC:0000:DDDD:11.11}
I don’t want to spoil the answer but Google is king.
Mission Discover 0
This task was about finding the UART port on the board and connecting to it with an FTDI USB-to-UART converter.
The answer is supposed to be in the following format:
OCD{<PIN_TX>:<PIN_RX>:<baud_rate>:<configuration_bits>}
Example: OCD{A0:A1:9600:7N0}
We found the pins, guessed the baud rate and configuration bits based on… common sense? And we got the flag.
Mission Discover 1
Once we connected to the board using the UART port, we got to the following screen:
This task is about getting past the login screen. The username, root, is given in the description. The challenge is to find the password. Since the developer likes a lot of rock music, we thought of trying the rockyou wordlist on it.
Using the following script we found the password:
Once logged in we were presented with the flag:
PS: The board has some nasty behavior where it only accepts \r as a line terminator, and weird things happen when you send \r\n. We spent several hours on this issue.
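The two UART steps above (picking the baud rate, then guessing the root password from a wordlist) can be scripted instead of done by hand. The following is an added example written for this write-up, not the script we used during the CTF: it scores candidate baud rates by how much of the output is printable ASCII, and then feeds rockyou entries to the login prompt, terminating every line with a bare \r because of the \r\n problem described above. Port name, the 4-8 digit guess for the prompt strings ("login:", "$ ", "# ") and the wordlist path are assumptions; the live parts need pyserial, the scoring and reply-parsing helpers run offline.

```python
"""Added example: UART recon for a board like the one in this write-up.
Step 1 picks the baud rate systematically, step 2 brute-forces the root
login from a wordlist, sending a bare '\r' after every line because this
target misbehaves on '\r\n'. The live parts need pyserial; the scoring
and reply-parsing helpers run offline."""
import string
import time
from typing import Dict, Optional

STANDARD_BAUDS = (9600, 19200, 38400, 57600, 115200, 230400)
PRINTABLE = set(string.printable.encode("ascii"))
EOL = b"\r"  # assumption: the target wants a bare carriage return, not CRLF


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII. A wrong baud rate produces
    framing errors that surface as high-bit garbage, so the right rate scores
    near 1.0 and wrong ones well below."""
    if not data:
        return 0.0
    return sum(1 for b in data if b in PRINTABLE) / len(data)


def best_baud(samples: Dict[int, bytes]) -> int:
    """Return the baud rate whose captured bytes look most like text."""
    return max(samples, key=lambda baud: printable_ratio(samples[baud]))


def login_succeeded(reply: bytes) -> bool:
    """Classify the target's reply. Assumption: a rejected login re-prints
    'login:', while success shows a shell prompt or the flag itself."""
    reply = reply.lower()
    return b"login:" not in reply and any(m in reply for m in (b"$ ", b"# ", b"ocd{"))


def sample_bauds(port: str, seconds_per_rate: float = 1.0) -> Dict[int, bytes]:
    """Read a burst of output at each standard rate (needs pyserial)."""
    import serial  # imported here so the offline helpers work without it
    samples = {}
    for baud in STANDARD_BAUDS:
        with serial.Serial(port, baud, timeout=seconds_per_rate) as s:
            s.write(EOL)  # poke the target so it prints a prompt
            samples[baud] = s.read(256)
    return samples


def brute_force(port: str, baud: int, user: str, wordlist: str) -> Optional[str]:
    """Try every wordlist entry as the password for `user` (needs pyserial).
    Each line goes out terminated with EOL only, never with CRLF."""
    import serial
    with serial.Serial(port, baud, timeout=2) as s, open(wordlist, "rb") as words:
        for raw in words:
            password = raw.rstrip(b"\r\n")
            s.reset_input_buffer()
            s.write(user.encode() + EOL)
            time.sleep(0.2)
            s.write(password + EOL)
            time.sleep(0.5)
            if login_succeeded(s.read(512)):
                return password.decode("utf-8", "replace")
    return None
```

On real hardware the flow is `baud = best_baud(sample_bauds("/dev/ttyUSB0"))` followed by `brute_force("/dev/ttyUSB0", baud, "root", "rockyou.txt")` (device path and wordlist location assumed). The sleeps are deliberately generous; a target that echoes slowly will otherwise have its reply read while it is still printing the previous prompt, which makes login_succeeded misclassify it.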
Dumpling or Dumping
According to the developer, readout protection is not useful. Our task here is to prove him wrong by reading the firmware back out over SWD. We did that by connecting an ST-LINK V2 programmer to the STM32F401 microcontroller's SWD port.
st-flash can then be used to dump the firmware as such:
And we got the flag!
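Before grepping a dump for flags it is worth checking that you actually got firmware and not a blank image: with readout protection enabled, or with the wrong address range, st-flash hands back all 0x00/0xFF (or fails outright). The following is an added example, not part of the original write-up or of the challenge: it parses the Cortex-M vector table at the start of the image (initial stack pointer must point into SRAM, reset handler into flash with the Thumb bit set), flags blank dumps, and lists flag-shaped strings with their flash addresses. The STM32F401 memory map used here (flash at 0x08000000, SRAM at 0x20000000) is from the reference manual; the sample image is constructed, not a real dump.

```python
"""Added example: sanity-check a flash image dumped over SWD, e.g. with
    st-flash read firmware.bin 0x08000000 0x40000
STM32F401: flash starts at 0x08000000 (256 KB to 512 KB by variant),
SRAM starts at 0x20000000 (64 KB or 96 KB by variant). If readout
protection had really been enabled, the dump would be blank, not code."""
import struct

FLASH_BASE = 0x08000000
FLASH_MAX = 0x08080000   # end of the largest (512 KB) STM32F401 flash
SRAM_BASE = 0x20000000
SRAM_MAX = 0x20018000    # end of the largest (96 KB) STM32F401 SRAM


def check_vector_table(image: bytes) -> dict:
    """Parse the Cortex-M vector table at offset 0. Word 0 is the initial
    stack pointer (must land in SRAM), word 1 the reset handler (must land
    in flash and carry the Thumb bit, i.e. be odd)."""
    if len(image) < 8:
        return {"valid": False, "reason": "image shorter than a vector table"}
    sp, reset = struct.unpack_from("<II", image, 0)
    ok_sp = SRAM_BASE < sp <= SRAM_MAX
    ok_reset = (reset & 1) == 1 and FLASH_BASE <= (reset & ~1) < FLASH_MAX
    valid = ok_sp and ok_reset
    return {
        "valid": valid,
        "initial_sp": sp,
        "reset_handler": reset & ~1,
        "reason": None if valid else "vector table does not look like STM32F4 firmware",
    }


def looks_blank(image: bytes) -> bool:
    """True when the dump is all 0x00 or all 0xFF: RDP, an unprogrammed
    part, or a wrong address range gave us nothing useful."""
    return bool(image) and image.count(0x00) == len(image) or image.count(0xFF) == len(image)


def find_flags(image: bytes, prefix: bytes = b"OCD{") -> list:
    """Every flag-shaped string in the dump with its flash address."""
    flags, pos = [], 0
    while True:
        start = image.find(prefix, pos)
        if start < 0:
            return flags
        end = image.find(b"}", start)
        if end < 0:
            return flags
        flags.append((FLASH_BASE + start, image[start:end + 1].decode("ascii", "replace")))
        pos = end + 1


# Constructed sample image (not a real dump): a plausible vector table,
# 0x200 bytes of erased flash, one flag string, more erased flash.
SAMPLE_IMAGE = (
    struct.pack("<II", 0x20018000, 0x080001ED)   # SP = top of 96 KB SRAM, reset at 0x080001EC | 1
    + b"\xff" * 0x200
    + b"OCD{sample_flag}"
    + b"\xff" * 16
)
```

A dump that fails check_vector_table but is not blank usually means st-flash was pointed at the wrong base address (a dump starting at 0x00000000 aliases flash on this part, but the table check is the quick way to notice you are off). A blank dump with a working SWD connection is the signal that readout protection is on after all.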
Super Power Intelligence
In this task we have to fetch the “secret” from the “other” memory chip. We start by connecting a logic analyzer to the SPI bus:
We select the option to show the secret in the menu, which will fetch it from the memory over the SPI bus. The “secret”, which also happens to be the flag is displayed on the screen as seen in the previous picture but it is “anonymized”:
While the data is being fetched, we are sniffing the SPI bus with the logic analyzer and decode the SPI binary data into ASCII:
We can read the flag as seen above.
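The logic analyzer's built-in decoder did the SPI-to-ASCII step for us, but it is useful to know what it actually does, because the one setting that silently breaks it is the SPI mode (CPOL/CPHA). The following is an added example, not code from the write-up or the challenge: a minimal SPI decoder that takes per-channel sample lists (CS, CLK, MOSI, MISO), frames on CS active-low, samples on the edge selected by the mode, packs bits MSB first and renders the result as ASCII. The capture generator only exists to produce a constructed trace for the decoder; the sample transaction (a 0x03 READ command followed by the secret on MISO) is an assumption about what a flash read looks like, not the board's real traffic.

```python
"""Added example: decode an SPI capture into bytes. Input is what a logic
analyzer exports: one sample per channel per tick (CS, CLK, MOSI, MISO).
Frames are delimited by CS (active low), data is sampled on the edge the
mode selects, bits are packed MSB first. Pick the wrong CPOL/CPHA and the
output is garbage, so the mode is a parameter rather than a constant."""


def pack_bits(bits):
    """MSB-first bit list -> bytes; a trailing partial byte is dropped."""
    out = bytearray()
    for k in range(0, len(bits) - len(bits) % 8, 8):
        out.append(int("".join(str(b) for b in bits[k:k + 8]), 2))
    return bytes(out)


def decode_spi(cs, clk, mosi, miso, cpol=0, cpha=0):
    """Return one (mosi_bytes, miso_bytes) tuple per CS-low period.
    CPHA=0 samples on the leading clock edge, CPHA=1 on the trailing edge;
    CPOL decides whether the leading edge is rising (0) or falling (1)."""
    sample_on_rising = (cpol == cpha)
    frames, mo_bits, mi_bits, active = [], [], [], False
    for i in range(1, len(clk)):
        if cs[i] == 0 and not active:            # CS asserted: new frame
            active, mo_bits, mi_bits = True, [], []
        elif cs[i] == 1 and active:              # CS released: close frame
            frames.append((pack_bits(mo_bits), pack_bits(mi_bits)))
            active = False
        if not active:
            continue
        rising = clk[i - 1] == 0 and clk[i] == 1
        falling = clk[i - 1] == 1 and clk[i] == 0
        if (rising and sample_on_rising) or (falling and not sample_on_rising):
            mo_bits.append(mosi[i])
            mi_bits.append(miso[i])
    return frames


def to_ascii(data):
    """Render decoded bytes the way an analyzer's ASCII view does."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in data)


def make_capture(mosi_bytes, miso_bytes, cpol=0, cpha=0):
    """Constructed trace (not a real capture) for the decoder above: CS low
    around one transfer, two samples per bit, data set up on the idle-level
    sample for CPHA=0 or on the leading edge for CPHA=1."""
    idle = cpol
    cs, clk, mosi, miso = [1, 0], [idle, idle], [0, 0], [0, 0]

    def bits(data):
        return [(byte >> (7 - n)) & 1 for byte in data for n in range(8)]

    for bo, bi in zip(bits(mosi_bytes), bits(miso_bytes)):
        first, second = (idle, 1 - idle) if cpha == 0 else (1 - idle, idle)
        for level in (first, second):
            cs.append(0)
            clk.append(level)
            mosi.append(bo)
            miso.append(bi)
    cs += [0, 1]
    clk += [idle, idle]
    mosi += [0, 0]
    miso += [0, 0]
    return cs, clk, mosi, miso


# Constructed example transaction: READ (0x03) at address 0x001000, then
# four dummy bytes while the flash clocks the secret out on MISO.
MOSI = b"\x03\x00\x10\x00\x00\x00\x00\x00"
MISO = b"\x00\x00\x00\x00OCD{"
```

Decoding the constructed mode-0 capture with mode-1 settings still returns "bytes", just shifted by one bit, which is exactly the failure you see in a real analyzer when the mode is wrong: the output is plausible-looking binary rather than an error, so when the ASCII view shows nothing readable, try the other three modes before assuming the data is encrypted.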
Intelligence 2 Customer
Some data is protected inside the board’s memories alongside the serial number. There is an option in the menu to read the serial number. This operation happens over the I2C bus.
We start by connecting the logic analyzer on the I2C port (and ground):
Then, we trigger the “Display serial” function from chip nr 1:
Lastly, we record and decode using the logic analyzer:
And we got the flag!
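As with the SPI task, the analyzer's I2C decoder hides a few details that matter when you read the capture yourself: START and STOP are SDA transitions while SCL is high (which is why a missing ground, and the resulting noisy SDA, produces phantom transactions), the first byte after a START carries the 7-bit address plus the R/W bit, and every byte ends with an ACK bit. The following is an added example, not the write-up's or the challenge's code: a bit-level I2C decoder that turns SCL/SDA sample lists into transactions (address, direction, data, ACKs) and reassembles the bytes read from one device address. The constructed capture models the common EEPROM pattern of a write that sets the memory offset followed by a repeated START and a read; the device address 0x50 and the serial-number bytes are assumptions.

```python
"""Added example: decode an I2C capture (SCL and SDA sample lists) into
transactions. START = SDA falling while SCL high, STOP = SDA rising while
SCL high, bits sampled on SCL rising; the first byte after a START holds
the 7-bit address and the R/W bit, and each byte is followed by an ACK bit
(0 = ACK). Repeated STARTs close the previous transaction."""


def decode_i2c(scl, sda):
    """Return a list of dicts: addr, rw ('R'/'W'), data (list of ints) and
    acks (one bool per byte, address byte first)."""
    transactions, cur, bits = [], None, []
    for i in range(1, len(scl)):
        scl_high = scl[i - 1] == 1 and scl[i] == 1
        if scl_high and sda[i - 1] == 1 and sda[i] == 0:          # START / repeated START
            if cur is not None:
                transactions.append(cur)
            cur, bits = {"addr": None, "rw": None, "data": [], "acks": []}, []
        elif scl_high and sda[i - 1] == 0 and sda[i] == 1:        # STOP
            if cur is not None:
                transactions.append(cur)
            cur, bits = None, []
        elif cur is not None and scl[i - 1] == 0 and scl[i] == 1:  # data bit on SCL rising
            bits.append(sda[i])
            if len(bits) == 9:
                byte, ack = int("".join(str(b) for b in bits[:8]), 2), bits[8]
                if cur["addr"] is None:
                    cur["addr"], cur["rw"] = byte >> 1, "R" if byte & 1 else "W"
                else:
                    cur["data"].append(byte)
                cur["acks"].append(ack == 0)
                bits = []
    return transactions


def read_payload(transactions, addr):
    """Concatenate everything the master read from one device address."""
    return bytes(b for t in transactions if t["addr"] == addr and t["rw"] == "R" for b in t["data"])


def make_i2c_capture(ops):
    """Constructed capture (not a real trace) for the decoder above. ops is a
    list of (addr, 'R'|'W', bytes): one START, repeated STARTs between ops,
    one STOP at the end. The slave ACKs everything; the master NACKs the
    last byte of a read, as a real master does."""
    scl, sda = [1], [1]

    def emit(c, d):
        scl.append(c)
        sda.append(d)

    def byte(value, ack):
        for n in range(7, -1, -1):
            b = (value >> n) & 1
            emit(0, b)          # change SDA while SCL is low
            emit(1, b)          # SCL high: bit is sampled
            emit(0, b)
        emit(0, ack)
        emit(1, ack)
        emit(0, ack)

    for k, (addr, rw, data) in enumerate(ops):
        if k == 0:
            emit(1, 0)                                  # START
        else:
            emit(0, 1); emit(1, 1); emit(1, 0)          # repeated START
        byte((addr << 1) | (1 if rw == "R" else 0), 0)
        for j, v in enumerate(data):
            last_read_byte = rw == "R" and j == len(data) - 1
            byte(v, 1 if last_read_byte else 0)
    emit(0, 0); emit(1, 0); emit(1, 1)                  # STOP
    return scl, sda
```

The acks list is the first thing to look at when a capture decodes to nonsense: a transaction whose address byte is NACKed means nobody answered at that address, which is what a bad probe contact or a missing ground looks like in the data rather than in the waveform.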
Remote Access Medium
The PIN (“PIN verification” menu) is only known by our client, and they claim we can’t find it. That is weird, it is right there when we log in over the UART port:
The developer says that removing the debug ports isn’t useful. Let’s prove him wrong…
Let’s assume that the verify_cipher_flag() function from the source code provided with the challenge is executed when we select item nr 4 in the main menu, as seen in the picture above.
We connect with OpenOCD over the debug port so that we can examine the chip’s RAM:
And then we hook up GDB to the OpenOCD daemon:
We select option nr 4 over UART, which will execute verify_cipher_flag() and load the PIN into RAM:
We dump the RAM using GDB and run strings on it to find the PIN. Here you need to do some research to find where the RAM on the STM32F401 resides (SRAM starts at 0x20000000, while the flash you already dumped starts at 0x08000000), or you might end up dumping the firmware once again:
We got the PIN! Now we use the keypad on the device to type the PIN, and we get back the following on the UART connection:
Let’s decrypt it… Nah I’m kidding. Let’s dump the RAM once again:
Voila! Mr Hackerman strikes again!
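Running strings over a 96 KB RAM dump returns a lot of noise (format strings, menu text, stack leftovers), and the PIN is a short run of digits that strings -n 4 will show but not single out. The following is an added example, not the write-up's own tooling: it reads a RAM dump produced by GDB, lists printable strings with their SRAM addresses, narrows them down to PIN-shaped digit runs, and pulls out flag-shaped strings, which covers both RAM dumps in this task (the PIN before entering it on the keypad, the decrypted flag afterwards). The OpenOCD/GDB commands in the docstring are the assumed setup; the 4-8 digit PIN length and the sample dump are constructed assumptions.

```python
"""Added example: pull candidate secrets out of a RAM dump taken over SWD.
Assumed setup used to obtain the dump (STM32F401 SRAM starts at
0x20000000 and is 64 KB or 96 KB depending on the part):
    openocd -f interface/stlink.cfg -f target/stm32f4x.cfg
    arm-none-eabi-gdb -ex "target extended-remote :3333"
    (gdb) dump binary memory ram.bin 0x20000000 0x20018000
Dumping from 0x08000000 instead would hand you the flash image again."""
import re

SRAM_BASE = 0x20000000
STRING_RE = re.compile(rb"[\x20-\x7e]{4,}")          # same rule as `strings -n 4`
DIGITS_RE = re.compile(r"(?<!\d)\d{4,8}(?!\d)")      # assumption: the PIN is 4-8 digits
FLAG_RE = re.compile(rb"OCD\{[^}]*\}")


def printable_strings(dump, base=SRAM_BASE):
    """(address, text) for every printable run of 4+ bytes, like strings does."""
    return [(base + m.start(), m.group().decode("ascii")) for m in STRING_RE.finditer(dump)]


def pin_candidates(dump, base=SRAM_BASE):
    """Digit runs inside the printable strings, bounded by non-digits, with
    the address of the first digit. Short list to try on the keypad."""
    hits = []
    for addr, text in printable_strings(dump, base):
        for m in DIGITS_RE.finditer(text):
            hits.append((addr + m.start(), m.group()))
    return hits


def flags(dump, base=SRAM_BASE):
    """Flag-shaped strings with their SRAM addresses."""
    return [(base + m.start(), m.group().decode("ascii")) for m in FLAG_RE.finditer(dump)]


def load_dump(path):
    """Read the file written by GDB's `dump binary memory`."""
    with open(path, "rb") as f:
        return f.read()


# Constructed sample dump (not a real capture): some zeroed memory, a menu
# string, the PIN as a NUL-terminated C string, binary junk, a flag.
SAMPLE_DUMP = (
    b"\x00" * 0x40
    + b"PIN verification\x00"
    + b"\x00" * 7
    + b"4711\x00"
    + b"\xde\xad\xbe\xef" * 8
    + b"OCD{sample_flag_in_ram}\x00"
    + b"\x00" * 32
)
```

Usage on a real dump is `pin_candidates(load_dump("ram.bin"))`; the address next to each hit is what you would then watch with a GDB watchpoint if several candidates show up and you want to see which one verify_cipher_flag() actually compares against.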
Basic One Fail
In this challenge we have to exploit a stack overflow in order to get the next flag. Typing a very long username-password combination will trigger a “HARD FAULT”:
However, as time was limited, we didn’t complete this challenge.