Ph0wn - Bugfix img

pull/1/head
Swissky 2019-12-14 15:11:47 +01:00
parent b522353eb7
commit 2d4800d8e2
1 changed files with 21 additions and 21 deletions


@ -18,19 +18,19 @@ There is a weather station in Biot, and there is an Android app for it. But some
First we ran the new MobSF application and drag'n dropped the APK file into it : `docker run -it --name mobsf -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest`. After inspecting the source code we stumbled upon the following Java/Android at http://localhost:8000/ViewSource/?file=tux/android/biotmeteo/MainActivity.java&md5=1b6d26562ca11c2d0c13fae063c93cd9&type=apk indicating the flag was around.
```java
{% highlight java %}
this.j = (Button) findViewById(R.id.badWeatherBtn);
this.j.setText("Flag is not far :)");
```
{% endhighlight %}
We extracted the **biotmeteo.apk** as a zip file and started looking for the flag pattern `ph0wn{` recursively. We will find inside **biotmeteo\res\layout\main.xml**.
```java
{% highlight java %}
$ grep ph0 -r . --text
curvesButtonInfoTemp((tux.android.biotmeteo.AutoResizeTextViewRainWind
ph0wn{IsTheWeatherNiceT0night?}
BaHutLdityULIOLpL
```
{% endhighlight %}
**Flag** : ph0wn{IsTheWeatherNiceT0night?}
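Review bot: the second fenced block in this hunk (the `$ grep ph0 -r . --text` command and its output) is opened with ```java, inherited from the removed `{% highlight java %}` tag, but it is shell output rather than Java; tag it ```shell (or ```text) so the highlighter does not treat `ph0wn{IsTheWeatherNiceT0night?}` as Java. The first block (`findViewById` / `setText`) is correctly tagged ```java.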
@ -58,14 +58,14 @@ The challenge wasn't hard but takes a lot of time and thorough effort to create
Since the NFC is used by the sensor, let's check it with our proxmark3. With these data in mind we can find more informations about the sensor, it seems to be a [FreeStyle Libre](https://play.google.com/store/apps/details?id=com.freestylelibre.app.fr&hl=en_US) sensors.
```powershell
{% highlight powershell %}
[usb] pm3 --> hf search
UID : E0 07 A0 00 02 A6 99 C0
TYPE : Texas Instrument France
[+] Valid ISO15693 tag found
```
{% endhighlight %}
On a StackOverflow post we find this goldmine :
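Review bot: the proxmark3 transcript (`[usb] pm3 --> hf search` through `[+] Valid ISO15693 tag found`) keeps the ```powershell tag from the old `{% highlight powershell %}` line, but it is a pm3 console session, not PowerShell; ```text avoids mis-highlighting the `UID :` and `TYPE :` lines.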
@ -73,7 +73,7 @@ On a StackOverflow post we find this goldmine :
Now we know there is dump equivalent for NFC-V (ISO 15693), let's try it with the proxmark.
```powershell
{% highlight powershell %}
[usb] pm3 --> hf 15 dump f mydump
Reading memory from tag UID E0 07 A0 00 02 A6 99 C0
...................................................
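Review bot: same language-tag issue as the previous hunk: the `hf 15 dump f mydump` session opens with ```powershell although it is pm3 console output that continues into the memory dump table; ```text fits the content.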
@ -89,7 +89,7 @@ Reading memory from tag UID E0 07 A0 00 02 A6 99 C0
54/0x36 | 77 64 3A 31 | 0 | wd:1
55/0x37 | 34 30 31 20 | 0 | 401
56/0x38 | E2 B3 C3 1C | 0 | ....
```
{% endhighlight %}
Some data are cropped, we tried several applications on our Android device. [NFC TagInfo by NXP](https://play.google.com/store/apps/details?id=com.nxp.taginfolite&hl=fr) was the right one, it allows us to scan the entire memory.
@ -97,16 +97,16 @@ Some data are cropped, we tried several applications on our Android device. [NFC
We get the following credential for the IP 10.210.17.66
```powershell
{% highlight java %}
id: pico
pwd: 19990401
```
{% endhighlight %}
![Ph0wnMedical.jpg]({{ site.baseurl }}/images/Ph0wn/Ph0wnMedical.jpg "Medical"){: .center-image }
![Ph0wnMedical.png]({{ site.baseurl }}/images/Ph0wn/Ph0wnMedical.png "Medical"){: .center-image }
From there we can download a PDF file containing a mention to `Examen réalisé par marquage de type “Ange Albertini” CCC2014 ou PoC||GTFO`. Ange Albertini gave a talk **Funky File Formats** on [NoLimitSecu](https://www.nolimitsecu.fr/ange-albertini-funky-file-formats/), we guess there is another file hidden in the PDF, running binwalk in extract mode will gave us **thezip/FLAG** containing the flag.
```powershell
{% highlight powershell %}
$ binwalk lab-results.pdf -e
DECIMAL HEXADECIMAL DESCRIPTION
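Review bot: the credential block changes language silently: the removed tag was `{% highlight java %}` but the new fence is ```powershell, and the content (`id: pico` / `pwd: 19990401`) is neither, so ```text is the right tag. The image reference switches from `Ph0wnMedical.jpg` to `Ph0wnMedical.png`, which is the change the commit title refers to; confirm the .png is actually present under `images/Ph0wn/` in the same change. The binwalk block opened at the end of this hunk (`$ binwalk lab-results.pdf -e`) is a shell session and would read better tagged ```shell.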
@ -126,7 +126,7 @@ DECIMAL HEXADECIMAL DESCRIPTION
$ cat _lab-results.pdf.extracted/thezip/FLAG| grep -i Ph0
ph0wn{BeS@feAndTakeCare}
```
{% endhighlight %}
**Flag** : ph0wn{BeS@feAndTakeCare}
@ -144,7 +144,7 @@ Configuration:
A new docker instance is deployed for each team when they click on the challenge, this instance is binded to a random port of the server 10.210.17.34. Since there is no authentication to access the EcoCompteur we guessed we could access other contestants panel.
```powershell
{% highlight powershell %}
...
10040/tcp open unknown syn-ack
10050/tcp open zabbix-agent syn-ack
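Review bot: the port-scan output (`10040/tcp open unknown syn-ack`, ...) is tagged ```powershell but is plain scanner output; ```text is more appropriate. The sentence above also does not say which tool produced this listing; naming the scan command would make the step reproducible.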
@ -166,11 +166,11 @@ A new docker instance is deployed for each team when they click on the challenge
10340/tcp open unknown syn-ack
10360/tcp open unknown syn-ack
...
```
{% endhighlight %}
We downloaded the usage for both **Conso 1** and **Conso 2**.
```powershell
{% highlight powershell %}
╭─user@crashmanjaro ~/CTF/Ph0wn/Domotics
╰─$ cat usage-last-24-hoursA.csv | cut -d "," -f3 | tr "\n" ","
"Power Usage",,103,47,54,99,32,32,97,48,48,32,46,103,49,110,99,48,110,46,49,50,49,47,49,58,102,119,47,32,48,48,50,104,58,102,47,110,99,116,48,102,48,99,99,99,99,99,99,99,99,99,99,116,48,32,
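Review bot: the `cat usage-last-24-hoursA.csv | cut -d "," -f3 | tr "\n" ","` session is a zsh shell transcript (note the `╭─`/`╰─$` prompt) yet the fence is ```powershell; ```shell matches the content. The `cut`/`tr` pipeline is also fine to show as-is, since the decimal list it prints is what the JavaScript block later decodes.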
@ -178,14 +178,14 @@ We downloaded the usage for both **Conso 1** and **Conso 2**.
╭─user@crashmanjaro ~/CTF/Ph0wn/Domotics
╰─$ cat usage-last-24-hours.csv | cut -d "," -f3 | tr "\n" ","
"Power Usage",,119,110,32,102,108,97,103,32,97,116,32,104,116,116,112,58,47,47,49,48,46,50,49,48,46,49,55,46,54,54,58,50,48,48,48,48,47,110,49,99,101,102,102,102,102,102,102,102,102,102,102,112,104,48,%
```
{% endhighlight %}
We can clearly identify some ASCII char, let's display them using Javascript.
```javascript
{% highlight javascript %}
> console.log(String.fromCharCode(119,110,32,102,108,97,103,32,97,116,32,104,116,116,112,58,47,47,49,48,46,50,49,48,46,49,55,46,54,54,58,50,48,48,48,48,47,110,49,99,101,102,102,102,102,102,102,102,102,102,102,112,104,48));
> "wn flag at http://10.210.17.66:20000/n1ceffffffffffph0"
```
{% endhighlight %}
The URL was a little buggy, we grabbed the flag at http://10.210.17.34:20000/n1ceflag
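Review bot: the ```javascript tag matches the `String.fromCharCode(...)` call, but the decoded string begins with `wn flag at http://10.210.17.66:20000/n1ce...` while the sentence below says the flag was fetched from `http://10.210.17.34:20000/n1ceflag`; if that host/path difference is what "a little buggy" means, state it explicitly so readers do not assume a typo. The decoded text also only covers the second CSV (`usage-last-24-hours.csv`); the first CSV from the previous hunk (`usage-last-24-hoursA.csv`) is never decoded in the text, so either show its decoding or say it was not needed.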
@ -198,7 +198,7 @@ The URL was a little buggy, we grabbed the flag at http://10.210.17.34:20000/n1c
The Android application is running Cordova, basically all the code is in some Javascript file. Every Dragon ball of the game is mapped like this **int(1-7) - long(...)**. Based on the challenge name we know we have a Shamir Shared Secret. We can recover it with the following python script.
```python
{% highlight python %}
#!/usr/bin/python2
from secretsharing import points_to_secret_int
@ -211,6 +211,6 @@ shares = [(7, 862802222187581430605770397234230368197029499216895173347290564006
(1, 16977966888023650463948528650004025823243132426593812430821649423473014227191)]
print(hex(points_to_secret_int(shares))[2:-1].decode('hex'))
```
{% endhighlight %}
**Flag** : ph0wn{Sh4m1r_4nd_G0ku_P4rtyt1me}
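Review bot: the ```python fence is correct, but the script is Python 2 only: `#!/usr/bin/python2`, `.decode('hex')` on a str, and `hex(...)[2:-1]`, which strips the trailing `L` that Python 2 appends to a long; on Python 3 the slice would drop the last hex digit and `.decode('hex')` does not exist. Add a one-line note that the script needs Python 2 and the `secretsharing` package, and that only four of the seven shares are shown here (the hunk keeps shares 7 and 1 as context).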