From 2d4800d8e24c801fa8316599f7ec9a649f50ada5 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Sat, 14 Dec 2019 15:11:47 +0100 Subject: [PATCH] Ph0wn - Bugfix img --- _posts/2019-12-14-Ph0wnCTF.md | 42 +++++++++++++++++------------------ 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/_posts/2019-12-14-Ph0wnCTF.md b/_posts/2019-12-14-Ph0wnCTF.md index 7c2ac9e..39f8b2c 100755 --- a/_posts/2019-12-14-Ph0wnCTF.md +++ b/_posts/2019-12-14-Ph0wnCTF.md @@ -18,19 +18,19 @@ There is a weather station in Biot, and there is an Android app for it. But some First we ran the new MobSF application and drag'n dropped the APK file into it : `docker run -it --name mobsf -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest`. After inspecting the source code we stumbled upon the following Java/Android at http://localhost:8000/ViewSource/?file=tux/android/biotmeteo/MainActivity.java&md5=1b6d26562ca11c2d0c13fae063c93cd9&type=apk indicating the flag was around. -```java +{% highlight java %} this.j = (Button) findViewById(R.id.badWeatherBtn); this.j.setText("Flag is not far :)"); -``` +{% endhighlight %} We extracted the **biotmeteo.apk** as a zip file and started looking for the flag pattern `ph0wn{` recursively. We will find inside **biotmeteo\res\layout\main.xml**. -```java +{% highlight java %} $ grep ph0 -r . --text curvesButtonInfoTemp((tux.android.biotmeteo.AutoResizeTextViewRainWind ph0wn{IsTheWeatherNiceT0night?} BaHutLdityULIOLpL -``` +{% endhighlight %} **Flag** : ph0wn{IsTheWeatherNiceT0night?} 
@@ -58,14 +58,14 @@ The challenge wasn't hard but takes a lot of time and thorough effort to create Since the NFC is used by the sensor, let's check it with our proxmark3. With these data in mind we can find more informations about the sensor, it seems to be a [FreeStyle Libre](https://play.google.com/store/apps/details?id=com.freestylelibre.app.fr&hl=en_US) sensors. -```powershell +{% highlight powershell %} [usb] pm3 --> hf search UID : E0 07 A0 00 02 A6 99 C0 TYPE : Texas Instrument France [+] Valid ISO15693 tag found -``` +{% endhighlight %} On a StackOverflow post we find this goldmine : @@ -73,7 +73,7 @@ On a StackOverflow post we find this goldmine : Now we know there is dump equivalent for NFC-V (ISO 15693), let's try it with the proxmark. -```powershell +{% highlight powershell %} [usb] pm3 --> hf 15 dump f mydump Reading memory from tag UID E0 07 A0 00 02 A6 99 C0 ................................................... @@ -89,7 +89,7 @@ Reading memory from tag UID E0 07 A0 00 02 A6 99 C0 54/0x36 | 77 64 3A 31 | 0 | wd:1 55/0x37 | 34 30 31 20 | 0 | 401 56/0x38 | E2 B3 C3 1C | 0 | .... -``` +{% endhighlight %} Some data are cropped, we tried several applications on our Android device. [NFC TagInfo by NXP](https://play.google.com/store/apps/details?id=com.nxp.taginfolite&hl=fr) was the right one, it allows us to scan the entire memory. 
@@ -97,16 +97,16 @@ Some data are cropped, we tried several applications on our Android device. [NFC We get the following credential for the IP 10.210.17.66 -```powershell +{% highlight java %} id: pico pwd: 19990401 -``` +{% endhighlight %} -![Ph0wnMedical.jpg]({{ site.baseurl }}/images/Ph0wn/Ph0wnMedical.jpg "Medical"){: .center-image } +![Ph0wnMedical.png]({{ site.baseurl }}/images/Ph0wn/Ph0wnMedical.png "Medical"){: .center-image } From there we can download a PDF file containing a mention to `Examen réalisé par marquage de type “Ange Albertini” CCC’2014 ou PoC||GTFO`. Ange Albertini gave a talk **Funky File Formats** on [NoLimitSecu](https://www.nolimitsecu.fr/ange-albertini-funky-file-formats/), we guess there is another file hidden in the PDF, running binwalk in extract mode will gave us **thezip/FLAG** containing the flag. -```powershell +{% highlight powershell %} $ binwalk lab-results.pdf -e DECIMAL HEXADECIMAL DESCRIPTION @@ -126,7 +126,7 @@ DECIMAL HEXADECIMAL DESCRIPTION $ cat _lab-results.pdf.extracted/thezip/FLAG| grep -i Ph0 ph0wn{BeS@feAndTakeCare} -``` +{% endhighlight %} **Flag** : ph0wn{BeS@feAndTakeCare} @@ -144,7 +144,7 @@ Configuration: A new docker instance is deployed for each team when they click on the challenge, this instance is binded to a random port of the server 10.210.17.34. Since there is no authentication to access the EcoCompteur we guessed we could access other contestants panel. -```powershell +{% highlight powershell %} ... 10040/tcp open unknown syn-ack 10050/tcp open zabbix-agent syn-ack 
@@ -166,11 +166,11 @@ A new docker instance is deployed for each team when they click on the challenge 10340/tcp open unknown syn-ack 10360/tcp open unknown syn-ack ... -``` +{% endhighlight %} We downloaded the usage for both **Conso 1** and **Conso 2**. -```powershell +{% highlight powershell %} ╭─user@crashmanjaro ~/CTF/Ph0wn/Domotics ╰─$ cat usage-last-24-hoursA.csv | cut -d "," -f3 | tr "\n" "," "Power Usage",,103,47,54,99,32,32,97,48,48,32,46,103,49,110,99,48,110,46,49,50,49,47,49,58,102,119,47,32,48,48,50,104,58,102,47,110,99,116,48,102,48,99,99,99,99,99,99,99,99,99,99,116,48,32, @@ -178,14 +178,14 @@ We downloaded the usage for both **Conso 1** and **Conso 2**. ╭─user@crashmanjaro ~/CTF/Ph0wn/Domotics ╰─$ cat usage-last-24-hours.csv | cut -d "," -f3 | tr "\n" "," "Power Usage",,119,110,32,102,108,97,103,32,97,116,32,104,116,116,112,58,47,47,49,48,46,50,49,48,46,49,55,46,54,54,58,50,48,48,48,48,47,110,49,99,101,102,102,102,102,102,102,102,102,102,102,112,104,48,% -``` +{% endhighlight %} We can clearly identify some ASCII char, let's display them using Javascript. -```javascript +{% highlight javascript %} > console.log(String.fromCharCode(119,110,32,102,108,97,103,32,97,116,32,104,116,116,112,58,47,47,49,48,46,50,49,48,46,49,55,46,54,54,58,50,48,48,48,48,47,110,49,99,101,102,102,102,102,102,102,102,102,102,102,112,104,48)); > "wn flag at http://10.210.17.66:20000/n1ceffffffffffph0" -``` +{% endhighlight %} The URL was a little buggy, we grabbed the flag at http://10.210.17.34:20000/n1ceflag 
@@ -198,7 +198,7 @@ The URL was a little buggy, we grabbed the flag at http://10.210.17.34:20000/n1c The Android application is running Cordova, basically all the code is in some Javascript file. Every Dragon ball of the game is mapped like this **int(1-7) - long(...)**. Based on the challenge name we know we have a Shamir Shared Secret. We can recover it with the following python script. -```python +{% highlight python %} #!/usr/bin/python2 from secretsharing import points_to_secret_int @@ -211,6 +211,6 @@ shares = [(7, 862802222187581430605770397234230368197029499216895173347290564006 (1, 16977966888023650463948528650004025823243132426593812430821649423473014227191)] print(hex(points_to_secret_int(shares))[2:-1].decode('hex')) -``` +{% endhighlight %} **Flag** : ph0wn{Sh4m1r_4nd_G0ku_P4rtyt1me} \ No newline at end of file
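Review bot: in the @@ -18,19 hunk the second block (the `$ grep ph0 -r . --text` session and its output) is tagged `{% highlight java %}` although it is a shell transcript, not Java; only the `findViewById` snippet above it is Java. Tag the grep block `{% highlight bash %}` (or `text`) so the highlighter does not mis-colour the `$` prompt and the matched `main.xml` line.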
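Review bot: in the @@ -58,14 hunk the `[usb] pm3 --> hf search` transcript is tagged `powershell`, but it is proxmark3 console output, not a PowerShell session; `{% highlight text %}` is accurate and avoids the highlighter treating `[usb]` and `[+]` as PowerShell syntax. The same correction applies to the `hf 15 dump f mydump` block opened in the @@ -73,7 hunk.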
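Review bot: in the @@ -97,16 hunk the `id: pico` / `pwd: 19990401` block changes language from `powershell` to `java` with no reason given in the commit message; it is plain text, so tag it `{% highlight text %}` rather than swap one wrong tag for another. The rename `Ph0wnMedical.jpg` to `Ph0wnMedical.png` is the "Bugfix img" from the subject, but the diff touches only the post, so confirm the asset under `images/Ph0wn/` actually carries the `.png` name or the image stays broken. The `$ binwalk lab-results.pdf -e` transcript that follows is again a shell session, not PowerShell.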
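Review bot: in the @@ -144,7 hunk the port listing (`10040/tcp open unknown syn-ack`, `10050/tcp open zabbix-agent syn-ack`, ...) is nmap output, not PowerShell; `{% highlight text %}` is the right tag. The leading `...` line inside the block also gets highlighted as code; since the context sentence already explains that instances are bound to random ports on 10.210.17.34, consider stating in prose that the listing is truncated instead of embedding the ellipsis.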
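Review bot: in the @@ -166,11 hunk the `╭─user@crashmanjaro` zsh prompt and the `cat usage-last-24-hoursA.csv | cut -d "," -f3 | tr "\n" ","` pipeline are a Unix shell session, so `{% highlight bash %}` fits better than `powershell`; the `cat | cut` can also be shortened to `cut -d "," -f3 usage-last-24-hoursA.csv` without changing the output.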
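Review bot: in the @@ -178,14 hunk the trailing `%` after the second CSV line (`...,112,104,48,%`) is zsh's missing-newline marker, not part of the data, and it reads as if it belonged to the byte sequence; drop it from the listing or note it. In the JavaScript block, the second line `> "wn flag at http://10.210.17.66:20000/n1ceffffffffffph0"` is shown as a quoted return value, but `console.log` prints the string unquoted and then returns `undefined`; either show the unquoted printed line or call `String.fromCharCode(...)` alone so the console echo matches what is displayed.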
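Review bot: in the @@ -198,7 hunk the script is Python 2 only (`#!/usr/bin/python2` and, in the @@ -211,6 hunk, `hex(...)[2:-1].decode('hex')` which strips Python 2's trailing `L` and uses the removed `hex` codec); `{% highlight python %}` is correct, but the post should say the snippet needs Python 2, or the last line can be rewritten for Python 3 as `bytes.fromhex(format(points_to_secret_int(shares), 'x'))`.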
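Review bot: the @@ -211,6 hunk leaves the file without a trailing newline after `**Flag** : ph0wn{Sh4m1r_4nd_G0ku_P4rtyt1me}` (`\ No newline at end of file`); since this commit already rewrites that line's neighbour, add the newline here so later diffs of the post do not carry the marker.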