 |
Security CTFs are an excellent resource to learn and practice the hacking skills in legal and controlled environment. We need to use our penetration testing and exploitation skills to find the hidden flags in vulnerable web applications and machines with variety of operating systems. People familiar with the security CTF must be knowing the popular sites like vulnhub.com, which allows to download the vulnerable OS image, run it in the virtual machine, exploit the vulnerabilities and find the flags hidden inside it. This post is about a different type of CTF where we need to break into a low end computing device running vulnerable image and find the hidden flag in it. Hardware CTFs are particularly interesting because it brings us more closer towards the hardware of a computing devices and helps to develop our understanding of how the computers work at a very low level. As discussed in my earlier post, it is very essential for a security professionals to have the sound knowledge of underlying hardware and its working. With the hardware CTFs, we try to exploit a very simplified version of our modern computers where all the complexities are abstracted but the underlying working remains same: we have code and data which resides in memory and are executed by CPU.
Riscure Hack me (RHme)
Riscure conducts a low level hardware CTF challenge that comes in form of Arduino Nano boards. Participants are asked to solve an entry level challenge and if successful, Riscure ships the Arduino Nano board with custom boot-loader to the participants. Participants have to flash the challenge onto the board, exploit the vulnerabilities and find the flag. The challenges require the skills like reverse engineering, software exploitation, cryptoanalisis, side channel injection analysis, fault injection and other techniques to discover the hidden flag in the embedded device.
Though the CTF is over now, the challenges are uploaded to github page. The challenges can be downloaded and flashed on to our own Arduino Nano board. To make this post simple, I have divided it into following sections:
- What is Arduino Nano
- How to flash challenge to the board
- How to interact with the board
- Solving a simple challange
What is Arduino Nano?
Arduino is a open source, computer hardware and software company, project and user community that designs and manufactures single board micro controllers. The project products are open-source and any one can create their own board using its prototype. Arduino Nano is one of the many such boards with the following specification:
Microcontroller
|
ATmega328
|
Architecture
|
AVR
|
Operating
Voltage
|
5 V
|
Flash Memory
|
32 KB of which
2 KB used by bootloader
|
SRAM
|
2 KB
|
Clock Speed
|
16 MHz
|
Analog I/O Pins
|
8
|
EEPROM
|
1 KB
|
DC Current per
I/O Pins
|
40 mA
(I/O Pins)
|
Input Voltage
|
7-12 V
|
Digital I/O
Pins
|
22
|
The clone version of Arduino Nano costs around ₹280 (~$4). It is very useful piece of hardware for learning electronics, creating prototypes and IoT devices.
Flashing Challenge to the board
Download Arduino IDE to flash images to the board. Download the challenge from the github repository. Used avrdude to flash challenge to the board. Identify the location of avrdude and avrdude.conf as they are required for flashing the image. To make the things look simpler, I have used alias to specify both the parameters mentioned above.alias avrdude="/opt/arduino-1.8.2/hardware/tools/avr/bin/avrdude
-C /opt/arduino-1.8.2/hardware/arduino/avr/bootloaders/gemma/avrdude.conf"
Identifying the port to which board is connected
Next task is to identity the port to which Arduino Nano is connected. Below are the steps to do so:
- Run ls /dev > file1
- Connect the board to the computer via USB
- Run ls /dev > file2
- Run diff file1 file2
- The required port will be similar to ttyUSB0
Now, open the downloaded challenge and navigate to Rhme-2016 -> challenges -> binaries -> avr_filesystem and run following in the terminal
avrdude -c arduino -p atmega328p -P /dev/ttyUSB0 -b57600 -u -V -U flash:w:avr_filesystem.hex
-p: Family of micro controller used. Here we are using Arduino Nano which has Atmega328p micro controller.
-P: The port to which the board is connected.
-b: Baud rate. It is the rate at which data is transferred. For Arduino Nano it is 57600 bits per second.
avr_filesystem.hex: It is the challenge image. A hex file is a file format which contains binary information in ASCII format.
Interacting with the board
Now the challenge is flashed, it is the time to check what is inside it. We will be interacting with the board using the serial communication. This can either be done using the built in serial monitor in Arduino IDE or using putty on windows, screen on linux and mac. Here we will be using Serial Monitor in Arduino IDE. Open the IDE and go to Tools -> Board and select Arduino Nano and Port as the one which was identified earlier. Now press Ctrl+Shift+M to open the serial monitor. I tried giving some input but didn't received any response. After some trial and error, I found "Both NL & CR" and "19200 baud" must be set to interact properly with the board. "Both NL & CR" means that we have to give New Line(\n) as well as Carriage Return (\r) to submit our input (unlike the normal scenario where 'Enter' i.e \n is enough). Now we can see the serial monitor showing some response.
 |
| Fig 1: List of files on the board |
Solving the Challenge
By reading the challenge description, we come to know that the challenge is about implementing the secure file system where only a legitimate user can access a file. Output of the serial monitor shows a Linux like file structure. From the challenge description, we can see multiple random tokens associated with different files.
To access any file, a token along with the file name must be provided in the following format
token#<filename>[:<filename>]
Multiple filename can also be provided by separating the filenames with colon ':' If we provide the input as
933d86ae930c9a5d6d3a334297d9e72852f05c57#cat.txt:finances.csv
the output is the content of two files: cat.txt and finances.csv
The objective of this CTF is possibly to get the content of passwd file (see Fig 1). But for that, an appropriate token associated with the passwd is required, which is not provided in the description.
 |
| Fig 2: List of sample tokens |
To access any file, a token along with the file name must be provided in the following format
token#<filename>[:<filename>]
Multiple filename can also be provided by separating the filenames with colon ':' If we provide the input as
933d86ae930c9a5d6d3a334297d9e72852f05c57#cat.txt:finances.csv
the output is the content of two files: cat.txt and finances.csv
 |
| Fig 3: Output |
Obtaining the token
By analyzing the different sample tokens (see Fig 2) we can see that the tokens are random and possibly associated with the filename. The token might be the Message Authentication Code of the respective filename. Message Authentication Codes (MAC) are vulnerable to Length Extension Attacks. This feature can be exploited to obtain the token for passwd file. For the lenght extension attack we require the following
- Original message
- Original Hash
- Custom message to append
- Key length
From the samples provided, we have
- Original message - cat.txt,
- Original hash - 96103df3b928d9edc5a103d690639c94628824f5
- Custom message to append - :passwd
Note: We can use cat.txt:passwd to get the content of both the files, so for performing the length extension attack, we are appending :passwd to the original message.
Since the length of the key is not known, I used python script to calculate the new hash and message by using keys of different length and passed the token and new message to the board. For the key length = 8, the attack was successful and I obtained the flag
So by using length extension attack, the security of filesystem was broken and we were able to read the content of the file successfully.
 |
| Fig 4: Getting the flag |
Hope this post was informational and you got the flavor of new type of security CTF. Do comment your suggestions about the post. I will be happy to receive the feedback. Also share if you find it useful.
Follow me on twitter @PiyushSaurabh07 to get the notifications of my new posts in future.
Happy Learning 😊
Great post... 😊
ReplyDelete