HITCON 2018 - EV3 Basic

MISC

General problem description

For this challenge we got a picture of a Lego Mindstorm EV3, which displays the flag partly (see below). Challenge

And we also got a pcap (OK, it was in the apple PackageLogger format) with captured Bluetooth transmission.

Solution

The pcap shows Bluetooth traffic, and wireshark finds furthermore identifies RFCOMM protocol. Some of them includes additional data parts.

Btrfcomm

If you dig around long enough on the internet you can find a wireshark dissector written for the Mindstorm EV3 communication protocol.

If we load this dissector we can easily identify the commands sent to the Mindstorm device. dissector

In the official Mindstorm source repository we can find what those parameters mean:

- CMD = TEXT
  -  \param  (DATA8)   COLOR    - Color [BG_COLOR..FG_COLOR]\n
  -  \param  (DATA16)  X        - X start cord [0..LCD_WIDTH]\n
  -  \param  (DATA16)  Y        - Y start cord [0..LCD_HEIGHT]\n
  -  \param  (DATA8)   STRING   - First character in string to draw\n

So now we know, that the second parameter is the column, the third one is the row and last but not least the fourth one is our character. Now we thought, nice we just export the packages and we can parse out the flag... Yeah first if you check the packages, the characters were not drown in the correct order, so you really need to use the coordinates, and unfortunately the dissector has some issues, and at least on my computer the parameters got not exported, so I just went through the packages noted the coordinates and the char in an Excel sheet and sorted them first after the rows and second after columns.

The flag was: hitcon{m1nd5t0rm_communication_and_firmware_developer_kit}


HITCON 2018 - EV3 Scanner

MISC

General problem description Similar to the previous challenge we got two images (see below) and a pcap. Solution Like before we use the found wireshark dissector to see what happens. However this time we find way more relevant packages than before. After some filtering we identified, that the base station sends only four different commands: OUTPUT_TIME_SPEED: go in a direction with a constant speed for given time OUTPUT_STEP_SYNC: turn given "ticks" long OUTPUT_STEP_SPEED: go in...

Read More
Hack.lu CTF 2018 - Rusty CodePad

Rust Safe Code Bypass

Description I heard Rust is a safe programming language. So I built this CodePad where you can compile and run safe Rust code. Initial Situation We had access to a web-terminal with a limited set of commands: $ help help - print this help clear - clear screen ls - list files cat - print file content rusty - compile rusty code version - print version Calling ls reveals a Rust project file structure and a file called flag.txt: $ ls flag.txt target src lib rusty.sh Cargo.toml Now, running...

Read More
Intro Meetup: Tool Overview

tools

Because we decided on the meetup date on relatively short notice, we'll give an overview of the tools we regularly use. If requested, we can go into detail into certain topics. Where: @FH4, TU Wien (Wiedner Hauptstraße 8-10, 1040 Wien, Yellow Area) When: Thursday, 18.10.2018, 18:30 (CEST) What: Tooling overview...

Read More
Google CTF Quals 2018 - Back To Basics

C64 BASIC Reversing

General problem description You won't find any assembly in this challenge, only C64 BASIC. Once you get the password, the flag is CTF{password}. P.S. The challenge has been tested on the VICE emulator. We got an old .prg file, which is a C64 program file. Parsing the file First we tried using parsers that exist in the wild, that would parse the file for us, but that proved to be not effective, as there were not many and...

Read More
Google CTF Quals 2018 - JS Safe

JavaScript Anti-Debug

General problem definition You stumbled upon someone's "JS Safe" on the web. It's a simple HTML file that can store secrets in the browser's localStorage. This means that you won't be able to extract any secret from it (the secrets are on the computer of the owner), but it looks like it was hand-crafted to work only with the password of the owner... The assignment was a Javascript file, which needs the Flag as input. Getting to...

Read More
Google CTF Quals 2018 - Shall We Play A Game?

Android APK Reversing

General problem description Win the game 1,000,000 times to get the flag. For this challenge we got an .apk file, which we should apperently run and win 1,000,000 times. We let the online Java-decompiler at http://www.javadecompilers.com/apk. Running the apk on an Android-Phone or emulator shows us the game: Tic Tac Toe. We also get a counter 0/1000000 on the bottom of the screen. Each win increases the counter by one. Naive approach by recompiling the app We used...

Read More
Recap: Google CTF

Recap Google CTF Challenges

We've been collaborating with LosFuzzys (https://hack.more.systems) for Google CTF and managed to solve a few challenges. This meetup, we'll go over some of those challenges. Where: @EI3A, TU Wien (Gußhausstraße 25, 1040 Wien, 2nd Floor) When: Thursday, 28.06.2018, 17:30 (CEST) What: Google CTF Recap...

Read More
Intro Meetup: Wargames

Wargames

Wargames by the OverTheWire Community (http://overthewire.org/wargames/) are a set of challenges to practice basic security concepts. Where: @EI3A, TU Wien (Gußhausstraße 25, 1040 Wien, 2nd Floor) When: Thursday, 21.06.2018, 17:30 (CEST) What: Wargames...

Read More
Intro Meetup: Frida

Dynamic Analysis with Frida

This meetup we will cover a basic introduction to Frida (https://www.frida.re/), a cross-platform dynamic instrumentation toolkit, and give a practical example of a past CTF challenge. Where: @EI3A, TU Wien (Gußhausstraße 25, 1040 Wien, 2nd Floor) When: Thursday, 14.06.2018, 17:30 (CEST) What: Intro to Frida Practical Example Challenge Frida and Android...

Read More
Intro Meetup: Exploitation

pwntools/exploit writing

As an introduction to the last internet security challenge, we will give a short overview to writing exploits with pwntools. Where: @EI3A, TU Wien (Gußhausstraße 25, 1040 Wien, 2nd Floor) When: Thursday, 07.06.2018, 17:30 (CEST) What: Intro to pwntools Exploit Writing...

Read More
Intro Meetup: Attack/Defense

FAUST CTF is coming

Next week, we will participate in FAUST CTF, an online attack-defense CTF. We will meet up at SBA Research and participate together. If you are curious about participating, what CTFs are or what's special about attack-defense CTFs, we are hosting this preparation meetup as part of our weekly CTF/Security meetup series. If you can't make it to the meetup, but still want to participate in the CTF, please contact us. Where: @EI3A, TU Wien (Gußhausstraße 25, 1040...

Read More
Intro Meetup: Reversing

Intro to reversing: disassembly/side channels

Where: @EI3A, TU Wien (Gußhausstraße 25, 1040 Wien, 2nd Floor) When: Thursday, 17.05.2018, 17:30 (CEST) What: Intro to Reverse Engineering, disassembly and software side channel attacks...

Read More
Monthly Meetup Monday

April Monthly Meetup! As always Open-to-All!

Where: @SBA Research (Favoritenstrasse 16, 1040 Wien, 1st Floor) When: Monday, 09.04.2018, 18:30 (CEST) What: Recap of past CTFs/challenges $YOUR_TOPIC_HERE$ and of course Socializing ;)...

Read More
UCSB iCTF 2017 - yacs

Yet another... cat service?!

yacs is a tool to store and later retrieve text snippets. If you store program source code there, it can even compile it for you! So handy. Of course, everything is protected using state-of-the-art user authorization and password hashing. It's a big C++ compiled binary which uses a local SQLite database file for data storage. Here's a normal create/list paste workflow: ___...

Read More
RuCTF Finals 2017

We participated in the RuCTF Finals 2017 and finished 12th.

Last Sunday we had the pleasure to participate in the RuCTF Finals 2017 in Yekaterinburg, Russia. After a long day of attacking other teams and defending our own services we managed to secure the 12th place out of 23 active teams. The services we had to work on were really interesting and quite diverse. But a really nice touch to the game was the actual hardware separation of services. Instead of providing a virtual machine...

Read More
Monthly Meetup Monday

First Meetup of 2017! As always Open-to-All!

Where: @SBA Research (Favoritenstrasse 16, 1040 Wien, 1st Floor) When: Monday, 09.01.2017, 18:30 (CET) What: Recap of past CTFs/challenges What to change in 2017? $YOUR_TOPIC_HERE$ and of course Socializing ;)...

Read More
EKOPARTY CTF 2016 - FBI 300

Bitcoin as OP_RETURN Dropbox

The description of the challenge was as follows: There has been some strange transactions on this blockchain! Let's do some research. After downloading and extracting the data (fbi300_64635d9aa64b20d0.7z) is was clear that we where looking at at a .bitcoin folder of a bitcoin-core client hat was started in regtest mode. As a first guess we used bitcoin-abe to read and analyze the blockchain. (https://github.com/bitcoin-abe/bitcoin-abe). Since bitcoin-abe looks out-of-the-box in the default bitcoin directory ($HOME/.bitcoin/blcoks/*) the only thing we...

Read More
Monthly Meetup

Another month, another meetup

We meet to discuss CTF's, writeups and other security related stuff. Whatever happened during the last month....

Read More
TrendMicroCTF 2016 - SCADA 300

SCADA APT's FTW

The description of the challenge was as follows: In this challenge you are presented with a PCAP that comes from a network infected by a well known SCADA related APT Threat (hint: pay attention to potential C&C) Identify the relevant packets related to the malware and attempt to find the flag in the normal format So first we had to download and unpack the relevant file. After fiddling around with wireshark we identified a suspiciously looking HTTP...

Read More
iCTF 2015

We participated in the iCTF 2015 and finished 8th.

Last Friday we participated in this year's iCTF. For the first time the services were not written by the organizers, but each team had to provide a service themselves in order to participate. Although this meant that there were fewer teams this year, still 30 teams took up the challenge in total. The organizers also got some angry comments for this setup, and they liked one of them so much that their unofficial theme...

Read More
hack.lu CTF

We participated in the hack.lu CTF and finished 45th.

The past two days we were busy hacking in the hack.lu CTF. The challenges by fluxfingers were superb as always, and we solved quite some of them. Kudos to the top three teams, what a photo finish! You can find the scoreboard here....

Read More
We_Want_Y0u!

We are looking for new hackers

This semester, we are looking for fresh blood to expand our team. If you think you have what it takes to deal with the challenges of interactive hacking challenges, live trouble-shooting for flaky Internet connections, defending online services which you have never seen before and the forensics skills to pinpoint exploits in a gbit connection, drop us an email at iwant2pwn@w0y.at Please include which security courses you have completed so far at TU...

Read More
New Homepage!

We have a new homepage. And yes, we are on Twitter, too ...

Since this week we now have a public website, which will be updated with news and writeups. We are now on Twitter too, which will be used for live coverage from actual contest. Next week is the hack.lu CTF, and we will participate....

Read More
Finished 3rd at iCTF2014

In this years iCTF2014-2015, themed "hacking at scale", we reached the 3rd place out of more than 80 participating universities.

Last Friday we participated in the ictf2014 and reached the 3rd place out of more than 80 participating universities. This years theme was "hacking at scale" with 42 services to pwn, most of which had been reused from previous iCTF's. We constantly improved our score during the CTF until we were at the second place about one hour before the end with only Team Bushwhackers in front of us. However, SpamAndHex did an incredible finish,...

Read More
  • 1
  • 2
Navigation