Write-up of Long Range 2 challenge, RealWorldCTF 2024. Official challenge prompt: Of late, whispers doth persist behind mine back. Yesterday, under the studio tower, a peculiar contraption was found by me. I am most intrigued to discover the content of their discourse. The challenge attachment contains two files: flash_dump (8.0MiB, sha256: 508d328f855d5398aab38cc93bc66bec91dffd2bfff3691c55b096a6d273d972) 486_375MHz-1MSps-1MHz.wav (293MiB, sha256: 1c60c7a45a4d1c279ca334339eecb51043b91b6714dda8382ecdcd3e7d4370f3) flash_dump forensics analysis $ file ./flash_dump ./flash_dump: DOS executable (COM), start instruction 0xe903023f bc983c40 $ binwalk ./flash_dump DECIMAL HEXADECIMAL DESCRIPTION -------------------------------------------------------------------------------- 88595 0x15A13 Neighborly text, "neighbors a simple (0 id) broadcast" 109607 0x1AC27 HTML document header [....

Write-up of Bandit Surfer challenge, SideQuest 4 of TryHackMe Advent of Cyber 2023. After completing day 20 of Advent of Cyber 2023, we notice a QRCode inside one of the calendar PNG image inside the Git repository. The QRCode links to https://tryhackme.com/room/surfingyetiiscomingtotown. Step 1: SQL injection into server-side request forgery After starting this new machine (at 10.10.190.103 in this write-up), we discover a web server on port 8000. This web service offers to download 3 SVG files. The service seems to use a server-side code to hint to the browser that it should download a file....

Quick guide to correctly setup Yubikey PIV applet to use age and SSH. Yubikey PIV applet factory reset Warning: This step will erase all the keys in the PIV applet on your Yubikey and restore default PIN, PUK and management key. It does not reset the other applets such as FIDO. Install Yubikey Manager CLI (ykman), then reset your PIV applet: $ ykman piv reset -f Resetting PIV data... Success! All PIV data have been cleared from the YubiKey. Your YubiKey now has the default PIN, PUK and Management Key: PIN: 123456 PUK: 12345678 Management Key: 010203040506070801020304050607080102030405060708 Initial setup and age key setup Now that the Yubikey PIV applet is back to factory settings, we want to make some configuration changes:...

Write-up of the Spacial TOTP challenge of Insomni'hack CTF 2023. Official description I sealed my master phassphrase on this device and protected it using my own TOTP algorithm. Can you recover it ? Once ready, come to the organizers desk to validate your solution on the device. (No connection to the device allowed) We are given a challenge.elf file. Exploration The challenge.elf file First, let’s confirm it is an ELF file: $ file challenge.elf challenge.elf: ELF 32-bit LSB executable, Tensilica Xtensa, version 1 (SYSV), statically linked, with debug_info, not stripped We note that it is not stripped and includes debug information....

Write-up of the ESPMyAdmin of Insomni'hack Teaser CTF 2023. Official description The only prototype of our brand new IoT device was stolen with the laptop containing the application source code… ;( And of course we had no backup ;( ;( For some reasons, the device is still online here, can you help us recover the secret value ? All we can provide is this logic analyzer capture. We are given a capture.dsl file and a URL https://espmyadmin.insomnihack.ch/. Exploration Web service We open https://espmyadmin....

Write-up of the Tuya challenge of CTF Qualifiers for Team Europe Candidates 2023. Official description This is a network forensic challenge. Please analyze the provided network dump. During a forensics mission, CERT was able to identify suspicious traffic from a specific laptop. In fact, by investigating the laptop, it seems that it was compromised and a popular script was used in order to configure Tuya devices inside the internal network. Can you exfiltrate the SSID and password? We are given a network capture trace TuyaDevice....

Write-up of the Engraver challenge of GoogleCTF 2022. Official description You can see pictures of a robot arm laser engraver attached. Can you figure out what it is engraving? Note: the flag should be entered all in upper case. It contains underscores but does not contain dashes. Good luck! We are given a ZIP file containing engraver.pcapng, robot.jpg and robot_engraving.jpg robot_engraving.jpg showing a 6-axis robot drawing G letter with a laser pointer Exploration USB capture Let’s start by opening engraver....

Write-up of the Weather challenge of GoogleCTF 2022. Official description Our DYI Weather Station is fully secure! No, really! Why are you laughing?! OK, to prove it we’re going to put a flag in the internal ROM, give you the source code, datasheet, and network access to the interface. We are given a ZIP file containing Device Datasheet Snippets.pdf and firmware.c. We are also given a server host and port: weather.2022.ctfcompetition.com:1337. Exploration Datasheet snippets Let’s start by reading the datasheet snippets Device Datasheet Snippets....

Write-up of the Myster Mask side-channel analysis challenge of French Cybersecurity Challenge 2022. Official description You will have to analyze the consumption traces of an early implementation of the AES made by Myster Mask. Will you be able to exploit these traces to make the difference? The part to target corresponds to the inversion step in the calculation of the S-box in the first round of the AES. Only this step is implemented, it is not necessary to know the AES since this challenge is specifically focused on the inversion step....

Write-up of the Secure Green Server fault injection challenge of French Cybersecurity Challenge 2022. Official description The MegaSecure company provides a secure server allowing users to compute operations while controlling its energy consumption. The server allows to execute commands in a secure way. Indeed, it relies on a secure element in order to verify the signature of any command received before executing it. The Python code equivalent to the signature process is: 1 2 def sign(self, m): return pow(int(sha256(m), 16), self.d, self.N) and the verification process is equivalent to:...