Posts

Write-up of the Spacial TOTP challenge of Insomni'hack CTF 2023. Official description I sealed my master phassphrase on this device and protected it using my own TOTP algorithm. Can you recover it ? Once ready, come to the organizers desk to validate your solution on the device. (No connection to the device allowed) We are given a challenge.elf file. Exploration The challenge.elf file First, let’s confirm it is an ELF file: $ file challenge.elf challenge.elf: ELF 32-bit LSB executable, Tensilica Xtensa, version 1 (SYSV), statically linked, with debug_info, not stripped We note that it is not stripped and includes debug information....

Write-up of the ESPMyAdmin of Insomni'hack Teaser CTF 2023. Official description The only prototype of our brand new IoT device was stolen with the laptop containing the application source code… ;( And of course we had no backup ;( ;( For some reasons, the device is still online here, can you help us recover the secret value ? All we can provide is this logic analyzer capture. We are given a capture.dsl file and a URL https://espmyadmin.insomnihack.ch/. Exploration Web service We open https://espmyadmin....

Write-up of the Tuya challenge of CTF Qualifiers for Team Europe Candidates 2023. Official description This is a network forensic challenge. Please analyze the provided network dump. During a forensics mission, CERT was able to identify suspicious traffic from a specific laptop. In fact, by investigating the laptop, it seems that it was compromised and a popular script was used in order to configure Tuya devices inside the internal network. Can you exfiltrate the SSID and password? We are given a network capture trace TuyaDevice....

Write-up of the Engraver challenge of GoogleCTF 2022. Official description You can see pictures of a robot arm laser engraver attached. Can you figure out what it is engraving? Note: the flag should be entered all in upper case. It contains underscores but does not contain dashes. Good luck! We are given a ZIP file containing engraver.pcapng, robot.jpg and robot_engraving.jpg robot_engraving.jpg showing a 6-axis robot drawing G letter with a laser pointer Exploration USB capture Let’s start by opening engraver....

Write-up of the Weather challenge of GoogleCTF 2022. Official description Our DYI Weather Station is fully secure! No, really! Why are you laughing?! OK, to prove it we’re going to put a flag in the internal ROM, give you the source code, datasheet, and network access to the interface. We are given a ZIP file containing Device Datasheet Snippets.pdf and firmware.c. We are also given a server host and port: weather.2022.ctfcompetition.com:1337. Exploration Datasheet snippets Let’s start by reading the datasheet snippets Device Datasheet Snippets....

Write-up of the Myster Mask side-channel analysis challenge of French Cybersecurity Challenge 2022. Official description You will have to analyze the consumption traces of an early implementation of the AES made by Myster Mask. Will you be able to exploit these traces to make the difference? The part to target corresponds to the inversion step in the calculation of the S-box in the first round of the AES. Only this step is implemented, it is not necessary to know the AES since this challenge is specifically focused on the inversion step....

Write-up of the Secure Green Server fault injection challenge of French Cybersecurity Challenge 2022. Official description The MegaSecure company provides a secure server allowing users to compute operations while controlling its energy consumption. The server allows to execute commands in a secure way. Indeed, it relies on a secure element in order to verify the signature of any command received before executing it. The Python code equivalent to the signature process is: 1 2 def sign(self, m): return pow(int(sha256(m), 16), self.d, self.N) and the verification process is equivalent to:...

Write-up of the X-Factor challenge of French Cybersecurity Challenge 2022. Official description You have been asked by a client to recover top secret data from a competing company. You have tried several approaches to find vulnerabilities on the exposed servers, which unfortunately proved unsuccessful: the company’s servers look solid and well protected. Physical intrusion into the premises seems complex given all the necessary access badges and surveillance cameras. One possibility lies in the remote access that the company’s employees have to their collaborative work portal: access to it is done via two authentication factors, a password as well as a physical token to plug into the USB with biometric fingerprint recognition....

How to recover calendars from a OwnCloud database dump. I had to recover someone’s calendars from an OwnCloud SQL dump. I will detail the steps I went through in this post. Export CalDav calendar from SQL dump To explore a large SQL file, here my_database_dump.sql, it is easier to import it as a new database rather than exploring the text file. Here I am using PostgreSQL but it should also work with MySQL or MariaDB. 1 2 sudo -u postgres createdb owncloud_backup sudo -u postgres psql owncloud_backup < my_database_dump....

This article details how to display Unifi access points metrics on a Grafana Worldmap. I have been working on deploying and setting up a new monitoring stack for Crans network organisation. We switched from Munin and Icinga2 to Prometheus paired with Grafana dashboards. Using Prometheus SNMP1 exporter, this new monitoring stack can collect metrics from all of our Unifi WiFi access point. This article describes a minimal setup that display Unifi metrics onto a Grafana Worldmap panel. What components will be used Unifi Controller: the official controller to provision and monitor Unifi access points, Prometheus: time-series database, Prometheus SNMP exporter: a Prometheus exporter collecting metrics from SNMP, Grafana: a tool to create dashboards to analyse Prometheus metrics....