duksctf

Bunch of sec. enthusiasts who sometimes play CTF

Insomni'hack 2019 - INSFS

A serial connection gives access to a basic filesystem. Repairing the filesystem with debug tools and adjusting an offset gives access to protected data.

Description

We developped a brand-new, super modern, secure EEPROM filesystem.

It features things like:

  • Fixed size files !
  • Protected (?) storage space !
  • Debug utilities !
  • Basic commands !
  • Filesystem verification (?)

Our secure©® Technology™ is secret and we are only allowed to give you a black box with some USB cables dangling out of it.

Please come to the hardware challenge table to use our product.

Notes:

The serial speed is 9600 bauds. If the board fails to connect over serial, or the filesystem breaks entirely, disconnect it completely and reconnect it. This resets the challenge. Please use one cable per team.

You should be able to access the device. Please tell if you are not able and we’ll help you out.

You may need CP2102/CP2109 UART Bridge Controller drivers

Author: marc

Details

Points: 500 Category: Hardware

Solution

The hardware itself was hidden in a plastic box, only USB cable were available.

After connecting to the serial port we got the following menu:

$ sudo minicom -D /dev/ttyUSB0
|_   _| \ | |/ ____|  ____/ ____| 
   | | |  \| | (___ | |__ | (___   
   | | | . ` |\___ \|  __| \___ \ 
  _| |_| |\  |____) | |    ____) |
 |_____|_| \_|_____/|_|   |_____/ 
      SUPER SECURE FILE SYSTEM COMMANDS 
(1) ls          - List files
(2) writef      - Write file 
(3) cat         - Get file content
------ Debug tools -----
(4) readmem     - Dumps memory 
(5) writeb      - Write byte 
(6) fschk       - Manually check filesystem

Unfortunately the file system commands were not working properly, only the debug tools. The readmem command gave the following result:

------Memory dump-------
00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 ...
F1 7E 53 69 6D 70 6C 65 4E 6F 74 01 00 80 54 68 69 73 20 69 73 20 61 20 73 69 ...
F1 7E 46 69 6C 65 31 00 00 00 00 01 00 C0 46 69 6C 65 73 79 73 74 65 6D 20 63 ...  
F1 7E 54 6F 6F 6C 73 00 00 00 00 01 01 00 56 61 72 69 6F 75 73 20 66 75 6E 63 ...  
F1 7E 46 69 6C 65 00 00 00 00 00 01 01 40 53 69 6D 70 6C 65 20 66 69 6C 65 73 ...  
F1 7E 4D 6F 6E 69 65 73 00 00 00 01 01 80 47 6F 74 20 6C 69 6B 65 2C 20 35 20 ...  
F1 7E 66 69 6C 65 6E 61 6D 65 00 01 01 C0 57 65 6C 63 6F 6D 65 20 74 6F 20 69 ...  
F1 7E 53 65 63 75 72 65 00 00 00 01 00 00 54 68 69 73 20 73 79 73 74 65 6D 20 ...  
00 00 00 00 00 00 00 00 00 00 00 00 02 40 00 00 00 00 00 00 00 00 00 00 00 00 ...  
F1 7E 54 65 73 74 00 00 00 00 00 00 00 00 54 68 69 73 20 69 73 20 61 20 74 65 ...  
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ... 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ...
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ...
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ...
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ...
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ...
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ...
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ...
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ...
00 00 00 00 00 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 00 00 00 00 00 ...
END OF UNPROTECTED USER DATA...

We copy the dump in a file an we started to interpret the data:

$ hexdump file.bin -C
00000000  00 00 00 00 00 00 00 00  00 00 00 00 00 40 00 00  |.............@..|
00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000040  f1 7e 53 69 6d 70 6c 65  4e 6f 74 01 00 80 54 68  |.~SimpleNot...Th|
00000050  69 73 20 69 73 20 61 20  73 69 6d 70 6c 65 20 6e  |is is a simple n|
00000060  6f 74 65 00 00 00 00 00  00 00 00 00 00 00 00 00  |ote.............|
00000070  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000080  f1 7e 46 69 6c 65 31 00  00 00 00 01 00 c0 46 69  |.~File1.......Fi|
00000090  6c 65 73 79 73 74 65 6d  20 63 68 65 63 6b 73 20  |lesystem checks |
000000a0  69 6d 70 6c 65 6d 65 6e  74 65 64 00 00 00 00 00  |implemented.....|
000000b0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000000c0  f1 7e 54 6f 6f 6c 73 00  00 00 00 01 01 00 56 61  |.~Tools.......Va|
000000d0  72 69 6f 75 73 20 66 75  6e 63 74 69 6f 6e 73 20  |rious functions |
000000e0  61 72 65 20 61 76 61 69  6c 61 62 6c 65 00 00 00  |are available...|
000000f0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000100  f1 7e 46 69 6c 65 00 00  00 00 00 01 01 40 53 69  |.~File.......@Si|
00000110  6d 70 6c 65 20 66 69 6c  65 73 79 73 74 65 6d 00  |mple filesystem.|
00000120  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000140  f1 7e 4d 6f 6e 69 65 73  00 00 00 01 01 80 47 6f  |.~Monies......Go|
00000150  74 20 6c 69 6b 65 2c 20  35 20 6d 6f 6e 69 65 73  |t like, 5 monies|
00000160  20 69 6e 20 74 6f 74 61  6c 00 00 00 00 00 00 00  | in total.......|
00000170  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000180  f1 7e 66 69 6c 65 6e 61  6d 65 00 01 01 c0 57 65  |.~filename....We|
00000190  6c 63 6f 6d 65 20 74 6f  20 69 6e 73 31 39 00 00  |lcome to ins19..|
000001a0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000001c0  f1 7e 53 65 63 75 72 65  00 00 00 01 00 00 54 68  |.~Secure......Th|
000001d0  69 73 20 73 79 73 74 65  6d 20 69 73 20 73 65 63  |is system is sec|
000001e0  75 72 65 20 69 20 73 77  65 61 72 00 00 00 00 00  |ure i swear.....|
000001f0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000200  00 00 00 00 00 00 00 00  00 00 00 00 02 40 00 00  |.............@..|
00000210  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000240  f1 7e 54 65 73 74 00 00  00 00 00 00 00 00 54 68  |.~Test........Th|
00000250  69 73 20 69 73 20 61 20  74 65 73 74 2e 20 44 6f  |is is a test. Do|
00000260  20 6e 6f 74 20 75 73 65  20 69 6e 20 70 72 6f 64  | not use in prod|
00000270  75 63 69 6f 6e 00 00 00  00 00 00 00 00 00 00 00  |ucion...........|
00000280  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000004c0  00 00 00 00 00 00 00 00  00 00 00 00 05 00 00 00  |................|
000004d0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000500

We noticed that each file start with f1 7e the we have a file name on 9 bytes and then a number. For the first file named SimpleNot this number is 0x80 which match the size of the file since the following file starts at address 0x80. For the beginning of the filesystem we have a correct size but no filename. With the writeb command we write the correct header f1 7e at address 0x00 and 0x01 and then the ls command worked:

0x0040 - SimpleNot
0x0080 - File1
0x00C0 - Tools
0x0100 - File
0x0140 - Monies
0x0180 - filename
0x01C0 - Secure

After the file named Secure, the command did not display the following files. We noticed that the size was set to 0. Thus we changed it to 0x500 which is the end of the unprotected data. Then the command ls gives:

0x0040 - SimpleNot
0x0080 - File1
0x00C0 - Tools
0x0100 - File
0x0140 - Monies
0x0180 - filename
0x01C0 - Secure
0x0500 - STOP HERE
0x0540 - NOTHING
0x0580 - TO SEE
0x05C0 - INS{BADF5
0x0600 - _1N53_
0x0640 - CuR3}
0x0680 - 

The flag appears INS{BADF5_1N53_CuR3}

Written on March 22, 2019