How I Solve Backdoor Pi – Kaspersky CTF 2017

300. Backdoor Pi

We are doing an project for a school competition in which we need to use a Raspberry Pi to make an IOT prototype. We received SD cards from the professor, and because we lost ours we asked another group to give us a copy of their card, I know it’s been modified because the original hash doesn’t match. Could you please investigate and tell me if everything is ok? Here is some parts of the file system:


download this file:

Screenshot from 2017-10-12 11-41-33

First of all I downloaded the zip file and extracted on my Kali Box. It was a backup of linux based OS. So I started my steps by reading the .bash_history file.

As you can see there are some interesting details on that file.

Old Username:~ U_n33d_th3_fl4g

this one was deleted

New Username:~ b4ckd00r_us3r

by reading the description I was able to  guess there may have any cron task. So, I checked.

I found something interested in /var/spool/cron/crontabs/b4ckd00r_us3r

2Lets see what happens there.


OPS. It was compiled.

By checking what kind of file /bin/back is we can see it was a python 2.7 byte-compiled file. so I used google to find out a tool to decompile this file.

However I was able to decompile the code using a tool on github.

import sys
import os
import time
from flask import Flask
from flask import request
from flask import abort
import hashlib

def check_creds(user, pincode):
if len(pincode) <= 8 and pincode.isdigit():
val = ‘{}:{}’.format(user, pincode)
key = hashlib.sha256(val).hexdigest()
if key == ’34c05015de48ef10309963543b4a347b5d3d20bbe2ed462cf226b1cc8fff222e’:
return ‘Congr4ts, you found the b@ckd00r. The fl4g is simply : {}:{}’.format(user, pincode)
return abort(404)


app = Flask(__name__)

def hello():
return ‘<h1>HOME</h1>’

def backdoor():
user = request.args.get(‘user’)
pincode = request.args.get(‘pincode’)
return check_creds(user, pincode)


if __name__ == ‘__main__’:, host=’′, port=3333)

According to the python code the flag should be like user:pincode and the pin code range is 0 to 99999999. I know the username and then I made a simple python3 script to brute-force the pin.

import hashlib

for x in range(100000000):
val = user + “:” +str(pincode)
val = val.encode(‘utf-8′)
key = hashlib.sha256(val).hexdigest()
if key == ’34c05015de48ef10309963543b4a347b5d3d20bbe2ed462cf226b1cc8fff222e’:
print(‘Congr4ts, you found the b@ckd00r. The fl4g is simply : {}:{}’.format(user, pincode))

After few minutes My script was able to find the pincode.


So the flag was:~


Thank You!


4 thoughts on “How I Solve Backdoor Pi – Kaspersky CTF 2017

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s