How I Solve Backdoor Pi – Kaspersky CTF 2017

300. Backdoor Pi

We are doing a project for a school competition in which we need to use a Raspberry Pi to make an IOT prototype. We received SD cards from the professor, and because we lost ours we asked another group to give us a copy of their card. I know it’s been modified because the original hash doesn’t match. Could you please investigate and tell me if everything is ok? Here are some parts of the file system:

FLAG FORMAT: KLCTF{flag}

download this file: https://s3.eu-central-1.amazonaws.com/klctf/fs.zip


First of all I downloaded the zip file and extracted it on my Kali box. It was a backup of a Linux-based OS, so I started by reading the .bash_history file.

As you can see, there are some interesting details in that file:

Old username: U_n33d_th3_fl4g (this one was deleted)

New username: b4ckd00r_us3r

From the challenge description I guessed there might be a cron task, so I checked.

I found something interesting in /var/spool/cron/crontabs/b4ckd00r_us3r

Let's see what happens there.

Oops, it was compiled.

Checking what kind of file /bin/back is shows that it is a Python 2.7 byte-compiled file, so I searched for a tool to decompile it.

I was able to decompile the code using uncompyle2 from GitHub:

https://github.com/wibiti/uncompyle2

    import sys
    import os
    import time
    from flask import Flask
    from flask import request
    from flask import abort
    import hashlib

    def check_creds(user, pincode):
        # Only PINs of at most 8 digits are accepted, so the search space is 10^8
        if len(pincode) <= 8 and pincode.isdigit():
            val = '{}:{}'.format(user, pincode)
            # Python 2: sha256() takes the str directly, no encoding step
            key = hashlib.sha256(val).hexdigest()
            if key == '34c05015de48ef10309963543b4a347b5d3d20bbe2ed462cf226b1cc8fff222e':
                return 'Congr4ts, you found the b@ckd00r. The fl4g is simply : {}:{}'.format(user, pincode)
        return abort(404)

    app = Flask(__name__)

    @app.route('/')
    def hello():
        return '<h1>HOME</h1>'

    @app.route('/backdoor')
    def backdoor():
        # Credentials arrive as query parameters: /backdoor?user=...&pincode=...
        user = request.args.get('user')
        pincode = request.args.get('pincode')
        return check_creds(user, pincode)

    if __name__ == '__main__':
        # The backdoor listens on all interfaces, TCP port 3333
        app.run(threaded=True, host='0.0.0.0', port=3333)

According to the Python code the flag has the form user:pincode, where the pincode is at most 8 digits (0 to 99999999). I already knew the username, so I wrote a simple Python 3 script to brute-force the pin.

    import hashlib

    # Try every pincode from 0 to 99999999 (at most 8 digits, as the backdoor requires)
    for x in range(100000000):
        pincode = x
        user = 'b4ckd00r_us3r'
        val = user + ":" + str(pincode)
        val = val.encode('utf-8')  # Python 3: sha256() needs bytes, not str
        key = hashlib.sha256(val).hexdigest()
        if key == '34c05015de48ef10309963543b4a347b5d3d20bbe2ed462cf226b1cc8fff222e':
            print('Congr4ts, you found the b@ckd00r. The fl4g is simply : {}:{}'.format(user, pincode))
            exit()
        else:
            print(x)

After a few minutes my script found the pincode.

So the flag was:

KLCTF{b4ckd00r_us3r:12171337}
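A cron entry that launches a byte-compiled file parked in /bin is exactly what a defender would want to catch automatically when auditing an SD-card image like this one. The following is an added example of mine, not code from the writeup: it parses a user crontab, resolves each command against an extracted filesystem root and flags targets that begin with a CPython .pyc magic number. The crontab line and the mini filesystem it scans are constructed here, since the page only shows the real ones as screenshots.

```python
import importlib.util
import os
import tempfile

# First four bytes of a .pyc file. 2.7 is the version found on the page;
# the running interpreter's magic is added so Python 3 bytecode is caught too.
PYC_MAGICS = {b"\x03\xf3\r\n": "python2.7"}
PYC_MAGICS[importlib.util.MAGIC_NUMBER] = "python3 (this interpreter)"


def bytecode_kind(path):
    """Return the interpreter name if path starts with a known .pyc magic, else None."""
    try:
        with open(path, "rb") as f:
            return PYC_MAGICS.get(f.read(4))
    except OSError:
        return None


def command_path(entry):
    """Extract the executable from one user crontab line, or None for non-job lines."""
    fields = entry.strip().split()
    if not fields or fields[0].startswith("#") or "=" in fields[0]:
        return None  # blank line, comment or environment assignment (SHELL=/bin/sh)
    n = 1 if fields[0].startswith("@") else 5  # @reboot-style vs five time fields
    return fields[n] if len(fields) > n else None


def suspicious_cron_entries(crontab_text, root):
    """Flag cron commands whose target is compiled Python hiding without a .pyc extension."""
    findings = []
    for line in crontab_text.splitlines():
        cmd = command_path(line)
        if cmd is None:
            continue
        kind = bytecode_kind(os.path.join(root, cmd.lstrip("/")))
        if kind and not cmd.endswith(".pyc"):
            findings.append((line.strip(), cmd, kind))
    return findings


def demo():
    """Build a constructed mini filesystem and scan a constructed crontab against it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "bin"))
    with open(os.path.join(root, "bin", "back"), "wb") as f:
        f.write(b"\x03\xf3\r\n" + b"\x00" * 4 + b"c\x00\x00\x00")  # fake 2.7 pyc header
    crontab = "SHELL=/bin/sh\n* * * * * /bin/back\n0 3 * * * /usr/bin/find /tmp -delete\n"
    return suspicious_cron_entries(crontab, root)
```

Running demo() reports only the /bin/back entry; the find job is ignored because its target is not Python bytecode.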

Thank You!
