Last week I competed in the UK Cyber Security Challenge, spending 2 days in London on the HMS Belfast. I was fortunate to be part of a great team, including the event’s overall winner Adam Tonks.
Part of the challenge was a hardware badge: we were given “suspicious” items that had been intercepted and asked to find out what they were. Other than the USB port and central chip, the next thing I noticed was the five gold pads in the middle of the board. Because I tinker with embedded systems, I thought they looked a lot like a serial debug port. In fact I don’t think they are a serial port any more, but a serial port is a good clue. There is a row of 8 LEDs labelled LED1-8 which become important at the end of the puzzle.
When you plug the device in, a slew of USB entries appear in dmesg; the key lines are the Manufacturer line, the ttyACM0 line and the lines attaching the removable SCSI disk. The first tells you the USB device is made by Freescale, who make ARM chips (tiny computers). The ttyACM0 serial device and the removable SCSI disk are the two interfaces we’ll use to explore the badge in more detail.
usb 1-4.1.2: new full-speed USB device number 39 using ehci-pci
usb 1-4.1.2: New USB device found, idVendor=15a2, idProduct=0800
usb 1-4.1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
usb 1-4.1.2: Product: MSD_CDC DEVICE
usb 1-4.1.2: Manufacturer: FREESCALE SEMICONDUCTOR INC.
cdc_acm 1-4.1.2:1.0: This device cannot do calls on its own. It is not a modem.
cdc_acm 1-4.1.2:1.0: ttyACM0: USB ACM device
usb-storage 1-4.1.2:1.2: USB Mass Storage device detected
scsi20 : usb-storage 1-4.1.2:1.2
scsi 20:0:0:0: Direct-Access     FSL SEMI FSL MASS STORAGE 0001 PQ: 0 ANSI: 4
sd 20:0:0:0: Attached scsi generic sg6 type 0
sd 20:0:0:0: [sdf] 8 512-byte logical blocks: (4.09 kB/4.00 KiB)
sd 20:0:0:0: [sdf] Write Protect is off
sd 20:0:0:0: [sdf] Mode Sense: 00 00 00 00
sd 20:0:0:0: [sdf] Asking for cache data failed
sd 20:0:0:0: [sdf] Assuming drive cache: write through
sd 20:0:0:0: [sdf] Asking for cache data failed
sd 20:0:0:0: [sdf] Assuming drive cache: write through
Dev sdf: unable to read RDB block 8
 sdf: unable to read partition table
sdf: partition table beyond EOD, truncated
sd 20:0:0:0: [sdf] Attached SCSI removable disk
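When triaging an unknown USB device it helps to pull the identifying fields (vendor/product IDs, manufacturer, and which device nodes the kernel created) out of dmesg automatically rather than reading it by eye. The following is an added example, not code from the original write-up; the sample lines are copied from the dmesg output above, and parse_usb_dmesg() is a helper name chosen here.

```python
"""Added example (not part of the original post): extract the fields that
identify a USB device and the nodes it exposes from dmesg text."""
import re

# Sample input: the lines quoted in the post (a subset is enough for the parser).
SAMPLE_DMESG = """\
usb 1-4.1.2: new full-speed USB device number 39 using ehci-pci
usb 1-4.1.2: New USB device found, idVendor=15a2, idProduct=0800
usb 1-4.1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
usb 1-4.1.2: Product: MSD_CDC DEVICE
usb 1-4.1.2: Manufacturer: FREESCALE SEMICONDUCTOR INC.
cdc_acm 1-4.1.2:1.0: ttyACM0: USB ACM device
usb-storage 1-4.1.2:1.2: USB Mass Storage device detected
sd 20:0:0:0: [sdf] 8 512-byte logical blocks: (4.09 kB/4.00 KiB)
sd 20:0:0:0: [sdf] Write Protect is off
sd 20:0:0:0: [sdf] Attached SCSI removable disk
"""

# One regex per field; group 1 is the value we keep.
PATTERNS = {
    "id_vendor":     re.compile(r"idVendor=([0-9a-f]{4})"),
    "id_product":    re.compile(r"idProduct=([0-9a-f]{4})"),
    "manufacturer":  re.compile(r"Manufacturer: (.+)$"),
    "product":       re.compile(r"Product: (.+)$"),
    "serial_tty":    re.compile(r"(ttyACM\d+): USB ACM device"),
    "write_protect": re.compile(r"Write Protect is (on|off)"),
}
# "[sdf] 8 512-byte logical blocks" gives the block device and its size.
BLOCKS_RE = re.compile(r"\[(sd[a-z]+)\] (\d+) (\d+)-byte logical blocks")


def parse_usb_dmesg(text: str) -> dict:
    """Return the triage fields found in `text`; fields not seen are None."""
    info = {key: None for key in PATTERNS}
    info.update({"block_device": None, "size_bytes": None})
    for line in text.splitlines():
        for key, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match:
                info[key] = match.group(1).strip()
        match = BLOCKS_RE.search(line)
        if match:
            info["block_device"] = "/dev/" + match.group(1)
            info["size_bytes"] = int(match.group(2)) * int(match.group(3))
    if info["serial_tty"]:
        info["serial_tty"] = "/dev/" + info["serial_tty"]
    if info["write_protect"] is not None:
        info["write_protect"] = info["write_protect"] == "on"
    return info


if __name__ == "__main__":
    for key, value in parse_usb_dmesg(SAMPLE_DMESG).items():
        print(f"{key:14} {value}")
```

On the badge this reports vendor 15a2 / product 0800, the /dev/ttyACM0 serial node and an 8-block (4096-byte), non-write-protected /dev/sdf, which is exactly the pair of interfaces the rest of the write-up works through.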
First question: what is on the USB serial port?
I normally use screen to access serial ports when I am working with embedded systems; it’s easier to use than minicom, and the -L flag writes a log of the serial session. This is important for forensic and incident response work as it records your artifacts. The number at the end is the serial port speed; the badge is very forgiving of different speeds, but other embedded devices are much less so.
screen -L /dev/ttyACM0 115200
Press return and we get a password prompt, but what’s the password?
Sorry, wrong password. Password:*
We tried various passwords related to our previous investigations but none of them worked.
The next thought was to check the USB mass storage device; the device is tiny, only 4k in size. Mostly the device is just empty space and doesn’t have a filesystem on it, so mounting it doesn’t help. In the heat of the challenge I used strings to “eyeball” the raw contents of the device, but the output of xxd is neater. In the raw dump we found some interesting data.
sudo xxd -a /dev/sdf
0000000: 0000 5365 6375 7265 2070 6173 7377 6f72  ..Secure passwor
0000010: 6420 6469 736b 0000 0000 0000 0000 0000  d disk..........
0000020: 0000 0000 0000 0000 0000 0000 0000 0000  ................
*
0000200: 0053 6563 7572 6520 7061 7373 776f 7264  .Secure password
0000210: 2073 746f 7261 6765 2064 6174 6162 6173   storage databas
0000220: 650d 6164 6d69 6e3a 6e69 6d64 610d 6f70  e.admin:nimda.op
0000230: 6572 6174 6f72 3a62 336c 6661 3574 3233  erator:b3lfa5t23
0000240: 0d00 0000 0000 0000 0000 0000 0000 0000  ................
0000250: 0000 0000 0000 0000 0000 0000 0000 0000  ................
*
0000400: 0053 5550 4552 2053 6563 7572 6520 7061  .SUPER Secure pa
0000410: 7373 776f 7264 2073 746f 7261 6765 2064  ssword storage d
0000420: 6174 6162 6173 650d 0061 6d68 3564 4456  atabase..amh5dDV
0000430: 305a 6d51 3d00 0000 0000 0000 0000 0000  0ZmQ=...........
0000440: 0000 0000 0000 0000 0000 0000 0000 0000  ................
*
0000ff0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
A few plain text passwords, and then what looks to be the inevitable base64 encoded string in the “SUPER Secure password storage database”. Simply use base64 -d to decode the string and we get what could be a password.
echo amh5dDV0ZmQ= | base64 -d
jhyt5tfd
Using this string as the password allows access to a menu; option 1 doesn’t work and option 2 needs a password.
Welcome to your new secure badge token.
Please start initialisation.
1 - - - - - Network test
2 - - - - - Superuser mode
3 - - - - - Logout
>
>1
Sorry, this device does not support this.
1 - - - - - Network test
2 - - - - - Superuser mode
3 - - - - - Logout
>2
Entering enable mode...
Enable password:*
Again we tried a few passwords without success. Adam worked out that you can buffer overflow the menu and get a crash dump from the menu process.
Entering enable mode...
Enable password:***********************************************************************************************************************
main_thread(16788): Oops!
CPU[1]: local_irq_count[0] irqs_running[1]
memory DUMP starting 0x004005
01 7F 8E 9E 8D D0 55 E3 64 62 67 6E 77 00 78 66
6D 41 49 6C 20 6D 65 21 6A 6F 65 6C 40 62 2E 63
6F 6D FF 00 FF 00 FF 00
Another leap of Adam’s led to translating the hex dump into binary using perl, and decoding the resulting binary with xxd. This gave more text: an easter egg left by the designer of the puzzle, Joel from BT, and a null-terminated string of 5 characters; let’s see if it is a password. The 5-character string is the dbgnw in the xxd output, the bytes 64 62 67 6E 77 followed by a 00 terminator.
perl -E'print pack "H*","017F8E9E8DD055E36462676E770078666D41496C206D65216A6F656C40622E636F6DFF00FF00FF00"' | xxd
0000000: 017f 8e9e 8dd0 55e3 6462 676e 7700 7866  ......U.dbgnw.xf
0000010: 6d41 496c 206d 6521 6a6f 656c 4062 2e63  mAIl me!joel@b.c
0000020: 6f6d ff00 ff00 ff00                      om......
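Both of the data-recovery steps above (the strings/xxd pass over the 4k mass-storage image with its base64 record, and the perl pack "H*" conversion of the crash-dump hex followed by xxd) are the same job: turn raw bytes into the printable runs a person would otherwise eyeball. The following is an added example, not code from the original write-up; it rebuilds the disk image from the xxd dump shown earlier and embeds the crash-dump hex as constants, and the function names are choices made here. It generalises the manual steps slightly by scanning every printable run rather than one known offset.

```python
"""Added example (not part of the original post): a strings(1)-style scanner
for the badge's two byte sources, with base64 detection and NUL-termination
tracking so the interesting records stand out."""
import base64
import binascii
import re


def build_disk_image() -> bytes:
    """Reconstruct /dev/sdf from the xxd output in the post (same offsets)."""
    img = bytearray(0x1000)  # 8 x 512-byte blocks, mostly zero
    records = {
        0x000: b"\x00\x00Secure password disk",
        0x200: b"\x00Secure password storage database\r"
               b"admin:nimda\roperator:b3lfa5t23\r",
        0x400: b"\x00SUPER Secure password storage database\r"
               b"\x00amh5dDV0ZmQ=",
    }
    for offset, data in records.items():
        img[offset:offset + len(data)] = data
    return bytes(img)


# The hex bytes from the "memory DUMP" line of the crash output.
CRASH_DUMP_HEX = (
    "01 7F 8E 9E 8D D0 55 E3 64 62 67 6E 77 00 78 66 "
    "6D 41 49 6C 20 6D 65 21 6A 6F 65 6C 40 62 2E 63 "
    "6F 6D FF 00 FF 00 FF 00"
)


def printable_runs(blob: bytes, min_len: int = 4):
    """Yield (offset, text, nul_terminated) for each run of printable ASCII."""
    for match in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        end = match.end()
        nul_terminated = end < len(blob) and blob[end] == 0
        yield match.start(), match.group().decode("ascii"), nul_terminated


def try_base64(text: str):
    """Return the decoded text if `text` is well-formed base64 of printable ASCII."""
    if len(text) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", text):
        return None
    try:
        raw = base64.b64decode(text, validate=True)
    except binascii.Error:
        return None
    if raw and all(0x20 <= b < 0x7f for b in raw):
        return raw.decode("ascii")
    return None


def recover_credentials() -> dict:
    """Scan both sources and collect what a reviewer would flag."""
    found = {"disk_strings": [], "decoded_base64": [], "nul_terminated": []}
    for _, text, _ in printable_runs(build_disk_image()):
        found["disk_strings"].append(text)
        decoded = try_base64(text)
        if decoded is not None:
            found["decoded_base64"].append((text, decoded))
    # bytes.fromhex ignores the spaces, doing what pack "H*" did in the post.
    for _, text, nul in printable_runs(bytes.fromhex(CRASH_DUMP_HEX)):
        if nul:  # the password is the only NUL-terminated run in the dump
            found["nul_terminated"].append(text)
    return found


if __name__ == "__main__":
    for key, value in recover_credentials().items():
        print(key, value)
```

The base64 check deliberately requires a length that is a multiple of four and a printable result, so short plaintext records such as admin:nimda are not mistaken for encoded data; the NUL-termination flag is what separates the 5-character password from the easter-egg text that is followed by 0xFF instead.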
The string found in the crash dump does indeed allow access to the final menu, which lets us find the badge’s key.
Password:**
Welcome to your new secure badge token.
Please start initialisation.
1 - - - - - Network test
2 - - - - - Superuser mode
3 - - - - - Logout
>2
Entering enable mode...
Enable password:**
1 - - - - - Debug optical network
2 - - - - - Logout
>
How the badge sends the key is the most fun part, I think: when you debug the optical network the badge flashes the 8 LEDs on the side of the badge. Again Adam spotted that if you transcribe them as binary the first 2 characters are PW, followed by 4 random characters which are the badge’s “ultimate” password.
1 - - - - - Debug optical network
2 - - - - - Logout
>1
transmitting key... Format: PW<key>
1 - - - - - Debug optical network
2 - - - - - Logout
>
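Transcribing the LEDs is one byte per frame, one bit per LED, but the post does not say whether LED1 is the most or least significant bit, and getting that wrong turns PW into control characters. The following is an added example, not code from the original write-up: it decodes a transcript in both bit orders and keeps the one that produces the documented PW prefix. The frames in SAMPLE_FRAMES are constructed for illustration and do not encode the real badge key.

```python
"""Added example (not part of the original post): decode a hand-written
8-LED transcript into the PW<key> string, resolving the bit-order ambiguity."""

# Constructed transcript: one line per frame, LED1 first, 'X' = lit, '.' = dark.
# Written as if LED1 were the least significant bit.
SAMPLE_FRAMES = [
    "....X.X.",
    "XXX.X.X.",
    "XX.X.XX.",
    "X..XXX..",
    ".XX...X.",
    "X...XXX.",
]


def frame_to_byte(frame: str, led1_is_msb: bool) -> int:
    """Convert one 8-LED frame into a byte value, checking the transcript shape."""
    if len(frame) != 8 or set(frame) - {"X", "."}:
        raise ValueError(f"bad frame {frame!r}: need exactly 8 characters of X or .")
    bits = "".join("1" if c == "X" else "0" for c in frame)
    if not led1_is_msb:
        bits = bits[::-1]  # LED1 is the low bit, so reverse before reading
    return int(bits, 2)


def decode_frames(frames, led1_is_msb: bool = True) -> str:
    """Decode a whole transcript under one assumed bit order."""
    return "".join(chr(frame_to_byte(f, led1_is_msb)) for f in frames)


def decode_key(frames) -> dict:
    """Try both bit orders; the Format: PW<key> banner tells us which is right."""
    for led1_is_msb in (True, False):
        text = decode_frames(frames, led1_is_msb)
        if text.startswith("PW") and all(0x20 <= ord(c) < 0x7f for c in text):
            return {"bit_order": "LED1=MSB" if led1_is_msb else "LED1=LSB",
                    "key": text[2:]}
    raise ValueError("neither bit order yields the PW<key> format; re-check the transcript")


if __name__ == "__main__":
    print(decode_key(SAMPLE_FRAMES))
```

With a real transcript, a ValueError from decode_key() almost always means a frame was mis-copied or the LED order was reversed mid-way, so the shape check in frame_to_byte() is there to catch the typo before the bit-order search runs.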
I’ve uploaded a video of my badge transmitting its key, see if you can decode it.