HF 2013 War Game - Missile launchers write-up


Setup


Here’s an overview of what was used for this challenge:

  • 3x USB missile launchers
  • A USB hub with at least 4 USB ports
  • A webcam
  • A Raspberry Pi

image07

The challenge

The idea behind this track was to put in place some physical devices to hack so non-participants could see what’s going on during the war game. It was also an excuse to do some hardware hacking during the year.

Part 1 - Hack the fbi.hf web site

First off, players had to break into the fbi.hf web site by forging their own cookie. They had to AES-encrypt a PIN code with the extremely secure “fbi” key and then forge a checksum based on it. The fbi.hf web site was leaked at the beginning on the cheat sheet (given to every team). Charles could tell you more about the flaw (http://www.hackfest.ca/about-2/collaborators).

Part 2 - Inside the fbi.hf web site

Once logged in, there are two things available:

  • A webcam, displaying a dark string, hard to read (for now)
  • An obfuscated file


image03

So ok cool, we’ve found a flag but we can’t even read it. If you check carefully, you can see a small LED. At this point, you need to find a way to turn it on.

So now let’s dig into the obfuscated file. This file was actually a combination of archiving tools, applied 35 times, just enough to force players to write a script. Here’s the script I used to create the file:

image00

Simply reverse the script to recover a msg.txt file with the following content:


Mail From: [email protected]

Mail To: [email protected]

Subject: Evidence

I've found out this strange shell. Hopefully, it's
fake or a honey pot. I can't believe these guys use so shitty passwords for real
missiles launchers...

Host: ml.hf

User: ml

Pass: ml

Note: There was a shortcut with the black market. It was possible to buy the msg.txt file for 20k$

Note #2: There was a bug in the script so it was not exactly 35 times...
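
An added example, not the author's script (which survives only as an image): a Python script of the kind players needed, peeling one layer at a time by magic bytes until the payload is no longer an archive. The tool set (gzip, bzip2, zip, tar), the function names and the sample produced by build_sample are assumptions, since the write-up does not say which archivers were used.

```python
import bz2, gzip, io, tarfile, zipfile

def peel(blob):
    """Strip one layer, chosen by magic bytes; None if blob is not an archive."""
    if blob[:2] == b"\x1f\x8b":
        return "gzip", gzip.decompress(blob)
    if blob[:3] == b"BZh":
        return "bzip2", bz2.decompress(blob)
    if blob[:4] == b"PK\x03\x04":
        with zipfile.ZipFile(io.BytesIO(blob)) as z:
            return "zip", z.read(z.namelist()[0])
    if blob[257:262] == b"ustar":
        with tarfile.open(fileobj=io.BytesIO(blob)) as t:
            return "tar", t.extractfile(t.getmembers()[0]).read()
    return None

def unwrap(blob, max_layers=100):
    """Peel in memory (nothing is written to disk) until no archive is left."""
    layers = []
    while (step := peel(blob)) is not None:
        tool, blob = step
        layers.append(tool)
        if len(layers) > max_layers:
            raise ValueError("nesting deeper than max_layers")
    return layers, blob

def wrap(tool, blob):
    simple = {"gzip": gzip.compress, "bzip2": bz2.compress}
    if tool in simple:
        return simple[tool](blob)
    buf = io.BytesIO()
    if tool == "zip":
        with zipfile.ZipFile(buf, "w") as z:
            z.writestr("layer", blob)
    else:  # tar
        info = tarfile.TarInfo("layer")
        info.size = len(blob)
        with tarfile.open(fileobj=buf, mode="w") as t:
            t.addfile(info, io.BytesIO(blob))
    return buf.getvalue()

def build_sample(depth=35):
    """Constructed stand-in for the challenge file: (blob, tools in wrap order)."""
    order = [("gzip", "bzip2", "zip", "tar")[i % 4] for i in range(depth)]
    blob = b"constructed sample message\n"
    for tool in order:
        blob = wrap(tool, blob)
    return blob, order
```

Because the loop stops on content rather than on a fixed count, it does not care that the real file was not wrapped exactly 35 times.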

Part 3 - Controlling the missile launchers

So now let’s log into ml.hf with the ml user. We reach an interface that looks like this:

image06

No bash, no sh. A completely custom command line interface. From there, it was possible to move the missile launchers with the md, ml, mr and mu commands, but first players needed to enable them. For example, typing “enable 0” would enable the first missile launcher, and the following commands would be applied to that one.

Also, the fire command was locked. You needed to unlock it, but the unlock command needs a key. Where do we find it?

Remember the LED? The interface also controls the light of the webcam. Typing “light on” turns on the light, and now the message on the webcam is readable.

image02

At this point, we could type the following commands and trigger some missile launches at hackfest city:

enable 0

unlock fire DPQJDUEja43H8Dfhmjaq

[aim at some building]

fire

The Raspberry Pi was able to detect a crash and automatically pop up a flag when a building was hit.

image01