HitCON CTF’18 EV3-Basic Challenge Write-Up

So this is my first ever experience of HITCON CTF. Boy, the standard of this CTF was really amazing. I learnt a lot of new things from it. Very educational indeed.

This challenge was one of a kind. I had never seen a challenge like it before. I really had to spend hours working out what the challenge was about, and the learning part was really exciting. So let us get on with the challenge.

Challenge Description:

[Screenshot of the challenge description]

That really is not much of a description. Hehe. So I downloaded the tar file, and when I untarred it I found an image and a ".pklg" file. I quickly went through the image with the usual stego tools (strings, binwalk, etc.) but found nothing.

[Image: ev3_basic, the picture shipped with the challenge]

So this was the image. I thought it was useless at first, but little did I know I would be proved wrong. So let us get to the ".pklg" file. I had never dealt with a file like that before.

Let us open it and see what we have. I am posting a small screenshot of the file here. Please go through it to really get the idea of what I am saying.

[Screenshot of the .pklg capture]

So as you can see, we have a lot of protocols like HCI_CMD, HCI_EVT, etc. I had never heard of these protocols. (HCI_CMD and HCI_EVT are Bluetooth Host Controller Interface commands and events, and a .pklg file is an Apple PacketLogger capture of that Bluetooth traffic, a format Wireshark opens natively.) But going through the packets, say 100-150 of them, I found what this challenge really was. Now the image made sense. Let me explain it clearly.

The capture shows text (the flag) being sent over Bluetooth to the LEGO EV3 brick, to be drawn on the robot's screen.

So all we have to do is find the protocol responsible for carrying the text and drawing it on the device's screen; the .pklg file is simply a log of that traffic. Now began the interesting and learning part, where I googled "ev3" and found a lot of results on the internet. But I had to find the one that suited my needs.

Then I found this GitHub repo which helped me: ev3dev

I immediately cloned this repo and executed the very first command it had in its README, which was

$ wireshark -X lua_script:ev3_dissector.lua ev3_basic.pklg

This opened the same .pklg file, but the difference was that Wireshark was now able to understand the packets sent using the EV3 protocol, and I could look at the data inside them.

Now let us look at what it has. I am only concentrating on the "sent" packets, as these carry the data sent to the LEGO device.

When I sorted the packets by length I found some sort of pattern in them. Take a close look at the images below and you will find the pattern "hit".

[Slideshow of the length-sorted "sent" packets; the highlighted bytes spell "hit"]

We are on the right path now. So I wrote these particular bytes of the "sent" packets down on paper. Luckily, there were only 58. What I obtained was a jumbled flag: there were underscores, letters, numbers, etc. Now, how should I order them?

Now it is time to look deeply into the data of the EV3 protocol. I observed odd characters like '(', 'R', '6', 'D' in all the packets carrying flag characters. I thought that maybe the packets were divided into groups, and that the groups could be identified by these characters.

But there is still one question. How do I know the order of the characters inside these groups? Then I looked at the 23rd byte of each packet that contained a flag character. They were numbered 10, 20, 30 ... 120, etc. for each packet. After much thinking, I realised that these numbers actually indicated the order in which the characters were to be arranged within each group. (An EV3 draw-text command carries an (x, y) screen position, and the group bytes '(' , '6', 'D', 'R' are 40, 54, 68, 82 in decimal, evenly spaced 14 pixels apart, so the most likely reading is that each group byte is the y coordinate of a text row and the 10, 20, 30 ... values are the x coordinate of each character within it.) So, now it just takes five minutes to get the flag.

I’m posting an image from the notebook for those who couldn’t see my point.

[Notebook page: the characters of one group ordered by their position byte]

You can follow a similar procedure for the other groups as well. Hence by doing so, I got four parts of the flag.

‘(’ Group -> hitcon{m1nd5t0rm

‘6’ Group -> _communication_a

‘D’ Group -> nd_firmware_deve

‘R’ Group -> loper_kit}

Just concatenating all these will give us the final flag.

FLAG – hitcon{m1nd5t0rm_communication_and_firmware_developer_kit}
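The grouping and ordering above was done by hand in a notebook. As an added example (my own code, not the author's, and not part of the ev3dev dissector), here is the same reassembly done by a small parser for EV3 direct commands. The framing (length, message counter, command type, variable allocation, bytecodes), the opUI_DRAW/TEXT opcodes and the LC0/LC1/LC2/LCS parameter encodings are assumed from LEGO's EV3 Firmware Developer Kit bytecode documentation; whether the challenge packets used exactly these encodings is an assumption, as is the x/y interpretation of the ordering bytes. The capture is not on the page, so the packets are constructed inline: the 58 one-character draws, four rows 14 px apart, shuffled to mimic the out-of-order "sent" packets. The Bluetooth framing (HCI ACL, L2CAP, RFCOMM) that the dissector strips off is not modelled; on a real capture you would feed the RFCOMM payloads to parse_draw_text.

```python
import random
import struct
from collections import defaultdict

# Byte values assumed from LEGO's EV3 Firmware Developer Kit bytecode spec (not from the write-up).
DIRECT_COMMAND_REPLY, DIRECT_COMMAND_NO_REPLY = 0x00, 0x80
opUI_DRAW = 0x84
UI_DRAW_UPDATE, UI_DRAW_TEXT = 0x00, 0x05
LC1, LC2, LCS = 0x81, 0x82, 0x84   # 1-byte const, 2-byte const, zero-terminated string


def lc(value):
    """Encode an integer as the shortest LC0/LC1/LC2 constant parameter."""
    if -32 <= value <= 31:
        return bytes([value & 0x3F])           # LC0: 6-bit two's complement, bits 7..6 clear
    if -128 <= value <= 127:
        return bytes([LC1]) + struct.pack('<b', value)
    return bytes([LC2]) + struct.pack('<h', value)


def build_draw_text(counter, x, y, text, color=1):
    """Construct one DIRECT_COMMAND_NO_REPLY that draws `text` at (x, y) and refreshes the LCD.
    Layout: length(2, LE, excludes itself) | counter(2) | type(1) | var alloc(2) | bytecodes."""
    code = (bytes([opUI_DRAW, UI_DRAW_TEXT]) + lc(color) + lc(x) + lc(y)
            + bytes([LCS]) + text.encode() + b'\x00'
            + bytes([opUI_DRAW, UI_DRAW_UPDATE]))
    payload = struct.pack('<H', counter) + bytes([DIRECT_COMMAND_NO_REPLY, 0, 0]) + code
    return struct.pack('<H', len(payload)) + payload


def read_param(buf, pos):
    """Decode one LC0/LC1/LC2 constant at buf[pos]; return (value, position after it)."""
    b = buf[pos]
    if b & 0xC0 == 0:                          # LC0 immediate
        v = b & 0x3F
        return (v - 64 if v & 0x20 else v), pos + 1
    if b == LC1:
        return struct.unpack_from('<b', buf, pos + 1)[0], pos + 2
    if b == LC2:
        return struct.unpack_from('<h', buf, pos + 1)[0], pos + 3
    raise ValueError(f'unsupported parameter prefix 0x{b:02x} at offset {pos}')


def parse_draw_text(packet):
    """Return [(x, y, text), ...] for every opUI_DRAW TEXT in one direct-command packet,
    validating the framing so a truncated or foreign packet raises instead of mis-parsing."""
    (length,) = struct.unpack_from('<H', packet, 0)
    if length != len(packet) - 2:
        raise ValueError('length field does not match packet size')
    if packet[4] not in (DIRECT_COMMAND_REPLY, DIRECT_COMMAND_NO_REPLY):
        raise ValueError(f'not a direct command: type 0x{packet[4]:02x}')
    pos, found = 7, []
    while pos < len(packet):
        if packet[pos] != opUI_DRAW:
            raise ValueError(f'unexpected opcode 0x{packet[pos]:02x} at offset {pos}')
        sub, pos = packet[pos + 1], pos + 2
        if sub == UI_DRAW_UPDATE:
            continue
        if sub != UI_DRAW_TEXT:
            raise ValueError(f'unsupported opUI_DRAW subcommand 0x{sub:02x}')
        _color, pos = read_param(packet, pos)
        x, pos = read_param(packet, pos)
        y, pos = read_param(packet, pos)
        if packet[pos] != LCS:
            raise ValueError('expected LCS string after the coordinates')
        end = packet.index(b'\x00', pos + 1)
        found.append((x, y, packet[pos + 1:end].decode()))
        pos = end + 1
    return found


def reassemble(packets):
    """Group drawn text by screen row (y) and order each row by x: the write-up's
    'group by the odd byte, sort by 10/20/30...' step, done by the parser."""
    rows = defaultdict(list)
    for pkt in packets:
        for x, y, text in parse_draw_text(pkt):
            rows[y].append((x, text))
    return {y: ''.join(t for _, t in sorted(cells)) for y, cells in rows.items()}


def constructed_capture(seed=7):
    """Constructed sample (not the real capture): the 58 one-character draws, four rows
    14 px apart, x = 10, 20, ..., shuffled to mimic the out-of-order 'sent' packets."""
    rows = {40: 'hitcon{m1nd5t0rm', 54: '_communication_a',
            68: 'nd_firmware_deve', 82: 'loper_kit}'}
    draws = [(10 * (i + 1), y, ch) for y, row in rows.items() for i, ch in enumerate(row)]
    random.Random(seed).shuffle(draws)
    return [build_draw_text(n, x, y, ch) for n, (x, y, ch) in enumerate(draws)]


def recover_flag(packets=None):
    """Rows top to bottom, concatenated, as the final step of the write-up."""
    rows = reassemble(constructed_capture() if packets is None else packets)
    return ''.join(rows[y] for y in sorted(rows))
```

Calling recover_flag() on the constructed packets returns the flag. The parser refuses anything that is not a direct command with a consistent length field, which is the check you want before trusting bytes pulled out of a capture; the y coordinates need LC1 because they exceed 31, and x = 160 needs LC2, so both encodings get exercised.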

Happy Hacking!!
