2022 Hacky Holidays: Unlock the City CTF — Location Analysis

Allen Butler
Maveris Labs
Jul 28, 2022

This post is a write-up of my method for solving the Location Analysis challenge during the 2022 Hacky Holidays: Unlock the City CTF. The challenge description reads:

We noticed that the AI was breaking in to one of the systems in our research center. The system is used in a lab that is working on self driving cars. You’re tasked to find out the sensitivity of the data that was compromised. Can you find out what the AI was snooping into?

The challenge hint given was:

Can you find out what the AI is doing? The city is almost paralized with fear, every second counts!

And the target provided was: tcp://portal.hackazon.org:17011

This challenge was tagged as #ppc which indicated it was a Professional Programming Challenge.

I enjoyed this challenge because it led me to use new libraries I haven’t used in the past. The challenge provides you access to what is ultimately identified as a Redis server. This can be observed by using Ncat to access the provided target and typing the HELLO command:

_> echo "HELLO" | ncat portal.hackazon.org 17011
*14
$6
server
$5
redis
$7
version
$7
6.9.241
...SNIP...

We can issue the following command to obtain all of the KEYS available in the Redis store:

_> echo "KEYS *" | ncat portal.hackazon.org 17011
...SNIP...
$36
1864b116-1eb0-43ce-9c22-0a885edd8855
$36
634c1025-ff17-45af-9b4d-5d9991639fe3
$36
b9ccd050-9ad2-49e4-a1f4-56a29ded6b4c
$36
c93c1084-ee42-49c6-aadb-3e67133764a7
$36
7af2358d-fce2-4c33-93ef-c5e52467ba28
$36
e2aa28d5-4f4f-47f2-a723-726e63e68e3b
$5
_flag
...SNIP...

Approximately 1002 keys are found in the Redis Store. Filtering through the keys, two unique ones can be found: _welcome and _flag.

The content of _flag is actually the answer to the first part of the Location Analysis challenge and can be obtained by running:

GET _flag
CTF{DGErbbodqEeHQhjeDs8g}

I wanted to focus more on the second part of this challenge though, as it is much more interesting. In the hint of the challenge, this sentence stands out:

every second counts!

With the help of @ruddawg26, I was made aware of the Redis MONITOR command, which outputs every command processed by the Redis server. This command showed that keys with the same GUID format displayed earlier were being written constantly, with a JSON payload that contained a number_plate, longitude, and latitude key set:

The values at first glance appear to be random, but my gut told me that the keys were actually being repeatedly written to, with new values. So in order to test my theory, I wrote a small NodeJS program to connect to the target Redis server, start Monitor mode, then capture and save the results of each JSON payload into a dictionary with every new value appended to a sub array.

NPM has the redis package to interface with Redis, but more recent versions of redis do not include .monitor() functionality, nor do they emit monitor events to capture and respond to, so I opted for version redis@3:

npm i redis@3

I wrote the following code to connect to the target, capture Monitor events from it, and save them off as JSON to output.json:

This program helped me capture the data necessary to see that multiple writes to the same keys were indeed happening, with slightly adjusted values to the latitude and longitude fields:

[Image: an excerpt of the output.json file]

At first glance, it appears that each key was only written to once, but by parsing the output.json file using jq, I was able to confirm that some keys were written to more than once:

jq '. | to_entries[] | {key: .key, valueLength: (.value | length)} | select(.valueLength > 1)' output.json

[Image: an example of an object that had more than one write to it]
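
The capture-and-group step and the jq check described above, as an added example that is not the author's original program: it parses raw MONITOR lines, collects each JSON payload under its key, and lists the keys written more than once. The sample lines are constructed, and treating SET as the write command is an assumption.

```javascript
// Added example. Sample lines are constructed: plates, coordinates, timestamps
// and client addresses are made up; SET as the write command is an assumption.
const SAMPLE_MONITOR_LINES = [
  '+OK',
  '+1658966400.100001 [0 10.0.0.5:40112] "SET" "1864b116-1eb0-43ce-9c22-0a885edd8855" "{\\"number_plate\\":\\"AB-123-C\\",\\"longitude\\":4.8952,\\"latitude\\":52.3702}"',
  '+1658966400.300002 [0 10.0.0.5:40112] "SET" "634c1025-ff17-45af-9b4d-5d9991639fe3" "{\\"number_plate\\":\\"XY-987-Z\\",\\"longitude\\":5.1214,\\"latitude\\":52.0907}"',
  '+1658966400.500003 [0 10.0.0.9:51820] "GET" "_welcome"',
  '+1658966401.100004 [0 10.0.0.5:40112] "SET" "1864b116-1eb0-43ce-9c22-0a885edd8855" "{\\"number_plate\\":\\"AB-123-C\\",\\"longitude\\":4.8961,\\"latitude\\":52.3709}"',
  '+1658966401.200005 [0 10.0.0.5:40112] "SET" "scratch" "not json"',
];

const ESCAPES = { n: '\n', r: '\r', t: '\t', a: '\x07', b: '\b' };

// Parse one MONITOR line: timestamp [db client] "cmd" "arg" ...
// Returns null for anything else, such as the initial +OK.
function parseMonitorLine(line) {
  const m = /^\+?(\d+\.\d+) \[(\d+) ([^\]]+)\] (.*)$/.exec(line.trim());
  if (!m) return null;
  const args = [];
  const argRe = /"((?:[^"\\]|\\.)*)"/g;
  for (let a; (a = argRe.exec(m[4])) !== null;) {
    // Undo Redis's quoting: \xNN bytes, \n \r \t \a \b, and \" or \\.
    args.push(a[1].replace(/\\x([0-9a-fA-F]{2})|\\(.)/g, (_, hex, ch) =>
      hex ? String.fromCharCode(parseInt(hex, 16)) : (ch in ESCAPES ? ESCAPES[ch] : ch)));
  }
  return { time: Number(m[1]), db: Number(m[2]), client: m[3], args };
}

// Group every JSON payload written by SET under its key, in arrival order.
// A Map is used because key names come from the server and are untrusted.
function groupWrites(lines) {
  const writes = new Map();
  for (const line of lines) {
    const ev = parseMonitorLine(line);
    if (!ev || ev.args.length < 3 || ev.args[0].toUpperCase() !== 'SET') continue;
    let payload;
    try { payload = JSON.parse(ev.args[2]); } catch (e) { continue; }
    if (payload === null || typeof payload !== 'object') continue;
    if (!writes.has(ev.args[1])) writes.set(ev.args[1], []);
    writes.get(ev.args[1]).push(payload);
  }
  return writes;
}

// Same question the jq filter asks: which keys were written more than once?
function rewrittenKeys(writes) {
  return [...writes].filter(([, v]) => v.length > 1)
    .map(([key, v]) => ({ key, valueLength: v.length }));
}

console.log(rewrittenKeys(groupWrites(SAMPLE_MONITOR_LINES)));
```
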

At first, I wasn’t too sure about what would come next, then I recalled the challenge description:

…The system is used in a lab that is working on self driving cars…

It became apparent that I should try plotting the coordinates on a graph to see if they would reveal a message, as if the “self driving cars” were being controlled to move to specific points. To do so, I wrote a small Python program which would load the output.json file and graph each coordinate with a unique color for the key using Matplotlib:

The output of which rendered the following image:

And after zooming in to the cluster of points on the right, the flag was revealed!

This challenge was pretty fun to figure out and I learned a little more about Redis and even got to play with Matplotlib which was something I had known about but never had a good use-case to try.

Maveris is an IT and cybersecurity company committed to helping organizations create secure digital solutions to accelerate their mission. We are Veteran-owned and proud to serve customers across the Federal Government and private sector. Maveris Labs is a space for employees and customers to ask and explore answers to their burning “what if…” questions and to expand the limits of what is possible in IT and cybersecurity. To learn more, go to maveris.com/#maveris-labs.
