Ph0wn CTF 2018 — Blood Glucose Sensor, Save the Factory & Track the Hacker Write-ups

Rida IDIL
Published in Rtone IoT Security
Dec 26, 2018

Introduction

Ph0wn is a CTF dedicated to IoT and embedded smart devices. The 2018 edition (the second one) took place on December 14th from 6pm to 2am in Sophia Antipolis (France).

Challenge I: Blood Glucose Sensor

Before inspecting the code of the Android application ph0wn-glucose.apk, we can read the application's logs to see what the device is doing. First we find its process:

bullhead:/ # ps | grep ph0wn
u0_a97    30768 3733  1590608 47468 SyS_epoll_ 74fbf97af4 S ph0wn.ctf.glucosesensor
bullhead:/ #

With the Android Debug Bridge (adb) we can attach to the process «ph0wn.ctf.glucosesensor» and print its log output to the screen:

$ adb logcat --pid=`adb shell pidof ph0wn.ctf.glucosesensor`

The hints:

  • The mobile application is an MQTT client.
  • The application tries to connect to the MQTT server «tcp://35.241.233.30:1883» with the credentials user:expert.
  • The client subscribes to three MQTT topics: «ph0wn18/info», «ph0wn18/alert» and «topic=ph0wn18/glucose-level».
  • We need to log in as admin to get higher privileged access.

Exploring the source

Once we have the APK, we just need to extract the code. An APK is just a zip file, so let's have a quick peek inside to see what we can find.

We used jadx (Dex to Java decompiler), a set of command-line and GUI tools that produce Java source code from Android Dex and APK files.

We now have every file from the APK, so we can browse the directories and figure out how the application works.
The first thing you'll notice is a strange base64-looking string: #@----VRFZHFo=@@@-:#@--JkESVQcFBnYUVRRVFFUUUA==#####@

P.S.: We need to remove the three filler characters #, @ and - to get the right Base64 string:
VRFZHFo=:JkESVQcFBnYUVRRVFFUUUA==
So the format of the string is «USER:PASSWORD».

Obviously, decoding the base64 is not enough: the strings are obfuscated, so we need to use the Allatori class to deobfuscate them:

We compile the java code:

$ javac Allatori.java
$ java Allatori

The decoded login credentials:

Now we can connect to the MQTT server as «admin».

With the Glucose team ID and Glucose team key we can decrypt the AES-ECB-128 encrypted token:

Challenge II: Save the factory

OPC-UA is a binary client/server protocol.

OPC Unified Architecture (OPC UA) is a machine-to-machine communication protocol for industrial automation developed by the OPC Foundation. Its distinguishing characteristics are:

1. Focus on communicating with industrial equipment and systems for data collection and control

2. Open — freely available and implementable under GPL 2.0 license [1]

3. Cross-platform — not tied to one operating system or programming language

4. Service-oriented architecture (SOA)

To keep it simple, the Python OPC-UA API offers both a low-level interface to send and receive every UA-defined structure and high-level classes that let you read and write values in the server's nodes, or write a client, in a few lines.

The description says that we have a simple Python OPC-UA script:

  1. It connects to the factory’s server.
  2. It subscribes to notifications of the MainBoard to receive alerts.

The code above browses the node tree (rootNode, subRootNode and subSubRootNode) and prints the node ID and display name of each node:

The node named «BlackBox» has child nodes; each child node holds a DataValue object. A DataValue contains the variable's value (a Variant of string type) together with its source timestamp:

Challenge III: Track the Hacker

This challenge shares the same nodes as the Save the Factory challenge; we previously spotted some nodes whose display name is Text:frg_«Int»:

We read the value of each node named frg_«Int», then:

  • Sort the lines by the numerical index in the node name (frg_0, frg_1, frg_3, ...):

$ sort -n nodes_log.txt

  • Pad each hex value with leading zeros so that every fragment has the same length (8 characters).
  • Transform the hexdump into a binary file and extract its contents with binwalk:

$ echo "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" | xxd -r -p - > tracker.bin
$ binwalk -e tracker.bin
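The reassembly steps above, as an added Python example that is not the write-up's code: it orders the fragments by the integer in frg_<n> (so frg_10 lands after frg_9), zero-pads each value to 8 hex digits, turns the hexdump into bytes like xxd -r -p, and runs a small magic-number scan standing in for binwalk. The log format, the 8-digit fragment width and the signature table are assumptions; the node dump is constructed sample data.

```python
import re
import binascii
import gzip

# Constructed sample of the node dump ("frg_<n> <hex>" per line): fragments are
# out of order and have lost their leading zeros, as the write-up describes.
# Reassembled they form a minimal empty-payload gzip stream (sample data, not
# the CTF's fragments), so the signature scan below has something to find.
SAMPLE_NODES_LOG = """\
frg_3 0
frg_0 1f8b0800
frg_4 0
frg_1 0
frg_2 2ff0300
"""
FRAGMENT_RE = re.compile(r"frg_(\d+)\s+([0-9a-fA-F]+)")
FRAGMENT_HEX_WIDTH = 8  # one 32-bit word per fragment (assumed, per the write-up)

def parse_fragments(log_text):
    """Map fragment index -> hex value for every 'frg_<n> <hex>' line."""
    frags = {}
    for line in log_text.splitlines():
        m = FRAGMENT_RE.search(line)
        if m:
            frags[int(m.group(1))] = m.group(2).lower()
    return frags

def reassemble(log_text):
    """Order fragments by integer index, zero-pad each to 8 hex digits and
    return (hexdump, raw_bytes); a gap in the indices raises instead of
    silently shifting every later byte."""
    frags = parse_fragments(log_text)
    missing = sorted(set(range(len(frags))) - set(frags))
    if missing:
        raise ValueError(f"missing fragments: {missing}")
    hexdump = "".join(frags[i].zfill(FRAGMENT_HEX_WIDTH) for i in range(len(frags)))
    return hexdump, binascii.unhexlify(hexdump)

# Tiny signature table standing in for binwalk's scan (a constructed subset).
SIGNATURES = {b"\x1f\x8b\x08": "gzip", b"PK\x03\x04": "zip",
              b"\x7fELF": "elf", b"\x89PNG\r\n\x1a\n": "png"}

def scan_signatures(data):
    """Return [(offset, name)] for the first occurrence of each known magic."""
    return sorted((data.find(m), n) for m, n in SIGNATURES.items() if m in data)

def gzip_payload(data, offset=0):
    """Decompress the gzip member at offset (what 'binwalk -e' would carve out)."""
    return gzip.decompress(data[offset:])
```

Running reassemble(SAMPLE_NODES_LOG) yields the 20-byte blob that scan_signatures reports as gzip at offset 0, and gzip_payload confirms it inflates cleanly.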
