I initially settled for capturing packets from their lab of IoT devices for a future post for the I See Dead Packets blog. I did capture a bunch of NetUSB broadcasts along with other protocols, which will lead into a future post.
As for the CTF itself, the network was split into three networks, with the participants directly attached to the initial network. Many of the devices on Networks 2 & 3 had misconfigured gateways, so the only way to reach them was to pivot through another compromised system on that subnet. I've broken the device list down by the networks they were found on, and added links to ISE's case studies (which include exploits).
- TP-Link TL-WR1043ND FLAG: (md5 of /dev/mtdblock1) - 1000 points
- Belkin F5D8236-4v2 FLAG: password hash & settings page screenshot - 1000 points
- Netgear WNR3500Lv2 FLAG: (md5 of /dev/mtd1) - 1000 points
- D-Link DIR-865L FLAG: (md5 of /dev/mtd0) - 1000 points
- Trendnet TEW-812DRU FLAG: (md5 of /dev/mtdblock0) - 1000 points
- Asus RT-AC66U FLAG: (md5 of /dev/mtdblock2) - 1000 points
- Trendnet TN-200 FLAG: (md5 of /dev/mtd0) - 1000 points
- D-Link DNS-345 FLAG: (md5 of /dev/mtd0) - 2000 points
- Seagate SRN02D FLAG: (md5 of /dev/mtd0) - 2000 points
- PogoPlug Mobile FLAG: (md5 of /dev/mtd0) - 2000 points
- Belkin F7D7301v1 FLAG: password hash & settings page screenshot - 2000 points
- Netgear WNDR4700 FLAG: (md5 of /dev/mtd1) - 2000 points
- WD My Cloud EX4 FLAG: (md5 of /dev/mtd0) - 3000 points
- Netgear ReadyNAS FLAG: (md5 of /dev/mtd0) - 3000 points
- Belkin F9K1104v1 FLAG: password hash & settings page screenshot - 3000 points
- Cisco (Linksys EA6500) FLAG: (md5 of /dev/mtdblock0) - 3000 points
Additionally, a host on Network 1 was configured as an admin that would also click any link sent to it, supporting many of the CSRF vulnerabilities discovered by ISE.
Getting admin access to the web interface wasn't enough, as most of the flags required access to the underlying Linux system. The real challenge, I found, wasn't in exploiting the systems, but rather hashing or exfiltrating the file for hashing. Protip: have md5sum/openssl, utelnetd, and uftpd compiled for both ARM and MIPS systems.
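The hashing step above is the same one a forensic analyst performs when checking a flash partition against a known-good image, and embedded BusyBox builds do not always ship md5sum. The following POSIX shell helper is an added example, not code from the original post or from ISE: `mtd_md5` hashes a partition (or any readable file) using whichever of md5sum, openssl, or busybox is present, and `verify_md5` compares the result with an expected value. The `/dev/mtdblock0` path and the expected hash in the usage lines are placeholders, not values from the CTF.

```sh
#!/bin/sh
# Portable MD5 of a flash partition for integrity checks on an embedded system.
# Uses only shell built-ins plus one hashing tool, so it runs on minimal images.

# Print the lowercase hex MD5 of $1 to stdout. Returns 1 if the path is not
# readable and 2 if no hashing tool is available.
mtd_md5() {
    dev="$1"
    [ -r "$dev" ] || { echo "mtd_md5: cannot read $dev" >&2; return 1; }
    if command -v md5sum >/dev/null 2>&1; then
        # md5sum prints "<hash>  <file>"; keep the first word
        set -- $(md5sum "$dev")
        echo "$1"
    elif command -v openssl >/dev/null 2>&1; then
        # openssl prints "MD5(<file>)= <hash>"; keep the last word
        out=$(openssl dgst -md5 "$dev")
        echo "${out##* }"
    elif command -v busybox >/dev/null 2>&1; then
        set -- $(busybox md5sum "$dev")
        echo "$1"
    else
        echo "mtd_md5: no md5sum/openssl/busybox found" >&2
        return 2
    fi
}

# Return 0 when the hash of $1 equals the expected value $2 (case-insensitive).
verify_md5() {
    actual=$(mtd_md5 "$1") || return 1
    expected=$(echo "$2" | tr 'A-Z' 'a-z')
    [ "$actual" = "$expected" ]
}

# Usage (placeholder path and hash, constructed for this example):
#   mtd_md5 /dev/mtdblock0
#   verify_md5 /dev/mtdblock0 00000000000000000000000000000000 && echo "partition matches known-good image"
```

Reading `/dev/mtdblockN` directly through the hashing tool avoids copying the whole partition to RAM or a tmpfs first, which matters on routers with a few megabytes of memory; if the hash must be computed off-box, hash on the device first so the transferred image can be checked for corruption on arrival.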
Fortune smiled upon me early on, as I crashed a web server on one of the devices I was attempting to exploit. I was able to transfer the core dump via Samba and recover the admin password used. The passwords of most of the systems followed a similar pattern, and thus, without additional exploits, I was able to log into roughly 80% of the devices, and often enable telnet or SSH services.
While many of the systems were wifi routers, they were configured with their wireless radio disabled. At one point, when I was frustrated with pivoting through an SSH tunnel, it occurred to me that I could just enable wifi and configure the security key to one of my choosing. This allowed me direct access to Network 3.
Lastly, I'd like to give a shout-out to my rival Powerword Hack, as they were a fun bunch of guys to play against, and made my time at the CTF feel less isolated. It turns out that our skills were complementary, as we had very few systems that we both scored points on, and often it felt we each had two halves to a puzzle but didn't collaborate due to the competition. Had we joined forces, I feel confident that we could've grabbed every flag in the challenge.
I used the Amazon Gift card from this event to purchase:
- Game Hacking: Developing Autonomous Bots for Online Games
- Exploring Online Games: Cheating Massively Distributed Systems
- Learn to Program with Minecraft
- Automate the Boring Stuff with Python
I'll end this post with a talk provided by an ISE engineer at Derbycon for those out there who, like myself, are interested in exploring an Internet of Things.