GreHack 2018 Writeups
The GreHack2018 CTF was an offline CTF and one big advantage of offline CTFs is that you can have hardware-oriented challenges, in this case a series of challenges lovely crafted by Philippe Paget (@PagetPhil).
The series is made of 5 (or 6) levels representing the evolution of a realistic product: a hardware secret keeper dongle based on STM32.
The GreHack Secret Keeper
The first level provides the hardware information useful for all levels.
Products Information
How the product works: just plug the USB type A connector and connect to the virtual serial port at 9600 8N1. The fancy menus will guide you over all the available functionality.
A few words about security: At GreHack no joke with security. All the specifications are done at the end of the evening, after several beers, in the respect of the traditions. This GreHack Secret Keeper use SHA-256 hash for ALL the passwords used in the application and the entire secrets are store encrypted with AES-ECB-256. Those algorithms are the state of the art and don’t have any flaw. Until today our whole implementation is proven secure.
So, well done, you’ve choose the most secure "Secret Keeper" of the market. The GreHack team hope you’ll enjoy it and store all your valuable secrets in.
Challenges howto
1) Mandatory Instructions to follow in order to not kill the game: do not burn or lock the microcontroller!
- Never put 2 power lines on the microcontroller boards. The Type A USB port from the serial module of each Secret Keeper is enough for power. A single VCC wire per microcontroller board. Be careful not to add a VCC wire when connecting the ST-LINK if the serial USB module is connected! And, never connect an USB cable to the microcontroller module, it is useless: the port is disabled and will provide a second power supply witch will fry the microcontroller.
- NEVER write in the flash of microcontrollers with low level tools. This includes the "option bytes" or the "fuse configuration" which makes it possible to protect & lock the microcontroller and makes it impossible to dump or even to erase.
2) General instructions to solve the 6 levels:
- The 6 challenges retrace the life of a real product and all successive #fail until its final well protected ultimate version. It should be noted that 99.99% of the code is identical when a firmware is used for the next version of the module. Just minor fixes are applied to remove some flaws.
- These are hardware / reverse / exploit category challenges. No steganography or puzzle. Everything is factual, any clue in the subject is important and everything is to read in the first degree.
- It is almost impossible to solve the challenges in the disorder (only the level 2 can be skipped but would miss for understanding the following levels).
3) Pinout
- Level 1 - 2 :
- Level 3 4 5 6 :
LED: GPIO port A, GPIO PIN 15, (PA15), LED on with output at 0
4) Available extra stuff:
In order to solve the challenges there is additional stuff available on the desk, do not hesitate to use it, it’s even mandatory for the ST-LINK. Other boards, serial modules, cables etc. are available for testing.
5) USB / Serial module :
2 different modules are used in the Secret Keeper: most are PL2303 and there are some CH340. Available, 3 other modules with FTDI chip if there are problems with drivers.
- For Linux, no problem, it's integrated into the kernel since a long time.
- For Win7 and Win10 it is possible you have to download them from here:
- PL2303: http://www.prolific.com.tw/US/ShowProduct.aspx?p_id=225&pcid=41
- CH340 / CH341: http://www.wch.cn/download/CH341SER_EXE.html
- For MacOS, ask to Steve Jobs.
Datasheets
The bundle contains also the following datasheets:
Secret Keeper level 1 (50 points)
"An Insomni'Hack 2018 tribute": Was a 400 points at Insomni'hack and is only a 50 points at GreHack ... with the good tools ( Hello Baldanos :) ) Read the full package to understand how all the challenges works and ask to staff if any doubt. Your first task is to dump the firmware and find the flag. --> Use "Secret Keeper 1 / 2 (revision 1.00)"
TODO
Secret Keeper level 2 (100 points)
Now you have the firmware, great. But something other is still valuable. You need to find it and dump it too. --> Use "Secret Keeper 1 / 2 (revision 1.00)"
TODO
Secret Keeper level 3 (200 points)
Dump the revision 2.00 of the firmware. --> Use "Secret Keeper 3 / 4 (revision 2.00)"
TODO
Secret Keeper level 4 (300 points)
Read the secret stored in the Secret Keeper. --> Use "Secret Keeper 3 / 4 (revision 2.00)"
TODO
Secret Keeper level 5 (500 points)
Extract the firmware & read the secret. --> Use "Secret Keeper 5 (revision 3.00)"
TODO
Secret Keeper level 6 (501 points)
Extract the firmware & read the secret from the Secret Keeper from the software bug-free version. AKA the INSANE level. --> Use the special "Secret Keeper" (revision 4.00), ask to the staff for it.
We didn't reach this level but from the previous challenge, we got all the source code and this rv4.00 seems indeed bug-free. Not sure there is a way besides things like fault injections...
Conclusions
Thanks a lot to @PagetPhil for these nice hardware-origented challenges!
We had a lot of fun trying to solve them :)