Writeup – restricted_python, rev rev rev (TWCTF) + General Updates (Hardware, Flash Recovery)

This weekend, I participated in the Tokyo Westerns CTF. Due to my complete and utter lack of anything resembling sk1llz, I was able to solve the warmup challenges and one non-warmup challenge. I will present my writeup below.

restricted_python

This challenge was presented as an archive file, containing some Python. You can download this here: restricted_python.

I initially coulnd’t get this to work inside my regular CTF environment (Debian-based), but the “run.sh” file indicated this was intended for an Ubuntu 16.04 64-bit environment. I spun up a new AWS instance, and away we went, tackling the “private” challenge first.

This challenge involved calling the _flag function within the Private object, without using the “Private” string in the payload. p.__flag() doesn’t work, so we start by attempting a dir(p). This shows the function “_Private__flag()”, but eval(“p._Priv”+”ate__flag()”) is too long.

Instead, we can abuse eval within eval to call the __flag() function without explicitly naming it:

Moving on, we can tackle the “local” challenge. Here, we are tasked with somehow dumping a local variable within get_flag(). Initially, I had attempted to abuse lazy evaluation with a lambda function argument: in hindsight, this was insane from a program logic perspective.

Instead, we can dump this flag via the func_code property:

Finally, we move onto the comment challenge. This challenge came in two parts: firstly, a 20-character “eval” wrapper, and a flag stored in comment_flag.py. The name indicates this is a comment, but this is untrue: Python’s triple quotes syntax isn’t a comment, but instead represents a multi-line string. Therefore, logically, if we evaluate including comment_flag, we should get the flag back:

rev rev rev (Bonus Writeup!)

During the TWCTF event, I also managed to complete the “rev rev rev” challenge. This was presented as a Linux binary, which you can download here: rev_rev_rev-a0b0d214b4aeb9b5dd24ffc971bd391494b9f82e2e60b4afc20e9465f336089f

Going through this challenge in IDA, we recognize a standard CTF format: retrieve a flag on stdin, do an operation to it, compare it against an actual flag and check if it’s right.

Instead of attempting to reverse this, we can use a generic angr script to bypass the challenge entirely. This is a mirror image of the hackcon “angryreverser” challenge with a different “target” endpoint. You can download this script here. This reveals the flag of “TWCTF{qpzisyDnbmboz76oglxpzYdk}” in moments.

I’d like to thank the Tokyo Westerns team for putting together this event – though I didn’t manage to solve many challenges, I enjoyed the attempt and look forward to improving myself for next year.

General Updates (Hardware, Flash Recovery)

This weekend, I also worked on progressing my hardware learning. I am learning to intercept (and MITM) the communication between IC components. Unfortunately, this is incredibly time-consuming with my current equipment:

Still, my hand gets steadier with practice. I am starting with a simple SPI flash chip – the idea is to proxy the clock, chip select, mosi and miso lines through an FPGA, with each rising edge of the clock signal triggering events on the FPGA, which can “packetize” this data and send it over a host-friendly channel. On an unknown protocol, we can use an FPGA’s onboard clock to trigger events initially: unfortunately, I don’t have anything to share for this project yet.

During this process, I made use of a Saleae logic analyzer to record SPI traffic to the flash chip (I can’t remember which device this is from):

SPI flash is a nice and easy visually recognizable protocol, with 4 primary channels:

  • Clock, a regular square wave which serves to prompt the recipient when to do actions like reading data. Commands and data are synchronised with the clock.
  • Chip Select / Enable: this line is generally pulled low when you want to do an operation to the flash chip, or are waiting for data.
  • Master Out, Slave In: this line is the “command channel”.
  • Master In, Slave Out: this line is how the flash chip communicates to the master, normally filled with data.

A visual representation of this is below:

Note that this isn’t the “gold standard”: there are variations on this, check your datasheet. Reading from Flash isn’t as straightforward as setting your address to “0” and holding the Enable line open for more data: instead, Flash is read in chunks, sometimes in overlapping portions, and not in linear order.

It turns out that the Saleae’s built-in SPI analyzer can convert this to a series of SPI packets, and with a little Python, you can reconstruct a Flash image. You can download a beta version of this script here. Note that this is designed to work with one particular device, please modify it to suit your own needs.

Additionally, I progressed slightly in my exploration of the Huawei E5573 device, desoldering the NAND flash:

While my intent was to bit-bang the flash chip itself, my soldering iron (and solder) is far too wide to allow this. I’ve got a new soldering iron tip in the mail to progress this. From a technique perspective, this is enough to serve as a sacrifical device, and begin mapping out debug pins for the Flash chip on the device: it turns out that some of the pins are mapped, but not in any sane order I can determine (IO1 is on the debug-connector-looking thing, IO2 is right next to the flash chip, under the shielding).

I look forward to seeing you all in the ASIS CTF finals next weekend.

About Norman

Sometimes, I write code. Occasionally, it even works.
This entry was posted in Bards, Computers, Jesting and tagged , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s