This weekend, I spent some time participating in the Kaspersky Labs CTF. I was able to solve a few challenges in the time allocated – it is a humbling reminder of how quickly one’s mental acuity can dull, if not exercised relentlessly (or perhaps it’s just old age catching up to me).
From this CTF, I will present my solution to the Backdoor Pi challenge below.
This challenge was presented as a zip file, which you can download here (warning: large file (approx. 96MB)). The challenge claims that this is “parts of the filesystem” from a Raspberry Pi SD Card, and the title implies we are looking for a backdoor.
We can start by extracting the archive into our filesystem. A little manual delving, and we quickly find a suspicious file:
The “file” command says that this is a compiled Python binary, and a quick “strings” shows a reference to a “fl4g”; the leetspeak spelling is a simple way to slip past a naive search for the word “flag”. We can use the “uncompyle” utility, an essential part of any reverse engineering toolkit, to recover source code from this file. From the recovered source, we can infer the algorithm:
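Before reaching for a decompiler, it is worth checking the .pyc header and pulling the names and string constants straight out of the marshalled code object, since that alone is often enough to spot a backdoor on a forensic image. The script below is an added example, not the author's tooling and not code from the challenge: it builds a small constructed module in memory (a hypothetical stand-in, not the real backdoor's logic), writes it in the 16-byte header layout CPython 3.7+ uses for .pyc files, then parses the header and walks every nested code object to list imported modules, attribute names, function names and string constants.

```python
import importlib.util
import marshal
import struct
import types

# Constructed sample source standing in for the recovered backdoor module.
# Hypothetical: the real module's logic is not reproduced here.
SAMPLE_SOURCE = '''
import hashlib

STORED = "placeholder-digest"  # constructed value, not a real hash

def check(user, pin):
    # hypothetical check: compares a digest of "user:pin" to a stored value
    digest = hashlib.sha256(f"{user}:{pin}".encode()).hexdigest()
    return digest == STORED

def fl4g(user, pin):
    return f"{user}:{pin}"
'''


def build_sample_pyc(mtime: int = 0) -> bytes:
    """Serialise SAMPLE_SOURCE the way CPython 3.7+ writes a .pyc:
    4-byte magic, 4-byte flags, 4-byte source mtime, 4-byte source size,
    followed by the marshalled module code object."""
    code = compile(SAMPLE_SOURCE, "backdoor.py", "exec")
    header = importlib.util.MAGIC_NUMBER + struct.pack("<III", 0, mtime, len(SAMPLE_SOURCE))
    return header + marshal.dumps(code)


def parse_pyc(data: bytes) -> dict:
    """Validate the magic number against the running interpreter and unmarshal the code.
    A magic mismatch means the file was compiled by a different Python version and
    must be decompiled with an interpreter (or decompiler) that matches it."""
    magic = data[:4]
    if magic != importlib.util.MAGIC_NUMBER:
        raise ValueError("magic %r does not match this interpreter" % magic)
    flags, mtime, size = struct.unpack("<III", data[4:16])
    code = marshal.loads(data[16:])
    return {"flags": flags, "mtime": mtime, "source_size": size, "code": code}


def walk_code(code: types.CodeType):
    """Yield the module code object and, recursively, every nested function/class body."""
    yield code
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            yield from walk_code(const)


def extract_indicators(code: types.CodeType) -> dict:
    """Collect the names (imports, globals, attributes), function names and string
    constants referenced anywhere in the compiled module: cheap triage before decompiling."""
    names, strings, functions = set(), set(), set()
    for c in walk_code(code):
        names.update(c.co_names)
        strings.update(s for s in c.co_consts if isinstance(s, str))
        if c.co_name != "<module>":
            functions.add(c.co_name)
    return {
        "names": sorted(names),
        "strings": sorted(strings),
        "functions": sorted(functions),
    }


if __name__ == "__main__":
    info = parse_pyc(build_sample_pyc(mtime=1_500_000_000))
    print("header flags=%d mtime=%d size=%d" % (info["flags"], info["mtime"], info["source_size"]))
    for key, values in extract_indicators(info["code"]).items():
        print("%-10s %s" % (key, values))
```

On a real image you would read the suspicious .pyc from disk instead of calling build_sample_pyc; the mtime field in the header is also worth comparing against the SD card's filesystem timestamps, since a compiled module whose embedded mtime does not fit the rest of the system is itself an indicator.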
We can identify the “user” input from /etc/passwd (“b4ckd00r_us3r”), but there is no indication of what the pincode is. No matter: we can brute force the pincode, which quickly yields it and thus the flag (“b4ckd00r_us3r:12171337”).
You can download the brute force script here.
Thanks to the Kaspersky Labs team, who put together this CTF – I enjoyed the time I spent playing it (though I am frustrated by my inability to solve the more difficult forensics problems in time – so close, but not close enough), and I look forward to playing again when the opportunity next presents itself.