Writeup – Backdoor Pi (Kaspersky Labs CTF)

This weekend, I spent some time participating in the Kaspersky Labs CTF. I was able to solve a few challenges in the time allocated – it is a humbling reminder of how quickly one’s mental acuity can dull, if not exercised relentlessly (or perhaps it’s just old age catching up to me).

From this CTF, I will present my solution to the Backdoor Pi challenge below.

Backdoor Pi

This challenge was presented as a zip file, which you can download here (warning: the archive is large, approximately 96MB). The challenge description claims that this is “parts of the filesystem” from a Raspberry Pi SD card, and the title implies we are looking for a backdoor.

We can start by extracting the archive into our filesystem. A little manual delving, and we quickly find a suspicious file:

The “file” command says that this is compiled Python bytecode, and a quick “strings” shows a reference to “fl4g” rather than “flag”: leetspeak is a cheap way to evade a naive strings check for the obvious keyword. We can use the “uncompyle” utility, an essential part of any reverse engineering toolkit, to recover source code from this file. From the decompiled source, we can infer the algorithm:

We can identify the “user” input from /etc/passwd (“b4ckd00r_us3r”), but there is no indication of what the pincode is. No matter: the pincode space is small enough that we can brute force it, quickly recovering the pincode and thus the flag (“b4ckd00r_us3r:12171337”).

You can download the brute force script here.

Thanks to the Kaspersky Labs team, who put together this CTF – I enjoyed the time I spent playing it (though I am frustrated by my inability to solve the more difficult forensics problems in time – so close, but not close enough), and I look forward to playing again when the opportunity next presents itself.

About Norman

Sometimes, I write code. Occasionally, it even works.