To Boot Or Not To Boot – Practical Attack Vector
Attify - Internet of Things (IoT) Blog
by Victor Hanna
2y ago
Introduction In this post, we will be completing the loop on our three-part series by describing a specific attack vector that becomes available once the bootloader process has been bypassed. Once inside the Das U-Boot prompt, an attacker is able to press on and ultimately take over the device beneath it. As our attack vector, we will be looking at using TFTP to load a kernel and filesystem of our own onto the affected target. We will look at how to first set up the attack device and then ultimately try our hand at gaining root access to our target device. What is ..read more
To Boot Or Not To Boot – Das U-Boot
Attify - Internet of Things (IoT) Blog
by Victor Hanna
2y ago
Introduction In this post, we will be describing the bootloader that goes by the name of Das U-Boot. We will delve into the following Das U-Boot features, including: - Das U-Boot Origin Story - The Building of Das U-Boot - Running Das U-Boot in an emulator (QEMU) - Das U-Boot command line - Attacker Options U-Boot Origin Story This open-source project first sprang into existence as a bootloader for the embedded PowerPC architecture. In this guise, it was initially known as 8xxROM and was later renamed to PPCBoot. Interestingly enough, the latter name, 'PPCBoot', was chosen somewhat based on t ..read more
To Boot Or Not To Boot
Attify - Internet of Things (IoT) Blog
by Victor Hanna
2y ago
Introduction This is Part 1 of a three-part blog post that will look to describe what a bootloader is and where it fits into the boot process. Part 2 will describe the U-Boot bootloader, specifically "Das U-Boot", where we will be further examining its origins and its usage in the world of embedded Linux systems. With a thorough understanding under our belt, we will look to examine the possible attack vectors available using practical examples in Part 3. What is a Bootloader In an embedded system context, the bootloader is simply the part of the system that is used at start-up to assist in th ..read more
Analyzing bare metal firmware binaries in Ghidra
Attify - Internet of Things (IoT) Blog
by Barun
2y ago
In this post we will be looking at analyzing an STM32 firmware binary in Ghidra. In particular, the firmware is for the STM32F103C development board from STMicroelectronics. The file can be downloaded from this link. Analyzing firmware binaries is often different from analyzing a PE or ELF file. A PE (Portable Executable) is the standard executable file format on Windows. An .exe file is a PE underneath. The PE file format is intended for 32-bit Windows systems. There’s the PE64 file format which is similar to PE but intended for 64-bit systems. Correspondingly on Linux we have the ELF (Executa ..read more
Flare-On 6 CTF WriteUp (Part 12)
Attify - Internet of Things (IoT) Blog
by Barun
4y ago
This is the twelfth and final part of the Flare-On 6 CTF WriteUp Series. 12 - help The challenge reads You're my only hope FLARE-On player! One of our developers was hacked and we're not sure what they took. We managed to set up a packet capture on the network once we found out but they were definitely already on the system. I think whatever they installed must be buggy - it looks like they crashed our developer box. We saved off the dump file but I can't make heads or tails of it - PLEASE HELP!!!!!! We have two files - help.dmp - A 2 GB memory dump help.pcapng - Packet capture Identifying ..read more
Flare-On 6 CTF WriteUp (Part 11)
Attify - Internet of Things (IoT) Blog
by Barun
4y ago
This is the eleventh part of the Flare-On 6 CTF WriteUp Series. 11 - vv_max The challenge reads Hey, at least it's not subleq. Subleq is an esoteric language. The program grammar consists of a single instruction, "Subtract and Branch if Less Than or Equal". The final challenge of Flare-On 5 dealt with reversing such a binary. You can read more on it here. Different from previous years', this year's penultimate challenge is not about Subleq but rather about reversing a small VM which uses AVX instructions for its operation. For running the challenge binary our processor must support AVX. Nearly ..read more
Flare-On 6 CTF WriteUp (Part 10)
Attify - Internet of Things (IoT) Blog
by Barun
4y ago
This is the tenth part of the Flare-On 6 CTF WriteUp Series. 10 - Mugatu The challenge reads Hello, I’m working an incident response case for Derek Zoolander. He clicked a link and was infected with MugatuWare! As a result, his new headshot compilation GIF was encrypted. To secure an upcoming runway show, Derek needs this GIF decrypted; however, he refuses to pay the ransom. We received an additional encrypted GIF from an anonymous informant. The informant told us the GIF should help in our decryption efforts, but we were unable to figure it out. We’re reaching out to you, our best malware ana ..read more
Flare-On 6 CTF WriteUp (Part 9)
Attify - Internet of Things (IoT) Blog
by Barun
4y ago
This is the ninth part of the Flare-On 6 CTF WriteUp Series. 9 - reloaderd The challenge reads This is a simple challenge, enter the password, receive the key. I hear that it caused problems when trying to analyze it with ghidra. Remember that valid flare-on flags will always end with @flare-on.com From a cursory look, this does look like a simple challenge. Running the provided PE file reloaderd.exe prompts for a key. Figure 1: We need a key. Loading the binary in x64dbg we notice two calls from the main function. Figure 2: Two calls in main. The print_banner just prints the "ReLoaderd" bann ..read more
Flare-On 6 CTF WriteUp (Part 8)
Attify - Internet of Things (IoT) Blog
by Barun
4y ago
This is the eighth part of the Flare-On 6 CTF WriteUp Series. 8 - snake The challenge reads The Flare team is attempting to pivot to full-time twitch streaming video games instead of reverse engineering computer software all day. We wrote our own classic NES game to stream content that nobody else has seen and watch those subscribers flow in. It turned out to be too hard for us to beat so we gave up. See if you can beat it and capture the internet points that we failed to collect. Different from others, challenge 8 deals with reversing a NES Rom named snake.nes. We will be using the Mesen emul ..read more
Flare-On 6 CTF WriteUp (Part 7)
Attify - Internet of Things (IoT) Blog
by Barun
4y ago
This is the seventh part of the Flare-On 6 CTF WriteUp Series. 7 - wopr The challenge reads We used our own computer hacking skills to "find" this AI on a military supercomputer. It does strongly resemble the classic 1983 movie WarGames. Perhaps life imitates art? If you can find the launch codes for us, we'll let you pass to the next challenge. We promise not to start a thermonuclear war. Running the provided binary wopr.exe asks for an input. Not knowing what to do, we type in help and it shows a list of available commands. Figure 1: List of commands. Fiddling with the game commands, we can fi ..read more