Photo of the MCH2022 badge's screen, showing the "Hack me if you can" app's start splashscreen, saying "Service is accessible on IP ADDRESS : 1337"

MCH2022 Badge CTF Solved, With Plenty To Learn From

Among all the things you could find at MCH2022, there were a few CTFs (Capture The Flag exercises) – in particular, every badge contained an application that you could try and break into – only two teams have cracked this one! [dojoe] was part of one of them, and he has composed an extensive reverse-engineering story for us – complete with Ghidra disassembly of Xtensa code, remote code execution attempts, ROP gadget creation, and no detail left aside.

There was a catch: badges handed out to the participants didn’t contain the actual flag. You had to develop an exploit using your personal badge that only contained a placeholder flag, then go to the badge tent and apply your exploit over the network to one of the few badges with the real flag on them. The app in question turned out to be an echo server – sending back everything it received; notably, certain messages made it crash. One man’s crashes are another man’s exploit possibilities, and after a few hacking sessions, [dojoe]’s team got their well-deserved place on the scoreboard.

If you always thought that firmware reverse-engineering sounds cool, and you also happen to own a MCH2022 badge, you should try and follow the intricately documented steps of [dojoe]’s writeup. Even for people with little low-level programming experience, repeating this hack is realistic thanks to his extensive explanations, and you will leave with way more reverse-engineering experience than you had before.

The MCH2022 badge is a featureful creation of intricate engineering, with the ESP32 portion only being part of the badge – we’re eager to hear about what you’ve accomplished or are about to accomplish given everything it has to offer!

Modules described in the article (two copies of the challenge shown, so, two lines of modules)

Spaceship Repair CTF Covers Hardware Hacker Essentials

At even vaguely infosec-related conferences, CTFs are a staple. For KernelCon 2021, [Tyler Rosonke] resolved to create a challenge breaking the traditions, entertaining and teaching people in a different way, while satisfying the constraints of that year’s remote participation plans. His imagination went wild in all the right places, and a beautifully executed multi-step hardware challenge was built – only in two copies!

Story behind the challenge? Your broken spaceship has to be repaired so that you can escape the planet you’re stuck on. The idea was to get a skilled, seasoned hacker solving challenges for our learning and amusement – and that turned out to be none other than [Joe “Kingpin” Grand]!

The modules themselves are what caught our attention. Designed to cover a wide array of hardware hacker skills, they cover soldering, signal sniffing, logic gates, EEPROM dumping and more – and you have to apply all of these successfully for liftoff. If you thought “there’s gotta be a 555 involved”, you weren’t wrong, either, there’s a module where you have to reconfigure a circuit with one!

KernelCon is a volunteer-driven infosec conference in Omaha, and its 2022 installment starts in a month – we can’t wait to see what it brings! Anyone doing hardware CTFs will have something to learn from their stories, it seems. The hacking session, from start to finish, was recorded for our viewing pleasure; linked below as an hour and a half video, it should be a great background for your own evening of reverse-engineering for leisure!

This isn’t the first time we’ve covered [Tyler]’s handiwork, either. In 2020, he programmed a batch of KernelCon badges while employing clothespins as ISP clips. Security conferences have most certainly learned just how much fun you can have with hardware, and if you ever need a case study for that, our review of 2019 CypherCon won’t leave you hanging.

This Week In Security: Use-After-Free For Dummies, WiFi Cracking, And PHP-FPM

In a brilliant write-up, [Stephen Tong] brings us his “Use-After-Free for Dummies”. It’s a surprising tale of a vulnerability that really shouldn’t exist, and a walkthrough of how to complete a capture the flag challenge. The vulnerable binary is running on a Raspberry Pi, which turns out to be very important. It’s a multithreaded application that uses lock-free data sharing, through a pair of integers readable by multiple threads. Those ints are declared using the volatile keyword, which is a useful way to tell a compiler not to optimize too heavily, as this value may get changed by another thread.

On an x86 machine, this approach works flawlessly, as all the out-of-order execution features are guaranteed to be globally transparent. Put another way, even if thread one can speed up execution by modifying shared memory ahead of time, the CPU will keep the shared memory changes in the proper order. When that shared memory is controlling concurrent access, it’s really important that ordering happens the way you expect it. What was a surprise to me is that the ARM platform does not provide that global memory ordering. While the out-of-order execution will be transparent to the thread making changes, other threads and processes may observe those actions out of order. An example may help:

volatile int value;
volatile int ready;

// Thread 1
value = 123; // (1)
ready = 1; // (2)

// Thread 2
while (!ready); // (3)
print(value); // (4)
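
The same handoff made safe on weakly ordered CPUs such as ARM, as an added example (not code from [Stephen Tong]'s write-up or from the challenge binary): the volatile flag becomes a C11 atomic, and a release store is paired with an acquire load so that anyone who sees ready == 1 also sees value == 123. The function names and the pthread harness are assumptions made for this illustration; the (1) to (4) labels match the snippet above.

```c
#include <pthread.h>
#include <stdatomic.h>

static int value;        /* payload: plain int, published via the flag */
static atomic_int ready; /* flag: atomic instead of volatile */

static void *producer(void *arg) {
    (void)arg;
    value = 123;                                             /* (1) */
    /* release: (1) is visible to anyone who observes this store */
    atomic_store_explicit(&ready, 1, memory_order_release);  /* (2) */
    return NULL;
}

static void *consumer(void *out) {
    /* acquire: pairs with the release store in producer() */
    while (!atomic_load_explicit(&ready, memory_order_acquire))  /* (3) */
        ;
    *(int *)out = value;                                     /* (4) */
    return NULL;
}

/* Run one handoff; returns what the consumer read, -1 on thread error. */
int run_handoff(void) {
    pthread_t p, c;
    int seen = -1;
    value = 0;
    atomic_store(&ready, 0);
    if (pthread_create(&c, NULL, consumer, &seen) != 0)
        return -1;
    if (pthread_create(&p, NULL, producer, NULL) != 0) {
        atomic_store(&ready, 1);  /* let the spinning consumer exit */
        pthread_join(c, NULL);
        return -1;
    }
    pthread_join(p, NULL);
    pthread_join(c, NULL);
    return seen;
}

/* Repeat the handoff; returns how many rounds read a stale value. */
int count_stale_reads(int rounds) {
    int stale = 0;
    for (int i = 0; i < rounds; i++)
        stale += (run_handoff() != 123);
    return stale;
}

int main(void) { return count_stale_reads(1000) ? 1 : 0; }
```

Build with cc -std=c11 -pthread; the process exits 0 when no round observed a stale value.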

Two hands on a book labeled "hardware crowdfunding"

Successfully Crowdfunded Hardware: Everything Behind The Scenes

Crowdfunding hardware has its own unique challenges, and [Uri Shaked] wrote a fascinating report that goes into excellent detail about his experience bringing a crowdfunded hardware project to life.

A skull-shaped PCB with two red eyes

[Uri]’s project was The Skull CTF, an electronic hardware puzzle that came in the shape of a PCB skull, and his detailed look behind the scenes covers just about every angle, from original concept to final wrap-up, along with his thoughts and feedback at every stage. His project reached its funding goal, got manufactured and shipped, and in the end was a success.

[Uri] started with a working project, but beyond that was virtually a complete novice when it came to crowdfunding. He eventually settled on using Crowd Supply to make his idea happen, and his writeup explains in great detail every stage of that process, including dollar amounts. What’s great to see is that not only does [Uri] explain the steps and decisions involved, but explains the research that went into each, and how he feels each of them ended up working out.

The entire thing is worth a read, but [Uri] summarizes the experience of crowdfunding a hardware project thus: an excellent way to test out the demand for an idea and bring a product into existence, but be aware that unless a project is a runaway success it probably won’t be much of an income generator at that stage. It was a great learning experience, but involved a lot of time and effort on his part as well.

[Uri] really knows his stuff, and considering his skill at hunting down pesky bugs, it’s probably no surprise that this wasn’t his first hardware puzzle.

Hackaday Links: June 28, 2020

You can imagine how stressful life is for high-power CEOs of billion-dollar companies in these trying times; one is tempted to shed a tear for them as they jet around the world and plan their next big move. But now someone has gone and upset the applecart by coming up with a way to track executive private jets as they travel across North America. This may sound trivial, but then you realize that hedge fund managers pay big money for the exact same data in order to get an idea of who is meeting with whom and possibly get an idea of upcoming mergers and acquisitions. It’s also not easy, as the elites go to great lengths to guard their privacy. Luckily, the OpenSky Network lists all ADS-B traffic its web of ground stations receives, unlike other flight monitoring sites which weed out “sensitive” traffic. Python programs scrape the OpenSky API and cross-reference plane registrations with the FAA database to see which company jets are doing what. There are plenty of trips to Aspen and Jackson Hole to filter out, but with everyone and his little brother fancying themselves a day trader lately, it’s another tool in the toolbox.

We got a nice note from Michelle Thompson this week thanking us for mentioning the GNU Radio Conference in last week’s Links article, and in particular for mentioning the virtual CTF challenge that they’re planning. It turns out that Michelle is deeply involved in designing the virtual CTF challenge, after having worked on the IRL challenges at previous conferences. She shared a few details of how the conference team made the decision to go forward with the virtual challenge, inspired in part by the success of the Hack-A-Sat qualifying rounds, which were also held remotely. It sounds like the GNU Radio CTF challenge will be pretty amazing, with IQ files being distributed to participants in lieu of actually setting up receivers. We wish Michelle and the other challenge coordinators the best of luck with the virtual con, and we really hope a Hackaday reader wins.

Amateur radio is often derided as a hobby, earning the epithet “Discord for Boomers” according to my son. There’s more than a grain of truth to that, but there are actually plenty of examples where a ham radio operator has been able to make a big difference in an emergency. Case in point is this story from the Western Massachusetts ARRL. Alden Jones (KC1JWR) was hiking along a section of the Appalachian Trail in southern Vermont last week when he suddenly got light-headed and collapsed. A passing hiker who happened to be an emergency medical technician rendered aid and attempted to contact 911 on his cell phone, but coverage was spotty and the dispatcher couldn’t hear him. So Alden, by this point feeling a little better, pulled out his handy talkie and made an emergency call to the local repeater. Luckily the Western Massachusetts Traffic Net was just about to start, so they went into emergency mode and coordinated the response. One of the hams even went to the rescue staging area and rigged up a quick antenna to improve the signal so that rescuers could finally get a helicopter to give Alden a ride to the hospital. He’s fine now, and hats off to everyone who pitched in on the eight-hour rescue effort.

And finally, there are obviously a lot of details to be worked out before anyone is going to set foot on the Moon again. We’ve got Top People™ working on all the big questions, of course, but apparently NASA needs a little help figuring out how and where the next men and first women on the Moon are going to do their business. The Lunar Loo Challenge seeks innovative designs for toilets that can be used in both microgravity and on the lunar surface. There is $35,000 in prize money for entrants in the Technical division; NASA is also accepting entries in a Junior division, which could prove to be highly entertaining.

Tiny SAO, Tough CTF Challenge!

Over the year or two since the SAO connector specification was published, otherwise known as the Shitty Addon, we’ve seen a huge variety of these daughter boards for our favourite electronic badges. Many of them are works of art, but there’s another subset that’s far less about show and more about clever functionality. [Uri Shaked]’s little SAO is rather unprepossessing to look at, being a small round PCB with only an ATtiny microcontroller, reset button, and solitary LED, but its interest lies not in its looks but its software. It contains a series of CTF puzzles within, and despite its apparent simplicity should contain enough to detain even the hardiest puzzle-solving hackers.

It’s a puzzle of three parts, at the simplest level merely flashing the LED is enough, while the next level involves retrieving a buried string from the firmware and the last requires replacing the string with one of your own. You are only allowed to do so through the SAO connector, but fortunately you do have the benefit of access to the source code to trawl for vulnerabilities. There is a hefty hint that the data sheet for the microcontroller might also be useful.

[Uri] has appeared many times on these pages, most recently when he added a microscope to his 3D printer.

What’s The Secret Of Cyphercon?

Cyphercon is not particularly large, or in a glamorous part of the world — in fact most people who came in from out of town had to fight snow to make it. Yet when I stepped into the con last Thursday there was no doubt something awesome was in progress. People were camped out in small groups, working furiously on their computers, talks were packed with people who came alive in the Q&A, and everywhere you looked you found people deep in conversation with friends old and new. If you missed out on Cyphercon 4.0, you need to make an effort to be here for 5.0.

Join me after the break for the highlights of this two-day security conference nestled in the heart of Milwaukee.
