Hackvens 2022 - Turn me on

Turn me on

Statement

Let's take back control of our connected objects with Tasmota!

Solve

Doc Tasmota: https://tasmota.github.io/docs/

With a little research, we learn that Tasmota devices can be controlled, and commands executed on them, through a web interface reachable by anyone on the same Wi-Fi network.

(On-site CTF) A device running Tasmota is present in the room. An IoT Wi-Fi network is available, protected by a password.

Objective 1: find the Wi-Fi password.

Running strings on the firmware does not really give us any information:

strings firmware.bin

[...]
'P+^&WD
],TB`&U!F$CB
f@DU%\+\C
BoCODz
9KI>AJ:
CQ(["ZB\,]!42T6f*^![4EjT6]'@(^,
jH(["P6[,]j\3T$
d[0@1
45P1_,G%kd
4F$W+Jf
[email protected]+Qf
P1_,G%4
\*R(Vb
'3y4
W _,[-TDI:1`OC^DG G'2
]D{'WB2
B3E4E1C2
3I4y0k2
2.433G3
enCy%Z
D3|#K   F*~4]
G$`!D
R6|,E
Q"1gAn
4A7F3G0C1C5JE4Dj46F52y
D\5E22+G0D21
wq4/D.^C3D4A1B2h
btAk 0
s3C3D4A1B2C3D4A1B2C3D4A1B2C3D4A1B2C3D4A1B2C3D4A1B2C
0A1J2C3@4A1R2C3d4A1
2C3D4A1B2C3D4A1
2C3D5d
(PA_#\CZ*RAx
`c]+@aX,
y`<B
[...]

I compared the firmware provided for the challenge with the official firmware images on the Tasmota website: http://ota.tasmota.com/tasmota/release/

strings tasmota.bin # english
[...]
Learn failed
Tasmota
Status:
WifiConfig %d
LOG_LEVEL_INFO
LOG_LEVEL_NONE
Scanning
Toggle
RESULT
UPDATE
"sequence"
"switch"
"on"
"color
"bright"
"mode"
SETTING
=exit
&#9660;
&#9650;
save
BL09XX
[...]
strings tasmota-FR.bin # french
[...]
chec de connexion avec l'AP, expir
Successful
Testing
Busy
Not Started
chec de connexion car aucune adresse IP n'a 
chec de connexion car l'AP ne peut-
tre contact
chec de connexion
Dimmer1:
Dimmer2:
Status
Setled:
%s:%02x:11-%02x
ADE7953
null
AT+START
AT+SEND=ok
AT+SEND=fail
AT+STATUS=4
[...]

In the official images, the instruction and configuration strings are present in clear text, while the challenge firmware shows none of them. We can deduce that the challenge firmware is encrypted.

We can try to brute-force the firmware as a repeating-key XOR cipher: https://wiremask.eu/tools/xor-cracker/

We recover the XOR key A1B2C3D4 (ASCII bytes 41 31 42 32 43 33 44 34) and obtain the decrypted file:
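The repeating `C3D4A1B2C3D4A1B2...` run visible in the strings output above is the tell-tale sign of this scheme: zero-padded regions of the plaintext XORed with a repeating key reproduce the key itself, since `0x00 ^ k == k`. The script below (an added example, not part of the original writeup or of any tool it links to) recovers the key from that property and then runs a `strings`-like scan over the decrypted blob; the sample "firmware" is constructed inline with invented field widths and is not a real Tasmota image.

```python
from collections import Counter

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Apply a repeating-key XOR (the same operation encrypts and decrypts)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def recover_xor_key(data: bytes, max_len: int = 32) -> bytes:
    """Recover a repeating XOR key from a blob whose plaintext is mostly 0x00 padding.

    Because 0x00 ^ k == k, the most frequent byte in each key-aligned column is the
    key byte itself; the key length is the first period where that effect jumps."""
    best_key, best_score = b"", 0.0
    for klen in range(1, max_len + 1):
        key, score = bytearray(), 0.0
        for i in range(klen):
            column = data[i::klen]
            byte, count = Counter(column).most_common(1)[0]
            key.append(byte)
            score += count / len(column)
        score /= klen
        if score > best_score * 1.1:      # margin rejects multiples of the true length
            best_key, best_score = bytes(key), score
    return best_key

def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Minimal equivalent of `strings`: runs of printable ASCII of at least min_len bytes."""
    out, run = [], bytearray()
    for b in data + b"\x00":              # sentinel flushes the final run
        if 0x20 <= b < 0x7F:
            run.append(b)
            continue
        if len(run) >= min_len:
            out.append(bytes(run))
        run = bytearray()
    return out

# Constructed sample: a settings block with zero-padded fields (the field widths are
# made up for this example and are not Tasmota's real layout), encrypted with the
# challenge's key.
PLAINTEXT = (
    b"Hackvens-CTF-IOT" + b"\x00" * 17
    + b"#4ckVens22!CTF" + b"\x00" * 51
    + b"Connect failed with AP timeout\x00"
    + b"192.168.15.2\x00" * 4
    + b"\x00" * 200 + b"\xff" * 64
)
KEY = b"A1B2C3D4"
FIRMWARE = xor_bytes(PLAINTEXT, KEY)

if __name__ == "__main__":
    recovered = recover_xor_key(FIRMWARE)
    print("key:", recovered)              # key: b'A1B2C3D4'
    for s in extract_strings(xor_bytes(FIRMWARE, recovered)):
        print(s.decode())
```

The same column-frequency trick works on real firmware because flash images carry large erased (0x00 or 0xFF) regions; a 0xFF-filled region would instead show the key with every bit flipped.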

strings plain-firmware.bin
[...]
0123456789ABCDEF
%s%s%s%s
#4ckVens22!CTF
Hackvens-CTF-IOT
Connect failed with AP timeout
Successful
Testing
Busy
Not Started
Connect failed as no IP address received
Connect failed as AP cannot be reached
Connect failed
%04d
Time
Referer

With a bit of guessing, we identify the Wi-Fi password.

Wi-Fi pass: #4ckVens22!CTF

Now we have to find the URL to connect to. According to the documentation, the default address is http://192.168.4.1.

Here, however, the URL is different because the device has already been configured:

strings plain-firmware.bin | grep -i -A 10 -B 10 192.168.  

BASE
FLAG
TPL: Converting template ...
NAME
{"Time":"%s"
{"Time":%u
{"Time":"%s","Epoch":%u
SRC: %s
Blocked Loop
255.255.255.0
192.168.99.1
0.0.0.0
HOLD
TOGGLE
#4ckVens22!CTF
Hackvens-CTF-IOT
192.168.15.1
192.168.15.2
Tasmota4
Tasmota3
Tasmota2
CFG: Use defaults
CFG: Loaded from flash at %X, Count %lu
CFG: Saved to flash at %X, Count %d, Bytes %d
CFG: CR %d/%d, Busy %d
CFG: Text overflow by %d char(s)
Config_%s_%s.dmp
APP: Not enough space

Management URL: http://192.168.15.2/

We press the button present on the interface and the flag appears.

Flag: HACKVENS{x0r_is_n07_53cur3}