DEV Community: Jason Rebelo

Spoofing an iOS device - TSA Techie @ SunshineCTF 2020 write-up

Jason Rebelo — Mon, 09 Nov 2020 14:40:12 +0000

SunshineCTF logo

This post is only one of the writeups I wrote about SunshineCTF 2020. To check out more posts from this CTF, check out my profile.

TSA Techie (150 points)

On a regular flight between NRT and MCO, Customs and Border Protection seized a suspicious iPhone from someone's luggage, along with a sticky note with a mysterious URL to some sort of device registration page. The phone doesn't boot into iOS and, upon further inspection, was stolen from the factory.

That's where you, the contractor, come in! Take a look at the report the TSA gave you to investigate. It should include everything you need to bust this prototype iPhone smuggling ring!

challeng author: Jeffrey D.

Free Hint

Initial analysis

A suspicious, stolen iPhone has been seized and we're tasked with busting the smuggling ring. We are given two documents: the investigation report, and a note found with the phone.

The investigation report mentions that the suspect is believed to be smuggling smartphones out of Foxconn factories.

We are given some details on the stolen iPhone, namely some parts of the serial number, the WiFi and Bluetooth MAC addresses, the ECID and the iPhone model name.

The note found with the phone comes with a URL: http://device-registration.web.2020.sunshinectf.org

We are also given the flight history of the suspect. To note here, his first flight originates in Zhengzhou, in the third week of november.

Taking a look at the website

We are presented with a registration page that says our device model and the device's UDID will be used to verify we are indeed in possession of a smuggled iPhone.

Upon pressing the register button, we are sent a file:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>PayloadContent</key>
    <dict>
      <key>URL</key>
      <string>https://device-registration.web.2020.sunshinectf.org/udid/verify</string>
      <key>DeviceAttributes</key>
      <array>
        <string>UDID</string>
        <string>PRODUCT</string>
      </array>
    </dict>
    <key>PayloadOrganization</key>
    <string>TotallyNotASmugglingRing</string>
    <key>PayloadDisplayName</key>
    <string>Device Registration</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>PayloadUUID</key>
    <string>2fe6ebd9-a281-4d46-8094-9468b6d6e701</string>
    <key>PayloadIdentifier</key>
    <string>sunshinectf.udid</string>
    <key>PayloadDescription</key>
    <string>This configuration is a device enrollment challenge that verifies your device using its UDID and model name.</string>
    <key>PayloadType</key>
    <string>Profile Service</string>
  </dict>
</plist>

The content-type of this file is application/x-apple-aspen-config. This, coupled with the free hint we are given that links us to the apple developer page to a configuration profile service, leads us to believe we have to spoof a response to this file using the details we were given from the smuggled iPhone.

To go into a little detail; a configuration profile is essentially an XML file that can be distributed to iOS devices to easily configure some settings. This is very common for WiFi settings, especially for universities that require authentication via student/personnel email for security reasons.

The important data from the server request is within the key DeviceAttributes:

<key>DeviceAttributes</key>
<array>
    <string>UDID</string>
    <string>PRODUCT</string>
</array>

Our payload needs to contain these attributes. Looking around a bit on the apple developer page, we find config examples (here), and we're able to find a minimal iOS response example:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>UDID</key>
        <string></string>
        <key>VERSION</key>
        <string>7A182</string>
        <key>MAC_ADDRESS_EN0</key>
        <string>00:00:00:00:00:00</string>
    </dict>
</plist>

Apparently all we need to do is provide a dictionary with the keys and the corresponding values that need to be in the payload, so here's what our response would need to look like:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>UDID</key>
        <string>...</string>
        <key>PRODUCT</key>
        <string>iPhone10,1</string>
    </dict>
</plist>

So here comes the hard part. We don't have the UDID.

Calculating the UDID

We can calculate the UDID??? Yup:

Source https://www.theiphonewiki.com/wiki/UDID#Calculation

So we have the ECID, wifiMac and bluetoothMac values, but not the full serial number.

The good thing is that we have all the information we need to complete the serial number:

Source https://en.tab-tv.com/?p=18929

Our current serial number looks like this: ##T##621J##H.

The first two digits are the assembly plant id, we know our iPhone probably came from Zhengzhou, given the flight history of the suspect. This gives us FK as digits 1 and 2.

Digits 4 and 5 correspond to the production date. The previous source also includes an assembly date table, and since we know that the suspect left China in the third week of november, we assume that the iPhone was assembled the previous week, giving us digits DP.

The remaining digits denote the phone model. We know we have an iPhone 8. This gives us the remaining digits: C6.

The full serial number: FKTDP621JC6H.

To calculate the UDID I wrote a quick python script:

from pwnlib.util.hashes import sha1sumhex

# serial number decoding: https://en.tab-tv.com/?p=18929
SERIAL = "FKTDP621JC6H"
ECID = "2843135617639718"
WIFI = "14:88:e6:ac:63"
BLUETOOTH = "14:88:e6:ac:64"
print(sha1sumhex(SERIAL + ECID + WIFI + BLUETOOTH))

Running this sript gives us:

Note here that we were given the last 4 digits of the UDID, which match the calculated UDID. Neat sanity check.

Solving

From there, we just have to complete our spoofed iPhone response:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>UDID</key>
        <string>1d87930059bad8eab14bebb81d7680c02a299ac6</string>
        <key>PRODUCT</key>
        <string>iPhone10,1</string>
    </dict>
</plist>

and send it to the server:

and there's the flag!

Here's the flag: sun{2de17cd306bcb1606f2ee23f05bf1504a537d}

Conclusion

That's it for the TSA Techie challenge. A nice introduction into iOS configuration profiles, some iPhone spec internals and a bit of OSINT. Fun challenge!

If you're interested in other writeups for this CTF, check out my profile as they might keep popping up if I find the time! 👋

Linux/Talking to the dead 1-4 @ Hacktober CTF 2020 write-up

Jason Rebelo — Thu, 22 Oct 2020 12:19:21 +0000

Hacktober CTF logo

This post is part of my Hacktober CTF 2020 writeups series. To check out the entire series, read the post below.

Hacktober CTF 2020 write-up series

Jason Rebelo ・ Oct 19 ・ 2 min read

#ctf #hacktober #cybersecurity #security

Talking to the dead 1 (30 points)

We've obtained access to a server maintained by spookyboi. There are four flag files that we need you to read and submit (flag1.txt, flag2.txt, etc). Submit the contents of flag1.txt.

ssh hacktober@env.hacktober.io

Password: hacktober-Underdog-Truth-Glimpse

challenge author: syyntax

Analysis

So here we are given access to a server and are supposed to find a few important files denoted flagX.txt, X being 1 to 4.

The first thing to do is to connect to that server and do some file discovery.

Discovery

Connecting to the server

After connecting to the server, since we know what files we are looking for,
we can simply run find to see if all 4 files show up in our search.

Finding the files we're looking for

There we go, now we know exactly where the files we need are located.

To break down the above command into simple terms first though:

find is a command that allows us to look for different kinds of files, anywhere on the system. It comes with some neat features such as looking for files with a specific name, or files with a specific extension, and so on.
the / character indicates to the find command that we want to search everywhere on the system.
the -name "*flag*.txt"* argument indicates to the find command that we are looking for files with a name that has "flag" in its name, and ends with the extension ".txt".
2>/dev/null redirects all error output outside of our view. This makes it so we don't see a bunch of errors while trying to find files in folders that we don't have permission to see.

Solving

From here, we can simply read the file since we know its location:

Here's the flag: flag{cb07e9d6086d50ee11c0d968f1e5c4bf1c89418c}

Talking to the dead 2 (30 points)

There's a hidden flag that belongs to luciafer. Submit the contents of the hidden flag2.txt.

ssh hacktober@env.hacktober.io

Password: hacktober-Underdog-Truth-Glimpse

challenge author: syyntax

Analysis

The challenge here was that this file is a hidden file (it starts with a ., this makes it so that the file is usually hidden from searches, unless we are specifically looking for hidden files, which we are!).

Since we expected this from the start, we made find look for this kind of file, too.

Solving

Once again, we can simply read the file since we know its location:

Here's the flag: flag{728ec98bfaa302b2dfc2f716d3de7869f3eadcbf}

Talking to the dead 3 (100 points)

Submit the contents of flag3.txt from the remote machine.

ssh hacktober@env.hacktober.io

Password: hacktober-Underdog-Truth-Glimpse

challenge author: syyntax

Analysis

We already know where this file is, but we don't have the rights to read it:

The logical next step here is to find a way to either get access to that user's
login credentials, or to find an application that allows us to bypass our insufficient permissions.

Discovery

To achieve this, I ran LinEnum, a script that automatically checks the entire system for potential ways of gaining higher privileges. Nothing interesting showed up though in terms of privilege escalation, other than potential applications with the SUID bit set.

The SUID bit allows any user to run an application with elevated privileges.

In order to find these kinds of applications, that potentially allows us to escalate our privileges, we can also use the find command:

Most of these applications look and are quite normal, they are part of the packaged linux applications. One of these stands out though: ouija. It's not a standard application, so let's see what it's all about.

Oh. This application lets us read files in the root directory, regardless of whether we have the right to or not.

The problem now though, is that the file we want to open right now, is not in the root directory.

Solving

We first try to pass the full path to the flag3.txt file to ouija:

We notice that it doesn't work, but we also notice immediately that the program simply takes the path we provide, and appends it to /root, so maybe we can just do some simple path traversal to get to the file we want to read?

There we go! Simple as that 😎

Here's the flag: flag{445b987b5b80e445c3147314dbfa71acd79c2b67}

Talking to the dead 4 (300 points)

We suspect spookyboi doesn't use the root account for this server. There must be some mechanism used to read the flag4.txt file without gaining root. Submit the contents of flag4.txt from the remote machine.

ssh hacktober@env.hacktober.io

Password: hacktober-Underdog-Truth-Glimpse

challenge author: syyntax

Analysis

Looking at the point difference in "Talking to the dead" 3 and 4, we come to the realisation that ouija was probably supposed to be part of "Talking to the dead 4" only, and the path traversal trick was an unintended solution to "Talking to the dead 3". I'm guessing that there was a way to find the password for the spookyboi user, maybe from another challenge.

Either way, there is no big secret about solving this challenge anymore 😛

Solving

Here's the flag: flag{4781cbffd13df6622565d45e790b4aac2a4054dc}

Conclusion

That's it for the "Talking to the dead" challenges. A pretty easy linux challenge that required some knowledge about finding files, path traversal tricks, SUID bits, and maybe some effort into finding spookyboi's password? We'll never know!

If you're interested in other writeups for this CTF, check out the post below.

Hacktober CTF 2020 write-up series

Jason Rebelo ・ Oct 19 ・ 2 min read

#ctf #hacktober #cybersecurity #security

OSINT/Past Attacks @ Hacktober CTF 2020 write-up

Jason Rebelo — Mon, 19 Oct 2020 16:54:14 +0000

Hacktober CTF logo

This post is part of my Hacktober CTF 2020 writeups series. To check out the entire series, read the post below.

Hacktober CTF 2020 write-up series

Jason Rebelo ・ Oct 19 ・ 2 min read

#ctf #hacktober #cybersecurity #security

Past Attacks (20 points)

Knowing that it is going to be an attack against a Financial firm.
What is the type of attack that is likely to happen?

Enter the answer as flag{word word}.

challenge author: nmott131

Analysis

The task here was to find a specific attack. This was much harder than I had expected as there are many different kinds of attacks, and it was unclear whether the challenge author was interested in the umbrella term or specific attack names that have occurred in the past (yes, the intent is much clearer in retrospect 🤦‍♂️) so I had to resort to unlocking two hints:

look up attacks that have hit financial firms in the past
this attack has hit polish financial firms

Solving

From there, I found an article that mentions very specific attacks, which are dubbed watering-hole attacks. These attacks are mentioned in conjunction with one of the victims of these atacks: Polish banks.

Here's the flag: flag{watering hole}

Conclusion

That's it for the Past Attacks challenge. It felt a bit guessy, and without the hints it would have been hard with my limited knowledge to find specific attack types that fit the bill. Or rather, there were too many to chosoe from?

If you're interested in other writeups for this CTF, check out the post below.

Hacktober CTF 2020 write-up series

Jason Rebelo ・ Oct 19 ・ 2 min read

#ctf #hacktober #cybersecurity #security

Hacktober CTF 2020 write-up series

Jason Rebelo — Mon, 19 Oct 2020 16:53:21 +0000

Hacktober CTF logo

The Hacktober 2020 CTF is by far the most fun and educational CTF I have ever participated in.

Introduction

This CTF was hosted by CyberHacktics and CyberUp, in support of National Cyber Security Awareness Month.

Players have to take on a group of notorious hackers:
DEADFACE.

Hacktober CTF differs from your normal CTF in that it considers a cohesive story that ties challenges together to be essential, letting players know why they need to find a flag.

DEADFACE is a notorious hacker group who increase their activity particularly in October. They're all about theatrics and inciting fear. They employ a variety of different hackers, each with their own unique skillsets. One of the calling cards of DEADFACE is that they use a Halloween-themed naming convention for their attacks and artifacts left on their victim's machines.

Source: https://blog.cyberhacktics.com/hacktober-2020/

Challenges

The challenges are broken down into various categories, and many of them require knowledge acquired throughout the CTF, as part of that previously mentioned cohesive storyline. The challenges mainly revolve around members of DEADFACE leaving information, files, and hints on a public forum for us to find. We can then start forming a picture of the various members, what they do, what kind of person they are, the techniques they use, and so on and so forth.

The main challenge categories are:

cryptography
steganography
linux
traffic analysis
forensics
OSINT
programming
sql
web exploitation
bonus

My writeups for the solved challenges will be linked at the end of this article.

Personal results

My favourite categories were mostly well represented in this CTF. There were a lot of forensics and OSINT related challenges. Web exploitation was definitely the least represented one, but often the most guessy, or the easiest challenges in these competitions.

As per usual, I participated alone and managed to climb my way to 151st out of 1062 participants. 🥇

The biggest take-away from this competition though is the amount of newly acquired knowledge. From new steganography techniques I had never heard of, to learning how to read and evaluate memory dumps, prefetch informatio, and the likes.

Prizes & Recognition

Cash prizes are provided for US residents. The top three US based teams are awarded $400, $200, and $100 respectively.

Non-US residents participated for bragging rights, and some digital badges to be redeemed at badgr.io.

Hacktober CTF badges

Writeups

I'm posting all my writeups as separate blog posts, minus the challenges that are split into multiple parts, those have all been merged into one.

Updated as all writeups are published ⏰

OSINT

OSINT/Creeping 1-4 @ Hacktober CTF 2020 write-up

Jason Rebelo ・ Oct 19 ・ 3 min read

#ctf #hacktober #cybersecurity #osint

OSINT/Past Attacks @ Hacktober CTF 2020 write-up

Jason Rebelo ・ Oct 19 ・ 2 min read

#ctf #hacktober #cybersecurity #osint

Linux

Linux/Talking to the dead 1-4 @ Hacktober CTF 2020 write-up

Jason Rebelo ・ Oct 22 ・ 4 min read

#ctf #hacktober #cybersecurity #linux

OSINT/Creeping 1-4 @ Hacktober CTF 2020 write-up

Jason Rebelo — Mon, 19 Oct 2020 16:29:40 +0000

Hacktober CTF logo

This post is part of my Hacktober CTF 2020 writeups series. To check out the entire series, read the post below.

Hacktober CTF 2020 write-up series

Jason Rebelo ・ Oct 19 ・ 2 min read

#ctf #hacktober #cybersecurity #security

Creeping 1 (10 points)

Ali Tevlin is quite active on Ghost Town and we believe he's behind some of the recent attacks on De Monne Financial. See what you can find out about him on the internet - it might give us an idea about why he's targeting De Monne Financial.

What company does Ali Tevlin work for? Submit the flag in this format: flag{Little Shop of Horrors}

challenge author: syyntax

Key information

Let's establish some key information we have been given.

Name: Ali Tevlin
Username: alitevlin
Active on Ghost Town (https://www.ghosttown.xyz)
Involved in recent De Monne Financial attacks

Ghost Town

We can easily find his profile on ghosttown. However, there was nothing related to his current position on there as far as I am aware.

Intel

The intel page mentions that he is employed at De Monne Financial's rival.

Solution

We simply look up his username on a google search and find his facebook profile.

We know it's the correct profile because the same person appears in the available pictures.

Good thing our person of interest is very active on Facebook, and shares information willingly!

Here's the flag: flag{F. Kreuger Financial} ✅

Creeping 2 (10 points)

Based on what you've been able to discover about Ali Tevlin, tell us what his position is at his current company.

Submit the flag in the following format: flag{Chief Executive Officer}

challenge author: syyntax

Solution

From that same Facebook profile, and visible on the previous image, we are able to extract this information, too.

Here's the flag: flag{Senior Acquisitions Supervisor} ✅

Creeping 3 (10 points)

For claiming to be part of a hacker group as dangerous as DEADFACE, I'm surprised how much sensitive information Ali posts online. Based on the information you've been able to gather on Ali Tevlin, what date was he born?

Submit the flag in the following format: flag{dd mmm yyyy}.

challenge author: syyntax

Solution

Once again, that Facebook profile proves beneficial. In his about section, we find his birthdate.

Here's the flag: flag{17 jun 1973} ✅

Creeping 4 (30 points)

Ali Tevlin went on vacation in August. Based on his social media activity, which town did he stop in first? Submit the flag as flag{City, State}.

Example: flag{Albany, NY}

challenge author: syyntax

Key information

Let's once again establish the information we've been given.

vacation in August
social media activity will help
need to find location of the first stop

The logical step here is to re-use the Facebook profile, look for posts or pictures that date back to August and see what we can find.

Solution

Taking a look at Ali's pictures we find this one:

Ali posted this picture in August:

Since this picture includes some sort of statue, it is likely that we will find information about that statue with a simple reverse image search.

Google immediately recognises it and tells us that it's the Mothman Statue, located in Point Pleasant, West Virginia.

Here's the flag: flag{Point Pleasant, WV} ✅

Conclusion

That's it for the Creeping challenge. Some pretty straight forward and simple OSINT.

If you're interested in other writeups for this CTF, check out the post below.

Hacktober CTF 2020 write-up series

Jason Rebelo ・ Oct 19 ・ 2 min read

#ctf #hacktober #cybersecurity #security