by RSS Axelle Apvrille  |  Dec 07, 2017  |  Filed in: Security Research

Update Dec 8 2017: adding legends to videos & pictures

Ph0wn, a CTF dedicated to smart devices, is over! It was a real success, with ~70 participants for this first editions. 16 teams of (a max of) 5 lined up for the competition. 11 teams managed to score in at least one challenge - we are sorry for the 5 remaining teams, but hope they had fun nevertheless.

Of course, we congratulate the top 3 teams, who deserved their drone & raspberry pi gaming kits as prizes. We would also like to extend congratulations to all participants. We enjoyed the team spirit as well as the sense of fair play and participants being open-minded.

We are also very proud of Laurent, a Fortinet employee in the Pwntera team (3rd), and the Fortinet Tiger Team (8th). The tiger team started off very well, but bumped into difficulties later.

Despite the late hour, competition was fierce until the end. In particular, one team was close to flagging the drone challenge at 1.40 AM (but unfortunately did not quite make it on time), and the Fortinet Tiger Team was extremely close to flagging the toothbrush challenge.

Challenges overview

Parrot Drone ("Apollo Mission")

One of the challenges consisted of making a Parrot drone fly... without any prior knowledge or access to it. The participants first had to locate it on wi-fi, for example using nmap. Then, there were different options to flag, One team used a nice Python project on github that they modified to their needs. Another team tried to directly bruteforce the GPIOs of the drone's motors. Yet another option could have been to retrieve the official Parrot application and hack it to change the IP address of the drone.

 

The challenge "Apollo Mission" - designed by Ludovic Apvrille (Telecom ParisTech)

Weather station

Another challenge, created by Philippe Paget for the CTF, involved a fully functional weather station, complete with temperature and humidity sensors. (The custom boot was so nice we just liked to watch it boot!) The challenge featured 4 different stages, each gradually becoming harder and harder. There were 11 solves for stage 1, 4 for stage 2, 1 for stage 3, and none for stage 4 (NOPS was close, though).

 

The weather station - video of Philippe Paget (GreHack)

ReconJet smart glasses ("Help X-Men")

We also had a challenge focused on ReconJet smart glasses. The first stage consisted of actually using the glasses and noticing a new application named "Ph0wn Glasses". In that application, a QR code was displayed, and participants had to find a way to retrieve it.

The ReconJet Ph0wn application - by ... myself :)

In the second stage, participants were meant to download that new application and analyze it. This stage did not require much in the way of reverse engineering skills: people just had to notice that there was an additional hidden activity, find a way to display it, and read it.

Finally, the third stage consisted of actually using the smart glasses. At the end of stage 2, the application said to search in the room in a North West direction. The smart glasses feature a compass, so it was possible to use that compass to locate North West (if needed). After a quick search participants would be able to locate a white envelope on a white wall :)

Hidden envelope for last stage of smart glasses challenge

That envelope contained a grid of words. As part of stage 3, a participant had to locate given words and then provide their coordinates as part of the flag.

Part of the puzzle to solve to flag stage 3 of smart glasses challenge

Hardware Rework

For those who wanted to exercise, Ph0wn CTF offered 3 different levels of hardware challenges. In those challenges, STM Nucleo boards with NFC had intentionally been damaged, and participants had to fix them and then use NFC to find the flag.

Many participants tried those challenges. According to their creator, it was an "easy way to grab points". Stage 1 was solved 9 times, stage 2, 7 times and stage 3, 4 times.

Simon Bryden (Fortinet) working on Rework, a challenge created by Aurelien Francillon (Eurecom)

FortiCam

A smart devices CTF without an IP webcam? Impossible!

Our FortiCam challenge featured a FortiCam MB40. Participants first had to find default credentials to login. Whether reading on Internet or just guessing, that wasn't a problem for most teams. ;) Once the team was logged into the webcam's UI they then had to locate the flag.

The flag could have been hidden in many places and many different ways, but this particular challenge was easy (50 points) and could be solved without writing a single line of script. Participants just needed to notice that some videos had been recorded on the SD card in October of 2017. After viewing one or two videos, they'd see the right one and then record the flag on a sticker :)

 

Part of the video to find on the FortiCam - a challenge designed by myself :)

Incidentally, the FortiCams were also providing a live feed of the CTF room and the hardware soldering area. I don't know if participants noticed, but it was fun to monitor them struggling on the hardware challenges. ;P lol

And more

There were many other challenges. For example on the Black Alps badge (thanks to @Baldanos), or the washing machine simulator, or a Bluetooth Low Energy beacon or some Arduino boards (idea of @acervoise).

=====================================================================
===Welcome to superclean 3000 - the washing machine of the future!===
=====================================================================

Initializing ..........Done!


What do you want to do?
1) Select Washing programs
2) Start Washing Machine
3) Change Display Text
4) Enter administrative shell

The boot of the washing machine - challenge created by Marius Muench (Eurecom)

Challenges without equipment

A few challenges did not involve any equipment at all, and ensured that teams had enough to work at all time (teams needed to book equipment in advance for a 10 to 20 minute time slot). Among those challenges, there were videos of a connected toothbrush, or our Android Home Alarm application. Ha, this one was solved only once, mostly because participants failed to notice hidden code in the Smali bytecode.

Only a few tried the Retro games. A pity! I had personally had so much fun testing Don't Panic, a hacked version of the old "Hitchhiker's Guide to the Galaxy", a text-based game for Z-Machine. I even played part of the game, getting run over by a bulldozer or killed by the Captain. You can try the challenge here, just make sure to not look at the spoiler.

Playing Don't Panic - challenge designed by Fabrice Frances (ISAE)

Others members of the Ph0wn CTF core team also had a lot of fun playing "Ph0wn Invaders". It's like Space Invaders, but for ph0wn. :)

It was a real pleasure to organize 2017's Ph0wn CTF, and we hope to see you there next year!

-- the Crypto Girl for the Ph0wn CTF team

References:

Sign up for our weekly FortiGuard Labs intel briefs or to be a part of our open beta of Fortinet’s FortiGuard Threat Intelligence Service.

by RSS Axelle Apvrille  |  Dec 07, 2017  |  Filed in: Security Research