├── write-ups
│   └── insomni'hack
│       └── The_Exploit_Quest
│           ├── assets
│           │   ├── QR1.jpeg
│           │   ├── Numpad.jpeg
│           │   ├── image-20230324214745768.png
│           │   ├── image-20230325012240254.png
│           │   ├── image-20230325012328001.png
│           │   ├── image-20230325012608641.png
│           │   ├── image-20230325012628727.png
│           │   ├── image-20230325012632779.png
│           │   ├── image-20230325015913882.png
│           │   ├── image-20230325020019495.png
│           │   ├── image-20230325020316449.png
│           │   ├── image-20230327130635275.png
│           │   ├── image-20230327135247471.png
│           │   ├── image-20230327140041676.png
│           │   ├── image-20230327153758755.png
│           │   ├── image-20230327153900553.png
│           │   ├── image-20230327154333806.png
│           │   ├── image-20230404120738424.png
│           │   ├── image-20230404120845300.png
│           │   ├── image-20230404121014800.png
│           │   ├── image-20230404121734682.png
│           │   ├── image-20230404132902087.png
│           │   ├── image-20230404132959019.png
│           │   ├── image-20230404133116283.png
│           │   ├── image-20230404133132063.png
│           │   ├── image-20230404133224300.png
│           │   └── image-20230404133409529.png
│           └── README.md
├── .gitmodules
├── ph0wn
│   └── README.md
├── DVID
│   └── README.md
├── hackropole
│   └── README.md
├── ics
│   └── README.md
├── DVAR
│   └── README.MD
├── hackthebox
│   └── README.md
├── DVRF
│   └── README.MD
├── IoTGoat
│   └── README.md
├── radio
│   └── README.md
├── .all-contributorsrc
└── README.md

/write-ups/insomni'hack/The_Exploit_Quest/assets/:
--------------------------------------------------------------------------------
Binary images referenced by the write-up. Each file listed under assets/ above is served from
https://raw.githubusercontent.com/iamABH/awesome-hardware-ctf/HEAD/write-ups/insomni'hack/The_Exploit_Quest/assets/<filename>
--------------------------------------------------------------------------------
/.gitmodules:
--------------------------------------------------------------------------------
[submodule "ph0wn/write-up"]
	path = ph0wn/write-up
	url = https://github.com/ph0wn/writeups.git
[submodule "riscure-hack-me-2017"]
	path = riscure-hack-me-2017
	url = https://github.com/Riscure/Rhme-2017
--------------------------------------------------------------------------------
/ph0wn/README.md:
--------------------------------------------------------------------------------
# ph0wn 2022

## Description

Ph0wn is a Capture The Flag (CTF) dedicated to smart devices, held in Sophia Antipolis, France.

The workshops and the CTF are free, and I recommend going if you can!

## Links

[Official github repo](https://github.com/ph0wn/writeups)
[Official Website](https://ph0wn.org/)
--------------------------------------------------------------------------------
/DVID/README.md:
--------------------------------------------------------------------------------
# Damn Vulnerable IoT Device (DVID)

## Description

DVID is an open-source board whose main objective is to provide a deliberately vulnerable target for improving IoT hacking skills.

You can DM [Vulcainreo](https://twitter.com/Vulcainreo) on Twitter for more information!

## Links

[Official Github Repository](https://github.com/Vulcainreo/DVID)
[Official Website](https://dvid.eu/)
--------------------------------------------------------------------------------
/hackropole/README.md:
--------------------------------------------------------------------------------
# Hackropole

## Description

Hackropole lets you replay the challenges of the France Cybersecurity Challenge, and it hosts a lot of hardware challenges.

Every challenge can be run in a virtual environment (where one is needed).

The hardware track covers fields such as side-channel attacks, radio, communication protocols and more.

## Links

[Hackropole](https://hackropole.fr/en/hardware/)
--------------------------------------------------------------------------------
/ics/README.md:
--------------------------------------------------------------------------------
# Industrial Control Systems

## Description

You can find some ICS/SCADA challenges on [TryHackMe](https://tryhackme.com) and [HackTheBox](https://app.hackthebox.com).

## Links

### HackTheBox

[Factory](https://app.hackthebox.com/challenges/factory)

### TryHackMe (good to start with)

[Attacking ICS Plant #1](https://tryhackme.com/room/attackingics1)

[Attacking ICS Plant #2](https://tryhackme.com/room/attackingics2)

--------------------------------------------------------------------------------
/DVAR/README.MD:
--------------------------------------------------------------------------------
# Damn Vulnerable Arm Router (DVAR)

## Description

DVAR is an emulated Linux-based ARM router running a vulnerable web server, on which you can sharpen your ARM stack-overflow skills.

You can DM [Therealsaumil](https://twitter.com/therealsaumil) on Twitter for more information!

## Links

[Official Vulnhub Link](https://www.vulnhub.com/entry/damn-vulnerable-arm-router-dvar-tinysploitarm,224/)

[Official Website](https://blog.exploitlab.net/2018/01/dvar-damn-vulnerable-arm-router.html)
--------------------------------------------------------------------------------
/hackthebox/README.md:
--------------------------------------------------------------------------------
# HackTheBox

## Description

There is a whole hardware category on HackTheBox with dozens of well-designed challenges.

Topics range from RF to firmware reverse engineering, MQTT (Mosquitto), ICS (Modbus), etc.

Write-ups are not allowed on active challenges, but I will post as many write-ups as possible as soon as challenges are retired!

For active challenges you can still ask for help on the HackTheBox Discord.

## Links

[HackTheBox](https://app.hackthebox.com/)

[HackTheBox Discord](https://discord.gg/hackthebox)
--------------------------------------------------------------------------------
/DVRF/README.MD:
--------------------------------------------------------------------------------
# Damn Vulnerable Router Firmware (DVRF)

## Description

The goal of this project is to simulate a real-world environment to help people learn about CPU architectures outside the x86_64 space. It will also help people get started discovering new things about hardware.

You can DM [Praetorianlabs](https://twitter.com/praetorianlabs) on Twitter for more information!

## Links

[Official Github Repository](https://github.com/praetorian-inc/DVRF)
[Official Website](https://www.praetorian.com/blog/getting-started-with-damn-vulnerable-router-firmware-dvrf-v0.1)
--------------------------------------------------------------------------------
/IoTGoat/README.md:
--------------------------------------------------------------------------------
# OWASP IoTGoat

## Description

OWASP IoTGoat is a deliberately vulnerable router firmware based on OpenWrt, built for practising the discovery of IoT vulnerabilities from the [OWASP IoT Top 10](https://wiki.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Top_10), in the same way [Juice Shop](https://github.com/juice-shop/juice-shop) or [Mutillidae](https://owasp.org/www-project-mutillidae-ii/) are used for learning web security.
It is somewhat old but still useful for learning.

You can either work in a virtual environment or flash the firmware onto a Raspberry Pi 2.

## Links

[IoTGoat github](https://github.com/OWASP/IoTGoat/)
--------------------------------------------------------------------------------
/radio/README.md:
--------------------------------------------------------------------------------
# Radio frequency

## Description

You can find some radio-frequency challenges on [Root-me](https://root-me.org) and [HackTheBox](https://app.hackthebox.com).

## Links

### HackTheBox

[Signals](https://app.hackthebox.com/challenges/signals)

### Root-me

[RF-AM-Transmission](https://www.root-me.org/en/Challenges/Reseau/RF-AM-Transmission)

[RF-FM-Transmission](https://www.root-me.org/en/Challenges/Network/RF-FM-Transmission)

[RF-Key-Fixed-Code](https://www.root-me.org/en/Challenges/Network/RF-Key-Fixed-Code)

[RF-Satellite-transmission](https://www.root-me.org/en/Challenges/Network/RF-Satellite-transmission)

[RF-L-Band](https://www.root-me.org/en/Challenges/Network/RF-L-Band)
--------------------------------------------------------------------------------
/.all-contributorsrc:
--------------------------------------------------------------------------------
{
  "files": [
    "README.md"
  ],
  "imageSize": 100,
  "commit": false,
  "commitConvention": "angular",
  "contributors": [
    {
      "login": "Enelg52",
      "name": "Enelg52",
      "avatar_url": "https://avatars.githubusercontent.com/u/70370923?v=4",
      "profile": "https://github.com/Enelg52",
      "contributions": [
        "content"
      ]
    },
    {
      "login": "Numb3rsProprety",
      "name": "Numb3rs",
      "avatar_url": "https://avatars.githubusercontent.com/u/64932654?v=4",
      "profile": "https://github.com/Numb3rsProprety",
      "contributions": [
        "content"
      ]
    }
  ],
  "contributorsPerLine": 7,
  "skipCi": true,
  "repoType": "github",
  "repoHost": "https://github.com",
  "projectName": "awesome-hardware-ctf",
  "projectOwner": "iamABH"
}
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# 🧰 Awesome Hardware CTF

[![All Contributors](https://img.shields.io/badge/all_contributors-2-orange.svg?style=flat-square)](#contributors-)

Awesome Hardware CTF is a curated list of **hardware-oriented** CTF challenges.

We did not create these challenges; we only intend to centralize challenges that are spread across many platforms and lost in the galaxy of the World Wide Web.

# ❤️ Contributing

If you find a challenge that is not listed here, don't hesitate to open a pull request!

We want this repo to be as complete as possible, across all the topics that hardware hacking can cover.

## Contributors ✨

Thanks go to these wonderful people ([emoji key](https://allcontributors.org/docs/en/emoji-key)):

| [Enelg52](https://github.com/Enelg52) | [Numb3rs](https://github.com/Numb3rsProprety) |
| :---: | :---: |
| 🖋 | 🖋 |

This project follows the [all-contributors](https://github.com/all-contributors/all-contributors) specification. Contributions of any kind welcome!
--------------------------------------------------------------------------------
/write-ups/insomni'hack/The_Exploit_Quest/README.md:
--------------------------------------------------------------------------------
# The Exploit Quest

# Step 1

![image-20230325012608641](assets/image-20230325012608641.png)

## Data leak 1/3

A small [IDOR](https://portswigger.net/web-security/access-control/idor) gets us the first zip: data leak 2/3 is served under ID 1338, so we change the ID to 1337 and download the first file.

![image-20230325012632779](assets/image-20230325012632779.png)

## Data leak 2/3

The page's JavaScript contains these functions:

```js
function xor(a, b) {
    return a ^ b;
}

function add(a, b) {
    return a + b;
}

function times(a, b) {
    return a * b
}

function encrypt(pt) {
    let key = "TheKey"
    let ct = new Array();
    for(let i = 0; i < pt.length; ++i) {
        a = key.charCodeAt(i%key.length);
        b = pt.charCodeAt(i);
        switch(i%3) {
            case 0:
                ct.push(xor(a,b));
                break;
            case 1:
                ct.push(add(a,b));
                break;
            case 2:
                ct.push(times(a,b));
                break;
            default:
                break;
        }
    }
    return btoa(ct.toString())
}

// To remove after tests
// expected_ct = "MzQsMjE1LDExODE3LDQwLDIwNSwxMjIyMSwzOCwxOTksMTA1MDQsNjIsMTU2LDE0MDM2LDUwLDIwOSw3MTcxLDMxLDE3NCw2NjU1LDM4LDE1OCwxMDEwMCw0NSwyMTcsODgzMywzNCwyMjEsMTE1MTQsMTI1LDIxNSw4NDcwLDAsMjIyLDEwNjA1LDQ3LDE1NSwxNDE1Nyw5NiwxNTcsNzA3MCwyNSwxOTEsMTIxMDAsOTcsMjIxLDEwMTAwLDQ3LDIxNSwxNDE1Nw==";
```

The "encryption" is a per-character XOR, addition or multiplication with a hard-coded six-byte key, and the expected ciphertext was left behind in a comment, so all that is needed is a decrypt() that inverts each operation. We had ChatGPT generate it.
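The decrypt() that follows inverts each operation with the key in hand. The block below is an added example, not code from the write-up or the challenge: it does the same inversion with the key as a parameter, and also shows why a scheme like this gives no protection even if the key had not been shipped to the browser, by recovering the key from a known-plaintext prefix. The key length of 6 is read off the leaked JavaScript; the prefix `voucher_` is an assumption about how the vouchers are named.

```javascript
// Added example, not code from the write-up: invert the challenge's encrypt() with the
// key in hand, and recover the key from a known-plaintext prefix without it.
// Assumptions (not from the page): the key length 6 is read off the leaked JS, and the
// prefix "voucher_" is a guess at how the vouchers are named.
const OPS = {
  // op index = position % 3; each entry can encrypt, decrypt and solve for the key byte
  0: { enc: (k, p) => k ^ p, dec: (k, c) => k ^ c, key: (p, c) => c ^ p },
  1: { enc: (k, p) => k + p, dec: (k, c) => c - k, key: (p, c) => c - p },
  2: { enc: (k, p) => k * p, dec: (k, c) => c / k, key: (p, c) => c / p },
};

// Same scheme as the page's encrypt(), with the key as a parameter.
function encryptWith(pt, key) {
  const ct = [];
  for (let i = 0; i < pt.length; i++) {
    ct.push(OPS[i % 3].enc(key.charCodeAt(i % key.length), pt.charCodeAt(i)));
  }
  return Buffer.from(ct.join(","), "utf8").toString("base64");
}

// btoa(ct.toString()) produced a base64 comma-separated list of integers.
function parseCt(ct) {
  return Buffer.from(ct, "base64").toString("utf8").split(",").map(Number);
}

function decryptWith(ct, key) {
  return parseCt(ct).map((c, i) => {
    const v = OPS[i % 3].dec(key.charCodeAt(i % key.length), c);
    // A wrong key shows up as a non-integer (division) or an out-of-range code point.
    if (!Number.isInteger(v) || v < 0 || v > 0xffff) {
      throw new Error(`position ${i}: wrong key or corrupt ciphertext`);
    }
    return String.fromCharCode(v);
  }).join("");
}

// Position i uses key byte i % keyLen with operation i % 3, so one known plaintext
// character at position i gives key[i % keyLen] directly. Positions beyond keyLen must
// agree with the bytes already found, otherwise the prefix guess is wrong.
function recoverKey(ct, knownPrefix, keyLen) {
  const nums = parseCt(ct);
  if (knownPrefix.length < keyLen) throw new Error("known prefix shorter than the key");
  const key = new Array(keyLen).fill(null);
  for (let i = 0; i < knownPrefix.length && i < nums.length; i++) {
    const k = OPS[i % 3].key(knownPrefix.charCodeAt(i), nums[i]);
    const j = i % keyLen;
    if (!Number.isInteger(k) || (key[j] !== null && key[j] !== k)) {
      throw new Error(`position ${i}: prefix guess is inconsistent with the ciphertext`);
    }
    key[j] = k;
  }
  return String.fromCharCode(...key);
}

// expected_ct left in the challenge's JavaScript
const LEAKED_CT = "MzQsMjE1LDExODE3LDQwLDIwNSwxMjIyMSwzOCwxOTksMTA1MDQsNjIsMTU2LDE0MDM2LDUwLDIwOSw3MTcxLDMxLDE3NCw2NjU1LDM4LDE1OCwxMDEwMCw0NSwyMTcsODgzMywzNCwyMjEsMTE1MTQsMTI1LDIxNSw4NDcwLDAsMjIyLDEwNjA1LDQ3LDE1NSwxNDE1Nyw5NiwxNTcsNzA3MCwyNSwxOTEsMTIxMDAsOTcsMjIxLDEwMTAwLDQ3LDIxNSwxNDE1Nw==";

if (typeof require !== "undefined" && require.main === module) {
  console.log("key from known prefix:", recoverKey(LEAKED_CT, "voucher_", 6));
  console.log("password:", decryptWith(LEAKED_CT, "TheKey"));
}
```

Because the key repeats every 6 characters and the operation every 3, each ciphertext position depends on exactly one key byte, so eight known plaintext characters are enough to pin down all six bytes and cross-check two of them. That is the practical reason client-side "encryption" of a secret is no better than sending it in clear.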

```js
function decrypt(ct) {
    let key = "TheKey";
    let pt = '';
    let arr = atob(ct).split(',');
    for (let i = 0; i < arr.length; i++) {
        let a = key.charCodeAt(i % key.length);
        let c = parseInt(arr[i]);
        switch (i % 3) {
            case 0:
                pt += String.fromCharCode(xor(a, c));   // xor() from the snippet above
                break;
            case 1:
                pt += String.fromCharCode(c - a);
                break;
            case 2:
                pt += String.fromCharCode(c / a);       // exact: encrypt() multiplied by a
                break;
            default:
                break;
        }
    }
    return pt;
}
```

This gives us the password `voucher_hu7tfiGTI7r6dftIvur6rFTvid6u45FRZd5uddru`.

With it we can download the numpad's documentation PDF.

## Data leak 3/3

The download form returns a MySQL error, so we try the basic injection payload `' OR 1=1 #`.

![image-20230325015913882](assets/image-20230325015913882.png)

That let us download the third file: the API documentation.

## Wiegand

The first leak we downloaded is a capture made with a logic analyser. It can be opened with [Logic 2](https://www.saleae.com/fr/downloads/). Once opened, the signal looked like this:

![image-20230325012240254](assets/image-20230325012240254.png)

The documentation states that the signal is sent using the Wiegand protocol.

![image-20230327130635275](assets/image-20230327130635275.png)

Logic 2 cannot decode Wiegand natively, but [PulseView](https://sigrok.org/wiki/PulseView) can, so the capture has to be exported from Logic 2 as CSV and imported into PulseView.

![image-20230325012328001](assets/image-20230325012328001.png)

From there we can recover a sequence of bits. It is not standard BCD, but the conversion table is given in the documentation.
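The PulseView step and the nibble lookup can be done in a few lines of code once you know how Wiegand puts bits on the wire: the reader sees two open-collector lines, DATA0 and DATA1, both idle high; a short low pulse on DATA0 is a 0 bit and a pulse on DATA1 is a 1 bit. The block below is an added example, not the write-up's own script: it turns a two-channel CSV export into a bit string and then into key presses using the numpad table shown in the Ruby script further down. The CSV layout (one row per transition, `time,DATA0,DATA1`, in the style of a Logic 2 digital export) is an assumption, and `SAMPLE_CSV` is constructed here, not a real capture.

```javascript
// Added example, not part of the write-up: two-channel logic-analyser CSV -> Wiegand bits
// -> keypad presses. Assumed: CSV rows are "time,DATA0,DATA1" (one row per transition,
// header first), both lines idle high, one key press = one 4-bit frame.
// The conversion table is the one from the challenge's numpad documentation.
const KEYPAD_TABLE = {
  "0000": "0", "0001": "1", "0010": "2", "0011": "3", "0100": "4",
  "0101": "5", "0110": "6", "0111": "7", "1000": "8", "1001": "9",
  "1010": "*", "1011": "#", "1111": "F2",
};
const KEY_TO_NIBBLE = Object.fromEntries(
  Object.entries(KEYPAD_TABLE).map(([nibble, key]) => [key, nibble]));

// Constructed sample capture (not real data): 50 us pulses every 2 ms, frames 0100 1011.
const SAMPLE_CSV = [
  "Time [s],DATA0,DATA1",
  "0.000000,1,1",
  "0.001000,0,1", "0.001050,1,1", // bit 0 -> pulse on DATA0
  "0.003000,1,0", "0.003050,1,1", // bit 1 -> pulse on DATA1
  "0.005000,0,1", "0.005050,1,1",
  "0.007000,0,1", "0.007050,1,1",
  "0.009000,1,0", "0.009050,1,1",
  "0.011000,0,1", "0.011050,1,1",
  "0.013000,1,0", "0.013050,1,1",
  "0.015000,1,0", "0.015050,1,1",
].join("\n");

// Walk the transitions in time order; a falling edge on DATA0 is a 0, on DATA1 a 1.
function wiegandBitsFromCsv(csv) {
  const rows = csv.trim().split(/\r?\n/).slice(1)
    .map(line => line.split(",").map(Number))
    .sort((a, b) => a[0] - b[0]);
  let d0 = 1, d1 = 1; // idle state
  let bits = "";
  for (const [, n0, n1] of rows) {
    const fall0 = d0 === 1 && n0 === 0;
    const fall1 = d1 === 1 && n1 === 0;
    if (fall0 && fall1) throw new Error("both lines pulsed at once: not a Wiegand frame");
    if (fall0) bits += "0";
    if (fall1) bits += "1";
    d0 = n0; d1 = n1;
  }
  return bits;
}

// Group into 4-bit frames; refuse a partial frame or an unmapped nibble instead of
// silently dropping it (a regex scan for groups of four would just discard the remainder).
function decodeKeypad(bits) {
  if (bits.length % 4 !== 0) {
    throw new Error(`${bits.length} bits is not a whole number of 4-bit frames`);
  }
  const keys = [];
  for (let i = 0; i < bits.length; i += 4) {
    const nibble = bits.slice(i, i + 4);
    if (!(nibble in KEYPAD_TABLE)) throw new Error(`nibble ${nibble} at bit ${i} is not in the table`);
    keys.push(KEYPAD_TABLE[nibble]);
  }
  return keys;
}

// Transmitter side: the CSV a capture of these key presses would produce, so the decoder
// can be exercised on any sequence (pulse width and period are illustrative values).
function csvFromKeys(keys, pulseS = 0.00005, periodS = 0.002) {
  const rows = ["Time [s],DATA0,DATA1", "0.000000,1,1"];
  let t = 0.001;
  for (const key of keys) {
    const nibble = KEY_TO_NIBBLE[key];
    if (nibble === undefined) throw new Error(`no nibble for key ${key}`);
    for (const b of nibble) {
      rows.push(`${t.toFixed(6)},${b === "0" ? 0 : 1},${b === "1" ? 0 : 1}`);
      rows.push(`${(t + pulseS).toFixed(6)},1,1`);
      t += periodS;
    }
  }
  return rows.join("\n");
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(decodeKeypad(wiegandBitsFromCsv(SAMPLE_CSV)).join(""));
}
```

The point worth keeping from this capture is that a Wiegand keypad sends every key press in clear with no pairing or encryption between keypad and controller, so anyone who can clip onto the two data lines gets the PIN exactly as the logic analyser did here.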

![image-20230327135247471](assets/image-20230327135247471.png)

We used a Ruby script to decode the BCD:

```ruby
# Conversion table from the numpad documentation: one 4-bit frame per key press
INVMAP = {"0000"=>"0", "0001"=>"1", "0010"=>"2", "0011"=>"3", "0100"=>"4", "0101"=>"5", "0110"=>"6", "0111"=>"7", "1000"=>"8", "1001"=>"9", "1010"=>"*", "1011"=>"#", "1111"=>"F2"}

wiegand = "001000010101000001101000101100100001010010010110100010100010000101011001011010001011001000010101100101101000101100110001010010010110100010100010000101011001011010001011001000010101100101101000101100100001010110010110100010110000000100100011010001011010101100010010100101110100001000100001010110010110100010110010000101011001011010001011001000010101100101101000101110110010000101011001011010000010000101011001011010001011001000100001010110010110100010110010001000010101100101101000101000100001010110010110100010110010000101011001100001101011001000010101100101101000101100100001010110010110100010111001011010000010000101011011001000010101100101101000101100100001001110010001100010100010000101011001011010001011001000010101100101101000101100100001010110010110100010110010000101011001011010001011001000010101100101101000101100100001010100100011101010110010000100010101000101011001011010001011001000010101100101101000101100100010000101011001011010001011001000010101100101101000101"
codes = wiegand.scan(/..../)            # split into 4-bit groups (a trailing partial group is dropped)
puts codes.map { |code| INVMAP[code] }.join
```

![image-20230327140041676](assets/image-20230327140041676.png)

We have our code and can open the first door.

![Numpad](assets/Numpad.jpeg)

Behind the door was this message:

![QR1](assets/QR1.jpeg)

The QR code gave access to the first WLAN:

```
SSID: Quest-Guest
PASS: hL98LnHXB6bwCMEUR6Z5
```

# Step 2

## API

Among the files found on the website there is documentation for an API.

![image-20230327153758755](assets/image-20230327153758755.png)

One function catches our attention:

![image-20230327153900553](assets/image-20230327153900553.png)

```
curl -v 'http://10.0.100.50/api/v1/ressources/accesscard/create?in=1337&name=bato'
```

By default the response says there is no badge, from which we deduce that a badge has to be held against the NFC reader while the request is made.

![image-20230327154333806](assets/image-20230327154333806.png)

We now have a written badge.

## Rewrite the NFC

With a [Flipper Zero](https://flipperzero.one/) or a phone running [MIFARE Classic Tool](https://github.com/ikarus23/MifareClassicTool) we can read the badge.

### Read the NFC

![image-20230404120738424](assets/image-20230404120738424.png)

In ASCII:

![image-20230404120845300](assets/image-20230404120845300.png)

### Change the value

We change `admin=0` (`61646D696E3D30`) to `admin=1` (`61646D696E3D31`) and write sector 1 back to the badge. The attribute is stored in clear on the card and nothing binds it to the card's identity, so the reader cannot tell the edited value from a legitimate one.

![image-20230404121014800](assets/image-20230404121014800.png)

We can now open the second door and reach the next WLAN:

![image-20230404121734682](assets/image-20230404121734682.png)

```
SSID: Quest-Internal
PASS: 32uHeleMbyRLVdqPXSg7
```

# Step 3

## SMB share

From there we had to find the address of an SMB share. After many nmap scans we finally found it at `10.0.100.52`; the server is in the same subnet as the web server from Step 2.

```
\\10.0.100.52\Confidential
```

Anonymous authentication was allowed, and the share contained a file `Safe.kdbx`.

![image-20230325020019495](assets/image-20230325020019495.png)

## KeePass

It is a KeePass password database.
A quick Google search turns up a bash script:

https://github.com/r3nt0n/keepass4brute/blob/master/keepass4brute.sh

The script is very slow (it spawns keepassxc-cli once per candidate password; extracting the header with keepass2john and cracking it offline with hashcat mode 13400 is the usual faster route for the database formats hashcat supports), but we still recovered the password.

![image-20230404132959019](assets/image-20230404132959019.png)

Opening the file with the right password gives us the flag!

![image-20230404133132063](assets/image-20230404133132063.png)

There was also an easter egg to go and find outside the building.

![image-20230404133224300](assets/image-20230404133224300.png)

The coordinates lead to an address where goodies could be won, but only by the first team.

![image-20230404133409529](assets/image-20230404133409529.png)
--------------------------------------------------------------------------------
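Returning to the badge rewrite of Step 2: editing one byte with the MIFARE Classic Tool GUI works for a single card, but the same edit done on a saved dump shows the property that made the attack possible and where a mistake would brick the card. The block below is an added example, not code from the write-up or from MIFARE Classic Tool: it patches an ASCII attribute inside an MCT-style text dump while refusing to touch sector trailers (key A, access bits, key B) or the manufacturer block. The dump layout (`+Sector: N` followed by one 32-hex-character line per block, `-` for unreadable blocks) is assumed from MCT's file format, and `SAMPLE_DUMP` is constructed here to mirror the Step 2 card, not a real read.

```javascript
// Added example, not from the write-up: patch an attribute string inside a MIFARE Classic
// dump as saved by MIFARE Classic Tool, leaving every sector trailer and block 0 untouched.
// Assumed: MCT text layout ("+Sector: N", then one 32-hex-char line per block, "-" for
// unreadable blocks). SAMPLE_DUMP is constructed to mirror the Step 2 card, not a real read.
const SAMPLE_DUMP = [
  "+Sector: 0",
  "DEADBEEF220804006263646566676869", // block 0: UID, BCC, SAK, ATQA, manufacturer bytes
  "00000000000000000000000000000000",
  "00000000000000000000000000000000",
  "FFFFFFFFFFFFFF078069FFFFFFFFFFFF", // trailer: key A, access bits, key B (factory defaults)
  "+Sector: 1",
  "69643D313333373B61646D696E3D3000", // "id=1337;admin=0"
  "6E616D653D6261746F00000000000000", // "name=bato"
  "00000000000000000000000000000000",
  "FFFFFFFFFFFFFF078069FFFFFFFFFFFF",
].join("\n");

// Parse into [{ sector, blocks: [hex | null] }]; null marks an unreadable block.
function parseMct(text) {
  const sectors = [];
  let current = null;
  for (const raw of text.trim().split(/\r?\n/)) {
    const line = raw.trim();
    if (line.startsWith("+Sector:")) {
      current = { sector: Number(line.slice(8)), blocks: [] };
      sectors.push(current);
    } else if (current && /^([0-9A-Fa-f]{32}|-+)$/.test(line)) {
      current.blocks.push(line.startsWith("-") ? null : line.toUpperCase());
    } else if (line !== "") {
      throw new Error(`unexpected line in dump: ${line}`);
    }
  }
  return sectors;
}

function serializeMct(sectors) {
  return sectors
    .map(s => [`+Sector: ${s.sector}`, ...s.blocks.map(b => b ?? "-".repeat(32))].join("\n"))
    .join("\n") + "\n";
}

// Replace `from` with `to` (same length, so the 16-byte block layout is preserved) in data
// blocks only. The last block of each sector is the trailer and sector 0 block 0 is the
// manufacturer block; writing a bad trailer locks you out of the sector for good.
function patchAttribute(text, from, to) {
  if (from.length !== to.length) throw new Error("replacement must keep the block size");
  const sectors = parseMct(text);
  let replaced = 0;
  for (const s of sectors) {
    const trailer = s.blocks.length - 1;
    s.blocks = s.blocks.map((hex, i) => {
      if (hex === null || i === trailer || (s.sector === 0 && i === 0)) return hex;
      const ascii = Buffer.from(hex, "hex").toString("latin1");
      if (!ascii.includes(from)) return hex;
      replaced += ascii.split(from).length - 1;
      return Buffer.from(ascii.split(from).join(to), "latin1").toString("hex").toUpperCase();
    });
  }
  if (replaced === 0) throw new Error(`"${from}" not found in any data block`);
  return { dump: serializeMct(sectors), replaced };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(patchAttribute(SAMPLE_DUMP, "admin=0", "admin=1").dump);
}
```

The edit succeeds because the card's data blocks carry no integrity protection and the sector uses factory keys, so whatever the reader finds in sector 1 is simply trusted. A controller that wants to survive this has to look the UID up in its own database (and treat the UID itself as cloneable), or at least store a MAC over the block computed with a key the card never holds.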