Dark side
, . , : , , . , - . , , " ?". , -, - . , . .
, ( - , , ). , , , , - . , . security research . , - buffer-overflow', , . e-mail , 2 . 16- . hex-, , e-mail . , . - , , , , . , -, , , . UPS , .
?
UPS, , , . , SATA-USB3, , , 3,5" HDD .
, :
,
, 0.1337 BTC
, , ,
.
1 " ".
3 - IC, Winbond Flash Chip,
, SATA power & SATA data, 4 pina
Debian-, , 4 . 1 , , 3 . 4 . , , , .
root@ubuntu:~# dmesg
...
[ 4718.927084] sdb: sdb1 sdb2 sdb3 sdb4
[ 4718.927140] sdb: p2 start 20480000 is beyond EOD, truncated
[ 4718.927140] sdb: p3 start 40960000 is beyond EOD, truncated
[ 4718.927140] sdb: p4 start 81920000 is beyond EOD, truncated
[ 4718.928123] sd 3:0:0:0: [sdb] Attached SCSI disk
...
LEVEL0
:
root@ubuntu:/media/user/LEVEL0# file *
level0_instructions.txt: UTF-8 Unicode text
level1.md5: ASCII text
seaflashlin_rbs: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, stripped
root@ubuntu:/media/user/LEVEL0# cat level0_instructions.txt
Hereโs where the challenge starts.
1. Flash level_1.lod using the seaflash tool.
2. Maybe a serial console to the drive would be useful?
root@ubuntu:/media/user/LEVEL0# cat level1.md5
cbf06ad97efb847d040d178ae953715c ../2020-10-13-lods//1//level_1.lod
, , , . rbs - , . virustotal.com . !
. FAT32. testdisk, . /dev/sdb1, .
TestDisk 7.0, Data Recovery Utility, April 2015
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org
P FAT32 0 0 1 1337 63 31 2740223 [LEVEL0]
Directory /
>-rwxr-xr-x 0 0 139 21-Oct-2020 00:35 level0_instructions.txt
-rwxr-xr-x 0 0 104280 21-Oct-2020 00:35 seaflashlin_rbs
-rwxr-xr-x 0 0 1014784 21-Oct-2020 00:42 level_1_makesureitsnotcorrupted.lod
-rwxr-xr-x 0 0 1014784 21-Oct-2020 00:42 level_1_thankyoumd5.lod
-rwxr-xr-x 0 0 69 21-Oct-2020 00:42 level1.md5
level_1_makesureitsnotcorrupted.lod level1.md5 , . , . , , SCSI. seaflashlin_rbs /dev/sg1. - .
root@ubuntu:/home/user/Desktop# ./seaflashlin_rbs -i
================================================================================
Seagate Firmware Download Utility v0.4.6 Build Date: Oct 26 2015
Copyright (c) 2014 Seagate Technology LLC, All Rights Reserved
Tue Mar 23 20:49:37 2021
================================================================================
ATA /dev/sg0 MN: APPLE SSD SM0256F SN: S1K4NYBF685537 FW: JA1Q
ST325031 /dev/sg1 MN: 2AS SN: 2F6112500220 FW: 0
StoreJet /dev/sg2 MN: Transcend SN: C3C3P79A1HXW FW: 0
APPLE /dev/sg3 MN: SD Card Reader SN: 00000000 FW: 3.00
root@ubuntu:/home/user/Desktop# ./seaflashlin_rbs -f level_1_makesureitsnotcorrupted.lod -d /dev/sg1
================================================================================
Seagate Firmware Download Utility v0.4.6 Build Date: Oct 26 2015
Copyright (c) 2014 Seagate Technology LLC, All Rights Reserved
Tue Mar 23 19:25:42 2021
================================================================================
Flashing microcode file level_1_makesureitsnotcorrupted.lod to /dev/sg1
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . : !
Microcode Download to /dev/sg1 SUCCESSFUL
, 10 . , , . ! USB-to-SATA , , SCSI . .
LEVEL1
1 - , 4 pina, . . , GND, TX, RX.
UART ( ). , , Raspberry Pi 3b+. GPIO , UART.
, :
RPI TX (pin #10) -> HDD RX
RPI RX (pin #08) -> HDD TX
RPI GND (pin #06) -> HDD GND
Female-Female . , . , SATA data, , .
, UART , . , Login Prompt Raspbian. , :
1. raspi-config
2. Interface Options
3. Serial Port
4. "" Would you like a login shell to be accessible over serial?
5. "" Would you like the serial port hardware to be enabled?
6. Raspberry Pi
, minicom Serial . , , (, ). Serial :
root@rpi ~ # minicom -b 38400 -D /dev/ttyS0
, - .
Welcome to minicom 2.7.1
OPTIONS: I18n
Compiled on Aug 13 2017, 15:25:34.
Port /dev/ttyS0, 21:05:41
Press CTRL-A Z for help on special keys
RBS Challenge! Human, patch me you must!
RBS Challenge! Human, patch me you must!
RBS Challenge! Human, patch me you must!
RBS Challenge! Human, patch me you must!
RBS Challenge! Human, patch me you must!
RBS Challenge! Human, patch me you must!
RBS Challenge! Human, patch me you must!
RBS Challenge! Human, patch me you must!
RBS Challenge! Human, patch me you must!
RBS Challenge! Human, patch me you must!
RBS Challenge! Human, patch me you must!
RBS Challenge! Human, patch me you must!
RBS Challenge! Human, patch me you must!
RBS Challenge! Human, patch me you must!
RBS Challenge! Human, patch me you must!
RBS Challenge! Human, patch me you must!
CTRL-A Z for help | 38400 8N1 | NOR | Minicom 2.7.1 | VT102 | Offline | ttyS0
, . , 5 . , . Winbond W25X40BLS02. datasheet , .
. strings level_1_makesureitsnotcorrupted.lod, . ASCII .
O$H
Q9H)
\%6Q
M[h+
r4m:
4i,XJ
CPRS
\.
\\ .
\\ _,.+;)_
.\\;~%:88%%.
(( a `)9,8;%.
/` _) ' `9%%%?
(' .-' j '8%%'
`"+ | .88%)+._____..,,_ ,+%$%.
:. d%9` `-%*'"'~%$.
___( (%C `. 68%%9
." \7 ; C8%%)`
: ."-.__,'.____________..,` L. \86' ,
: L : : ` .'\. '. %$9%)
; -. : | \ \ "-._ `. `~"
`. ! : | ) > ". ?
`' : | .' .' : |
; ! .' .' : |
,' ; ' .' ; (
. ( j ( ` \
"""' ""' `"" mh Congratulations! To solve this challenge patch those values: Address: 0x00c, data:0b1b Address: 0xbce, data:002149f249f800219fa049f245f89e48
@<H
|XY?W
??kFK
?B?>y1
Ykb!=
l.y^ZV:
VKwF
, . , Raspberry Pi SPI flash . , Male-Female , Male-Male Female-Female . Raspberry Pi, flash , . , , . , , , 1 Male-Male , 4 8 ( ), . . - . , GND . - , , , . Winbond - .
flashrom c SPI, , \-. - , Raspberry Pi . , . !
Flashrom
. , (ff ff2 :D) hex-, level_1_makesureitsnotcorrupted.lod, flashrom.
, , , LEVEL2.
Friends, if you are interested in such material, put the plus signs. The whole process, one way or another, will not fit in one post.
Subscribe to @ o.tkachuk instu