Breaking down an encrypted interview disc from RedBalloonSecurity. Part 0

Based on





Dark side

, . , : , , . , - . , , " ?". , -, - . , . .





, ( - , , ). , , , , - . , . security research . , - buffer-overflow', , . e-mail , 2 . 16- . hex-, , e-mail . , . - , , , , . , -, , , . UPS , .





?

UPS, , , . , SATA-USB3, , , 3,5" HDD .





, :





  1. ,





  2. , 0.1337 BTC





  3. , , ,





  4. .





  5. 1 " ".





  6. 3 - IC, Winbond Flash Chip,





  7. , SATA power & SATA data, 4 pina





Debian-, , 4 . 1 , , 3 . 4 . , , , .





root@ubuntu:~# dmesg
...
[ 4718.927084]  sdb: sdb1 sdb2 sdb3 sdb4
[ 4718.927140] sdb: p2 start 20480000 is beyond EOD, truncated
[ 4718.927140] sdb: p3 start 40960000 is beyond EOD, truncated
[ 4718.927140] sdb: p4 start 81920000 is beyond EOD, truncated
[ 4718.928123] sd 3:0:0:0: [sdb] Attached SCSI disk
...
      
      



LEVEL0

:





root@ubuntu:/media/user/LEVEL0# file *
level0_instructions.txt: UTF-8 Unicode text
level1.md5:              ASCII text
seaflashlin_rbs:         ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, stripped
      
      



root@ubuntu:/media/user/LEVEL0# cat level0_instructions.txt
Here’s where the challenge starts.
1. Flash level_1.lod using the seaflash tool.
2. Maybe a serial console to the drive would be useful?
      
      



root@ubuntu:/media/user/LEVEL0# cat level1.md5 
cbf06ad97efb847d040d178ae953715c  ../2020-10-13-lods//1//level_1.lod
      
      



, , , . rbs - , . virustotal.com . !





. FAT32. testdisk, . /dev/sdb1, .





TestDisk 7.0, Data Recovery Utility, April 2015
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org
   P FAT32                    0   0  1  1337  63 31    2740223 [LEVEL0]
Directory /

>-rwxr-xr-x     0     0       139 21-Oct-2020 00:35 level0_instructions.txt
 -rwxr-xr-x     0     0    104280 21-Oct-2020 00:35 seaflashlin_rbs
 -rwxr-xr-x     0     0   1014784 21-Oct-2020 00:42 level_1_makesureitsnotcorrupted.lod
 -rwxr-xr-x     0     0   1014784 21-Oct-2020 00:42 level_1_thankyoumd5.lod
 -rwxr-xr-x     0     0        69 21-Oct-2020 00:42 level1.md5

      
      



level_1_makesureitsnotcorrupted.lod level1.md5 , . , . , , SCSI. seaflashlin_rbs /dev/sg1. - .





root@ubuntu:/home/user/Desktop# ./seaflashlin_rbs -i
================================================================================
 Seagate Firmware Download Utility v0.4.6 Build Date: Oct 26 2015
 Copyright (c) 2014 Seagate Technology LLC, All Rights Reserved
 Tue Mar 23 20:49:37 2021
================================================================================
ATA       /dev/sg0 MN: APPLE SSD SM0256F       SN: S1K4NYBF685537       FW: JA1Q
ST325031  /dev/sg1 MN: 2AS                     SN: 2F6112500220         FW: 0   
StoreJet  /dev/sg2 MN: Transcend               SN: C3C3P79A1HXW         FW: 0   
APPLE     /dev/sg3 MN: SD Card Reader          SN: 00000000             FW: 3.00
      
      



root@ubuntu:/home/user/Desktop# ./seaflashlin_rbs -f level_1_makesureitsnotcorrupted.lod -d /dev/sg1 
================================================================================
 Seagate Firmware Download Utility v0.4.6 Build Date: Oct 26 2015
 Copyright (c) 2014 Seagate Technology LLC, All Rights Reserved
 Tue Mar 23 19:25:42 2021
================================================================================
Flashing microcode file level_1_makesureitsnotcorrupted.lod to /dev/sg1
 .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  :  !
Microcode Download to /dev/sg1 SUCCESSFUL
      
      



, 10 . , , . ! USB-to-SATA , , SCSI . .





LEVEL1

1 - , 4 pina, . . , GND, TX, RX.





UART ( ). , , Raspberry Pi 3b+. GPIO , UART.





, :

RPI TX  (pin #10)   ->   HDD RX

RPI RX  (pin #08)   ->   HDD TX

RPI GND (pin #06)   ->   HDD GND








Female-Female . , . , SATA data, , .





, UART , . , Login Prompt Raspbian. , :

 1.           raspi-config

 2.            Interface Options

 3.            Serial Port

 4. ""   Would you like a login shell to be accessible over serial?

 5. ""    Would you like the serial port hardware to be enabled?

 6.       Raspberry Pi








, minicom Serial . , , (, ). Serial :





root@rpi ~ # minicom -b 38400 -D /dev/ttyS0
      
      



, - .






Welcome to minicom 2.7.1

OPTIONS: I18n 
Compiled on Aug 13 2017, 15:25:34.
Port /dev/ttyS0, 21:05:41

Press CTRL-A Z for help on special keys
RBS Challenge! Human, patch me you must!
RBS Challenge! Human, patch me you must!
RBS Challenge! Human, patch me you must!
RBS Challenge! Human, patch me you must!
RBS Challenge! Human, patch me you must!
RBS Challenge! Human, patch me you must!
RBS Challenge! Human, patch me you must!
RBS Challenge! Human, patch me you must!
RBS Challenge! Human, patch me you must!
RBS Challenge! Human, patch me you must!
RBS Challenge! Human, patch me you must!
RBS Challenge! Human, patch me you must!
RBS Challenge! Human, patch me you must!
RBS Challenge! Human, patch me you must!
RBS Challenge! Human, patch me you must!
RBS Challenge! Human, patch me you must!

CTRL-A Z for help | 38400 8N1 | NOR | Minicom 2.7.1 | VT102 | Offline | ttyS0                                        

      
      



, . , 5 . , . Winbond W25X40BLS02. datasheet , .





. strings level_1_makesureitsnotcorrupted.lod, . ASCII .





        O$H
Q9H)
\%6Q
M[h+
r4m:
4i,XJ
CPRS
        \.
                                                              \\      .
                                                       \\ _,.+;)_
                                                     .\\;~%:88%%.
                                                  (( a   `)9,8;%.
                                                /`   _) ' `9%%%?
                                              (' .-' j    '8%%'
                                               `"+   |    .88%)+._____..,,_   ,+%$%.
                                :.   d%9`             `-%*'"'~%$.
                           ___(   (%C                 `.   68%%9
                        ."        \7                  ;  C8%%)`
                        : ."-.__,'.____________..,`   L.  \86' ,
                       : L    : :            `  .'\.   '.  %$9%)
                      ;  -.  : |             \  \  "-._ `. `~"
                        `. !  : |              )  >     ". ?
                             `'  : |            .' .'       : |
                                 ; !          .' .'         : |
                                ,' ;         ' .'           ; (
                               .  (         j  (            `  \
                              """'          ""'             `"" mh  Congratulations! To solve this challenge patch those values: Address: 0x00c, data:0b1b Address: 0xbce, data:002149f249f800219fa049f245f89e48        
 @<H
|XY?W
??kFK
?B?>y1
Ykb!=
l.y^ZV:
VKwF

      
      



, . , Raspberry Pi SPI flash . , Male-Female , Male-Male Female-Female . Raspberry Pi, flash , . , , . , , , 1 Male-Male , 4 8 ( ), . . - . , GND . - , , , . Winbond - .





flashrom c SPI, , \-. - , Raspberry Pi . , . !





Flashrom

. , (ff ff2 :D) hex-, level_1_makesureitsnotcorrupted.lod, flashrom.
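As an added example (not code from the original article): the patch instruction recovered by `strings` above, parsed and applied to a flash image with bounds and overlap checks. It assumes the addresses are byte offsets into the image and that the data bytes are written in the order shown; the all-0xFF 512 KiB image is a constructed stand-in for a real dump.

```python
import re

# Message recovered by `strings` from the .lod file, copied from the page.
MESSAGE = ("Congratulations! To solve this challenge patch those values: "
           "Address: 0x00c, data:0b1b "
           "Address: 0xbce, data:002149f249f800219fa049f245f89e48")

PAIR = re.compile(r"Address:\s*0x([0-9a-fA-F]+),\s*data:\s*([0-9a-fA-F]+)")

def parse_patches(message):
    """Return [(offset, bytes), ...] for every Address/data pair."""
    patches = []
    for addr, data in PAIR.findall(message):
        if len(data) % 2:
            raise ValueError(f"odd-length hex data at 0x{addr}")
        # Assumption: bytes are stored in the order they are printed.
        patches.append((int(addr, 16), bytes.fromhex(data)))
    return patches

def apply_patches(image, patches):
    """Return a patched copy; refuse writes past the end or overlapping."""
    out = bytearray(image)
    touched = set()
    for offset, data in patches:
        span = range(offset, offset + len(data))
        if span.stop > len(out):
            raise ValueError(f"patch at 0x{offset:x} exceeds image size")
        if touched.intersection(span):
            raise ValueError(f"patch at 0x{offset:x} overlaps another patch")
        touched.update(span)
        out[offset:span.stop] = data
    return bytes(out)

def changed_offsets(before, after):
    """Offsets that differ, to confirm only the intended bytes changed."""
    return [i for i, (a, b) in enumerate(zip(before, after)) if a != b]

if __name__ == "__main__":
    # Constructed stand-in for a dump: 512 KiB of 0xFF (erased NOR flash).
    dump = b"\xff" * (512 * 1024)
    patched = apply_patches(dump, parse_patches(MESSAGE))
    diff = changed_offsets(dump, patched)
    print(f"{len(diff)} bytes changed, 0x{diff[0]:x}..0x{diff[-1]:x}")
```

Checking the changed offsets against the two expected ranges before writing the image back is a cheap guard against a mistyped address.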





, , , LEVEL2.





Friends, if you find this kind of material interesting, give the post a plus. One way or another, the whole process will not fit in one post.





Subscribe to @o.tkachuk on Instagram







