MrARM

{
   "meta":{
      "theme":"elegant"
   },
   "basics":{
      "name":"Jordan Bush",
      "label":"Embedded system developer",
      "image":"https://bush.ax/photograph.jpg",
      "summary":"I am a full-stack engineer working on embedded systems, I have experience with IoT radio equipment, object-classification systems.",
      "website":"https://bush.ax",

MrARM

SecDSM April 2023 CTF Writeup

I took part in the SecDSM MiniCTF in April of 2023 which involved some DNS OSINT, encrypted 7-zips, TOR knowledge and printer pwning.

At 12 PM, the website with the challenge was released. The site read:

Henry Hacker is in jail and is looking to fly the coop. You're in cahoots on the outside. He's printing the instructions for where/when you need to meet him. He's managed to sneak some information on chickenfliesthecoop.hackmeinc.com. It's a place where you've exchanged messages in the past.

Part 1. Direction finding

My first instinct was to try to visit that domain in my web browser, that didn't work. Thinking the site was down, me and a few other people hopped into a Discord voice chat to try and understand what was going on. Eventually we tried to find hidden domains using Dns Spy, I brute forced for domains using Lepus as well as scanning the HTTP directory with dirbuster on the challenge page.

MrARM

# Notes, file size seems to cap around 4 mb, if you go over, the flash fails and you have to do a SPI flash (or find a way in the uart console)
import base64
import json
import math
import requests
import time
import os

MrARM

DFM17 USB Pinout

Requirements

• Micro USB cable to salvage
• A USB ttl cable, This cable from adafruit is what I recommend

Instructions

• Cut the usb cable and seperate the wire pairs on the micro USB side, scrap or reuse the other side.
• Wire the cable as follows

MrARM

24 52 4d 32 35 4e 00 01 00 39 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 0c 24 2c 3c 3c 3c c2 cf 39 24 c5 fe 54 60 01 1c a9 
24 52 4d 31 35 4e 00 02 00 39 0d 03 be c0 19 fa b7 17 dd 82 09 de 5e 1f fe 38 0f fe 25 1b de c9 11 fc 43 03 be d5 03 be c9 03 be d1 03 be cd 00 00 00 46 6f df cd c5 8c 55 27 44 76 b3 17 c1 7d f5 8e 01 29 20 
24 52 4d 32 35 4e 00 02 00 39 0d 03 be c0 19 fa b7 17 dd 82 09 de 5e 1f fe 38 0f fe 25 1b de c9 11 fc 43 03 be d5 03 be c9 03 be d1 03 be cd 00 00 00 46 6f df cd c5 8c 55 27 44 76 b3 17 c1 7d f5 8e 01 5b f7 
24 52 54 32 35 4e 00 02 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1b d3 

24 52 4d 31 35 4e 00 03 00 39 0d 03 be ba 19 fa b9 17 dd 85 09 de 52 1f fe 39 0f fe 26 1b de c9 11 fc 44 03 be d2 03 be d4 03 be d5 03 be d9 00 00 00 bb 12 d1 6d 37 1a 9c 52 b0 00 16 4d 47 68 24 00 01 8e dd 
24 52 4d 32 35 4e 00 03 00 39 0d 03 be ba 19 fa b9 17 dd 8

MrARM

# ------------------------------------[UPDATE]--------------------------------------
# Title: Sony Block List
# Expires: 14 day
# Total number of network filters: 8
# ------------------------------------[FILTERS]-------------------------------------
0.0.0.0 api-p014.ribob01.net
0.0.0.0 apicdn-p014.ribob01.net
0.0.0.0 artcdnsecure.ribob01.net
0.0.0.0 asm.np.community.playstation.net
0.0.0.0 auth.np.ac.playstation.net

MrARM

̷̷̷̷̷̷̧̧̧̧̧̧̟̭̺͕̜̦̟̭̺͕̜̦̟̭̺͕̜̦̟̭̺͕̜̦̟̭̺͕̜̦̟̭̺͕̜̦̔̏̊̍ͧ͊́̔̏̊̍ͧ͊́̔̏̊̍ͧ͊́̔̏̊̍ͧ͊́̔̏̊̍ͧ͊́̔̏̊̍ͧ͊́̚̕̚̕̚̕̚̕̚̕̚̕͞͞͞͞͞͞

MrARM

#LOG 1

build_id: 15A372
sysname: Darwin
nodename: iPad-Air
release: 17.0.0
version: Darwin Kernel Version 17.0.0: Fri Sep  1 14:59:18 PDT 2017; root:xnu-4570.2.5~167/RELEASE_ARM64_S5L8960X
machine: iPad4,1
unknown kernel build. If this is iOS 11 it might still be able to get tfp0, trying anyway
message size for kalloc.4096: 2956