@darkarnium
Created May 24, 2020 15:26
magicbus
(ctf) [darkarnium::Callisto MagicBus][0]$ ipython3 --no-banner -i magic_bus.py
[x] Opening connection to bus.satellitesabove.me on port 5041
[x] Opening connection to bus.satellitesabove.me on port 5041: Trying 18.222.201.16
[+] Opening connection to bus.satellitesabove.me on port 5041: Done
[*] Sent b'^93+00+00+35+.' to bus
[*] Sent b'^93+00+00+45+.' to bus
[*] Sent b'^93+00+00+55+.' to bus
[*] Sent b'^93+00+00+75+.' to bus
[*] Sent b'^93+00+00+85+.' to bus
[*] Sent b'^93+00+00+a5+.' to bus
[*] Got [0x56, 0x01] data chunk
[*] Got [0x56, 0x01] data chunk
[*] Got [0x56, 0x01] data chunk
[*] Got [0x56, 0x01] data chunk
[*] Got [0x56, 0x01] data chunk
[*] Got [0x56, 0x01] data chunk
[!] flag{quebec65854quebec:GA7avHnYEEDa8zhDgc5QPOyaCdDML5gNTrp-IBEPeyZc9FEDrqwwzeN7w6_My-kIFheYjdJakhz1W5H1EmejdSo}
In [1]:
import sys
import binascii
from pwn import *

TICKET = "ticket{quebec65854quebec:GHpbhquFdHUCf15aID5DlcdoHsIrBfisgpFey9tVBozA6JwFzPjwJ3SfNIAhkohmmA}"


# https://stackoverflow.com/questions/22388866/python-list-set-value-at-index-if-index-does-not-exist
class FillList(list):
    """List that grows (padding with None) when assigned past its current end."""

    def __setitem__(self, index, value):
        try:
            super().__setitem__(index, value)
        except IndexError:
            for _ in range(index - len(self) + 1):
                self.append(None)
            super().__setitem__(index, value)


def process_line(line, flag_parts):
    """Place the payload of a ^56+01 data chunk into flag_parts at the chunk's offset."""
    if line.startswith(b'^56+01'):
        log.info('Got [0x56, 0x01] data chunk')
        line = line.replace(b'^', b'').replace(b'+', b'').replace(b'.', b'')
        try:
            line = binascii.a2b_hex(line)
        except binascii.Error:
            return  # Chunk cut off mid-byte (e.g. connection closed); skip it.
        # Byte 2 is the offset of this chunk inside the shared buffer; the payload follows.
        offset = line[2]
        for idx, i in enumerate(line[3:]):
            flag_parts[int(offset + idx)] = chr(i)


flag_parts = FillList()
context.log_level = 'info'

# Connect and iterate until we have everything.
r = remote("bus.satellitesabove.me", 5041)
r.recvline()  # ticket pls
r.sendline(TICKET.encode())

# Addresses (?) to read.
addresses = [
    0x35,
    0x45,
    0x55,
    0x75,
    0x85,
    0xa5,
]

# Capture first chunk before pause.
buffer = r.recvuntil(b'.')
buffer += r.recvuntil(b'^92+00+00+3d')
buffer += r.recvuntil(b'.')

try:
    # Read data from the addresses we care about.
    for address in addresses:
        reader = bytes('^93+00+00+{0:02x}+.'.format(address), 'utf-8')
        r.send(reader)
        log.info('Sent %s to bus', reader)

        # Read back the results.
        buffer += r.recvuntil(b'.')  # Echo back.
        buffer += r.recvuntil(b'.')  # Response (?)
        buffer += r.recvuntil(b'.')  #
        buffer += r.recvuntil(b'.')  #
        buffer += r.recvuntil(b'.')  # Data!
        buffer += r.recvuntil(b'.')  # Trailer (?)
        buffer += r.recvuntil(b'.')  #

    # ...Then read the rest of the data in the exchange.
    while True:
        buffer += r.recvuntil(b'.')
except (EOFError, KeyboardInterrupt):
    # The bus closed the connection, or the read loop was interrupted by hand.
    pass

# Process the last chunk of data - if required.
for command in buffer.split(b'.'):
    process_line(command, flag_parts)

# Find the flag
flag_start = None
flag_end = None

for idx, _ in enumerate(flag_parts):
    # Find the start of the flag.
    try:
        if flag_parts[idx] == 'f' and \
           flag_parts[idx + 1] == 'l' and \
           flag_parts[idx + 2] == 'a' and \
           flag_parts[idx + 3] == 'g':
            flag_start = idx

        # Find the end of the flag.
        if flag_parts[idx] == '}' and \
           flag_parts[idx + 1] == '\x00':
            flag_end = idx

        if flag_start is not None and flag_end is not None:
            break
    except IndexError:
        continue

flag = ''
flag_index = flag_start

# Offsets that no chunk covered are rendered as '*'.
while flag_index <= flag_end:
    if flag_parts[flag_index]:
        flag += flag_parts[flag_index]
    else:
        flag += '*'
    flag_index += 1

# get_flag
log.warning(flag)
@dreadn0ught

How did you work out what packet format to send?

@darkarnium
Author

darkarnium commented May 25, 2020

Basically, by hating ourselves for a few hours when searches were coming up dry for potential protocol formats. Here are my notes, which may be varying levels of readable.

@bsmt identified the start and end sentinels for each "packet" (^, and . respectively). After that the focus was on identifying which parts of the data were present in other packets, and parts of the packet that were the same on ones with differing data. After that it was basically trying to identify whether there were any fields which corresponded with the location of the overlapping data between each packet, and the distance between them.

Not exactly very scientific, but hey! When the only tool you have is a hammer... :)

(ctf) [darkarnium::Callisto MagicBus][0]$ git diff HEAD~1
diff --git a/dump.hex b/dump.hex
index 78b9b39..884f0c1 100644
--- a/dump.hex
+++ b/dump.hex
@@ -4,8 +4,8 @@
 00000030: 5440 4cce a040 9b4b 40c1 8939 a0c0 13e4  T@L..@.K@..9....
 00000040: e73f 5601 326e d66a 60a7 0560 e18e 19e0  .?V.2n.j`..`....
 00000050: 6d6c 1d4a 666c 6167 7b71 7565 6265 6336  ml.Jflag{quebec6
-00000060: 3538 3534 7175 6562 6563 3a47 4333 5454  5854quebec:GC3TT
-00000070: 3344 6b93 0000 3d92 0000 3d00 0000 3df7  3Dk...=...=...=.
+00000060: 3538 3534 7175 6562 6563 3a47 4b42 3564  5854quebec:GKB5d
+00000070: 3671 6e93 0000 3d92 0000 3d00 0000 3df7  6qn...=...=...=.
 00000080: 3f41 2256 8abb 3c8e 9f40 0584 3fc1 fc23  ?A"V..<..@..?..#
 00000090: a1c0 fa41 e63f 9200 003d 0000 003d f73f  ...A.?...=...=.?
 000000a0: 4122 568a bb3c 8e9f 4005 843f c1fc 23a1  A"V..<..@..?..#.
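Review bot: the only bytes that change in this hunk are the seven flag characters at 0x6c-0x72 (`C3TT3Dk` in the old dump, `KB5d6qn` in the new one); the `flag{quebec65854quebec:G` prefix before them and the `93 00 00 3d 92 00 00 3d 00 00 00 3d` framing bytes that follow from 0x73 are byte-identical in both versions, which is the observation that the frame layout is fixed and only the flag body varies between captures. A one-line note above the diff saying the two dumps are separate captures would help, since nothing in the hunk itself states that.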
@@ -50,10 +50,10 @@
 00000310: 008f 9640 41b3 0ea2 bcd9 919f 40ed cb3f  ...@A.......@..?
 00000320: c1d9 b3a0 c047 41e7 3f93 0000 3f92 0000  .....GA.?...?...
 00000330: 3f00 0000 0914 4041 9c6d 5340 e82d a140  ?.....@A.mS@.-.@
-00000340: 34d9 3fc1 917b a0c0 5fc5 e43f 5601 8761  4.?..{.._..?V..a
-00000350: 6a39 434e 5a69 6969 4555 4d69 4e31 4c4d  j9CNZiiiEUMiN1LM
-00000360: 6d59 6353 572d 6573 596c 7143 4271 7865  mYcSW-esYlqCBqxe
-00000370: 7049 7778 6c4a 777d 005d 3e3b 9300 003d  pIwxlJw}.]>;...=
+00000340: 34d9 3fc1 917b a0c0 5fc5 e43f 5601 875a  4.?..{.._..?V..Z
+00000350: 3763 444a 4567 4537 4b5a 4344 4954 5857  7cDJEgE7KZCDITXW
+00000360: 5251 4f7a 706c 4d53 5145 4c54 4c45 4a48  RQOzplMSQELTLEJH
+00000370: 6375 5855 7446 597d 005d 3e3b 9300 003d  cuXUtFY}.]>;...=
 00000380: 9200 003d 0000 00a4 f83f 41d6 6c71 bc2a  ...=.....?A.lq.*
 00000390: 05a0 406b f43f c1a8 b6a0 c0fa d0e7 3f92  ..@k.?........?.
 000003a0: 0000 3d00 0000 a4f8 3f41 d66c 71bc 2a05  ..=.....?A.lq.*.
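Review bot: same pattern at 0x34f-0x376: the changed bytes start right after the unchanged `56 01 87` chunk header at 0x34c-0x34e, and both versions keep `7d 00 5d 3e 3b` (`}\x00]>;`) at 0x377-0x37b, so a `}` followed by a NUL is a stable terminator independent of the flag contents. That is the justification for the script's `'}'` followed by `'\x00'` end test and deserves a line of explanation next to this hunk.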
@@ -107,7 +107,7 @@
 000006a0: 08bd 89c7 9f40 8f8b 3fc1 3ebe 9ec0 7e85  .....@..?.>...~.
 000006b0: e23f 9300 003f 9200 003f 0000 00d1 b33f  .?...?...?.....?
 000006c0: 4184 b952 4065 5ba0 40ac b53f c159 22a0  A..R@e[.@..?.Y".
-000006d0: c014 8de4 3f56 01a8 7049 7778 6c4a 777d  ....?V..pIwxlJw}
+000006d0: c014 8de4 3f56 01a8 6375 5855 7446 597d  ....?V..cuXUtFY}
 000006e0: 005d 3e3b b3c5 422f 2d9d 07f6 40e6 7e4f  .]>;..B/-...@.~O
 000006f0: 4a75 6963 7920 4461 7461 2030 3300 5b34  Juicy Data 03.[4
 00000700: bc99 6f6f 5eb1 9f8c 4fa6 828f 8d00 dece  ..oo^...O.......
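Review bot: the eight changed bytes at 0x6d8-0x6df (`pIwxlJw}` to `cuXUtFY}`) repeat the last eight flag characters of the previous hunk (0x370-0x377), and they follow a `56 01 a8` chunk header at 0x6d5-0x6d7. Both placements agree on where the `}` lands: 0x87 + 0x28 = 0xaf from the earlier chunk and 0xa8 + 7 = 0xaf here, which is a direct check that byte 2 of a `56 01` chunk is an offset into one shared buffer rather than the start of a new flag; writing that arithmetic out here would make the offset interpretation easier to follow.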

Capture Notes:

---- START ----

    ^92+00+00+3d+00+00+00+ 98+5b+ 40+41+ 5d+63+01+3c+22+09+a1+ 40+17+b3+3f+ c1+dd+cb+9e+ c0+f5+5f+e2+ 3f+.

^93+00+00+3f+.
    ^92+00+00+3f+00+00+00+ 64+8b+ 40+41+ c9+f2+54+40+4c+ce+a0+ 40+9b+4b+40+ c1+89+39+a0+ c0+13+e4+e7+ 3f+.
        ^56+01+ 32+ 6e+ d6+6a+60+a7+05+60+e1+8e+19+e0+6d+6c+1d+4a+66+6c+61+67+7b+71+75+65+62+65+63+36+35+38+35+34+71+75+65+62+65+63+3a+47+42+54+50+67+56+73+72+.
                                                                  \__FLAG__/
^93+00+00+3d+.
    ^92+00+00+3d+00+00+00+ 7c+f2+ 3f+41+ 3d+dd+ae+bc+6d+f0+9f+ 40+12+15+40+ c1+a1+87+9f+ c0+c7+e1+e4+ 3f+.
    ^92+00+00+3d+00+00+00+ 7c+f2+ 3f+41+ 3d+dd+ae+bc+6d+f0+9f+ 40+12+15+40+ c1+a1+87+9f+ c0+c7+e1+e4+ 3f+.

^93+00+00+3f+.
    ^92+00+00+3f+00+00+00+ 93+80+ 3f+41+ fc+bb+54+40+bf+3a+a1+ 40+6e+f2+3f+ c1+ee+80+a0+ c0+c6+c9+e4+ 3f+.
        ^56+01+ 32+ 6e+ d6+6a+60+a7+05+60+e1+8e+19+e0+6d+6c+1d+4a+66+6c+61+67+7b+71+75+65+62+65+63+36+35+38+35+34+71+75+65+62+.
                                                                  \__FLAG__/
^93+00+00+3d+.
    ^92+00+00+3d+00+00+00+ 50+c7+ 3f+41+ 05+12+95+bc+1d+5d+a0+ 40+0c+7e+40+ c1+82+78+9f+ c0+b5+2c+e5+ 3f+.
    ^92+00+00+3d+00+00+00+ 50+c7+ 3f+41+ 05+12+95+bc+1d+5d+a0+ 40+0c+7e+40+ c1+82+78+9f+ c0+b5+2c+e5+ 3f+.

^93+00+00+3f+.
    ^92+00+00+3f+00+00+00+ af+33+ 40+41+ 59+2f+52+40+5f+34+a1+ 40+93+32+40+ c1+d1+3c+a1+ c0+7b+45+e7+ 3f+.
        ^56+01+18+9b+ 00+3a+89+b9+ff+df+53+3d+1c+0a+c1+a7+52+ca+44+fe+04+f8+ca+90+c9+b4+42+eb+b9+6e+d6+6a+60+a7+05+60+e1+8e+19+e0+6d+6c+1d+4a+66+6c+61+67+7b+71+75+65+62+65+63+36+35+38+35+34+71+75+65+62+65+.

---- START ---

----- END ----

^93+00+00+3d+.
    ^92+00+00+3d+00+00+00+ 8f+96+ 40+41+ b3+0e+a2+bc+d9+91+9f+ 40+ed+cb+3f+ c1+d9+b3+a0+ c0+47+41+e7+ 3f+.
    ^92+00+00+3d+00+00+00+ 8f+96+ 40+41+ b3+0e+a2+bc+d9+91+9f+ 40+ed+cb+3f+ c1+d9+b3+a0+ c0+47+41+e7+ 3f+.

^93+00+00+3f+.
    ^92+00+00+3f+00+00+00+ 09+14+ 40+41+ 9c+6d+53+40+e8+2d+a1+ 40+34+d9+3f+ c1+91+7b+a0+ c0+5f+c5+e4+ 3f+.
        ^56+01+ 87+ 46 +4d+36+78+65+6f+78+4c+30+30+32+55+6e+79+31+56+68+49+2d+4d+52+48+6b+78+51+30+5f+30+52+76+6a+4b+51+44+62+4a+6c+57+4b+59+7d+00+5d+3e+3b+.
                                                                                                                           \_______________}\x00_/
^93+00+00+3d+.
    ^92+00+00+3d+00+00+00+ e0+08+ 40+41+ 4c+bd+08+bd+89+c7+9f+ 40+8f+8b+3f+ c1+3e+be+9e+ c0+7e+85+e2+ 3f+.
    ^92+00+00+3d+00+00+00+ e0+08+ 40+41+ 4c+bd+08+bd+89+c7+9f+ 40+8f+8b+3f+ c1+3e+be+9e+ c0+7e+85+e2+ 3f+.

^93+00+00+3f+.
    ^92+00+00+3f+00+00+00+ d1+b3+ 3f+41+ 84+b9+52+40+65+5b+a0+ 40+ac+b5+3f+ c1+59+22+a0+ c0+14+8d+e4+ 3f+.
        ^56+01+ a8+ 44+ 62+4a+6c+57+4b+59+7d+00+5d+3e+3b+b3+c5+42+2f+2d+9d+07+f6+40+e6+7e+4f+4a+75+69+63+79+20+44+61+74+61+20+30+33+00+5b+34+bc+99+6f+6f+5e+b1+9f+8c+4f+a6+82+8f+8d+00+de+ce+cd+43+24+.
                        \_______________}\x00_/
----- END ----

Annotated capture:

^56+01 :: 27 = 39 (35 bytes below / 4 remainder)
    44+fe+04+f8+ca+90+c9+b4+42+eb+b9+6e+d6+6a+60+a7+05+60+e1+8e+19+e0+6d+6c+1d+4a+66+6c+61+67+7b+71+75+65+62+.

^56+01 :: 32 = 50 (46 bytes below / 4 remainder)
    6e+d6+6a+60+a7+05+60+e1+8e+19+e0+6d+6c+1d+4a+66+6c+61+67+7b+71+75+65+62+65+63+36+35+38+35+34+71+75+65+62+65+63+3a+47+47+34+76+4d+52+4d+4d+.

^56+01 :: 37 = 55 (47 bytes below / 8 remainder)
    05+60+e1+8e+19+e0+6d+6c+1d+4a+66+6c+61+67+7b+71+75+65+62+65+63+36+35+38+35+34+71+75+65+62+65+63+3a+47+47+34+76+4d+52+4d+4d+75+50+4e+6a+68+49+.

^56+01 :: 3c = 60 (57 bytes below / 3 remainder)
    e0+6d+6c+1d+4a+66+6c+61+67+7b+71+75+65+62+65+63+36+35+38+35+34+71+75+65+62+65+63+3a+47+47+34+76+4d+52+4d+4d+75+50+4e+6a+68+49+51+6a+4e+51+71+71+32+6f+30+6a+37+45+37+62+41+.

^56+01 :: 57 = 87 (34 bytes below / 53 remainder)
    3a+47+47+34+76+4d+52+4d+4d+75+50+4e+6a+68+49+51+6a+4e+51+71+71+32+6f+30+6a+37+45+37+62+41+6e+72+44+4a+.

^56+01 :: 7c = 124 (39 bytes below / 85 remainder)
    59+49+2d+46+62+41+7a+30+45+4f+32+56+59+6c+77+52+52+6e+4e+4c+32+75+4b+62+69+66+38+6f+4f+53+65+75+48+69+62+67+70+71+77+.

^56+01 :: 9f = 159 (37 bytes below / 122 remainder)
    67+70+71+77+54+37+57+74+39+43+37+7a+6b+41+6f+63+7d+00+5d+3e+3b+b3+c5+42+2f+2d+9d+07+f6+40+e6+7e+4f+4a+75+69+63+.
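The reassembly described in this comment (byte 2 of a ^56+01 chunk is an offset into one shared buffer, and overlapping chunks must agree), as an added example that is not part of the gist or its comments: it parses the seven ^56+01 chunks from the annotated capture above (copied verbatim as constructed input), places each payload at its offset, reports overlap conflicts and uncovered offsets, and carves the flag between `flag{` and `}\x00` the way the script does. Function names are this example's own.

```python
import binascii

# Constructed input: the seven ^56+01 chunks from the annotated capture above, verbatim
# ('^' ... '.' sentinels, '+' separators, byte 2 = offset of the payload in the buffer).
CHUNKS = [
    "^56+01+27+44+fe+04+f8+ca+90+c9+b4+42+eb+b9+6e+d6+6a+60+a7+05+60+e1+8e+19+e0+6d+6c+1d+4a+66+6c+61+67+7b+71+75+65+62+.",
    "^56+01+32+6e+d6+6a+60+a7+05+60+e1+8e+19+e0+6d+6c+1d+4a+66+6c+61+67+7b+71+75+65+62+65+63+36+35+38+35+34+71+75+65+62+65+63+3a+47+47+34+76+4d+52+4d+4d+.",
    "^56+01+37+05+60+e1+8e+19+e0+6d+6c+1d+4a+66+6c+61+67+7b+71+75+65+62+65+63+36+35+38+35+34+71+75+65+62+65+63+3a+47+47+34+76+4d+52+4d+4d+75+50+4e+6a+68+49+.",
    "^56+01+3c+e0+6d+6c+1d+4a+66+6c+61+67+7b+71+75+65+62+65+63+36+35+38+35+34+71+75+65+62+65+63+3a+47+47+34+76+4d+52+4d+4d+75+50+4e+6a+68+49+51+6a+4e+51+71+71+32+6f+30+6a+37+45+37+62+41+.",
    "^56+01+57+3a+47+47+34+76+4d+52+4d+4d+75+50+4e+6a+68+49+51+6a+4e+51+71+71+32+6f+30+6a+37+45+37+62+41+6e+72+44+4a+.",
    "^56+01+7c+59+49+2d+46+62+41+7a+30+45+4f+32+56+59+6c+77+52+52+6e+4e+4c+32+75+4b+62+69+66+38+6f+4f+53+65+75+48+69+62+67+70+71+77+.",
    "^56+01+9f+67+70+71+77+54+37+57+74+39+43+37+7a+6b+41+6f+63+7d+00+5d+3e+3b+b3+c5+42+2f+2d+9d+07+f6+40+e6+7e+4f+4a+75+69+63+.",
]

def parse_chunk(frame):
    """Return (offset, payload bytes) for a '^56+01+<off>+<data>+.' frame, else None."""
    if not (frame.startswith("^56+01+") and frame.endswith("+.")):
        return None
    raw = binascii.unhexlify(frame[1:-2].replace("+", ""))
    return raw[2], raw[3:]

def reassemble(frames):
    """Place every payload at its offset. Returns (buffer, conflicts, gaps): buffer maps
    offset -> byte, conflicts lists (offset, first, later) disagreements, gaps lists uncovered offsets."""
    buf, conflicts = {}, []
    for frame in frames:
        parsed = parse_chunk(frame)
        if parsed is None:
            continue  # 0x92 / 0x93 frames carry no flag data
        offset, payload = parsed
        for i, b in enumerate(payload):
            pos = offset + i
            if pos in buf and buf[pos] != b:
                conflicts.append((pos, buf[pos], b))
            buf.setdefault(pos, b)  # first sighting wins, as in the script
    if not buf:
        return buf, conflicts, []
    gaps = [p for p in range(min(buf), max(buf) + 1) if p not in buf]
    return buf, conflicts, gaps

def carve_flag(buf, fill="*"):
    """Text from 'flag{' to the '}' that is followed by a NUL; uncovered offsets show as fill."""
    lo, hi = min(buf), max(buf)
    text = "".join(chr(buf[p]) if p in buf else fill for p in range(lo, hi + 1))
    start = text.find("flag{")
    end = text.find("}\x00", start)
    if start < 0 or end < 0:
        return None
    return text[start:end + 1]
```

On this capture the chunks agree everywhere they overlap and leave a three-byte hole at 0x79-0x7b, so the carved flag shows `***` there, which matches the `*` rendering in the script.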

@DeathsPirate

Nice write-up. Looked like some sort of I2C protocol
