telecastr

Welcome to Norzh Flight !

The starting point for this challenge is a flight-booking website. The goal is to book a particular flight from VNE to CTF on May 21. The catch is that apparently there are no seats available on that flight. 😕

telecastr

#!/usr/bin/env python

import requests
import sys
import argparse
import os
import sqlite3
import traceback
import re
# disable insecurerequestwarning

telecastr

Discovery

• Port 31227 -> Basic Auth, no luck with admin/admin, ... & user admin+ rockyou.txt

• Port 32544 -> AMQP, requires auth, no luck with guest/guest & user admin+rockyou.txt

• Ports change with restart of Docker-container + Services of other challanges are running on the same IP but different port ...

• The authentication form tells us, this is a AppWeb Embedded Server

  • Found common vuln for app web: https://lab.wallalarm.com
  • Found working exploit for user admin at https://vulners.com:

telecastr

Off the grid

• Given is a data-stream to an SH1306-OLED display

• SH1306 is slightly different to well known SSD1306, differences in Protocol

• Basic explanation of SSD1306 display: lastminuteengineers.com

• SSD1306 datasheet: adafruit.com

• SH1306 seems to only support page addressing mode. This can also be seen on the data stream itself - 128 Bytes are transmitted in one go = 128 Lines*8 Rows at 1 bit 'color-depth' (black/white)

• Correct Settings for Saleae Logic can be determined from the capture itself or the shematic given by HTB:

• After exporting the Saleae Logic analyser result as .csv, the protocol can be reversed/display can be emulated and the pixel-stream can be saved to an image file