Challenge Information
One of these firmware files received a surprise injection from a rogue agent. It’s super stealth, like buried under a mountain of hex.
Your job? Dive into the GUI, break the binary open, and reverse engineer the sucker. Somewhere in there is a function dropping a CAN message with a custom arbitration ID.
Decode it, trace it, snatch the payload, and show that spy who's boss.
Hint:
1. James Bond
2. ASCII codes
Flag Format hint: bh{the_flag}
7 files are provided:
1. telematics_...
2. power_ma...
3. infotainme...
4. lighting_m...
5. spy_decoder
6. hvac_contr...
7. headlight_...
Solution Summary
1. Running the spy_decoder file and entering 007 prints the string headlight_firmware.zip
• Decompiling spy_decoder reveals PYI strings, and the file can be unpacked with pyinstxtractor
• secret.txt contains a base64 string that decodes to headlight_firmware.zip
2. headlight_firmware.zip is password-protected; the password was cracked with zip2john and hashcat
3. Extracting headlight_firmware.zip yields headlight_firmware.bin, a binary in LZMA-compressed format; change the extension to .lzma and decompress it with lzma
4. This produces headlight_firmware, a file in ELF format, which prints the Flag when run on Linux
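Detailed Solution
1. I ran the spy_decoder file provided with the challenge and, following the James Bond hint, entered 007, which printed the string headlight_firmware.zip.
• This seems to indicate that headlight_firmware.zip is the file the challenge is about.

2. However, that result came too easily, so I analyzed the spy_decoder file further.
• First, static analysis with a decompiler turned up strings containing PYI.

• I used pyinstxtractor to extract the contents of the binary.

• Among the extracted files was secret.txt, which contained a base64 value. Base64-decoding it yields the string headlight_firmware.zip.

• spy_decoder.pyc could also be analyzed statically, but it appears to be nothing more than a program that prints headlight_firmware.zip when 007 is entered.
3. The headlight_firmware.zip file was password-protected, and the password could be cracked using zip2john and hashcat.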
• pw : 1l0v3elizabethwithallmyheart
$ hashcat -m 13600 -a 0 ./hash.txt ../pw_dict.txt --backend-ignore-cuda
hashcat (v6.2.5) starting
...
Dictionary cache built:
* Filename..: ../final_combo.txt
* Passwords.: 29606011
* Bytes.....: 294047725
* Keyspace..: 29605980
* Runtime...: 1 sec
$zip2$*0*1*0*c8f251b7218a973b*ce7d*96c*47a899cc8aa76272f4493fb1f66d7ae550ab436e7d7b5de29d901e9f1c5fde0d50235f91fe8559913cddb02c1dda2470195a9fe52bef283635b92b7a5839d6e662750d4380e6e8ef09d4d45708e477bd26089254ceb7a26b175d369a3923aef83278a1f8ce23aca5cdbc42568b20b93d90fa6bf98f6b763d86ebe37fda8f77531af95b5dfbfd70051de9a69c63591b4fd88866bb443e31c0dc2906e4fc44c5900fe529d155e1c52022f8f4ef6c45fadde3df88d098f1b4459b4ccf421562857eafeb090a82b2fc78cfad248f6c99e4b9b9e05f16e9370cc762887a4d12349bde9eb148281a826741620fa6775f383de8b141dc614036d00196b1bd85d46b9b46897e124b5c70e04a6187a58ece65e5e201d76243f4dc42618fd0e8bb34cfa81af559c2d83417c8f1519610c11e59d99f4b47f301a1eacb73720491b2066ea5d5e2066618a685c2547e6338f340592d3dc8b19b22001c2c502b4901b7aadae825ca20dd32dc2aa98114204e7007006a9c4ddf080146155ba6e014b19d83d025e24320d90dc45b5e05166c4b4fcbffdccda378bed8cf9f4ef50c23156883970dc81e1a0a80f0c6a22c9dc80689e96b5d600c34ec827105a7fd9a9130fe79878e9df2757abe717d43caffb0d0f4fbb88db24a1515a0715ff771619303dffafa8db1896a24c818507b8496c40a6a324c961fc7486a979e8e09d2840e02813f316d7c3e3638c28cf8718b817a75d08756d13cde7d124b443f750759774cdad092742e2a330b740278229c35200eb8835a28c48bf1a05057df89ea7f981fbb6ada9a503190d1ee72ffdb7c1d4184b2287b65e74de4f348ea0f3c79e9286e6f087dafc6a3bbc1ef1d19e36c994cf1311bd6240ed8d1e6cb21aa1ce4ffce19154526c3b38096cd8ac75ab9b12ae839d38765ac50ab16a9839016f327a39ee5b2bcaca3331038b63df1c18fb169fa2ea70a878bc28901bfd3af85dc041bcf7205eaa4454aea3a3e7002e7467d186c6b5d1cfd40f57cb64667ca27c6ab8152b4cc65cfabe138bd6242aad6c9ffd96d02097577aeb489819c9023315dbba1676f2a447e45fc44e32355f5de24f98705c55bbba4eeabdadee9cbc05b9a4857d0fa3873e00a2df3946a2ce606288c80ccf083f3aab2fd2f38caa45f499d750cd97523a31b74deb55c55e79552da5b5b0e7df9166fbc2ddf072cce17280390c68a60d3476035ddc4b40cb78db23db98fc700e5dcd972e35762ef305a16dc1fdf9c10749e669ae2d5edf279a2bac7cbffc8d55294ea551dcd19891ccb6a909c1bf0210ead1ed7bbbeb4b37038a982856d238b46a4e655e63d988f044192cecec92785c65aaf0649d874ac7563dd8a920dc646d71250546cf67f98cf5
e8792d43fd85a5ffa60d70df65cbd8f2aa77ba9436dbd7d99585d2ccddf8d72765fd8a6b3e3385d9885806d72fd3f6dd0d8086e849e473b50e21406e9865981ee466baae6a258b352343194048baccc5bf2cf3c6d603be0e924be744e2bdcf8b8b91cc44bcdc059874aa2351bd2850f471bc4f8cd6441be61e83f009da982ba9830faa6d8b2fbccde6704334431bafe192f7bd187d9a2a82a8df14b7918f3ae4e9fe1b67808b35f4667df451e80bbe9e934e95d18aa0a732b85567533c14567bab124e4122f111c36191c3426731094451fae5170ac7392e941f3fd0423820f8deb9e60470179c23cd325b4304dea08912aa2dc6d572f07d40d1ed80724689f67fa69700d015ea2a9780cb83f84723ea948bf3b957d9ef55229821f54f450dbb5968ee075e8144ff23308cbb03c87664d4fa4cb2be3548cea16462297a3432856cd90ddde8d614eaab2d35f7d72d51ca0976c5ea9423a2c8a91af03683d90f09fe27892fec1e884e7bd497efe728679b4f707c039d492158e26ca4c636d24b5538aefd4877b4f79a353b1e6b86bed3034e06edaf748bf129bfc988834838bc23ea7c2213bda3f6d087e8acab1c3378cbecd9728de70b173a695d6466c8fe41f7c7f4fe16fa781be1d310db11a06aeebea4319316fcff3d1caf0e4715ea900a69f2826bfeffffaa8e05be8ca959c0b49c33929e4115bcf4eceb466729e593e9467de8408b1c29e1c60293b7899bcc41be3eb1913241f97126b33e70e354090b1e3abaa8cd8619aff7046d4546c697ac391a6a66a95df2b123e3a772091bf4bbd6f27c2ddd88666fa8700e22d159a072cd8e4d88791e8c1b669d6e354aa9cdd58dfec105ff6eb04fcd8d95cf0b5811fcc4d7866046289f3fc901378473ec25933cb5570d0edb42a6e0a44c912bb6be7007335fd22271ae79e13aa0c2934ac0cfc9903b121d80aa0297cd9154a46f3d1eb3cfd7aec7707d4de0c137007cd5ba03b01fdfd46e509cc0d9eb4260cb34e2b62c7b63a1a3cc10db2e00fbd38ee2811debbf1ee913025136b93b750cb2af67355b5298134c228bce2e73e038b31adbf4e06ba4510e21ada779d44f57fcdbba7464d3ef52203957f77544a6ca9968c544d031f0ebfef869ddec29d2e811be6b0cdff5fa65ff739a100bc0da26417efe75f646b5384a9fc55b3f2606aebe991aca493d1a86ff77f91444ca0ebc32e83f97dd7a80718510df34eee96c9ea944490e4830a821ef596f3f6b7979f39471e8efdb1d25fbe0ff032b76491352117bbc35b04a8440f418a1ddc13511fcb306da8b2401558e31d894a60816e4820c8954735754bcea527eb82eef3617b59aa1bb218ae2d360f973d50b018f0545d69e9fe1fca92e64cf36ee61e1b080568ac4fac3499107f2e5cd7ad461
c17d7f03e0c8aa5ba49856ec88f2b82bcd62926a9f23bba00405fdde8217fcd69b18c04c3a9a70afb9c387575e1ea926b1f97b307777db8855e80c8c617e82dbbf6eee70e291a40263868a6c539ba3e28d828dcc88ed7072017b053be49d931d7ff31a72f2a2abcaddf9e2c514bfd79ef25f3aa5ef79d3d0d252919445cb65d6c1c6d48bcead8c9487369ecc6824a18847aea685f82e84383c6ac54cfc99cba2857cf57cf54e05c5635e9d5cf59b42d6bc583a302e4cb01a0c2403b63300d0a99fdd03d0c981a4b02d3fd040a1077b4de71a1863a6f7082a48595be243943771a84e58827dc4f5a5a069fa585c2d0d6add1e027a35f2a20679319f901be139dc05e73271f00909818bf1a18e468081970a61848e4eca8b4d11eb7298813013907b35b1cda6d1a56c7def2340a53bfbc74806add54c473994cb0f3e113416c8e1a00e1d30dad87951406d1e60afaac0f6d7b404d95f3939d2a61a4f77739d85dcf065453a3fc1b04a74665b75a16d7e1ff36b04a7d5fd4b1744f93bb0de4dd22f8735eacda210aa42fb2bdedcc15b9b16358ea9c1f6810affab6095d4d541b077e96856e147c00ef2babb08338f3e126*0787fdbaf82eddb74ec6*$/zip2$:1l0v3elizabethwithallmyheart
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13600 (WinZip)
Hash.Target......: $zip2$*0*1*0*c8f251b7218a973b*ce7d*96c*47a899cc8aa7.../zip2$
Time.Started.....: Sat Aug 23 11:16:46 2025 (2 secs)
Time.Estimated...: Sat Aug 23 11:16:48 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (../final_combo.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 1124.4 kH/s (7.04ms) @ Accel:4 Loops:999 Thr:256 Vec:1
Speed.#2.........: 501.2 kH/s (7.25ms) @ Accel:2 Loops:999 Thr:256 Vec:1
Speed.#*.........: 1625.7 kH/s
Recovered........: 1/1 (100.00%) Digests
Progress.........: 2478080/29605980 (8.37%)
Rejected.........: 0/2478080 (0.00%)
Restore.Point....: 2291712/29605980 (7.74%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-999
Restore.Sub.#2...: Salt:0 Amplifier:0-1 Iteration:0-999
Candidate.Engine.: Device Generator
Candidates.#1....: 1995sage -> 1ilove...
Candidates.#2....: 1ilove? -> 1 NEWCOM
Hardware.Mon.#1..: Temp: 58c Fan: 0% Util: 6% Core:2520MHz Mem:10251MHz Bus:4
Hardware.Mon.#2..: Temp: 41c Util: 4% Core:1410MHz Mem:1512MHz Bus:16
Started: Sat Aug 23 11:16:35 2025
Stopped: Sat Aug 23 11:16:49 2025
4. The extracted archive contained headlight_firmware.bin, a file compressed with LZMA; after changing the extension to .lzma, it could be decompressed with lzma.
$ file headlight_firmware.bin
headlight_firmware.bin: LZMA compressed data, streamed
$ cp headlight_firmware.bin headlight_firmware.lzma
$ lzma -d headlight_firmware.lzma
$ ls
headlight_firmware headlight_firmware.bin
5. This yielded headlight_firmware, an ELF 64-bit binary, and running it produced the Flag.
• FLAG : bh{h3aDL!ght$_FirmWaR3}
$ file headlight_firmware
headlight_firmware: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=de90299b9c42cef8778bda3dbee39f1f839d60ed, not stripped
$ ./headlight_firmware
Sending CAN message with arbitration ID 0x1C0:
Data: 62 68 7B 68 33 61 44 4C 21 67 68 74 24 5F 46 69 72 6D 57 61 52 33 7D
ASCII: bh{h3aDL!ght$_FirmWaR3}
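
Steps 4 and 5 as an added example (not part of the original write-up or the challenge files): it parses the 13-byte legacy .lzma header that `file` reports as "LZMA compressed data, streamed", decompresses the image, checks for the ELF magic, and decodes the Data line from the output above. The function names and the constructed sample image are assumptions made for illustration.

```python
import lzma
import struct

UNKNOWN_SIZE = 0xFFFFFFFFFFFFFFFF  # all-ones size field: length not stored

def parse_lzma_alone_header(blob):
    """Decode the 13-byte legacy .lzma ("LZMA alone") header."""
    if len(blob) < 13:
        raise ValueError("too short for an LZMA-alone header")
    # 1 byte properties, 4 bytes dictionary size, 8 bytes uncompressed size (LE)
    props, dict_size, size = struct.unpack("<BIQ", blob[:13])
    if props >= 9 * 5 * 5:
        raise ValueError("invalid lc/lp/pb properties byte")
    pb, rem = divmod(props, 45)   # props = lc + 9*lp + 45*pb
    lp, lc = divmod(rem, 9)
    return {"lc": lc, "lp": lp, "pb": pb, "dict_size": dict_size,
            # unknown size is what `file` describes as "streamed"
            "streamed": size == UNKNOWN_SIZE,
            "size": None if size == UNKNOWN_SIZE else size}

def unpack_firmware(blob):
    """Validate the header, decompress, and report whether the result is an ELF."""
    header = parse_lzma_alone_header(blob)
    image = lzma.decompress(blob, format=lzma.FORMAT_ALONE)
    return header, image, image[:4] == b"\x7fELF"

def decode_can_data(line):
    """Turn a 'Data: 62 68 ...' line into raw bytes and printable ASCII."""
    raw = bytes.fromhex(line.split(":", 1)[1])
    text = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in raw)
    return raw, text

# Constructed sample: an ELF-like stub packed in the same container format
# as headlight_firmware.bin (not the real challenge file).
SAMPLE_IMAGE = b"\x7fELF" + b"\x02\x01\x01" + bytes(57)
SAMPLE_BIN = lzma.compress(SAMPLE_IMAGE, format=lzma.FORMAT_ALONE)

# Data line copied from the program output shown in step 5.
DATA_LINE = ("Data: 62 68 7B 68 33 61 44 4C 21 67 68 74 24 5F 46 69 "
             "72 6D 57 61 52 33 7D")

if __name__ == "__main__":
    header, image, is_elf = unpack_firmware(SAMPLE_BIN)
    print(header, len(image), is_elf)
    print(decode_can_data(DATA_LINE)[1])
```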
