Insomni’hack 2013: Armory wargame

As ARM CPUs are becoming more and more widespread, we decided to create an ARM-based wargame consisting of 4 challenges.

The first one, described here, is a reverse engineering challenge that gives you the credentials to access the actual Raspberry Pi boxes.

Here is the beginning of the disassembled code:

[image: arm-disass (screenshot of the disassembled check routine)]

As you can see, the first check is against strlen(argv[1]), which must be 6.
Then the program reads argv[1][0] and adds argv[1][1] to it; the result should be 0xa6 (166).
Then argv[1][2] is subtracted from argv[1][1]; the result should be 5.

Here is the C code for all the checks (the length check first, then one sum or difference per pair of consecutive characters, and finally the last character tied to the length):

[code language="cpp"]
#include <stdlib.h>
#include <string.h>

int main(int argc, char **argv)
{
    if (argc < 2)          /* guard added so the snippet runs stand-alone */
        exit(-42);
    /* the length must be exactly 6 */
    if (strlen(argv[1]) != 6)
        exit(-42);
    /* sums / differences of consecutive characters */
    if (argv[1][0] + argv[1][1] != 166)
        exit(42);
    if (argv[1][1] - argv[1][2] != 5)
        exit(-42);
    if (argv[1][2] + argv[1][3] != 157)
        exit(42);
    if (argv[1][3] - argv[1][4] != -66)
        exit(-42);
    if (argv[1][4] + argv[1][5] != 163)
        exit(42);
    /* the last character is tied to the (known) length */
    if (argv[1][5] - strlen(argv[1]) != 43)
        exit(-42);
    return 0;              /* all checks passed */
}
[/code]

So, we can either try to guess the correct sequence or start from the end: strlen(argv[1]) is known to be 6, so the last check fixes argv[1][5] = 43 + 6 = 49 ('1'), and each earlier check then has a single unknown. Walking backwards gives the string

4rm0r1
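The backward walk described above, as an added example (this is not the challenge authors' code). The constraints are the ones from the disassembly, encoded as a list so the same solver works for any chain of pairwise sum/difference checks ending in a length check; check() re-implements the binary's tests so the recovered string can be verified before typing it into the real binary:

```python
# Added example: recover the Armory password by walking the checks backwards.
# The only check with a single unknown is the last one (c[5] - strlen == 43),
# because strlen(argv[1]) is forced to 6 by the first check; every other check
# then fixes the previous character from the one already known.

LENGTH = 6  # strlen(argv[1]) must be 6

# Pairwise checks in program order, as (kind, target):
#   "add" means c[i] + c[i+1] == target, "sub" means c[i] - c[i+1] == target.
PAIR_CHECKS = [
    ("add", 166),  # c[0] + c[1]
    ("sub", 5),    # c[1] - c[2]
    ("add", 157),  # c[2] + c[3]
    ("sub", -66),  # c[3] - c[4]
    ("add", 163),  # c[4] + c[5]
]
LAST_CHECK = 43  # c[5] - strlen(argv[1]) == 43


def check(password: str) -> bool:
    """Re-implementation of the binary's checks, used only to verify a candidate."""
    if len(password) != LENGTH:
        return False
    c = [ord(ch) for ch in password]
    for i, (kind, target) in enumerate(PAIR_CHECKS):
        value = c[i] + c[i + 1] if kind == "add" else c[i] - c[i + 1]
        if value != target:
            return False
    return c[LENGTH - 1] - LENGTH == LAST_CHECK


def solve(length: int = LENGTH, pair_checks=PAIR_CHECKS, last_check: int = LAST_CHECK) -> str:
    """Fix the last character from the length check, then walk the pair
    checks from last to first; each one determines c[i] from c[i+1]."""
    if len(pair_checks) != length - 1:
        raise ValueError("need exactly length-1 pairwise checks")
    c = [0] * length
    c[length - 1] = last_check + length
    for i in range(length - 2, -1, -1):
        kind, target = pair_checks[i]
        # add: c[i] + c[i+1] == target  ->  c[i] = target - c[i+1]
        # sub: c[i] - c[i+1] == target  ->  c[i] = target + c[i+1]
        c[i] = target - c[i + 1] if kind == "add" else target + c[i + 1]
    if not all(0 <= x < 256 for x in c):
        raise ValueError("constraints do not describe a byte string")
    return "".join(chr(x) for x in c)


if __name__ == "__main__":
    candidate = solve()
    print(candidate, "passes" if check(candidate) else "FAILS")
```

The solver does not need a constraint solver or brute force because every check involves exactly one new character. One caveat when transcribing checks like these from ARM disassembly: `char` is unsigned by default on ARM (it is signed on x86), so if a recovered byte were 0x80 or above the sign of the loaded value would differ between the two platforms; here every byte is printable ASCII, so the arithmetic is the same on both.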

After that, the real challenge was being able to run the program without having to reverse the decrypt function 🙂
Any ARMv6-compatible system could have been used, and we even validated the challenge for a team unable to run the program.

That gave you:
# ./armory 4rm0r1
Nice, you now have access to the armory!
There are 5 available terminals to get your weapons:

ssh://raspberry1.insomni.hack
ssh://raspberry2.insomni.hack
ssh://raspberry3.insomni.hack
ssh://raspberry4.insomni.hack
ssh://raspberry5.insomni.hack

Login is : level1
Pass is : In33dmoarweap0ns

Be nice, those hosts are based on low cost raspberry Pi !
Use 'who' and try to get one not in use

Be careful with your exploits on this host, don't let someone else steal your flags :-)

Your flag for this challenge:
2ea108cdfa288d2fb66bde68d4f74348bc2799acbdc324ba613368ca1f7fe727168745632e6b6c972a194dc12589d087cb2819cd46890f7a0527c868b41d6d1a

Now, if you want to run the Raspberry Pi system yourself in order to try the challenges, there are 3 ways:

  • Qemu-user emulation in chroot
  • Qemu-system emulation
  • On an actual raspberry pi

Qemu-user chroot:
The archive is made for x86_64 systems, but it should be easy to make it work on 32-bit x86 by following http://www.gentoo.org/proj/en/base/embedded/handbook/?part=1&chap=5

You need the binfmt_misc kernel module for this to work (check that /proc/sys/fs/binfmt_misc is mounted, so that the kernel can hand ARM ELF binaries to the qemu-arm user-mode emulator). Simply untar the following archive somewhere:
http://www.insomnihack.ch/images/raspberry.tgz

Once extracted, go inside the directory and run chroot.sh. If all goes well, you should be chrooted inside a full ARM environment and able to run native ARM code on your x86_64 system.

Qemu-system with the image:

Download http://www.insomnihack.ch/images/image.img.gz and http://xecdesign.com/downloads/linux-qemu/kernel-qemu
Gunzip the image and launch qemu with:
qemu-system-arm -kernel kernel-qemu -cpu arm1176 -m 256 -M versatilepb -append "root=/dev/sda3" -hda image.img -display sdl

You will see some errors about missing kernel modules (the kernel-qemu kernel is built for the versatilepb board, not the Pi), but the console prompt will eventually appear.
User is root and password is toor

Native Raspberry Pi:
This should be pretty straightforward: just download http://www.insomnihack.ch/images/image.img.gz, gunzip it and write it to an SD card (here /dev/mmcblk0; double-check the device name, as dd will overwrite whatever it is pointed at) like this:
dd if=image.img of=/dev/mmcblk0 bs=10M
User is root and password is toor

The ssh daemon may take a while to start; this is due to DNS name resolution.