Kaspersky CTF Backdoor PI

This is the second challenge I solved during Kaspersky CTF 2017. It is a mix of reverse engineering and forensics.

The challenge

We are doing a project for a school competition in which we need to use a Raspberry Pi to make an IoT prototype. We received SD cards from the professor, and because we lost ours we asked another group to give us a copy of their card. I know it’s been modified because the original hash doesn’t match. Could you please investigate and tell me if everything is ok? Here are some parts of the file system:


download this file

Once I extracted the file system, the first thing I checked was the .bash_history file, which had some interesting commands in it:

vim exploit.py
cat /etc/passwd
userdel U_n33d_th3_fl4g
sudo userdel U_n33d_th3_fl4g
sudo useradd b4ckd00r_us3r

I couldn’t find the file exploit.py, and /etc/passwd seemed normal, so I tried grepping the whole root directory for interesting strings like backdoor, backd00r, flag, fl4g, ... I don’t think this is the best way to do it; if you know of a better way, please let me know. Anyway, I found something interesting that contained the word fl4g: it was a binary file.
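Grepping for strings only works if you already know the strings. A complementary triage step, added here as an example and not part of the original writeup, is to walk the extracted tree and flag any file that starts with a CPython bytecode magic, whatever it is called (the file above had no extension at all), then note its modification time and any keywords it carries. The Python 2.7 magic is the 4 bytes 03 f3 0d 0a; the sample tree built by make_sample_tree is constructed for the demonstration and is not the challenge image.

```python
import os
import tempfile
import time

# CPython 2.7 writes this 4-byte magic at the start of every .pyc it compiles.
PY27_MAGIC = b"\x03\xf3\r\n"
# Every CPython bytecode magic ends with b"\r\n" at offset 2, so that tail is a
# cheap, version-independent hint that a file may be Python bytecode.
PYC_TAIL = b"\r\n"


def classify_header(header):
    """Label the first bytes of a file, or return None if it is not Python bytecode."""
    if len(header) < 4 or header[2:4] != PYC_TAIL:
        return None
    if header[:4] == PY27_MAGIC:
        return "python2.7-bytecode"
    return "python-bytecode-other-version"


def scan_for_bytecode(root, keywords=(), max_read=1 << 20):
    """Walk `root` and report files that look like Python bytecode regardless of
    their name, together with any of `keywords` found in the first `max_read` bytes."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            try:
                with open(path, "rb") as fh:
                    data = fh.read(max_read)
            except OSError:
                continue  # unreadable entries (sockets, permissions) are skipped
            kind = classify_header(data[:4])
            if kind is None:
                continue
            findings.append({
                "path": os.path.relpath(path, root),
                "kind": kind,
                "mtime": time.strftime("%Y-%m-%d %H:%M:%S",
                                       time.gmtime(os.path.getmtime(path))),
                "keywords": sorted(k for k in keywords if k.encode() in data),
            })
    return sorted(findings, key=lambda f: f["path"])


def make_sample_tree():
    """Build a constructed mini file system (not the challenge image) in a temp dir."""
    root = tempfile.mkdtemp(prefix="backdoor_pi_")
    os.makedirs(os.path.join(root, "home", "pi"))
    samples = {
        # extension-less bytecode carrying a suspicious string, like the page's "back"
        "home/pi/back": PY27_MAGIC + b"\x00" * 4 + b"...the fl4g is simply...",
        # ordinary text file, must not be reported
        "home/pi/notes.txt": b"project notes for the IoT prototype\n",
        # bytecode-shaped header (\r\n at offset 2) with a magic word we do not know
        "home/pi/other.pyc": b"\x99\x99\r\n" + b"\x00" * 8,
    }
    for rel, content in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for hit in scan_for_bytecode(make_sample_tree(), keywords=("fl4g", "b4ckd00r")):
        print(hit)
```

On a real image you would point scan_for_bytecode at the mount point and compare the hits against the distro's package manifests; bytecode sitting in a home directory or /tmp with a recent mtime is what deserves a look, which is exactly the situation with the file below.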

$ file back
back: python 2.7 byte-compiled

That one sounds interesting. As far as I know, there isn’t any pre-compiled Python code shipped with any Linux distro, so I decompiled it with uncompyle6.

import sys
import os
import time
from flask import Flask
from flask import request
from flask import abort
import hashlib

def check_creds(user, pincode):
    # The pincode must be at most 8 characters and all digits; the unsalted
    # SHA-256 of "user:pincode" is then compared with a hard-coded digest.
    if len(pincode) <= 8 and pincode.isdigit():
        val = '{}:{}'.format(user, pincode)
        key = hashlib.sha256(val).hexdigest()
        if key == '34c05015de48ef10309963543b4a347b5d3d20bbe2ed462cf226b1cc8fff222e':
            return 'Congr4ts, you found the b@ckd00r. The fl4g is simply : {}:{}'.format(user, pincode)
    return abort(404)

app = Flask(__name__)

# The route decorators did not survive in this decompiled listing, so the URL
# path of each handler is not visible here.
def hello():
    return '<h1>HOME</h1>'

def backdoor():
    # Both values come straight from the query string.
    user = request.args.get('user')
    pincode = request.args.get('pincode')
    return check_creds(user, pincode)

if __name__ == '__main__':
    # host='' binds every interface, so the backdoor is reachable over the network.
    app.run(threaded=True, host='', port=3333)

What the backdoor script does is run a Flask app on port 3333 that takes a username and a password (the pincode) and checks the SHA-256 of the combination “username:password” against a hard-coded hash. We also know that the password is at most 8 characters, all digits. I quickly wrote a script to brute-force the password and tried username = b4ckd00r_us3r:

from Crypto.Hash import SHA256   # pycrypto; hashlib.sha256 would do the same job
user = "b4ckd00r_us3r"
target = '34c05015de48ef10309963543b4a347b5d3d20bbe2ed462cf226b1cc8fff222e'
# Try every integer 0..99999999 (up to 8 digits). Note that this never
# produces zero-padded pincodes such as "00001234", which the backdoor accepts too.
for i in xrange(99999999+1):
    val = '{}:{}'.format(user, i)
    key = SHA256.new(val).hexdigest()
    if key == target:
        print 'KLCTF{'+ '{}:{}'.format(user, i)+'}'
        break

I ran it and it quickly gave me the flag: KLCTF{b4ckd00r_us3r:12171337}.
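The search worked because an unsalted SHA-256 over a username plus at most 8 digits leaves only a few hundred million candidates. As an added example (not the writeup's script, and written for Python 3 with hashlib rather than pycrypto), the block below mirrors the backdoor's check_creds predicate and enumerates the full keyspace the predicate actually accepts, including zero-padded pincodes such as "0042" that an integer loop skips; the run in the block uses a constructed target so it finishes instantly, and the page's real digest is kept only in a comment.

```python
import hashlib
import itertools

# Digest from the decompiled backdoor on the page; pass it as target_hex to
# reproduce the writeup's search (about 111 million hashes, a few minutes in CPython).
PAGE_TARGET = "34c05015de48ef10309963543b4a347b5d3d20bbe2ed462cf226b1cc8fff222e"


def pin_hash(user, pincode):
    """SHA-256 of "user:pincode", the same unsalted construction check_creds uses."""
    return hashlib.sha256("{}:{}".format(user, pincode).encode()).hexdigest()


def check_creds(user, pincode, target_hex):
    """True when the backdoor would accept the pair: <= 8 chars, all digits, hash match."""
    return len(pincode) <= 8 and pincode.isdigit() and pin_hash(user, pincode) == target_hex


def candidate_pincodes(max_len=8):
    """Every digit string of length 1..max_len, shortest first.

    str.isdigit() accepts leading zeros, so "007" is a distinct candidate that
    range(10**8) never yields as a string."""
    for length in range(1, max_len + 1):
        for digits in itertools.product("0123456789", repeat=length):
            yield "".join(digits)


def keyspace_size(max_len=8):
    """Number of pincodes the predicate admits: 10 + 100 + ... + 10**max_len."""
    return sum(10 ** k for k in range(1, max_len + 1))


def crack_pincode(user, target_hex, max_len=8):
    """Return the first accepted pincode for `user`, or None if none exists within max_len."""
    for pin in candidate_pincodes(max_len):
        if pin_hash(user, pin) == target_hex:
            return pin
    return None


if __name__ == "__main__":
    # Constructed target: hash a pincode we choose, then recover it from the digest alone.
    user = "b4ckd00r_us3r"
    demo_target = pin_hash(user, "0042")
    found = crack_pincode(user, demo_target)
    print("keyspace:", keyspace_size(), "recovered:", found)
```

The keyspace_size figure is the defender's takeaway: 111,111,110 candidates per username is a search any laptop completes offline, so a digit-only secret behind a plain hash is no protection at all, and the integer loop in the writeup covers only 100,000,000 of them.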