Task 2.1 - Disarm Capability
“Thanks to your hard work we were able to eventually geolocate the device and work with military partners to retrieve the system for further analysis. It turned out to be a test system that one of the IED developers had been using in lieu of a live device. We provided the system to a team of software reverse engineers and their preliminary assessment is that we have a fully functional copy of the IED software, a key file, and a dummy driver that emulates the various IED states. Analysts believe that this key file contains the information needed to authenticate to a real IED (somewhere in the field) and send commands to it. Presumably this test system was used to validate the software and key file before it was deployed to an actual IED. Since the key file appears to be encrypted, we are going to need your help to figure out a way to decrypt it. This should enable us to disarm the fielded IED that uses this key, though we will still need to figure out exactly how it is being used for authentication (next task). The goal of this task is for you to obtain the decrypted contents of the key file.”
After the recon stages, I was asked to begin working on the capability to disarm one of the IEDs. The first step in this task provided me with three files: a server binary, a test driver and an encrypted key file. The first step I took was to run strings on the server binary. This output a TON of lines. 14,847 to be exact (s/o to wc for not making me do that manually). I took a quick scroll through the lines looking for anomalies. In the middle of the output I noticed a big block of text that, upon closer investigation, was an RSA private key block.
I figured that this might be useful so I copied it into a text file and tried a simple OpenSSL decryption on the key file we were provided using it. Lo and behold, it actually decrypted the file! What I found was what looked like a protocol designation otpauth:// along with a path to /totp/791507179 along with the URL parameter “secret=6Z2F47DXRF5WMHXCPZ4ATZBJ4VNVBLU4XGYK2DP5WM75HSVJHR6Q”. This should all come in handy for the next stage!
Full File Contents: otpauth://totp/791507179?secret=6Z2F47DXRF5WMHXCPZ4ATZBJ4VNVBLU4XGYK2DP5WM75HSVJHR6Q
Task 2.2 - Disarm Capability
“Perfect! Now that we have the key file we can work on a disarm capability. Several intelligence reports suggest that terrorists use a secure token (i.e., small hardware device) for generating unique one-time codes for authenticating to the IED when sending commands. We believe these codes change over time and are only valid for a certain time window and for specific device serial numbers. Based on previous signatures you provided, we have located the armed IED that is using the same version of software and key serial number from Task 3 and we need to disarm it ASAP. We do not have the secure token that corresponds to the device, but we still need to be able to authenticate to it with the correct code in order to disarm it. Your objective for this task is to figure out how to generate valid one-time codes and provide one that we can use to disarm the IED. The decrypted key file you provided earlier should help with this part.”
I found this task to be interesting and challenging. I actually spent a lot of time on what turned out to be dead ends in an attempt to figure out the OTP. The challenge for me was recognizing what the secret key was and how it was being used for an OTP. I, unfortunately, spent a great deal of time thinking the challenge was to reverse engineer the driver and thought that the OTP would be coming from that (like a YubiKey or something). This was just an effect of my lack of experience with oauth and OTPs. I’m glad I did spend the time doing this, even if it was ultimately the wrong path, because I got the chance to learn about Linux driver ioctl function calls!
After spending a few hours in a day trying to reverse engineer the driver, I decided it was best to take a break. The next day, I decided to approach the problem as an investigation into how the key was being used and what TOTP actually is. I had originally believed it to be something that was special to the challenge application; however, upon further research I learned that it is a time-based OTP. After realizing this, I found a utility called oathtool which was able to generate TOTP authenticators for me to use in the client! The final command only required me to tell the tool that the string was encoded in base32 and to use the --totp flag. I was then able to use the disarm command!
Final Token (or how to generate it): oathtool --totp -b <token>
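What oathtool --totp -b computes from the decrypted key file, written out as an added example (not code from the challenge or from the original writeup). It assumes the TOTP defaults of HMAC-SHA1, a 30-second step and 6 digits, since the URI carries no algorithm, digits or period parameters; the function names are illustrative.

```python
import base64, hashlib, hmac, struct, time
from urllib.parse import urlparse, parse_qs

# URI exactly as recovered from the decrypted key file in Task 2.1.
KEY_URI = ("otpauth://totp/791507179"
           "?secret=6Z2F47DXRF5WMHXCPZ4ATZBJ4VNVBLU4XGYK2DP5WM75HSVJHR6Q")

def parse_otpauth(uri):
    """Return (label, raw_key_bytes) from an otpauth://totp/ URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    secret = parse_qs(u.query)["secret"][0].strip().upper()
    # otpauth secrets usually omit base32 '=' padding; b32decode requires it.
    secret += "=" * (-len(secret) % 8)
    return u.path.lstrip("/"), base64.b32decode(secret)

def hotp(key, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of last byte selects a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(key, now=None, step=30, digits=6):
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    now = time.time() if now is None else now
    return hotp(key, int(now) // step, digits)

if __name__ == "__main__":
    label, key = parse_otpauth(KEY_URI)
    # The code is only valid for the current 30-second window, so the
    # clock on the generating machine has to agree with the verifier's.
    print(label, totp(key))
```

The label in the URI path (791507179) is carried alongside the secret but does not enter the HMAC; only the secret and the current time step do.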