diff --git a/IoT/Lain_Br34kC0r3/README.md b/IoT/Lain_Br34kC0r3/README.md index 667cf3c..7e53e1f 100755 --- a/IoT/Lain_Br34kC0r3/README.md +++ b/IoT/Lain_Br34kC0r3/README.md @@ -1,28 +1,48 @@ -# LAIN_Breakcore — Solution +# Lain_Br34kC0r3 -**Difficulty:** Medium | **Category:** IoT | **Flag:** `ECW{LAIN_Br34k_CryPT0}` +| Field | Value | +|-------|-------| +| Category | IoT | +| Difficulty | Medium | +| Points | 500 | +| Author | neverhack | +| CTF | Espilon 2026 | -## Overview +--- -UART hardware/crypto/reverse challenge. Connect to the router's UART interface: +## Description -- **TX (port 1111)**: Read only — device output -- **RX (port 2222)**: Write only — send commands +This challenge emulates a UART interface on a Lain router. +Open both connections, interact as if it was real hardware. -## Available Commands +- **TX**: Read only +- **RX**: Write only -```text -help — list basic commands -flag — get the AES-encrypted flag -dump_bin — dump the firmware (XOR'd with the key) -settings — display the XOR key used for the firmware -whoami — current user info -show config — show device configuration -``` +Maybe Lain can help you? -## Steps +--- -### 1. Connect +## TL;DR + +Connect to the split UART interface. Use `settings` to get the XOR key, `dump_bin` to get +the obfuscated firmware, de-obfuscate to extract the AES key and IV from `.rodata`, then +use `flag` to get the ciphertext and AES-CBC decrypt it to recover the flag. + +--- + +## Tools + +| Tool | Purpose | +|------|---------| +| `nc` | Split UART connection | +| Python 3 + `pycryptodome` | XOR decoding and AES-CBC decryption | +| `strings` / Ghidra | Static analysis of deobfuscated firmware | + +--- + +## Solution + +### Step 1 — Connect ```bash # Terminal 1 — TX (read output) 
@@ -32,7 +52,17 @@ nc 1111 nc 2222 ``` -### 2. Get the XOR key +> 📸 `[screenshot: both terminals open, TX showing the device banner]` + +### Step 2 — List available commands + +```text +help +``` + +Commands available: `help`, `flag`, `dump_bin`, `settings`, `whoami`, `show config` + +### Step 3 — Get the XOR key ```text settings @@ -40,13 +70,15 @@ settings Returns the XOR key used to obfuscate the firmware dump. -### 3. Dump and deobfuscate the firmware +> 📸 `[screenshot: settings command returning the XOR key]` + +### Step 4 — Dump and deobfuscate the firmware ```text dump_bin ``` -Save the hex output, then XOR each byte with the key from `settings`: +Save the hex output from TX, then deobfuscate: ```python key = bytes.fromhex("") @@ -56,23 +88,28 @@ with open("firmware.bin", "wb") as f: f.write(firmware) ``` -### 4. Reverse the firmware to extract AES key and IV +### Step 5 — Extract AES key and IV from firmware + +Quick method: ```bash -strings firmware.bin | grep -iE "key|iv|aes|lain" +strings -n 10 firmware.bin | grep -iE "key|iv|aes|lain" ``` -Or open in Ghidra/Binary Ninja and locate the AES key/IV in `.rodata`. +Or open in Ghidra with Xtensa architecture, navigate to `app_main()` → AES setup +functions → locate `therapy_aes_key` and associated IV in `.rodata`. -### 5. Get the encrypted flag +> 📸 `[screenshot: strings output showing the AES key and IV]` + +### Step 6 — Get the encrypted flag ```text flag ``` -Returns the ciphertext in hex. +Returns the ciphertext as a hex string on TX. -### 6. Decrypt the flag +### Step 7 — Decrypt the flag ```python from Crypto.Cipher import AES 
@@ -83,13 +120,14 @@ iv = b"" # 16 bytes ciphertext = bytes.fromhex("") cipher = AES.new(key, AES.MODE_CBC, iv) -print(unpad(cipher.decrypt(ciphertext), AES.block_size).decode()) +plaintext = unpad(cipher.decrypt(ciphertext), AES.block_size) +print(plaintext.decode()) ``` +> 📸 `[screenshot: Python script printing the decrypted flag]` + +--- + ## Flag `ECW{LAIN_Br34k_CryPT0}` - -## Author - -neverhack
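Review bot: In the first hunk (`@@ -1,28 +1,48 @@`) the port numbers are dropped from the TX/RX bullets (the removed lines read `**TX (port 1111)**: Read only` / `**RX (port 2222)**: Write only`), so the new Description no longer says which port is read-only and which is write-only; the numbers now survive only in the `nc` lines of Step 1. Suggest keeping them in the bullets, e.g. `- **TX (port 1111)**: Read only`. Please also double-check the spelling of `Espilon 2026` in the new metadata table before merge.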
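Review bot: In the second hunk (`@@ -32,7 +52,17 @@`) the new Step 2 lists only command names (`Commands available: help, flag, dump_bin, settings, whoami, show config`), while the `## Available Commands` block removed in the first hunk gave each one a purpose (`settings — display the XOR key used for the firmware`, `dump_bin — dump the firmware (XOR'd with the key)`); suggest restoring those one-liners under Step 2 so the reader knows what each command does before running it. The `> 📸 [screenshot: ...]` lines added here and in the later hunks are blockquoted text, not images; replace them with real `![...](...)` links or drop them, otherwise the rendered page shows bracketed notes. The context lines `nc 1111` / `nc 2222` also carry no host argument; if a `<host>` placeholder was intended it appears to have been lost.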
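Review bot: In the third hunk (`@@ -40,13 +70,15 @@`) the rewritten sentence `Save the hex output from TX, then deobfuscate:` drops the one statement of what the script actually does (the old line read `XOR each byte with the key from settings`); keep that wording, since nothing else in the step says the firmware is XOR'd. The context line `key = bytes.fromhex("")` is an empty placeholder that Python silently accepts as `b''`, so a reader who forgets to fill it in only fails later in the XOR loop; suggest a visible placeholder such as `bytes.fromhex("<xor key hex from settings>")`, which fails immediately at the assignment.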
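Review bot: In the fourth hunk (`@@ -56,23 +88,28 @@`) the "Quick method" `strings -n 10 firmware.bin | grep -iE "key|iv|aes|lain"` only works because this firmware stores the key and IV as printable ASCII of at least 10 characters; a random 16-byte AES key or IV would not appear in `strings` output at all, so say so and present the Ghidra route as the general one. For the Ghidra line, Ghidra does not ship an Xtensa processor module, so the reader must install a third-party Xtensa extension before `app_main()` can be navigated to. `app_main()` and `therapy_aes_key` are symbol names that are only present if the firmware keeps its symbol table; a sentence on what to do when it is stripped (work from the AES setup call's references into `.rodata`) would make the step self-contained.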
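Review bot: In the last hunk (`@@ -83,13 +120,14 @@`) splitting the decrypt and the print into two lines is fine, but the empty placeholders in the context lines (`iv = b""  # 16 bytes`, `bytes.fromhex("")`) are the real problem: left as-is, `AES.new(key, AES.MODE_CBC, iv)` raises a `ValueError` about key/IV length, and a wrong but correctly sized key or IV surfaces only as `ValueError: Padding is incorrect` from `unpad`. Suggest visible placeholders such as `b"<16-byte IV from .rodata>"` plus a one-line note that a padding error means the key/IV were copied wrong, not that the ciphertext is bad. Also confirm that `from Crypto.Util.Padding import unpad` is present in the unchanged lines between this hunk and the previous one; only `from Crypto.Cipher import AES` is visible in the diff. Removing `## Author` is fine now that the author is in the metadata table.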