LAIN_Breakcore — Solution
Difficulty: Medium | Category: IoT | Flag: ECW{LAIN_Br34k_CryPT0}
Overview
UART hardware/crypto/reverse challenge. Connect to the router's UART interface:
- TX (port 1111): Read only — device output
- RX (port 2222): Write only — send commands
Available Commands
- `help` — list basic commands
- `flag` — get the AES-encrypted flag
- `dump_bin` — dump the firmware (XOR'd with the key)
- `settings` — display the XOR key used for the firmware
- `whoami` — current user info
- `show config` — show device configuration
Steps
1. Connect
```bash
# Terminal 1 — TX (read output)
nc <host> 1111
# Terminal 2 — RX (send commands)
nc <host> 2222
```
2. Get the XOR key
```
settings
```
Returns the XOR key used to obfuscate the firmware dump.
3. Dump and deobfuscate the firmware
```
dump_bin
```
Save the hex output, then XOR each byte with the key from settings:
```python
# Both values are copied from the TX output; the key repeats across the dump.
key = bytes.fromhex("<key_from_settings>")
firmware_enc = bytes.fromhex("<dump_from_dump_bin>")
firmware = bytes(b ^ key[i % len(key)] for i, b in enumerate(firmware_enc))
with open("firmware.bin", "wb") as f:
    f.write(firmware)
```
4. Reverse the firmware to extract AES key and IV
```bash
strings firmware.bin | grep -iE "key|iv|aes|lain"
```
Or open in Ghidra/Binary Ninja and locate the AES key/IV in .rodata.
5. Get the encrypted flag
```
flag
```
Returns the ciphertext in hex.
6. Decrypt the flag
```python
# Requires pycryptodome; the flag is decrypted as AES-CBC with PKCS#7 padding.
from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad

key = b"<key_from_firmware>"  # 16 or 32 bytes
iv = b"<iv_from_firmware>"  # 16 bytes
ciphertext = bytes.fromhex("<hex_from_flag_command>")
cipher = AES.new(key, AES.MODE_CBC, iv)
print(unpad(cipher.decrypt(ciphertext), AES.block_size).decode())
```
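Steps 3 and 4 combined into one script, as an added example that is not part of the original write-up: it parses the hex captured from the TX port, strips the repeating XOR key, and reimplements the `strings | grep` filter to list key/IV candidates. The XOR key, firmware bytes and dump layout below are constructed sample values, not the challenge's.

```python
import re
from typing import List

# Constructed sample values (not from the challenge): a 4-byte XOR key and a
# tiny fake "firmware" holding an AES key and IV the way they might sit in .rodata.
SAMPLE_KEY_HEX = "4c41494e"  # "LAIN"
SAMPLE_FIRMWARE = (b"\x7fELF" + b"\x00" * 8
                   + b"aes_key=0123456789abcdef\x00"
                   + b"\x01\x02\x03"
                   + b"iv=fedcba9876543210\x00"
                   + b"\xff" * 5)

def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR every byte with the repeating key; the same call obfuscates and deobfuscates."""
    if not key:
        raise ValueError("XOR key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def parse_hex_dump(text: str) -> bytes:
    """Turn the hex text read from port 1111 into bytes, ignoring the line
    breaks and spaces the terminal capture introduces."""
    cleaned = re.sub(r"\s+", "", text)
    if len(cleaned) % 2:
        raise ValueError("odd number of hex digits in dump")
    return bytes.fromhex(cleaned)

def find_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Minimal `strings`: runs of printable ASCII at least min_len bytes long."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def key_iv_candidates(firmware: bytes) -> List[str]:
    """Apply the grep filter from step 4 to the recovered strings."""
    pattern = re.compile(r"key|iv|aes|lain", re.IGNORECASE)
    return [s for s in find_strings(firmware) if pattern.search(s)]

def recover(dump_text: str, key_hex: str) -> List[str]:
    """Full pipeline: hex text from dump_bin + key from settings -> candidate strings."""
    return key_iv_candidates(xor_with_key(parse_hex_dump(dump_text), bytes.fromhex(key_hex)))

def demo() -> List[str]:
    # Obfuscate the constructed firmware as the device would, wrap the hex into
    # 32-character lines like a terminal capture, then run the recovery.
    key = bytes.fromhex(SAMPLE_KEY_HEX)
    obfuscated = xor_with_key(SAMPLE_FIRMWARE, key).hex()
    dump_text = "\n".join(obfuscated[i:i + 32] for i in range(0, len(obfuscated), 32))
    return recover(dump_text, SAMPLE_KEY_HEX)
```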
Flag
ECW{LAIN_Br34k_CryPT0}
Author
neverhack