ESPILON-CTF-2026-Writeups/IoT/Lain_Br34kC0r3/README.md
# LAIN_Breakcore — Solution
**Difficulty:** Medium | **Category:** IoT | **Flag:** `ECW{LAIN_Br34k_CryPT0}`
## Overview
A UART hardware/crypto/reverse-engineering challenge. The router's UART interface is exposed as two TCP ports:
- **TX (port 1111)**: Read only — device output
- **RX (port 2222)**: Write only — send commands
## Available Commands
```text
help — list basic commands
flag — get the AES-encrypted flag
dump_bin — dump the firmware (XOR'd with the key)
settings — display the XOR key used for the firmware
whoami — current user info
show config — show device configuration
```
## Steps
### 1. Connect
```bash
# Terminal 1 — TX (read output)
nc <host> 1111
# Terminal 2 — RX (send commands)
nc <host> 2222
```
### 2. Get the XOR key
```text
settings
```
Returns the XOR key used to obfuscate the firmware dump.
### 3. Dump and deobfuscate the firmware
```text
dump_bin
```
Save the hex output, then XOR each byte with the key from `settings`:
```python
# Repeating-key XOR: the same operation obfuscates and deobfuscates the dump.
key = bytes.fromhex("<key_from_settings>")
firmware_enc = bytes.fromhex("<dump_from_dump_bin>")
firmware = bytes(b ^ key[i % len(key)] for i, b in enumerate(firmware_enc))
with open("firmware.bin", "wb") as f:
    f.write(firmware)
```
### 4. Reverse the firmware to extract AES key and IV
```bash
strings firmware.bin | grep -iE "key|iv|aes|lain"
```
Or open in Ghidra/Binary Ninja and locate the AES key/IV in `.rodata`.
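The following is an added worked example, not part of the original writeup: it carries steps 3 and 4 through end to end on a constructed sample. The firmware bytes, the XOR key and the key/IV marker strings are all made up for the demonstration (the real values come from `settings`, `dump_bin` and the firmware itself); the keyword list mirrors the `grep` above. It also generalizes the page's one-liner slightly: the hex is pulled out of a raw terminal capture rather than a clean string, and a `strings`-style scan replaces the external tool.

```python
from __future__ import annotations
import re

# Constructed sample "firmware": an ELF-like header, some non-printable filler and
# a few embedded marker strings. NOT the challenge's real firmware.
SAMPLE_FIRMWARE = (
    b"\x7fELF\x01\x01\x01\x00"
    + b"\x00" * 8
    + b"AES_KEY=0123456789abcdef\x00"
    + b"\x01\x02\x03"
    + b"AES_IV=fedcba9876543210\x00"
    + b"\xff\xfe"
    + b"lain_breakcore\x00"
)
# Constructed XOR key; the real one is returned by the `settings` command.
SAMPLE_KEY = bytes.fromhex("a5c3")

# Same keywords the writeup greps for in step 4.
KEYWORDS = re.compile(r"key|iv|aes|lain", re.IGNORECASE)


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice with the same key restores the input."""
    if not key:
        raise ValueError("XOR key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def hex_from_dump(text: str) -> bytes:
    """Extract the hex payload from a raw TX capture.

    Only lines made up entirely of hex digits and whitespace are kept, so the
    echoed command, prompts and status lines in the capture are ignored.
    """
    chunks = []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped and re.fullmatch(r"[0-9a-fA-F\s]+", stripped):
            chunks.append(re.sub(r"\s+", "", stripped))
    blob = "".join(chunks)
    if len(blob) % 2:
        raise ValueError("odd number of hex digits in dump")
    return bytes.fromhex(blob)


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Equivalent of `strings`: runs of printable ASCII at least min_len bytes long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def find_key_material(data: bytes) -> list[str]:
    """Printable strings in the image that mention key/iv/aes/lain."""
    return [s for s in extract_strings(data) if KEYWORDS.search(s)]


def looks_like_elf(data: bytes) -> bool:
    """Cheap sanity check that the XOR key was right: a known magic should reappear."""
    return data[:4] == b"\x7fELF"


def recover(dump_text: str, xor_key: bytes) -> tuple[bytes, list[str]]:
    """Deobfuscate a captured dump and list candidate key/IV strings."""
    firmware = xor_with_key(hex_from_dump(dump_text), xor_key)
    return firmware, find_key_material(firmware)


if __name__ == "__main__":
    # Simulate the TX side: the echoed command followed by the XOR'd image as hex lines.
    obfuscated = xor_with_key(SAMPLE_FIRMWARE, SAMPLE_KEY)
    lines = [obfuscated[i:i + 16].hex() for i in range(0, len(obfuscated), 16)]
    capture = "dump_bin\n" + "\n".join(lines) + "\n> \n"
    firmware, hits = recover(capture, SAMPLE_KEY)
    print("ELF magic restored:", looks_like_elf(firmware))
    for hit in hits:
        print("candidate:", hit)
```

If the magic check fails (or the deobfuscated image contains almost no printable strings), the XOR key was probably copied wrong or the dump was truncated; fix that before spending time in a disassembler.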
### 5. Get the encrypted flag
```text
flag
```
Returns the ciphertext in hex.
### 6. Decrypt the flag
```python
# Requires pycryptodome (pip install pycryptodome).
from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad

key = b"<key_from_firmware>"  # 16 or 32 bytes, as found in the firmware
iv = b"<iv_from_firmware>"    # 16 bytes
ciphertext = bytes.fromhex("<hex_from_flag_command>")

cipher = AES.new(key, AES.MODE_CBC, iv)
print(unpad(cipher.decrypt(ciphertext), AES.block_size).decode())
```
## Flag
`ECW{LAIN_Br34k_CryPT0}`
## Author
neverhack