64 lines
1.5 KiB
Markdown
64 lines
1.5 KiB
Markdown
# ESP Start — Solution
|
|
|
|
**Difficulty:** Easy | **Category:** ESP | **Flag:** `ESPILON{st4rt_th3_w1r3}`
|
|
|
|
## Overview
|
|
|
|
Flash the provided firmware onto an ESP32. On boot, the device outputs an
|
|
XOR-encrypted flag along with the XOR key via UART at 115200 baud.
|
|
|
|
## Step 1 — Flash the firmware
|
|
|
|
```bash
|
|
esptool.py --chip esp32 --port /dev/ttyUSB0 --baud 460800 write_flash -z \
|
|
0x1000 bootloader.bin \
|
|
0x8000 partition-table.bin \
|
|
0x10000 hello-espilon.bin
|
|
```
|
|
|
|
## Step 2 — Read the UART output
|
|
|
|
```bash
|
|
screen /dev/ttyUSB0 115200
|
|
# Or:
|
|
minicom -D /dev/ttyUSB0 -b 115200
|
|
```
|
|
|
|
The device prints:
|
|
|
|
```text
|
|
=== Hello ESP ===
|
|
System ready.
|
|
|
|
Encrypted flag: 09 12 19 07 00 0E 07 35 3F 35 7D 3C 38 1E 3D 26 7F 1E 3E 7F 3E 72 34
|
|
XOR Key: 4C 41 49 4E
|
|
```
|
|
|
|
## Step 3 — Decrypt the flag
|
|
|
|
XOR key is `LAIN` (`4C 41 49 4E`). Apply it cyclically:
|
|
|
|
```python
|
|
enc = bytes([0x09,0x12,0x19,0x07,0x00,0x0E,0x07,0x35,
|
|
0x3F,0x35,0x7D,0x3C,0x38,0x1E,0x3D,0x26,
|
|
0x7F,0x1E,0x3E,0x7F,0x3E,0x72,0x34])
|
|
key = b"LAIN"
|
|
flag = bytes(b ^ key[i % len(key)] for i, b in enumerate(enc))
|
|
print(flag.decode())
|
|
# ESPILON{st4rt_th3_w1r3}
|
|
```
|
|
|
|
## Key Concepts
|
|
|
|
- **ESP32 flashing**: `esptool.py` writes bootloader, partition table, and application at their respective offsets
|
|
- **UART monitoring**: ESP32 default baud rate is 115200, 8N1
|
|
- **XOR cipher**: Simple symmetric cipher — key is broadcast in plaintext here as an intro challenge
|
|
|
|
## Flag
|
|
|
|
`ESPILON{st4rt_th3_w1r3}`
|
|
|
|
## Author
|
|
|
|
Eun0us
|