AND!XOR DC28 Badge

DEF CON may be canceled but we are still doing a badge

Nostalgic Blackberry Keyboard, Bling turned up to 11, and socially distant.

DEF CON was finally canceled due to a pandemic... but that doesn't mean we can't still make a badge and ship drops all around the country for proxy haXors to give them away for free :) This year's badge provides bling, an embedded yet socially distant and inclusive CTF text-based adventure (i.e. if you don't collaborate in Slack you LOSE), and a port of MyBASIC extended to the hardware to make it hackable.

This wouldn't have been possible without our Philanthropist Backers and Generous Sponsors. Show them some love, because without them you hackers wouldn't be getting badges and instead would have to resort to the pool party on the roof.

Project will be open sourced sometime in September.

Links

CTF Public Slack Workspace: https://bit.ly/3eRTR4B

CTF Scoreboard: https://nevergonnagiveyouupnevergonnaletyoudown.com/

Trailer: https://www.youtube.com/watch?v=dY_oJL28QOw&feature=emb_title

T-Shirt: https://www.amazon.com/dp/B08CBSCJH3

  • 1 × PCB Custom Designed - Fab by Macrofab
  • 1 × Acrylic Faceplate Custom Designed - Fab by Ponoko
  • 3 × AAA Battery Holder Keystone 1020
  • 1 × MCU STM32F412RET6
  • 1 × Screen - OLED (common to shitty cell phones) ER-OLED0.96-1.3B-1655


  • CTF Results & Walkthrough (Part 4)

    Hyr0n, 08/16/2020 at 05:56

    MORE FLAGS!!! WUT?!

    The remaining flags were sprinkled throughout the internet, the badge, and other places throughout the year. Here's what you may have found or missed...

    Found code: PCB QR Code

    Go ahead, scan it... see what happens...

    Found code: Twitter 1

    https://twitter.com/ANDnXOR/status/1291615817440694272

    Found code: Twitter 2

    https://twitter.com/ANDnXOR/status/1291874479723827200

    Found code: Twitter 3 

    https://twitter.com/ANDnXOR/status/1283615391504142336

    Found code: Github

    Do you watch our repository update status? Seems we pushed something to the DC24 badge a couple of months ago... Look at it in its RAW form...

    https://github.com/ANDnXOR/ANDnXOR_DC24_Badge/blob/master/README.md

    Found code: About

    Scroll to the bottom of the About section on the badge menu, it takes a while...

    Found code: BASFUK.BAS

    Did you think the Brainfuck interpreter was broken? Well, yes, it was, but if you fix the code by comparing it to the original in the MyBASIC samples...

    Found code: POST

    Take a close look at the Power On Self Test output on the UART at start-up. Normally you were on /dev/ttyACM0; this one shows up on /dev/ttyACM1 (it's quick, though, so you may miss it). Better to circumvent the RTOS middleware and go directly to the UART breakout on the back: solder on some RX, TX, and GND header pins.

    Found code: Scoreboard

    Take a look at the source, there's a really weird comment...

    Found code: Release Video

    There's a secret in the TP. Can you find it?


    Found code: Release Video

    We sure do like floppy disks...


    Found code: Release Video

    Damn hipsters...


    Found code: T-Shirt

    Did you look closely at the Shirts or the Sticker Swag included? Check out the print on the black wire...

    sOXMxT

    In Closing...

    This was probably the largest amount of challenges and easter eggs we've ever done in one of our CTFs. Hell, getting some of the badges out via drops (which is outside the scope of the CTF, obviously) had tons of creative juices behind the various drop proxies across the land of hax0r. All that being said, to pull this off takes a village. The Matt Damon Village. With that, we will leave you with a view of the header code of BENDER so you can see behind the scenes how this worked. It will be posted to GitHub, but in short, the framework for BENDER was made generic and all challenge content is kept in a single source file. Here's what it looks like. Enjoy this while we work on the overall project post mortem.

    /*****************************************************************************
     * Made with beer and late nights in California.
     *
     * (C) Copyright 2017-2020 AND!XOR LLC (https://andnxor.com/).
     *
     * PROPRIETARY AND CONFIDENTIAL UNTIL AUGUST 11th, 2020 then,
     *
     * Licensed under the Apache License, Version 2.0 (the "License");
     * you may not use this file except in compliance with the License.
     * You may obtain a copy of the License at
     *
     *     http://www.apache.org/licenses/LICENSE-2.0
     *
     * Unless required by applicable law or agreed to in writing, software
     * distributed under the License is distributed on an "AS IS" BASIS,
     * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
     * See the License for the specific language governing permissions and
     * limitations under the License.
     *
     * ADDITIONALLY:
     * If you find this source code useful in anyway, use it in another electronic
     * conference badge, or just think it's neat. Consider buying us a beer
     * (or two) and/or a badge (or two). We are just as obsessed with collecting
     * badges as we are in making them.
     *
     * Contributors:
     *     @andnxor
     *     @zappbrandnxor
     *     @hyr0n1
     *     @bender_andnxor
     *     @lacosteaef
     *     @f4nci3
     *     @Cr4bf04m
     *****************************************************************************/
    
    #ifndef WH_BENDER_H
    #define WH_BENDER_H
    
    #include <zephyr.h>
    
    #define URL_LEADERBOARD         "bit.ly/3egadD5"
    #define URL_SLACK             "bit.ly/3eRTR4B"
    #define URL_END             "bit.ly/2Aw1s9C"
    #define MAP_CHAR_PLAYER         "☻"...

  • CTF Results & Walkthrough (Part 3)

    Hyr0n, 08/15/2020 at 16:34

    What are the Lulz Quizzes?

    These are small point-value Q&A questions. If you get it right, +5; if you get it wrong, -10. How do you dig out of that hole? Well, different flags are provided depending on whether you got it "right" or "wrong." So you reset the badge, re-randomize the CTF, go find them again... grind grind grind... and you can mitigate -10 to -5 worst case, or come out +5 points for each, best case. Some complained that our results for the lulz were subjective. This is hardly the case, because we are right and you are wrong :)

    LULZ QUIZ 0

    ~LULZ QUIZ~ (0)EMACS (1)VIM (2)NANO

    Flag: hack flag wit 1

    What Did You Learn Today: VIM DUH!

    LULZ QUIZ 1

    ~LULZ QUIZ~ Did Carole Baskin kill her OM? (0)Yes (1)No

    Flag: hack flag wit 0

    What Did You Learn Today: Carole Fucking Baskin

    LULZ QUIZ 2

    ~LULZ QUIZ~ Pineapple on pizza? (0)Yes (1)No

    Flag: hack flag wit 0

    What Did You Learn Today: It's the best kind of pizza

    LULZ QUIZ 3

    ~LULZ QUIZ~ (0)OSX (1)Windows (2)Linux (3)BSD

    Flag: hack flag wit 2

    What Did You Learn Today: Linux > Windows > OSX > Dumpster Fire > BSD

    LULZ QUIZ 4

    ~LULZ QUIZ~ (0)Red Team (1)Blu Team (2)Purpl Team

    Flag: hack flag wit 2

    What Did You Learn Today: Your assessments don't mean shit unless you work together to fix it.

    LULZ QUIZ 5

    ~LULZ QUIZ~ (0)Spaces (1)Tabs

    Flag: hack flag wit 1

    What Did You Learn Today: Finally this debate has been settled once and for all

    LULZ QUIZ 6

    ~LULZ QUIZ~ (0)Drop 0-Day (1)Notify Vendor

    Flag: hack flag wit 1

    What Did You Learn Today: Responsible disclosure

    LULZ QUIZ 7

    ~LULZ QUIZ~ (0)Hack (1)Slp (2)Et (3)showR

    Flag: hack flag wit 3

    What Did You Learn Today: Yeah. Shower. For the good of everyone.

    LULZ QUIZ 8

    ~LULZ QUIZ~ (0)tst n devlpmnt (1)tst n production (2)dun tst

    Flag: hack flag wit 2

    What Did You Learn Today: YOLOSEC

    LULZ QUIZ 9

    ~LULZ QUIZ~ (0)Buffer Underflow (1)Buffer Overflow

    Flag: hack flag wit -1

    What Did You Learn Today: LOLOLOLOLOLOLOLOL

    COMPLETION 100%

    3d 5f 32 23 5e 46 21 2c 43 35 2b 43 5d 34 32 40 56 26 74 69 41 53 72 57 24 47 41 5c 4f 38 45 62 75 71 3c 40 3c 2d 49 38 42 6c 37 51 2b 2d 36 51 63 3f 45 63 2c 48 21 2b 3d 38 34 4f 44 64 6d 58 2c 42 6d 4f 3f 24 2b 3d 38 34 41 2b 44 75 3d 33 43 68 37 24 71 2b 45 70 53 26 3b 42 52 3b 2f 41 30 3c 57 5d 31 2c 27 68 5b 42 6c 37 52 25 2b 43 65 69 23 41 30 3e 69 22 44 49 64 3c 71 42 6b 26 39 30 42 51 3e 34 60 37 37 4a 43 65 3a 4a 4e 24 56 48 36 3f 5e 2b 44 49 5b 36 6f 41 52 6d 44 47 2f 67 2b 5b 49 44 2e 2e 61 25 2b 45 29 34 31 44 4b 3f 71 2c 2b 3d 38 34 32 2b 43 63 4f 29 40 3c 3c 56 6c 2b 41 73 3e 22 47 39 43 4c 3c 37 34 6f 5d 5f 2b 41 3d 28 73 2b 3e 50 27 62 44 66 51 74 45 40 3c 3f 21 6d 2b 3e 50 27 4c 2b 45 71 61 47 2b 45 56 6d 47 2b 44 47 70 3f 42 6d 4c 6e 32 46 3c 47 2b 26 46 3c 47 64 39 46 43 53 75 2c 42 6d 4c 6e 3c 44 4a 28 29 29 44 66 30 2c 3d 2b 40 4c 2d 5a 46 29 48 28 42 44 2a 55 75 4f 2b 42 33 23 63 45 62 30 3b 37 44 42 4f 25 48 44 27 33 5e 3d 41 30 3e 3c 22 44 65 21 33 6c 48 23 52 68 39 2f 67 2b 29 32 2b 42 39 50 29 46 60 26 66 61 2f 67 2a 47 4b 42 35 29 2d 50

    When your completion is at 100% (all Main & Lulz Challenges), a bit.ly/2Aw1s9C link appears.

    HEX -> BASE85

    BONUS CHALLENGES & EASTER EGGS

    DEF CON MUD Bonus Challenge

    EvilMog was quite a sport and we collaborated a bit between BENDERPISS and the MUD. If you head to mog.ninja and follow the instructions, you can play the DEF CON MUD, which is amazing. BENDER draws a lot of its roots from text-based adventures and MUDs.

    The flag is simple, yet difficult. Head to the woods in the north where you have a quest to hunt animals in the woodland maze. There you will find... hyr0n the gerbil!

    "A small light brown furry gerbil. He has a white tummy, and very sharp claws. He is very cute, and quite friendly but scared of strangers. He will probably run from you if you come near him."

    Don't fight him, he'll kick your ass! Just look and you will see a flag tied to him. Oh, and he's kinda...


  • CTF Results & Walkthrough (Part 2)

    Hyr0n, 08/15/2020 at 05:20

    Continued...

    Challenge 4 - Hardware Encoding Morse

    A lRg comms tower itz n not powered, a PIGEON_HOLE gap exists whch needs somTIN4 cndctvity. l%kin awA U notic som CLOUDS. c%d DIS b d coz of it aL. d rona?

    Description: When one completes the tool/target combo, the badge lights up and blinks. Fast. REALLY FAST. Some people just recorded it with their phones and slowed it down to watch the pattern. Others actually read what it said: "woah, d bIrb ComplEtd d cIrcuit! a vanilla iCe trak starts playin &lyts r flashin waaa t% fst. nEd 2 lit'rally netflIx & Chill 2 slothngz dwn b4 i git a hedakE". Let's think about this: blinking fast, need to "chill" and slow things down. If one used the MyBASIC editor they would have noticed there was a TEMP.BAS which describes the location of the thermistor temperature sensor on the badge. Guess what happens when you chill the sensor down? It slows the blinkies down. Do that, and you should notice the dot and dash pattern, which is Morse code. There's also another hint when you look at the clouds: "R thOs clouds? problE not, thOs R chem trails.Dey put a hex on U morse so thN U tink." Decode the Morse and you get pairs of hex digits (that's the "hex" in the hint); read each pair as an ASCII byte and it translates to 5GT0W3RZDuH.

    ...-- .....  ....- --...   ..... ....-   ...-- -----   ..... --...   ...-- ...--   ..... ..---   ..... .-   ....- ....-   --... .....   ....- ---..

    Tool unlock: hack PIGEON_HOLE wit BIRB

    Flag: hack flag wit 5GT0W3RZDuH

    What Did You Learn Today: That sometimes embedded systems use peripheral sensors for entropy. And if you have access to the hardware, you can control that entropy. Which lets you control the logic, such as blink speed or encryption keys...
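    As an added example (not part of the original write-up or the badge firmware), here is the full Challenge 4 decode chain in Python: Morse symbols to hex digits, then hex digits to ASCII. The Morse string is the one transcribed above; the function and constant names are my own.

```python
# Added example, not from the AND!XOR project code: decode the Challenge 4
# blink pattern. The Morse spells pairs of hex digits ("Dey put a hex on U"),
# and each pair is one ASCII byte of the flag.

MORSE = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z",
    "-----": "0", ".----": "1", "..---": "2", "...--": "3", "....-": "4",
    ".....": "5", "-....": "6", "--...": "7", "---..": "8", "----.": "9",
}

# Pattern as transcribed in the walkthrough (one space between symbols,
# a wider gap between the two hex digits of each byte).
CHALLENGE4_MORSE = (
    "...-- .....  ....- --...   ..... ....-   ...-- -----   ..... --...   "
    "...-- ...--   ..... ..---   ..... .-   ....- ....-   --... .....   "
    "....- ---.."
)


def morse_to_text(pattern):
    """Translate whitespace-separated Morse symbols into characters."""
    return "".join(MORSE[sym] for sym in pattern.split())


def hex_digits_to_ascii(digits):
    """Pair up hex digits and turn each pair into one ASCII character."""
    if len(digits) % 2:
        raise ValueError("odd number of hex digits: %r" % digits)
    return bytes.fromhex(digits).decode("ascii")


def decode_challenge4(pattern=CHALLENGE4_MORSE):
    """Morse -> hex digit string -> flag text."""
    return hex_digits_to_ascii(morse_to_text(pattern))


if __name__ == "__main__":
    print(morse_to_text(CHALLENGE4_MORSE))  # the intermediate hex digits
    print(decode_challenge4())              # the flag
```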

    Challenge 5 - HARDWARE Encoding RS232

    u c Mt BER cn, sobr thotz :( mAbE U cn cure d rona by putn smTIN inside yo slf.U scratch BUTT whIl tinkiN bout it.

    Description: This one is very similar to the Morse encoding, only we encoded it with good ol' RS232 serial, because one should know those serial UART adapter blinkies mean something. More importantly, this should teach you how to interpret serial data on a logic analyzer. The initial description doesn't help much, but once the tool/target hack is completed (which should be obvious because COVID can be killed by inserting a UV light in you somehow somewhere) you will be told "Yor gutz lite ^ & blink. Itz supa serial 2 stRt tink bout lEst & mstsigNfict tNgs thN stop, cuz DIS mA b d wrng cure."

    Super Serial? Think about the least and most significant things? C'mon, what better hints could we have given you? Now if you've never worked with serial, a quick google on how the protocol works will teach you that characters are turned into binary, a 0 is prepended as the start bit, the data bits go out LSB first (so the order you see on the wire is the reverse of how you'd normally write the byte), then a 1 is appended as the stop bit. The blink pattern shown would translate to...

    0100011001 0011100101 0000100101 0000000101 0001100101 0110011001 0001100101 0100110101 0101011001 0000011001 0111011001

    So you remove the start and stop bits, reverse the bit order of each byte, and the result is: 1NH@L3LY507

    Tool unlock: hack BUTT wit UVLIGHT

    Flag: hack flag wit 1NH@L3LY507

    What Did You Learn Today: How serial encoding on hardware actually works.
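    The same decode for Challenge 5, as an added Python example (not from the original post or the badge code): each 10-bit group above is one 8N1 serial frame, so strip the start and stop bits, reverse the LSB-first data bits, and read the byte. It also rejects frames with a bad start or stop bit and includes the inverse, so you can see what any string would look like on the blinkies. Names are my own.

```python
# Added example, not from the AND!XOR project code: decode the Challenge 5
# blink pattern as 8N1 serial frames. Each frame is 10 bits as seen on the
# wire: start bit (0), eight data bits LSB first, stop bit (1).

# Frames exactly as transcribed in the walkthrough.
CHALLENGE5_FRAMES = (
    "0100011001 0011100101 0000100101 0000000101 0001100101 0110011001 "
    "0001100101 0100110101 0101011001 0000011001 0111011001"
)


def decode_8n1_frame(frame):
    """Return the byte carried by one 10-bit 8N1 frame; raise on a framing error."""
    if len(frame) != 10 or set(frame) - {"0", "1"}:
        raise ValueError("expected 10 bits, got %r" % frame)
    if frame[0] != "0":
        raise ValueError("missing start bit in %r" % frame)
    if frame[-1] != "1":
        raise ValueError("missing stop bit in %r" % frame)
    data_lsb_first = frame[1:9]
    # The wire sends the least significant bit first, so reverse the order
    # before reading it as an ordinary binary number.
    return int(data_lsb_first[::-1], 2)


def decode_frames(frames):
    """Decode a whitespace-separated list of frames into text."""
    return "".join(chr(decode_8n1_frame(f)) for f in frames.split())


def decode_challenge5(frames=CHALLENGE5_FRAMES):
    return decode_frames(frames)


def encode_8n1(text):
    """Inverse: the 10-bit frames the blinkies would show for a string."""
    out = []
    for byte in text.encode("ascii"):
        bits = format(byte, "08b")[::-1]  # MSB-first string -> LSB-first wire order
        out.append("0" + bits + "1")
    return " ".join(out)


if __name__ == "__main__":
    print(decode_challenge5())            # the flag
    print(encode_8n1(decode_challenge5()))  # round-trips to the frames above
```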

    Challenge 6 - PHREAKING Elevator

    U entR a building & wiLCaruana runs awA az U apRch an OpN elvt0r. Yln he hz a:X & dropz a CELL. Thr iz l0kd CALLBOX bElO d flOr btNz.

    Description: Good ol' Will Caruana. This gentleman is a curator of shenanigans and a dear friend. So we thought we would team up and simulate some elevator phreaking in the form of a badge CTF challenge. The callbox is locked, so unlocking it... calls for a lock pick. Once you get it open you see "Bt hW u caL? Etchd w wot wz problE a hevE gauge wire U c ZXh0LjQxNzc=" and the other item is the cell which Will drops: "Therz only 1 fone # n d recnt caL lst 312d3333372d4d41542d492d4f4245592e2e2e4d6179422064726f7020442059"

    Translate those encodings... You get...


  • CTF Results & Walkthrough

    Hyr0n, 08/14/2020 at 01:44

    DC28 AND!XOR BENDERPISS CTF Stats

    132 Players on the Scoreboard / 5 Fake Hacked Players / 60 Flags Possible

    21 Main Challenges

    3 Bonus Challenges 

    36 Easter Eggs

    Concept

    Our CTF has never been about cutthroat competition; it's about exploration, learning, and being a hacker. You can take whatever route you want; if you are just trying to bag points, and that makes you happy, then you do you. The BENDER CTF (BENDERPISS variant this year) is multidisciplinary in approach. We always want people out of their comfort zone and having to learn something new, which hopefully drives them to visit villages and learn. Beating a dead horse: it's not a demonstration of the skill sets you have, but rather an opportunity to acquire some new ones and frendz along the way. That being said, the scoreboard can be misleading, seeing someone in first place and thinking "they won." We've never flat out said the person in first "won" the CTF; rather we take time to watch what people are doing, hide some land mines to detect those who take the easy path of point gathering, but also watch how the participants react to those land mines, as well as socialize within their new community. We also take this approach because participants have the badge in hand.

    What are land mines? Flags hidden in the firmware which could only be obtained by dumping it from the MCU or extracting them from the patch. If you entered any of these (which we mix with the actual challenge flags), we know that's what you were doing because there's no other way to get them. Some were negative (-1000), some were positive (+10). We know what u did last summer. You can mitigate this at times with additional hardware security, but it's hardware: if you have physical access to hardware there is NOTHING you can do to protect it; firmware can be dumped or even GDB used to step through in real time. Additionally we had to post a necessary patch during the CTF, which some instantly went straight to reversing and string dumps to find flags. Doing this doesn't disqualify one from the CTF; in fact it makes it harder because each land mine awards you -1000 points.

    That being said, there are a few categories in which we will give shout-outs to those who stood out, based on the types of flags they submitted and generally how their discovery went in chat.

    Category Champions

    TLDR: These few will receive DC29 AND!XOR badges and a beverage in Vegas (if DEF CON isn't canceled).

    S@g@n++: Based on discovery, learning, and not taking the easy path. The 3 persons with the most correct flags submitted, without any land mines, and completing the challenges as designed.

    • Night [xxxaf6] & 5p0rk[xxxa85] & Babint[xxxa16]
    • Comments: Additionally, Night used some python wizardry to map a PS4 and DDR floorpad controller, hacked it into the control input, then used it for the grind of exploring the 8-bit ASCII world overlay.

    S@g@n--: Based on discovery, learning, and not taking the easy path. The 3 persons with the most correct flags submitted, without any negative land mines, who dabbled in some firmware RE.

    • Down [xxx128] & Bearto[xxxa1c] & Yawg[xxxb92]
    • Comments: Completionist, social butterfly on the frendz scale, enough said. 

    H@x0r: Based on learning the CTF system, exploiting it, and overcoming the negative score. The person with ALL flags submitted (i.e. including the positive and negative land mines & reset), highest score in the positive.

    • teHbrw [xxxab0] with a score of 1293
    • Comments: You may think that with all our concept rant about learning and challenges, we would disqualify those who string dumped the firmware? No, praise actually. This is a different challenge. teHbrw was actually at the top of the scoreboard before firmware was ever available, then quickly dropped to the bottom. In the negative thousands! Most would give up at this point. But they kept at it, learned there was a back door to reset one's score to zero, and re-completed the challenges....

  • RTFM

    Hyr0n, 07/25/2020 at 17:07

    Read The F-ing Manual

    Made with beer and late nights in California.

    TLDR: This year's badge provides bling, an embedded CTF text-based adventure, and a port of MyBASIC extended to the hardware to make it hackable.

    AND!XOR (@andnxor)
     * @zappbrandnxor
     * @hyr0n1
     * @bender_andnxor
     * @lacosteaef
     * @f4nci3
     * @Cr4bf04m

    Artwork for PCB Silkscreen, Acrylic, Bandanna, & Lanyard: Doc

    VOIP Service Puzzle, Greetings, and Lulz: Alethe Denis (@AletheDenis) at Penguin

    Puzzle Design & Intern of the Month Award Jun: Will Caruana (@WillCaruana)

    Puzzle Design & Beta Testing: Kur3us (@kur3us)

    Filming & Editing: Mike Laan (@mlaan)

    Sponsors: Urbane Security, Penguin, inspectAR, & Philanthropists

    Hackaday: https://hackaday.io/project/173627-andxor-dc28-badge

    GitHub: https://github.com/ANDnXOR/ANDnXOR_DC28_Badge

    Badge Hardware

    Hardware information about the badge

    BOM

    * PCBA: MacroFab 
    * Acrylic Faceplate: Ponoko
    * MCU: STM32F412RET6
    * Screen (OLED): ER-OLED0.96-1.3B-1655
    * Screen (TFT): ST7735 128x160
    * LEDS: APA-102C-NEW
    * Keyboard: Blackberry Q10 (BBKB)
    * Keyboard Connector: BM14B(0.8)-24DS-0.4V(53)
    * 8 MHz Crystal (STM32): X50328MSB2GI
    * USB-C: TYPE-C-31-M-12
    * Battery Holder: Keystone 1020

    Inspect AR

    Want to inspect the badge without disassembling the acrylic faceplate?
    We've partnered with InspectAR to leverage augmented reality to do just that.
    * Website: https://www.inspectar.com/
    * Google Play Store: https://play.google.com/store/apps/details?id=com.inspectar.app
    * Apple App Store: https://apps.apple.com/us/app/inspectar-pcb-tools/id1478936899
    * Nokia Sidekick Store: http://bit.ly/2PToeh

    After installing the app on your phone, log in, select "Sponsored" projects, search for "AND!XOR DC28," and download.

    Badge Interface Usage

    * Move Up: SYM+W
    * Left: SYM+A
    * Down: SYM+S
    * Right: SYM+D
    * Quit/back: SYM+Q
    * Delete: ALT+Backspace
    * Use ALT to type alternate characters _(e.g., ALT+B == !)_
    * Special Characters
      * { : SYM+U
      * } : SYM+I
      * \ : SYM+G
      * = : SYM+L
      * [ : SYM+T
      * ] : SYM+Y
      * % : SYM+P
      * ~ : SYM+V
      * & : SYM+$
      * ^ : SYM+C
      * < : SYM+N
      * > : SYM+M
      * | : SYM+F
    * Bling Rager Mode: SYM+R (while in bling app)

    Capture The Flag Scoreboard

    https://nevergonnagiveyouupnevergonnaletyoudown.com/

    AND!XOR Public Slack

    Over the past couple of years, hackers engaged in the CTF have set up Slack environments to collaborate and learn from one another. We think this is awesome and decided to set up an open Slack to support this. There will be channels dedicated to each badge, i.e. DEF CON 28 (WHICH IS CANCELED, THE SAD LOLZ!) is under #dc28. We ask that you abide by only a couple of cardinal rules:

    * Rule 0 - Don't be an asshole
    * Rule 1 - No spoilers...

    So Rule 1 is kind of an extension of Rule 0, but it's the grey area. You're going into Slack for many reasons (which will be explained below, see BENDERPISS "frend"), and one of them may be to ask for hints because you want to learn. If you are gonna just spoil it and another wants to know how you completed a challenge, do the world some good and direct message them. Use the channel to be Socratic: answer questions by asking questions leading in the right direction; critical thinking is key to building your hacking proficiency (but if you just want to give it away, be kind enough to use direct messaging). It's a CTF with a scoreboard, so if you just dump an answer into a chat channel, you're only hurting your own score :P

    AND!XOR Public Slack Sign Up: https://bit.ly/3eRTR4B

    Badge Enabled Non Directive Enigma Routine Portable Interface SyStem (BENDER~PISS) 

    A variant of the BENDER CTF has been created such that it can be played standalone with the BBKB, on the badge, without the use of a serial terminal client. However, the back-end magic MITM wizardry which exists allows you to do both, as whatever you do in BENDERPISS is mirrored over the RS232 connection and vice versa. In...

