BSidesCBR 2017 CTF Write-Up: Mr Robot Returns (Act III)

This is a write-up of the “Mr Robot Returns: Act III” challenge (150 points) from BSides Canberra 2017.

As this challenge involved a physical device, it is unfortunately not available online.

Breaking into surveillance systems!
The aim of this challenge was to break into the “Dark Army Surveillance System” and see what we could find. We are given a link to the camera, and are presented with this:

“Secure” login alert

We presumed that we had to bypass the login to get to the contents of the webpage. Cancelling would just show “Access Denied”.

After searching for “IP Camera login bypass” and attempting a variety of methods, we finally found something that worked: https://pierrekim.github.io/blog/2017-03-08-camera-goahead-0day.html

We tried the “Pre-Auth Info Leak” which leaked the username and password of the login:

We used the credentials to login, and were presented with this page:

We had no clue what any of the text said (we discovered later the dropdown was for changing the language), and so we selected Chrome, which presented us with a live preview of the camera, as well as the ability to move it around. We ended up spotting a QR code, which we scanned. It took us to a bit.ly link with a file we had to download.

Once we had downloaded the file, we viewed it with xxd to get an idea of its file type:

We spotted /tmp/zpaq, as well as the file header starting with cccc, which doesn’t seem to be a regular file header.

We googled zpaq, which brought us to the homepage of zpaq. We installed zpaq with apt-get install zpaq, renamed the downloaded file to have an extension of zpaq, and tried to extract it:

Zero files were extracted. This was odd, as the zpaq file itself is quite large. From our observation of the file header, we decided to create a new zpaq file and compare the headers:

We noticed that the first two bytes differ. We replaced the first two bytes in the downloaded file, and tried to extract it again:

We get a file called zpaq, and view its header:

It’s a PDF! We view the PDF, and get the flag which is contained inside.
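The header comparison and two-byte patch described above, as an added example that is not part of the original write-up: it dumps the download xxd-style, lists the offsets where it differs from a freshly created reference archive, copies the reference bytes over them, and checks the result by its magic bytes. The sample bytes are constructed placeholders, not the challenge's real zpaq or PDF data.

```python
# Added example (not from the write-up): compare a damaged download against a
# known-good reference archive, patch the differing header bytes, and identify
# the result by its magic bytes, mirroring the xxd / header-swap steps above.
from typing import List, Tuple

# Constructed sample data: these bytes are placeholders, NOT the real zpaq
# or PDF contents from the challenge.
REFERENCE_HEADER = b"\x01\x02RESTOFHEADER"   # first bytes of a freshly created archive
DAMAGED_DOWNLOAD = b"\xcc\xccRESTOFHEADER"   # download whose first two bytes read cccc
EXTRACTED_SAMPLE = b"%PDF-1.4\n%constructed" # stand-in for the extracted file


def hexdump(data: bytes, width: int = 16) -> str:
    """xxd-style dump used to eyeball a header."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}: {hexpart:<{width * 3}} {asc}")
    return "\n".join(lines)


def header_diff(ref: bytes, damaged: bytes, length: int) -> List[Tuple[int, int, int]]:
    """(offset, reference byte, damaged byte) for every differing offset in the first `length` bytes."""
    n = min(length, len(ref), len(damaged))
    return [(i, ref[i], damaged[i]) for i in range(n) if ref[i] != damaged[i]]


def patch_header(damaged: bytes, ref: bytes, length: int) -> bytes:
    """Copy the first `length` bytes of the reference over the damaged file."""
    return ref[:length] + damaged[length:]


def identify(data: bytes) -> str:
    """Minimal magic-byte check covering only the type this write-up ended on."""
    if data.startswith(b"%PDF"):
        return "pdf"
    return "unknown"


if __name__ == "__main__":
    print(hexdump(DAMAGED_DOWNLOAD))
    for off, r, d in header_diff(REFERENCE_HEADER, DAMAGED_DOWNLOAD, 16):
        print(f"offset {off:#04x}: reference {r:02x}, download {d:02x}")
    fixed = patch_header(DAMAGED_DOWNLOAD, REFERENCE_HEADER, 2)
    print(hexdump(fixed))
    print("extracted file looks like:", identify(EXTRACTED_SAMPLE))
```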

A big thank you to the BSidesCBR CTF organisers, and for encouraging us to solve the challenges.