Total Pageviews

Thursday, 1 June 2023

Hacktivity 2018 Badge - Quick Start Guide For Beginners

You either landed on this blog post because 
  • you are a huge fan of Hacktivity
  • you bought this badge around a year ago
  • you are just interested in hacker conference badge hacking. 
or maybe all of the above. Whatever the reasons, this guide should be helpful for those who never had any real-life experience with these little gadgets. 
But first things first, here is a list what you need for hacking the badge:
  • a computer with USB port and macOS, Linux or Windows. You can use other OS as well, but this guide covers these
  • USB mini cable to connect the badge to the computer
  • the Hacktivity badge from 2018
By default, this is how your badge looks like.


Let's get started

Luckily, you don't need any soldering skills for the first steps. Just connect the USB mini port to the bottom left connector on the badge, connect the other part of the USB cable to your computer, and within some seconds you will be able to see that the lights on your badge are blinking. So far so good. 

Now, depending on which OS you use, you should choose your destiny here.

Linux

The best source of information about a new device being connected is
# dmesg

The tail of the output should look like
[267300.206966] usb 2-2.2: new full-speed USB device number 14 using uhci_hcd [267300.326484] usb 2-2.2: New USB device found, idVendor=0403, idProduct=6001 [267300.326486] usb 2-2.2: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [267300.326487] usb 2-2.2: Product: FT232R USB UART [267300.326488] usb 2-2.2: Manufacturer: FTDI [267300.326489] usb 2-2.2: SerialNumber: AC01U4XN [267300.558684] usbcore: registered new interface driver usbserial_generic [267300.558692] usbserial: USB Serial support registered for generic [267300.639673] usbcore: registered new interface driver ftdi_sio [267300.639684] usbserial: USB Serial support registered for FTDI USB Serial Device [267300.639713] ftdi_sio 2-2.2:1.0: FTDI USB Serial Device converter detected [267300.639741] usb 2-2.2: Detected FT232RL [267300.643235] usb 2-2.2: FTDI USB Serial Device converter now attached to ttyUSB0 

Dmesg is pretty kind to us, as it even notifies us that the device is now attached to ttyUSB0. 

From now on, connecting to the device is exactly the same as it is in the macOS section, so please find the "Linux users, read it from here" section below. 

macOS

There are multiple commands you can type into Terminal to get an idea about what you are looking at. One command is:
# ioreg -p IOUSB -w0 -l

With this command, you should get output similar to this:

+-o FT232R USB UART@14100000  <class AppleUSBDevice, id 0x100005465, registered, matched, active, busy 0 (712 ms), retain 20>     |   {     |     "sessionID" = 71217335583342     |     "iManufacturer" = 1     |     "bNumConfigurations" = 1     |     "idProduct" = 24577     |     "bcdDevice" = 1536     |     "Bus Power Available" = 250     |     "USB Address" = 2     |     "bMaxPacketSize0" = 8     |     "iProduct" = 2     |     "iSerialNumber" = 3     |     "bDeviceClass" = 0     |     "Built-In" = No     |     "locationID" = 336592896     |     "bDeviceSubClass" = 0     |     "bcdUSB" = 512     |     "USB Product Name" = "FT232R USB UART"     |     "PortNum" = 1     |     "non-removable" = "no"     |     "IOCFPlugInTypes" = {"9dc7b780-9ec0-11d4-a54f-000a27052861"="IOUSBFamily.kext/Contents/PlugIns/IOUSBLib.bundle"}     |     "bDeviceProtocol" = 0     |     "IOUserClientClass" = "IOUSBDeviceUserClientV2"     |     "IOPowerManagement" = {"DevicePowerState"=0,"CurrentPowerState"=3,"CapabilityFlags"=65536,"MaxPowerState"=4,"DriverPowerState"=3}     |     "kUSBCurrentConfiguration" = 1     |     "Device Speed" = 1     |     "USB Vendor Name" = "FTDI"     |     "idVendor" = 1027     |     "IOGeneralInterest" = "IOCommand is not serializable"     |     "USB Serial Number" = "AC01U4XN"     |     "IOClassNameOverride" = "IOUSBDevice"     |   }  
The most important information you get is the USB serial number - AC01U4XN in my case.
Another way to get this information is
# system_profiler SPUSBDataType  
which will give back something similar to:
FT232R USB UART:            Product ID: 0x6001           Vendor ID: 0x0403  (Future Technology Devices International Limited)           Version: 6.00           Serial Number: AC01U4XN           Speed: Up to 12 Mb/sec           Manufacturer: FTDI           Location ID: 0x14100000 / 2           Current Available (mA): 500           Current Required (mA): 90           Extra Operating Current (mA): 0 

The serial number you got is the same.

What you are trying to achieve here is to connect to the device, but in order to connect to it, you have to know where the device in the /dev folder is mapped to. A quick and dirty solution is to list all devices under /dev when the device is disconnected, once when it is connected, and diff the outputs. For example, the following should do the job:

ls -lha /dev/tty* > plugged.txt ls -lha /dev/tty* > np.txt vimdiff plugged.txt np.txt 

The result should be obvious, /dev/tty.usbserial-AC01U4XN is the new device in case macOS. In the case of Linux, it was /dev/ttyUSB0.

Linux users, read it from here. macOS users, please continue reading

Now you can use either the built-in screen command or minicom to get data out from the badge. Usually, you need three information in order to communicate with a badge. Path on /dev (you already got that), speed in baud, and the async config parameters. Either you can guess the speed or you can Google that for the specific device. Standard baud rates include 110, 300, 600, 1200, 2400, 4800, 9600, 14400, 19200, 38400, 57600, 115200, 128000 and 256000 bits per second. I usually found 1200, 9600 and 115200 a common choice, but that is just me.
Regarding the async config parameters, the default is that 8 bits are used, there is no parity bit, and 1 stop bit is used. The short abbreviation for this is 8n1. In the next example, you will use the screen command. By default, it uses 8n1, but it is called cs8 to confuse the beginners.

If you type:
# screen /dev/tty.usbserial-AC01U4XN 9600
or
# screen /dev/ttyUSB0 9600
and wait for minutes and nothing happens, it is because the badge already tried to communicate via the USB port, but no-one was listening there. Disconnect the badge from the computer, connect again, and type the screen command above to connect. If you are quick enough you can see that the amber LED will stop blinking and your screen command is greeted with some interesting information. By quick enough I mean ˜90 seconds, as it takes the device 1.5 minutes to boot the OS and the CTF app.

Windows

When you connect the device to Windows, you will be greeted with a pop-up.

Just click on the popup and you will see the COM port number the device is connected to:


In this case, it is connected to COM3. So let's fire up our favorite putty.exe, select Serial, choose COM3, add speed 9600, and you are ready to go!


You might check the end of the macOS section in case you can't see anything. Timing is everything.

The CTF

Welcome to the Hacktivity 2018 badge challenge!  This challenge consists of several tasks with one or more levels of difficulty. They are all connected in some way or another to HW RE and there's no competition, the whole purpose is to learn things.  Note: we recommend turning on local echo in your terminal! Also, feel free to ask for hints at the Hackcenter!  Choose your destiny below:    1. Visual HW debugging   2. Reverse engineering   3. RF hacking   4. Crypto protection  Enter the number of the challenge you're interested in and press [ 
Excellent, now you are ready to hack this! In case you are lost in controlling the screen command, go to https://linuxize.com/post/how-to-use-linux-screen/.

I will not spoil any fun in giving out the challenge solutions here. It is still your task to find solutions for these.

But here is a catch. You can get a root shell on the device. And it is pretty straightforward. Just carefully remove the Omega shield from the badge. Now you see two jumpers; by default, these are connected together as UART1. As seen below.



But what happens if you move these jumpers to UART0? Guess what, you can get a root shell! This is what I call privilege escalation on the HW level :) But first, let's connect the Omega shield back. Also, for added fun, this new interface speaks on 115200 baud, so you should change your screen parameters to 115200. Also, the new interface has a different ID under /dev, but I am sure you can figure this out from now on.




If you connect to the device during boot time, you can see a lot of exciting debug information about the device. And after it boots, you just get a root prompt. Woohoo! 
But what can you do with this root access? Well, for starters, how about running 
# strings hello | less

From now on, you are on your own to hack this badge. Happy hacking.
Big thanks to Attila Marosi-Bauer and Hackerspace Budapest for developing this badge and the contests.

PS: In case you want to use the radio functionality of the badge, see below how you should solder the parts to it. By default, you can process slow speed radio frequency signals on GPIO19. But for higher transfer speeds, you should wire the RF module DATA OUT pin with the RX1 free together.



Related links
  1. Hack Tools For Pc
  2. Hacker Tools Windows
  3. Pentest Tools Download
  4. Hacker Hardware Tools
  5. Top Pentest Tools
  6. Hacking Tools Name
  7. Hacker Tools Apk Download
  8. Hacking Tools For Pc
  9. What Are Hacking Tools
  10. Pentest Tools Port Scanner
  11. Pentest Automation Tools
  12. Hacker Tools
  13. Hacks And Tools
  14. Ethical Hacker Tools
  15. Hacker Tools Linux
  16. Hacking Tools For Mac
  17. Hack Tool Apk No Root
  18. Hack Tool Apk
  19. Hacking Tools For Windows Free Download
  20. Termux Hacking Tools 2019
  21. Hack Tools For Windows
  22. Hacking Tools Hardware
  23. Hacking Tools
  24. How To Make Hacking Tools
  25. Nsa Hack Tools
  26. Hacker Tools Apk Download
  27. Hacks And Tools
  28. Pentest Recon Tools
  29. Nsa Hacker Tools
  30. Hack Tools For Pc
  31. Hack Tools 2019
  32. Pentest Tools Subdomain
  33. Hacking Tools For Windows 7
  34. Free Pentest Tools For Windows
  35. Hacking Tools For Beginners
  36. Hacker Techniques Tools And Incident Handling
  37. Tools For Hacker
  38. Hack Tools For Games
  39. Hacking Tools
  40. Hacker Techniques Tools And Incident Handling
  41. Hack Tools 2019
  42. Hacker Tools Online
  43. Pentest Tools Kali Linux
  44. Pentest Tools Website
  45. Hacker Tools For Mac
  46. Pentest Tools For Android
  47. Pentest Tools Website
  48. Hack Tools
  49. Pentest Tools Download
  50. Hack Tools
  51. Growth Hacker Tools
  52. Pentest Tools For Android
  53. Top Pentest Tools
  54. Hacking Tools And Software
  55. Hacking Tools Windows 10
  56. Blackhat Hacker Tools
  57. Hacking App
  58. Hacking App
  59. Pentest Tools Open Source
  60. Pentest Tools Subdomain
  61. Hacking Tools Name
  62. Hacker Tools List
  63. Hacking Tools Name
  64. Hacks And Tools
  65. Hacking Tools Mac
  66. Pentest Tools Download
  67. Termux Hacking Tools 2019
  68. Hacking Tools Download
  69. Pentest Tools Free
  70. Hack Tools
  71. Kik Hack Tools
  72. Tools 4 Hack
  73. Hacking Tools Hardware
  74. Pentest Tools Tcp Port Scanner
  75. Hack Tool Apk No Root
  76. Best Pentesting Tools 2018
  77. Hacking Tools Free Download
  78. Hacker Tools Github
  79. Bluetooth Hacking Tools Kali
  80. Hack Tools Pc
  81. Hacking Tools Pc
  82. Hack Tools For Pc
  83. Hack Tools
  84. Hack Tools
  85. Best Hacking Tools 2019
  86. Pentest Tools For Windows
  87. Hacker Tools Mac
  88. Hack Tools
  89. Hacking Tools For Windows
  90. Usb Pentest Tools
  91. Hacker Tools For Ios
  92. Hacker Tools Hardware
  93. Hacking Tools Free Download
  94. Hack And Tools
  95. Hacker Tool Kit
  96. Hack Tools 2019
  97. Hacking Tools 2020
  98. Bluetooth Hacking Tools Kali
  99. Nsa Hack Tools
  100. Pentest Tools Alternative
  101. Kik Hack Tools
  102. How To Hack
  103. Android Hack Tools Github
  104. Hacker Tools Windows
  105. Hack Tools
  106. Hack Tools For Pc
  107. Hacker
  108. Hack Tools Download
  109. Hak5 Tools
  110. Usb Pentest Tools
  111. Pentest Tools Download
  112. Hacker Search Tools
  113. Hacks And Tools
  114. Hack Tools For Mac
  115. What Is Hacking Tools
  116. Pentest Box Tools Download
  117. Hack And Tools
  118. How To Install Pentest Tools In Ubuntu
  119. Pentest Tools Subdomain
  120. Hack Tools
  121. Usb Pentest Tools
  122. Pentest Tools Linux
  123. Tools 4 Hack
  124. Hack Tools For Ubuntu
  125. Hack Tools For Pc
  126. Hacker Tools Linux
  127. Hacking Tools Windows 10
  128. Pentest Tools Alternative
  129. Hack Tools Download
  130. Hack Tools For Ubuntu
  131. Hacking Tools For Games
  132. Pentest Tools Android
  133. Hack Tools
  134. Hacking Apps
  135. Android Hack Tools Github
  136. Hacking Tools Software
  137. How To Install Pentest Tools In Ubuntu
  138. Hacking Tools Windows 10
  139. Hacking Apps
  140. Hacker Tools Windows
  141. Hack Tools Mac
  142. Hacking Tools Name
  143. Pentest Tools Bluekeep
  144. Underground Hacker Sites
  145. Hacker Tools Apk
  146. Hacking Tools Windows
  147. Hacker
  148. Hacking Tools For Pc
  149. Termux Hacking Tools 2019
  150. Tools Used For Hacking
  151. Pentest Tools Kali Linux
  152. Pentest Tools Review
  153. Hack Tool Apk No Root
  154. World No 1 Hacker Software
  155. Hacker Tools Software
  156. Hacking Tools Github
  157. Hacking Tools For Windows
  158. Hacker Tools 2020
  159. Hacking App
  160. Hack Website Online Tool
  161. Black Hat Hacker Tools
  162. Pentest Tools Find Subdomains
  163. Pentest Tools Find Subdomains
  164. How To Hack
  165. Hacker Tools For Mac
  166. Growth Hacker Tools
  167. Pentest Tools Find Subdomains
  168. Best Hacking Tools 2020
  169. Hacking Tools For Pc
  170. Pentest Tools Subdomain
  171. Install Pentest Tools Ubuntu
  172. Best Hacking Tools 2019
  173. Pentest Tools Alternative
  174. Hacker Tools Apk
  175. Pentest Tools For Android

No comments:

Post a Comment