Tuesday, 20 May 2014

PlaidCTF 2014 For-350 write up

Challenge:

You have traveled back in time, but look, hunting The Plague is tough. You're really just going back to relax for a while without having to worry about all that nonsense. As you walk in the park you stumble across someone's BlackBerry. Wow, people still use BlackBerry phones (time travel gets so confusing)? You figure you should return it to the owner, but you have a hard time getting inside. Figure out what's on the phone, and maybe we'll be able to return it to the rightful owner.

The password is stored as a SHA-1 hash in NVRAM on the device. To find where it is stored, we first set a password of our own: open the simulator and do a factory reset, so that we can set our own password and search for it in memory later on. We trigger the reset by entering a wrong password 10 times.


Let's set the screen lock password to "password"; its SHA-1 is "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8".



Let's search the NVRAM dump, 9930-nv.dmp, for "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8".
The offset is 00053020 (starting with "3C000000").



Restore the original 9930-nv.dmp and go to the same offset; there we find the hash "3E270F54C6EB3175B4EF8B20080795EF2EE15589".
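The locate-by-known-password procedure above, written as a script; this is an added example, not part of the original write-up. It assumes the digest may be stored either as raw bytes or as ASCII hex, and the function names and the small constructed buffers that stand in for the real dump files are illustrative.

```python
import hashlib

DIGEST_LEN = hashlib.sha1().digest_size  # 20 bytes

def find_digest(dump: bytes, password: str):
    """Offsets where SHA-1(password) occurs, as raw bytes or ASCII hex."""
    raw = hashlib.sha1(password.encode()).digest()
    forms = {"raw": raw,
             "hex-lower": raw.hex().encode(),
             "hex-upper": raw.hex().upper().encode()}
    hits = []
    for name, needle in forms.items():
        pos = dump.find(needle)
        while pos != -1:
            hits.append((pos, name))
            pos = dump.find(needle, pos + 1)
    return sorted(hits)

def read_digest_at(dump: bytes, offset: int, form: str) -> str:
    """Read the digest field at offset, normalised to lowercase hex."""
    length = DIGEST_LEN if form == "raw" else DIGEST_LEN * 2
    field = dump[offset:offset + length]
    if len(field) != length:
        raise ValueError("digest field runs past the end of the dump")
    return field.hex() if form == "raw" else field.decode("ascii").lower()

def recover_unknown_digest(known_dump, original_dump, known_password):
    """Locate the field via the known password, then read the original dump."""
    hits = find_digest(known_dump, known_password)
    if not hits:
        raise LookupError("known digest not found; wrong dump or encoding")
    offset, form = hits[0]
    return offset, read_digest_at(original_dump, offset, form)

def build_dump(password: str, offset: int = 0x200, size: int = 0x400) -> bytes:
    """Constructed stand-in for an NVRAM image: zero fill plus one raw digest."""
    buf = bytearray(size)
    buf[offset:offset + DIGEST_LEN] = hashlib.sha1(password.encode()).digest()
    return bytes(buf)

if __name__ == "__main__":
    known = build_dump("password")               # dump taken after setting our own password
    original = build_dump("constructed-sample")  # stands in for the untouched dump
    offset, digest = recover_unknown_digest(known, original, "password")
    print(f"digest field at 0x{offset:08X}: {digest}")
```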



Googling it, we get "fuckfuckfuckyouhahaha"...


We go back to the BlackBerry and unlock it. Cool, we can get in!


Following the hints, let's search the contacts, and we find Plaid CTF.


Open it, and we get the first key, "fuckfuckfucky0uh4h4h4". But there's another challenge, so let's download it.



blackberry.dmp looks like a full dump; anyway, let's open it with WinHex. To speed things up, we just search for "3C000000". First of all, we get "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8" again, which is "password", but it does not look like the key :-(...


With more patience, we find another one: "AC0CFE7BD0AE22B44722F1A01ECB6CE102CA27C5".


We google it and finally get "BerryGood".



Reference:
http://crackberry.com/security-blackberry-balance
The personal master key is also randomly generated. The personal master key is stored in NVRAM on the device and is encrypted with the system master key

http://www.forensicfocus.com/Forums/viewtopic/t=7055/
password should be in SHA1
