The June MiniCTF at SecDSM was all about an obscure IoT device and the API that controls it.
The challenge starts out on the website for an IoT device called LegitIOT that claims to have the very best security. The site is pretty simple and lets the user place an order, read the FAQ, and download the firmware.
The first two are useless, so downloading the firmware is the route to go. After downloading the file, the first tool I run is strings.
Snippet: strings output on the firmware-latest.bin file
Enter device name to begin setup
Enjoy your LegitBox
Begin setup by entering your location
Error: Invalid location (City, ST is supported format)
LegitBox setup complete
Enter device name
"name":"%s", "type":"%s", "date":"%s"}
POST %s/%s HTTP/1.0
Above are the interesting bits from the firmware file, which include information on how to interact with the IoT device's API: a JSON body with name, type and date fields, sent as an HTTP POST. This is a good time to use Burp Proxy or any other tool for crafting HTTP requests, because you'll need to send a POST request to the server. I used a Firefox plugin called HTTP Requester on the advice of my coworker Nick, who also worked on the challenge with me. By POSTing to the register-device endpoint of the API, we were able to add our device to the list of registered devices. We validated this by GETting the list of devices from the devices endpoint, which we found using DIRB. On the website for the IoT device, a counter incremented whenever a new device was registered, which gave us an opportunity to try some injection.
The tricky part of this challenge was figuring out the greatest date/time possible. It became a race with other teams, because the registered devices were listed by latest date/time: whoever had the most recent date/time was at the top of the list, and their code was what was shown on the page.
The listings follow the ISO 8601 format, YYYY-MM-DDT00:00+00:00.
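The two weaknesses the challenge turns on are that the server trusts a client-supplied date for ordering and displays a client-supplied name without escaping. As an added example (not code from the challenge or from LegitIOT), here is how a register-device handler would harden both: it parses the ISO 8601 date, requires an explicit UTC offset, rejects timestamps ahead of the server clock, orders the listing by server receipt time rather than the client's claim, and HTML-escapes the name when rendering. The sample bodies, the fixed server clock, the clock-skew allowance and the name rules are all assumptions constructed for the example.

```python
import html
import json
from datetime import datetime, timedelta, timezone

# Fixed "server clock" so the example is reproducible (assumption: a real
# service would call datetime.now(timezone.utc) per request).
SERVER_NOW = datetime(2019, 6, 3, 12, 0, tzinfo=timezone.utc)
MAX_CLOCK_SKEW = timedelta(minutes=5)   # tolerance for slightly fast device clocks
MAX_NAME_LEN = 32
NAME_ERROR = "name must be letters, digits or hyphens (max 32)"

# Constructed sample bodies in the shape the firmware string shows:
# {"name":"%s", "type":"%s", "date":"%s"}
SAMPLE_BODIES = [
    '{"name":"kitchen-box", "type":"LegitBox", "date":"2019-06-01T10:00+00:00"}',
    '{"name":"garage-box", "type":"LegitBox", "date":"2019-06-02T08:30+00:00"}',
    '{"name":"<b>pwned</b>", "type":"LegitBox", "date":"9999-12-31T23:59+00:00"}',
    '{"name":"no-offset", "type":"LegitBox", "date":"2019-06-02T08:30"}',
    '{"name":"not-a-date", "type":"LegitBox", "date":"June 2nd"}',
]


def parse_iso8601(value):
    """Parse an ISO 8601 timestamp; require an explicit UTC offset and normalise to UTC."""
    try:
        parsed = datetime.fromisoformat(value)
    except (TypeError, ValueError):
        raise ValueError("date is not ISO 8601")
    if parsed.tzinfo is None:
        raise ValueError("date has no UTC offset")
    return parsed.astimezone(timezone.utc)


def validate_registration(raw_body, now=SERVER_NOW):
    """Validate one register-device body; return a cleaned device dict or raise ValueError."""
    body = json.loads(raw_body)
    if not isinstance(body, dict):
        raise ValueError("body is not a JSON object")
    for field in ("name", "type", "date"):
        if not isinstance(body.get(field), str) or not body[field]:
            raise ValueError(f"missing or non-string field: {field}")
    name = body["name"]
    # Allow-list the name rather than trying to strip dangerous characters.
    if len(name) > MAX_NAME_LEN or not name.replace("-", "").isalnum():
        raise ValueError(NAME_ERROR)
    when = parse_iso8601(body["date"])
    if when > now + MAX_CLOCK_SKEW:
        raise ValueError("date is in the future")
    # Record the server's own receipt time; ordering will use it, not the client's claim.
    return {"name": name, "type": body["type"], "date": when, "received": now}


def register_all(raw_bodies, now=SERVER_NOW):
    """Process a batch of bodies; return (accepted newest-first, [(raw_body, reason), ...])."""
    accepted, rejected = [], []
    for raw in raw_bodies:
        try:
            accepted.append(validate_registration(raw, now))
        except ValueError as exc:          # json.JSONDecodeError is a ValueError too
            rejected.append((raw, str(exc)))
    # Newest first by server receipt time, then by the (already bounded) client date,
    # so no client can pin itself to the top of the list with a far-future timestamp.
    accepted.sort(key=lambda d: (d["received"], d["date"]), reverse=True)
    return accepted, rejected


def render_row(device):
    """Render one listing row; escaping means a hostile name cannot inject markup."""
    return "<li>{} ({}) registered {}</li>".format(
        html.escape(device["name"], quote=True),
        html.escape(device["type"], quote=True),
        device["date"].isoformat(timespec="minutes"),
    )


if __name__ == "__main__":
    ok, bad = register_all(SAMPLE_BODIES)
    for device in ok:
        print(render_row(device))
    for raw, reason in bad:
        print("rejected:", reason, "<-", raw)
```

Escaping at render time is kept even though the name allow-list already blocks markup characters, so a future relaxation of the name rules (or a record that reached the store by another path) still cannot turn the device list into an injection point.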
* This challenge is currently offline *