NSEC24 Motor System - Wed, Jun 19, 2024 - Hellnia Jean Privat
Dance Dance Revolution Injection | Misc Physical | Nsec24
Oh my god, I see the way you shine
I want you to know that I, as a human being, have been struggling since the introduction of paper towel dispensers with motion detectors in bathrooms.
For whatever reason, my hands can’t seem to be detected. Either they are too pale, or my soul left my body a long time ago, I don’t know. It doesn’t seem ultra relevant as you are about to read this writeup, but, trust me, it will be.
You sang? I’m overjoyed. Now off you go and dance! 🐜
We are greeted by this message when we start the challenge.
“I hope you are feeling warmed up, because it’s time to move. Our motor system allows movement through connections between muscles and the brain. We know that there are neuron pathways that release a protein called brain-derived neurotrophic factor (BDNF). So by moving, this goes out. We’ve identified a direct link between these pathways and the trouble Mr Wellington has in remembering names. I need you to figure out how BDNF works, then let’s put the motor system to the test! Maybe he’ll remember our names afterwards! Source code is at BDNF. Input mechanism for the eye/brain is located near the stage.”
I’ve never seen anybody do the things you do before
Jean began reading the code, because he is a gentleman and a scholar.
The code allowed you to type text using the flag semaphore system.
For example:
Because Jean is a professional and a Python expert, he very quickly found an injection in it:
subprocess.run('C:\\nsec\\script.bat '+current_string, capture_output=True, timeout=5).stdout.decode()
The variable current_string, which we control through the semaphored input, is neither sanitized nor used in a safe way.
However, we had no idea where the flag was, nor what kind of command we should execute.
Running an interactive shell is out of the question since the user interface make us, make us, make us wanna cry. The system is also air-gapped, and protected from physical tampering by a note with hard words.
Now, the technical questions: which Windows command interpreter is used by Python subprocess? What features of this interpreter can be hijacked?
As a Microsoft 4th Dan elite Windows engineer, Jean worked all night to prepare, install and configure a Windows VM; install Python on the VM; and experiment with various forms of injection.
The goal was to find a first short injection with few complex characters.
He chose a five-movement payload, “ |dir”. Note that the leading space is important, because parsing is hard in the Windows world.
Note: the challenge borrows most of its code from https://github.com/everythingishacked/Semaphore, with very few changes. One of them is this:
(180, 0): {'a': "r", 'n': "-"},
(225, 0): {'a': "s", 'n': "."},
- (90, 45): {'a': "t", 'n': "`"},
+ (90, 45): {'a': "t", 'n': "|"},
(135, 45): {'a': "u", 'n': "/"},
(225, 90): {'a': "v", 'n': '"'},
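Review bot: the only functional change in this hunk is the numeric-mode symbol for (90, 45) going from a backtick to a pipe, which makes the cmd.exe metacharacter "|" typeable through the camera input; since the decoded string is concatenated unsanitized into the subprocess.run command shown earlier, every entry in this table that yields a shell metacharacter (the '"' on (225, 90) as well) deserves the same scrutiny, and the robust fix is to validate the decoded string against an allowlist before it reaches the command rather than to rely on which symbols happen to be in the table.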
This confirmed that the pipe payload was a good idea.
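As an added example (not the challenge's code nor the Semaphore project's), here is the same decode-then-concatenate pattern next to an allowlisted version, using the table fragment quoted above; the decode function and the alphanumeric-only rule are assumptions, not what the challenge actually did.

```python
import re
import subprocess

SCRIPT = r"C:\nsec\script.bat"  # path quoted in the writeup

# Fragment of the challenge's angle-pair table (from the writeup): 'a' is the
# alphabet mode, 'n' the numeric/symbol mode where the pipe was swapped in.
SEMAPHORE = {
    (180, 0): {'a': "r", 'n': "-"},
    (225, 0): {'a': "s", 'n': "."},
    (90, 45): {'a': "t", 'n': "|"},
    (135, 45): {'a': "u", 'n': "/"},
    (225, 90): {'a': "v", 'n': '"'},
}

# cmd.exe metacharacters that chain, redirect or quote commands.
SHELL_META = set('|&<>^%"()')

# Assumption: the batch script only ever needs plain words and spaces.
SAFE_TEXT = re.compile(r"[A-Za-z0-9 ]{1,64}")


def decode_semaphore(poses, mode='a'):
    """Constructed decoder: map (left, right) arm angles to text, skipping unknown poses."""
    return "".join(SEMAPHORE.get(pose, {}).get(mode, "") for pose in poses)


def vulnerable_command(current_string):
    """The challenge's construction: one string that cmd.exe parses, metacharacters included."""
    return SCRIPT + " " + current_string


def injection_risk(current_string):
    """Shell metacharacters present in the decoded text, useful for logging and alerting."""
    return sorted(set(current_string) & SHELL_META)


def safe_argv(current_string):
    """Allowlist the decoded text, then hand it over as a separate argument.
    A .bat is still launched through cmd.exe even from an argv list, so the
    allowlist, not the list form, is the control that matters here."""
    if not SAFE_TEXT.fullmatch(current_string):
        raise ValueError("rejected semaphore input: %r" % current_string)
    return [SCRIPT, current_string]


def run_script(current_string, runner=subprocess.run):
    """Hardened replacement for the injected call; `runner` is swappable for testing."""
    return runner(safe_argv(current_string), capture_output=True, timeout=5)
```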
Take your hands, my dear
Jean, having found the injection, began to prepare the payload I would dance. It was something really well done and easy to understand, but I lost the picture. He was the brain and I was the muscles.
He set up a personal muscle-brain motor system: his laptop, on an empty box of Club Mate, on an unstable chair. A power adapter stretched to an outlet that was too far away. All stuck between a wall and a Hubert Hacker doing cryptanalysis (hi Lix!).
Funny note: the setup was so impressive and professional that some dude came over and started dancing in front of our webcam. We are not sure if he thought this was the official setup or a new kind of TikTok challenge. We informed him this was our personal setup. He looked oblivious and troubled, then flew away without a word. Open bar is both a blessing and a curse.
And look me in my eyes
Years of training in karate and classical dance were about to pay off. I repeated our dance moves for a solid amount of time (20 minutes?), 5 symbols, smooth transitions, soft like a reed, steady like a surgeon. All thanks to Jean’s helpful instructions: leg higher, wave your body, follow the rhythm, smile more, move for me, move for me, move for me, eh-eh-eh…
And lo and behold, our first payload worked… not! The camera had a hard time detecting our clumsy moves, and the morning light was causing issues.
Jean and I took turns in front of the infernal machine (printers are demons, everybody knows that, and webcams are the eyes of the devil) before it spat out the listing of its evil internal motor system:
And now I beg to see you dance just one more time
Life is like a box of chocolates, but sometimes, life is also just a big sign in the middle of a one-way road saying: “ThisIsTheFlag.txt”.
We needed a second payload, the real one that gives the flag.
Our payload was the following: “ |type ThisIsTheFlag.txt”
So, I prepared my beautiful hand drawn instructions:
As you can see, to make the capital letters, you have to open your hands while doing the actual semaphore for the letter. The circles on the sticks indicate when the hands should be open.
Remember when I said that my hands were not picked up by paper towel dispensers? This curse was not lifted by the powerful magic of the CTF. My hands were never picked up by the software on our setup. Hands must be visible, directly facing the camera, fingers slightly apart.
So I tied a nice black hoodie around my waist and I opened my hands slowly to make the capital letters, one by one…
We repeated… We wanted the show to be epic…
The second payload was longer, but with practice, the movements became fluid and precise, the symbols harmonious and graceful, the capital letters majestic and uppercased, and above all, recognized by the software.
We knew that we had no room for error: the slightest wrong move or glitch in the software would force us to give up and start queueing all over again.
We were proud…
You know you stopped me dead
Pop quiz, what was our mistake? (Hint: look at the source for the solution)
And when you fumble, I’ll make you do it all again
We went upstairs and began dancing in front of the other teams. It was a bit nerve-wracking as we didn’t know how long it would take, and a few other teams were waiting for their turn. After failing 6 times and being gently poked by the challenge designer for our capital mistake… we got it.
By the way, here is what it actually looked like:
There was a satisfying “bzrrp” sound which came from the printer, and I was sure we had failed because no paper seemed to have come out.
Jean went to retrieve what was actually a small piece of paper with the flag, and we were out of breath and still as clumsy.