DC 26 AND!XOR’s B.E.N.D.E.R. Write-Up So Far… (Still missing EAST -_-)

AND!XOR B.E.N.D.E.R. Write-Up

Wow… this was a draft for my site for over a year… Might as well post it! 🙂

The AND!XOR B.E.N.D.E.R. game ended this past weekend, which means no prizes for completion. I’ve put a number of hours into the game, collaborated with strangers and coworkers and learned various infosec skills. I haven’t completed the EAST & HOME area, but am still open for collaboration! DM me on Twitter! @sqearlsalazar

I can’t guarantee I found all of the unlocks, but this walkthrough will get you 4 beers and hints about the EAST area.

HOME:

We start at the home village:

We see a couple of things of interest while looking around. We’ll start with the TERMINAL:

Look at TERMINAL

Looks like we’re not ready for this challenge yet, need more booze…

Our first beer starts with:

Steal BOTTLE_OPENER

And we also:

Look at VODKA_BOTTLE

The message is a series of MD5 hashes. When we crack them, we get:

800618943025315f869e4e1f09471012 : F
a87ff679a2f3e71d9181a67b7542122c : 4
8d9c307cb7f3c4a32822a51922d1ceaa : N
0d61f8370cad1d412f80b84d143e1257 : C
dd7536794b63bf90eccfd37f9b147d7f : I
eccbc87e4b5ce2fe28308fd9f2a7baf3 : 3
6966277c536759a4bcc3c0a4e1eaa160 : DRANK
56e591f0c8e18fcd60303753c16b7a43 : EVERYTHING
ede57168ad3a5db2c29903150fd6f950 : MAKING
6222ba386bcc675dab6063afba7235f1 : FANCY
ee3f0f452b9342ec4b6d0e3fb54ecb01 : BOATS
2c2624a5059934a947d6e25fe8332ade : FIRST
c86ee0d9d7ed3e7b4fdbf486fa6c0ebb : IN
45ac78bf3d4882ac520f4e7fb08d55c5 : EAST
907ec71a28d71811a0e37f08b15c2109 : THEN
2bf8f791695c70efa9c14e6f1c326403 : NORTH
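
The lookup behind that list can be reproduced offline. The sketch below is an added example, not part of the original write-up: it precomputes unsalted MD5 digests for single characters and for a small constructed wordlist (an assumption standing in for a real dictionary file), then matches the bottle's digests against that table.

```python
import hashlib
import string

# Digests copied from the VODKA_BOTTLE message above, in page order.
BOTTLE_HASHES = """
800618943025315f869e4e1f09471012 a87ff679a2f3e71d9181a67b7542122c
8d9c307cb7f3c4a32822a51922d1ceaa 0d61f8370cad1d412f80b84d143e1257
dd7536794b63bf90eccfd37f9b147d7f eccbc87e4b5ce2fe28308fd9f2a7baf3
6966277c536759a4bcc3c0a4e1eaa160 56e591f0c8e18fcd60303753c16b7a43
ede57168ad3a5db2c29903150fd6f950 6222ba386bcc675dab6063afba7235f1
ee3f0f452b9342ec4b6d0e3fb54ecb01 2c2624a5059934a947d6e25fe8332ade
c86ee0d9d7ed3e7b4fdbf486fa6c0ebb 45ac78bf3d4882ac520f4e7fb08d55c5
907ec71a28d71811a0e37f08b15c2109 2bf8f791695c70efa9c14e6f1c326403
""".split()

# Constructed wordlist (assumption): stands in for a real dictionary file.
WORDLIST = ["drank", "everything", "making", "fancy", "boats", "first",
            "in", "east", "then", "north", "south", "west", "home"]


def build_table(words):
    """Precompute MD5 -> plaintext for every candidate and its case variants."""
    candidates = set(string.ascii_letters + string.digits)  # single characters
    for word in words:
        candidates.update({word, word.lower(), word.upper(), word.capitalize()})
    return {hashlib.md5(c.encode()).hexdigest(): c for c in candidates}


def crack(digest, table):
    """Return the plaintext for a digest, or None if no candidate matches."""
    return table.get(digest.lower())


def decode_message(hashes=BOTTLE_HASHES, words=WORDLIST):
    """Resolve each digest in order; unmatched digests come back as None."""
    table = build_table(words)
    return [crack(h, table) for h in hashes]


if __name__ == "__main__":
    for digest, plain in zip(BOTTLE_HASHES, decode_message()):
        print(digest, ":", plain if plain is not None else "<not in candidate set>")
```

Because the digests are unsalted and the inputs are single characters or common words, the whole candidate table is built in well under a second; a digest that prints `<not in candidate set>` only means the wordlist needs extending.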

That’s all I found in this area for now, so we’ll begin our journey NORTH:

NORTH:

Look

First things first, grab Trevor:

Look at BADGES

We can interact with the PIN_PAD, and know that we need a 4 digit number using only 1-2-3-4

Apparently this was a hardware hacking area…I wasn’t sure how to approach this, so after some time, I decided to manually brute force the PIN. I attempted to create a script/macro to do this for me, but after some failed attempts, I manually brute forced the number. After starting with 1111 and working my way to 4444, I finally found the PIN!

After resetting my badge, it seems the PIN has changed. Maybe it is random and needs to be brute forced…

We take the EMMC_ADAPTER and get WHAT BEER DO WE GET?????

West Location:

Need wifi cactus for APP:

Hack APP with FINGER:

I used my Alfa Wi-Fi adapter (AWUS036ACH) to sniff for packets:

airodump-ng wlan0

If we issue “hack APP with FINGER”, a client attempts to connect, probing for “DRONELIFE.” After a short time, the beacon dies.

I used wifiphisher to create a fake AP called DRONELIFE, which served DHCP and resolved requests.

When we issue “hack APP with FINGER” we see the badge reach out to the following site:

Browsing to the site reveals:

We then hack the APP with the password we found:

We steal the burner_phone and pickup a new beer!

For another bling unlock, we use the cockroach we found with the area’s MILKSHAKE:

“hack milkshake with COCKROACH”

We can use the BURNER_PHONE obtained from WEST on the PHONE_RECYCLE_BIN in North. It displays the following text:

If we call the number (510-858-1337), we reach a voicemail which ends with Morse code. I recorded the code, then played it back on an online decoder to reveal:

F4NXX2K

We can use this in the unlock section of the badge to get some new BLING. After that, we’re done with this area.

SOUTH:

We can look at the menu and graffiti, but I didn’t find it particularly useful…

LOOK at MENU
LOOK at GRAFITTI

Look at SALSA

An additional clue to the file we’re looking for on the SD:
Look at TOUCHSCREEN

We see the reference “Taco Corp TacOS”, and on the SD card included with the badge we find:

If we run strings on the file, we get a few clues. It looks like it’s asking for 3 passwords.

I’m a noob when it comes to RE. A coworker looked at this and walked me through his discovery process. Shout out to Daniel Quach.

Let’s open the program in IDA and select the “main” function

In the graph view we see clues to the first password:

If we convert the binary to ASCII we get:
00110101 = 5
and the first password is 555

If we use the graph view for password 2, we get trolled:

If we try any variation of the strings listed, it fails

It seems like the program is completing some type of loop, so we should step through that

I ended up using EDB to jump to where the 2nd password is compared to the correct string (strncmp in IDA) and stepped through the instructions manually

I pause the program when it asks for password 2

I enter a password “test”, hit ENTER and start stepping through the program (F7/F8 in edb)

When we’re stepping through, we eventually hit the “mov byte” instructions, which are our decoy

Each step adds the letters we found in IDA (picklerickPICKLEROCKmorty). We can also see my “test” attempt:

If we keep stepping through, another string reveals itself:

This is the second password, so far so good!

We essentially do the same thing for the third password… I enter “test” and step through the program as it executes, looking in memory/stack for any info.

Eventually, we find the last password: BLU3PanC@K3$

Let’s try these passwords!
1st: 555
2nd: CorrectHorseBatteryStaple
3rd: BLU3PaNC@K3$

Hack TOUCHSCREEN with *****

If we look around again, the text changes a bit:

And we can steal USB_CABLE

We can use the USB_CABLE to hack d4rkm4tter in the West area for some extra botnet points

EAST:

I have to figure out EAST. I found hints, and heard from the challenge creator that I was close, but…

I’m not sure what the terminal prompt is expecting; I’ve tried every combination of available words in the text game.

We can also hack BIG_RED_BUTTON with FINGER, and the badge lights up with red and green pulses.

Figured this was Morse code:

....-|---..|..---|----.|...--|-----|..---|....-|.----|-....|.----|....-|.----|.----|.----|.----

Which decodes to:

4 8 2 9 3 0 2 4 1 6 1 4 1 1 1 1

I tried many ways to decipher and/or associate these numbers with anything. I tried 1’s & 0’s instead of Morse code, as many different ciphers as I could find online, formatting them in whatever way I could think of, converting to GPS coordinates… Nothing. I scanned Bluetooth and Wi-Fi and used my SDR to look for additional signals, and nothing…

Somehow this information must lead us to input for the TERMINAL.

If anyone has an idea about the number, DM me on Twitter @sqearlsalazar
