こんとろーるしーこんとろーるぶい

週末にカチャカチャッターン!したことを貼り付けていくブログ

Syskron Security CTF Writeup - My servo drive is getting mad

Question

My servo drive sends strange parameters. Can you decode them? I have to go for lunch.

mqtt.ctf.syskron-security.com:1883

Solution

MQTTで接続するようなので、簡単な受信スクリプトを書く。

過去の問題ではMQTT over WebSocketだったが、今回は普通のMQTT。
過去のWriteupは以下。
hxp CTF 2018 Writeup - time for h4x0rpsch0rr? - こんとろーるしーこんとろーるぶい

import paho.mqtt.client as mqtt

def on_connect(client, userdata, flags, respons_code):
  print('connected')
  client.subscribe('#')

def on_message(client, userdata, msg):
  print(msg.topic + ' ' + str(msg.payload))

client = mqtt.Client()
client.on_connect = on_connect
client.on_message = on_message
client.connect('mqtt.ctf.syskron-security.com', 1883, keepalive=60)

実行する。

(venv3) root@kali:/mnt/CTF/Contest/Syskron Security CTF# python mqtchall.py 
connected
servo/rpm b'0'
servo/rpm b'0'
servo/rpm b'0'
servo/rpm b'0'
servo/rpm b'0'
servo/rpm b'0'
servo/rpm b'0'
servo/rpm b'0'
servo/rpm b'153'
servo/rpm b'147'
servo/rpm b'158'
servo/rpm b'152'
servo/rpm b'132'
servo/rpm b'151'
servo/rpm b'154'
servo/rpm b'147'
servo/rpm b'143'
servo/rpm b'160'
servo/rpm b'146'
servo/rpm b'154'
servo/rpm b'160'
servo/rpm b'207'
servo/rpm b'138'
servo/rpm b'139'
servo/rpm b'130'
servo/rpm b'0'
servo/rpm b'0'
servo/rpm b'0'
servo/rpm b'0'
servo/rpm b'0'
(snip)

ASCII文字になりそう。

data = "153 147 158 152 132 151 154 147 143 160 146 154 160 207 138 139 130"
decoded = ""
for i in data.split(" "):
    decoded += (chr(int(i) ^ 0xff))
print(decoded)

実行する。

(venv3) root@kali:/mnt/CTF/Contest/Syskron Security CTF# python decode.py 
flag{help_me_0ut}