We are doing a project for a school competition in which we need to use a Raspberry Pi to make an IoT prototype. We received SD cards from the professor, and because we lost ours we asked another group to give us a copy of their card. I know it’s been modified because the original hash doesn’t match. Could you please investigate and tell me if everything is ok? Here are some parts of the file system:

FLAG FORMAT: KLCTF{flag}

download this file: https://s3.eu-central-1.amazonaws.com/klctf/fs.zip

So, we are given some Raspberry Pi files. Let’s check what we actually have.

It seems that we are given the root directory. Since we are looking for a backdoor, I checked the system crontab first.

There is nothing interesting here. Let’s look at the home directory.

Here we have the home folder of the user pi. Let’s look inside.

Here we have the .bash_history file. Let’s see which commands were executed before the card was given to us. Since the file is long, I skipped some lines to emphasize the important part.

Oh! He deleted the user U_n33d_th3_fl4g, then added a new user b4ckd00r_us3r. How about checking the user-specific crontabs?

We have two crontabs, for the users b4ckd00r_us3r and pi respectively. We will check them both.

They both execute a Python script named back at startup. He put it under the /bin directory to make it less suspicious.
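The checks above (system crontab, per-user crontabs, and the pi user's .bash_history) can be automated against a copied root filesystem. The following script is an added example, not part of the writeup; it builds a small fake root in a temporary directory whose contents mirror what the writeup describes (the user names, a boot-time job running a script under /bin), so the file name back.pyc and the exact cron lines are assumptions, not the contents of the real image. It flags cron jobs that run at boot or that hand a script under /bin to an interpreter, and lists account-management commands found in shell history.

```python
"""Added example (not the writeup's own code): offline triage of a copied
Raspberry Pi root filesystem for persistence left by a previous user."""
import os
import re
import tempfile

# Cron locations relative to the root of the mounted image (Debian/Raspbian layout).
USER_CRONTAB_DIR = "var/spool/cron/crontabs"
SYSTEM_CRON_FILES = ["etc/crontab"]
SYSTEM_CRON_DIR = "etc/cron.d"

# Shell-history commands that create, remove or alter accounts.
ACCOUNT_CMD = re.compile(r"\b(useradd|userdel|usermod|adduser|deluser|passwd)\b")


def parse_cron_lines(text, user=None):
    """Yield (schedule, user, command) for every job line in a crontab.

    System crontabs carry a user column after the schedule; per-user
    crontabs do not, so the owning user is passed in as `user`.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank line, comment, or VAR=value assignment
        parts = line.split()
        if line.startswith("@"):  # @reboot, @hourly, ...
            sched, rest = parts[0], parts[1:]
        else:
            sched, rest = " ".join(parts[:5]), parts[5:]
        if user is None:
            if not rest:
                continue
            who, rest = rest[0], rest[1:]
        else:
            who = user
        yield sched, who, " ".join(rest)


def cron_findings(root):
    """Return suspicious cron jobs found under the mounted root directory."""
    sources = [(os.path.join(root, rel), None) for rel in SYSTEM_CRON_FILES]
    cron_d = os.path.join(root, SYSTEM_CRON_DIR)
    if os.path.isdir(cron_d):
        sources += [(os.path.join(cron_d, n), None) for n in sorted(os.listdir(cron_d))]
    user_dir = os.path.join(root, USER_CRONTAB_DIR)
    if os.path.isdir(user_dir):
        sources += [(os.path.join(user_dir, n), n) for n in sorted(os.listdir(user_dir))]
    findings = []
    for path, user in sources:
        if not os.path.isfile(path):
            continue
        with open(path) as fh:
            for sched, who, cmd in parse_cron_lines(fh.read(), user):
                reasons = []
                if sched == "@reboot":
                    reasons.append("runs at boot")
                if re.search(r"\bpython[0-9.]*\s+/bin/", cmd) or ".pyc" in cmd:
                    reasons.append("interpreter run on a script under /bin")
                if reasons:
                    findings.append({"file": os.path.relpath(path, root), "user": who,
                                     "command": cmd, "reasons": reasons})
    return findings


def history_findings(root):
    """Return account-management commands found in any user's .bash_history."""
    home = os.path.join(root, "home")
    dirs = [os.path.join(home, d) for d in sorted(os.listdir(home))] if os.path.isdir(home) else []
    dirs.append(os.path.join(root, "root"))
    findings = []
    for d in dirs:
        hist = os.path.join(d, ".bash_history")
        if not os.path.isfile(hist):
            continue
        with open(hist) as fh:
            for lineno, line in enumerate(fh, 1):
                if ACCOUNT_CMD.search(line):
                    findings.append({"file": os.path.relpath(hist, root),
                                     "line": lineno, "command": line.strip()})
    return findings


def build_sample_root():
    """Construct a minimal fake root filesystem (sample data, not the CTF image)."""
    root = tempfile.mkdtemp(prefix="pi_fs_")
    files = {
        "etc/crontab": "SHELL=/bin/sh\n17 * * * * root cd / && run-parts --report /etc/cron.hourly\n",
        "var/spool/cron/crontabs/pi": "# m h dom mon dow command\n@reboot python /bin/back.pyc\n",
        "var/spool/cron/crontabs/b4ckd00r_us3r": "@reboot python /bin/back.pyc\n",
        "home/pi/.bash_history": "ls\nsudo userdel U_n33d_th3_fl4g\nsudo useradd b4ckd00r_us3r\ncrontab -e\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    sample = build_sample_root()
    for f in cron_findings(sample):
        print("CRON   ", f)
    for f in history_findings(sample):
        print("HISTORY", f)
```

Pointing `cron_findings` and `history_findings` at the mount point of the real image instead of the sample root gives the same two cron hits and the two account changes the writeup found by hand; the legitimate hourly job in /etc/crontab is not reported because it neither runs at boot nor executes anything under /bin.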

It is a compiled Python file, compiled with Python 2.7. I decompiled it using Easy Python Decompiler, a tool based on uncompyle2.

It is a web application created with Flask which runs on port 3333. However, the application has a hidden interface at the /backdoor page, which requires a username and a pincode to grant access. It says our flag is the correct username and pincode in the format username:pincode. In addition, the SHA-256 hash of the flag (username:pincode) is 34c05015de48ef10309963543b4a347b5d3d20bbe2ed462cf226b1cc8fff222e. We already have the username, b4ckd00r_us3r. We know that the pincode consists of digits only and is at most 8 digits long. Thus, we can brute force the pincode in a short amount of time.

Here is the Python script I created to brute force the pincode.

Let’s run it and get the correct pincode.
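The writeup's own script is not reproduced here; the block below is an added example that performs the same exhaustive search and makes the size of the problem explicit. With the username known and a pincode of at most 8 digits there are only 111,111,110 candidate strings, and SHA-256 is a fast hash, so a single core gets through the whole space in seconds to a few minutes. That is the weakness the backdoor has: a short numeric secret checked against an unsalted fast hash can always be recovered offline, which is why such secrets need a salted, deliberately slow hash and rate limiting. The username and target digest are the ones quoted above; the small targets used in the usage note are constructed locally.

```python
"""Added example (not the writeup's script): exhaustive search of the
username:pincode space checked by the /backdoor page."""
import hashlib
import itertools

USERNAME = "b4ckd00r_us3r"
# Digest quoted in the writeup for SHA-256("username:pincode").
TARGET_HEX = "34c05015de48ef10309963543b4a347b5d3d20bbe2ed462cf226b1cc8fff222e"


def credential_digest(username, pincode):
    """SHA-256 hex digest of the string the backdoor hashes: 'username:pincode'."""
    return hashlib.sha256(f"{username}:{pincode}".encode()).hexdigest()


def candidate_pincodes(max_len=8, min_len=1):
    """Yield every digit string of length min_len..max_len, shortest first.

    Lengths are enumerated separately because '0042' and '42' are different
    strings and therefore hash differently.
    """
    for length in range(min_len, max_len + 1):
        for digits in itertools.product("0123456789", repeat=length):
            yield "".join(digits)


def search_space_size(max_len=8, min_len=1):
    """Number of candidates the search may have to hash in the worst case."""
    return sum(10 ** n for n in range(min_len, max_len + 1))


def find_pincode(username, target_hex, max_len=8, min_len=1):
    """Return the pincode whose digest matches target_hex, or None if none does."""
    target = bytes.fromhex(target_hex)
    prefix = f"{username}:".encode()
    for pin in candidate_pincodes(max_len, min_len):
        if hashlib.sha256(prefix + pin.encode()).digest() == target:
            return pin
    return None


if __name__ == "__main__":
    print("candidates to try at most:", search_space_size())
    pin = find_pincode(USERNAME, TARGET_HEX)
    print("pincode:", pin)
    if pin is not None:
        print(f"flag: KLCTF{{{USERNAME}:{pin}}}")
```

Run directly, the block searches the real digest; to check the search logic without waiting for the full space, hash a constructed pincode with `credential_digest` and pass that digest to `find_pincode` with a small `max_len`, which returns the same pincode, leading zeros included.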

Here we have the flag KLCTF{b4ckd00r_us3r:12171337}.