Capture-The-Flag (CTF) are riddles that involve reverse engineering, cracking a cipher, exploiting security vulnerabilities in software and hardware, etc.
"Shitty Add-On" is an unofficial standard for conference badge add-ons. I combined the two to create the CTF Shitty Add-On - a small, portable riddle that you can proudly attach to your conference badge.
In this blog post I present the challenge, explain about the hardware it runs on, and show how you can build your own version using off-the-shelf components and try to solve this riddle (and maybe win a prize!). Before we dive into the details, here is some important background:
Custom-made electronic badges are so much fun! When I designed my own smart conference badge, one of the friends I worked with in the project suggested that we add a "Shitty Add-On" connector.
- "A Shitty Connector?", I asked.
Benny explained that this was a standard for DefCon 26 badge add-ons, and sent me a link to an Hackaday article that explained everything about this so called "standard". As the name implies, the specification for these add-ons is pretty minimal. In fact, the first version appeared as a tweet:
The four pins on the Shitty Add-On connector provide power (VCC and GND pins), as well as I²C protocol communication (SCL and SDA pins).
Shitty Add-Ons come in many sizes and shapes, and many of them are artistic and feature LEDs in various colors. Some of them also include a small processor that controls the lighting patterns of the LEDs.
Minimal Design, Maximum Challenge
Unlike most of the other badge add-ons produced, the Tiny CTF add-on has a very minimal design. It is a 2mm round board with an ATtiny85 microcontroller, a RESET button, and a single red LED:
We initially planned to have these distributed in together with our smart badges, but as we had a tight schedule and almost failed to deliver the badges on time, we only started assembling and testing the Tiny CTF boards after the conference. Unsurprisingly, the board had a "little" design error - we crossed the SCL and SDA pins ?
After I got the above prototype to work and wrote the code for the challenge, I ordered a batch of 20 assembled boards from PCBWay, who did a great job producing them. I programmed the boards using a SOIC-8 programmer clip (thanks Benny for the tip!):
I put a few units up for sale on Tindie.
Are You Up to The Challenge? ?
When you plug the Tiny CTF into a conference badge, it listens on I²C address 0x23. You can interact with it by sending data bytes to this address (and reading from it).
For instance, if you use Arduino, the following code will write some data to the Tiny CTF:
Wire.beginTransmission(0x23); Wire.write("Hello There!"); Wire.endTransmission();
Or, if you prefer CircuitPython (which we use in our badge):
i2c.try_lock() i2c.writeto(0x23, "Hello There!") i2c.unlock()
You don't really need a smart badge to communicate with the Tiny CTF, just give it 3.3V and connect the SCL/SDA pins to the respective pins on your device (e.g. A5 and A4 on Arduino Uno), and you are good to go.
The Firmware that runs on the Tiny CTF is open sourced, and you will probably want to have a look at the code before biting you teeth into this challenge. It is also very handy to have the ATtiny8x Datasheet open when you try to solve this challenge.
If you want to build the Tiny CTF yourself, scroll down to the section called "DiY Tiny CTF". Otherwise, let's dive in!
The First Milestone (and some rules)
For starters, you need find a way to turn on-board red LED on! ?
The rules are:
- No hardware modifications!
- Obviously, you can't change anything in the Tiny CTF firmware code or upload new code to the chip through the serial programming / high-voltage programming interface.
- Use of debugWIRE is not allowed.
- The solution has to be reproducible, and you have to be able to explain how it works.
- The LED is connected to pin 6 of the ATtiny (a.k.a PB1)
- There is a good chance that your attempt will crash the firmware and the chip will stop responding to your commands. That's why we put the Reset button there.
Are You Ready For More?
Have you found the way to turn the LED on through the I²C interface?
Great! There are even more challenges waiting for you:
The Secret Flag ⛳
The Firmware contains a hidden string. If you look at the source code, there is a placeholder string "$FLAG:SECRET", which is replaced with the actual flag when I program the devices (each device has a different flag value!). Can you find a way to read this flag from the device?
The Blinking Rootkit ??
Find a way to remotely execute code on the ATtiny85 chip, making the LED blink in a constant rate.
The code that makes the LED blink has to run on the ATtiny chip, so it will keep blinking even if you cut the I²C communication with the Tiny SAO.
The Ultimate Challenge - Replace The Flag ️?♂️
Replace the secret flag string with your name. Remember, you are not allowed to modify the firmware by means of serial programming / high-voltage programming.
There is a good chance of bricking the firmware when you try replacing the flag, so you have to be really careful. That's part of the challenge!
Build Your Own Tiny CTF Hardware from Scratch
Building your own Tiny CTF is pretty straightforward. You need an ATtiny85 chip, a 220Ω (or more) resistor, an LED, as well as a small breadboard and a few jumper wires.
You can use any Arduino board to program the ATtiny85 and upload the Tiny CTF firmware. Check out the README for the complete details how to build the firmware, and open an issue if you need help with that.
After programming the chip, you can connect it to Arduino as illustrated below:
At this point you can start communicating with the CTF using I²C, as explained above. Alternatively, you can connect the ATtiny to your favorite badge's Shitty Addon connector, or to a Raspberry PI. Just make sure to connect pin 7 (yellow wire in the schematic) to SCL, and pin 5 (blue wire) to SDA. Good luck!
And there is a prize, too! ?
To make this challenge even more interesting, the first person to solve each milestone of the challenge gets a free Tiny CTF board as a prize!
In addition, the first person to solve the second and the third milestones (find the flag / rootkit), will get a free personalized Wokwi Uno board (59$ value).
Update: All four milestones have been solved. Congratulations to the winners: Tal Ofer and Blake Burkhart!
You can send your solutions to email@example.com until December 1st, 2019. Remember that your solutions have to be reproducible (so I can test them), and that you need to be able to explain how they work. Let the fun begin!