NahamCon CTF 2024 Walkthrough: iDoor

ctf Jun 11, 2024

This challenge is a fun one. The name of this one is iDoor, and is a cheeky reference to all of the small "Super Secure" IoT appliances you can find on Shodan.

Loading the website, we see we have loading into Customer 11's web interface.

Going by the description, one can infer the objective. Use SHA256 to snoop on other people's cameras. Too easy. The hash up in the URL bar looks like it could be SHA256, and we have a vital piece of information to check it to, the current Customer ID of 11. So, we can input the id of '11' into an online encryption tool and see if it matches.

So, now we know how the website is organized. Simply encrypt the wanted Customer ID into SHA256 and you have access to their camera. I'll show you a few examples here:

'3' encrypts to '4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce'

'12' encrypts to '6b51d431df5d7f141cbececcf79edf3dd861c3b4069f0b11661a3eefacbba918'
Although that is correct, the challenge designer is nudging you to go the other way by not adding any cameras above the starting ID of 11.

'1' encrypts to '6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b'

Of course, we know that 1 isn't where it ends. Unless you're a MatLab enthusiast or simply *wrong*, we know that arrays start at 0. So let's give that a shot.

'0' encrypts to '5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9'

There we have it. Not exactly as "Active" as the Camera Status indicates but hey, a flag is a flag.

This challenge highlights the ease of exploiting poorly secured IoT devices. It shows that basic cryptographic techniques, like SHA-256 encryption, are ineffective when using simple inputs such as 1- or 2-digit IDs. The challenge emphasizes the need for strong security measures, proper authentication, and secure coding practices. For cybersecurity professionals, it demonstrates the real-world impact of security flaws and an over-reliance on encryption standards.

Tags