compromised

As with serial_logs, we've been given a .sal file.

Opening this up in Saleae Logic we see two channels with data in:

When playing around with the analyzers earlier I noticed that the I2C analyzer takes input from two channels, so I tried that. It seemed to decode correctly and showed a sequence of writes to two different addresses.

Guessing that the data written should be grouped by the address written to, I wrote a quick Python script to do this:

from collections import defaultdict

# (address, data byte) pairs from the decoded I2C writes, in capture order
x = [
    (0x34, 0x73), (0x34, 0x65), (0x34, 0x74), (0x34, 0x5F), (0x34, 0x6D), (0x34, 0x61), (0x2C, 0x43), (0x34, 0x78), 
    (0x2C, 0x48), (0x34, 0x5F), (0x34, 0x6C), (0x2C, 0x54), (0x34, 0x69), (0x34, 0x6D), (0x2C, 0x42), (0x2C, 0x7B),
    (0x34, 0x69), (0x34, 0x74), (0x2C, 0x6E), (0x34, 0x5F), (0x34, 0x74), (0x2C, 0x75), (0x34, 0x6F), (0x2C, 0x31),
    (0x34, 0x3A), (0x2C, 0x31), (0x34, 0x31), (0x34, 0x30), (0x2C, 0x5F), (0x34, 0x73), (0x34, 0x65), (0x2C, 0x37),
    (0x2C, 0x33), (0x34, 0x74), (0x34, 0x5F), (0x2C, 0x32), (0x34, 0x6D), (0x34, 0x69), (0x2C, 0x6D), (0x34, 0x6E),
    (0x2C, 0x31), (0x34, 0x5F), (0x2C, 0x6E), (0x34, 0x6C), (0x34, 0x69), (0x2C, 0x34), (0x34, 0x6D), (0x34, 0x69),
    (0x2C, 0x37), (0x2C, 0x30), (0x34, 0x74), (0x34, 0x5F), (0x2C, 0x32), (0x34, 0x74), (0x34, 0x6F), (0x2C, 0x35),
    (0x34, 0x3A), (0x2C, 0x5F), (0x34, 0x31), (0x2C, 0x63), (0x34, 0x30), (0x34, 0x2B), (0x34, 0x1D), (0x34, 0x5D),
    (0x34, 0x3C), (0x34, 0x2B), (0x34, 0x2F), (0x2C, 0x34), (0x34, 0x7E), (0x2C, 0x6E), (0x34, 0x72), (0x34, 0x5E),
    (0x2C, 0x5F), (0x34, 0x79), (0x34, 0x7A), (0x2C, 0x38), (0x2C, 0x32), (0x34, 0x47), (0x34, 0x62), (0x2C, 0x33),
    (0x34, 0x62), (0x34, 0x22), (0x2C, 0x34), (0x34, 0x23), (0x2C, 0x6B), (0x34, 0x55), (0x2C, 0x5F), (0x34, 0x16),
    (0x34, 0x03), (0x2C, 0x34), (0x34, 0x2B), (0x34, 0x4A), (0x2C, 0x5F), (0x2C, 0x35), (0x34, 0x01), (0x34, 0x0D),
    (0x2C, 0x33), (0x34, 0x4D), (0x34, 0x0E), (0x2C, 0x32), (0x34, 0x42), (0x2C, 0x31), (0x34, 0x00), (0x2C, 0x34),
    (0x34, 0x42), (0x34, 0x12), (0x2C, 0x31), (0x34, 0x64), (0x34, 0x56), (0x2C, 0x5F), (0x2C, 0x35), (0x34, 0x07),
    (0x34, 0x20), (0x2C, 0x79), (0x34, 0x53), (0x34, 0x05), (0x2C, 0x35), (0x34, 0x42), (0x2C, 0x37), (0x34, 0x6B),
    (0x2C, 0x33), (0x34, 0x1D), (0x34, 0x1A), (0x34, 0x31), (0x34, 0x56), (0x34, 0x05), (0x34, 0x51), (0x34, 0x78),
    (0x2C, 0x6D), (0x34, 0x14), (0x2C, 0x21), (0x34, 0x6A), (0x34, 0x16), (0x2C, 0x40), (0x34, 0x60), (0x34, 0x51),
    (0x2C, 0x35), (0x2C, 0x32), (0x34, 0x79), (0x34, 0x71), (0x2C, 0x29), (0x34, 0x74), (0x34, 0x25), (0x2C, 0x23),
    (0x34, 0x20), (0x2C, 0x40), (0x34, 0x35), (0x2C, 0x25), (0x34, 0x6D), (0x34, 0x64), (0x2C, 0x7D), (0x34, 0x53),
    (0x34, 0x16),
]

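# One list of characters per I2C address
d = defaultdict(list)

# Demultiplex: append each data byte to the stream for its address
for k, v in x:
    d[k].append(chr(v))

# Print each address (in decimal) followed by the reassembled stream
for k, v in d.items():
    print(k, "".join(v))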

Running this prints the flag:

λ python lol.py
MBBdV SBk1VQxj`Qyqt% 5mdS_min_limit_to:10+]<+/~r^yzGbb"#U+J
44 CHTB{nu11_732m1n47025_c4n_8234k_4_532141_5y573m!@52)#@%}
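The stream written to 0x34 contains non-printable bytes (0x0D, 0x03, 0x00 and others in the list above), which a terminal interprets rather than displays. The following added example, not part of the original writeup, does the same per-address grouping directly from an analyzer table export and escapes such bytes when printing. The CSV column layout and the sample rows are assumptions constructed for illustration; adjust the column names to match your export.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the assumed layout of a Logic 2 I2C analyzer table
# export (column names are an assumption; adjust to match your export).
SAMPLE_CSV = """name,type,start_time,duration,ack,address,read,data
I2C,start,0.000100,0.000001,,,,
I2C,address,0.000110,0.000080,true,0x34,false,
I2C,data,0.000200,0.000080,true,,,0x6F
I2C,stop,0.000300,0.000001,,,,
I2C,start,0.000400,0.000001,,,,
I2C,address,0.000410,0.000080,true,0x2C,false,
I2C,data,0.000500,0.000080,true,,,0x48
I2C,stop,0.000600,0.000001,,,,
I2C,start,0.000700,0.000001,,,,
I2C,address,0.000710,0.000080,true,0x34,false,
I2C,data,0.000800,0.000080,true,,,0x0D
I2C,data,0.000900,0.000080,true,,,0x6B
I2C,stop,0.001000,0.000001,,,,
I2C,start,0.001100,0.000001,,,,
I2C,address,0.001110,0.000080,true,0x2C,false,
I2C,data,0.001200,0.000080,true,,,0x69
I2C,stop,0.001300,0.000001,,,,
"""

def demux_i2c_writes(csv_text):
    """Group written data bytes by the I2C address they were sent to."""
    streams = defaultdict(bytearray)
    current = None  # address of the write transaction currently in progress
    for row in csv.DictReader(io.StringIO(csv_text)):
        kind = row["type"]
        if kind == "address":
            # Track writes only; a read transaction clears the target.
            current = int(row["address"], 16) if row["read"] == "false" else None
        elif kind == "data" and current is not None:
            streams[current].append(int(row["data"], 16))
        elif kind == "stop":
            current = None
    return {addr: bytes(buf) for addr, buf in streams.items()}

def render(data):
    """Printable ASCII as-is, other bytes as \\xNN so the terminal is not rewritten."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else f"\\x{b:02x}" for b in data)

if __name__ == "__main__":
    for addr, data in sorted(demux_i2c_writes(SAMPLE_CSV).items()):
        print(f"0x{addr:02X}: {render(data)}")
```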