Among all the things you could discover at MCH2022, there were a few CTFs (Capture The Flag exercises) – in particular, every badge contained an app that you could try and break into – and only two teams have cracked this one! [Joachim “dojoe” Fenkes] was part of one of them, and he has written an extensive reverse-engineering story for us – complete with Ghidra disassembly of Xtensa code, remote code execution attempts, ROP gadget construction, and no detail left aside.
There was a catch: badges handed out to the participants didn’t have the real flag. You had to build an exploit using your own badge, which only contained a placeholder flag, then go to the badge tent and apply your exploit over the network to one of the few badges with the real flag on them. The app in question turned out to be an echo server – sending back everything it received; notably, certain messages made it crash. One man’s crashes are another man’s exploit opportunities, and after a few hacking sessions, [Joachim]’s team got their well-deserved spot on the scoreboard.
If you always thought that firmware reverse-engineering looks cool, and you also happen to own an MCH2022 badge, you should try and follow the intricately documented steps of [Joachim]’s writeup. Even for people with little low-level programming experience, repeating this hack is feasible thanks to his extensive explanations, and you will leave with far more reverse-engineering knowledge than you had before.
The MCH2022 badge is a featureful creation of intricate engineering, with the ESP32 being only one part of the badge – we’re eager to hear about what you have achieved, or are about to achieve, given everything it has to offer!