mytechnotalent/dc540-0x00002

dc540-0x00002 [MicroPython CTF]

DC540 hacking challenge 0x00002 [MicroPython CTF].


PROMOTIONAL VIDEO - WATCH NOW HERE ON YOUTUBE


Prior Challenge HERE


Next Challenge HERE


Join DC540 Discord HERE


FREE Reverse Engineering Self-Study Course HERE


Parts


Schematic

image


BRIEF

The SEAL Team 8 message has been successfully decoded, and we have learned that the entire “Dark Eyes” physical infrastructure is designed solely with MicroPython. The specific hardware of choice is the Raspberry Pi Pico microcontroller, which contains the frozen MicroPython bytecode within the .elf and .uf2 firmware images that Dr. Rinn and her team have developed.

Natalia Agapov, a “Dark Eyes” Infrastructure Engineer sympathetic to the extensive damage the SolarWinds hacks have done around the world, used her burner phone to capture a screen-shot of a collection of hand-written post-it notes outside Dr. Rinn's private study. She then copied the bc0.h, firmware.elf and firmware.uf2 files, the specific firmware for 1337 Gate, from Dr. Rinn's laptop to a USB drive.

She then went directly to Gate 1337, the one and only way in or out of the elaborate compound. She escaped the "Dark Eyes" underground compound and managed to make her way to Vladivostok, Russia by means of the Trans-Siberian Railway. Along the way she came across the Internet-Magazin, where she found a hardwired laptop inside an abandoned building and downloaded the Tor Browser. She navigated to http://emailondeck.com, where she created a temporary e-mail address and reached out to the "Five Eyes" HQ, Pine Gap, in Alice Springs, Australia, sharing her physical coordinates in the hopes she might be rescued out of Russia. Her goal was simple: hand off her burner phone with the image and her USB drive containing the .elf and .uf2 firmware for the 1337 Gate. Upon receiving the coordinates from Natalia at “Five Eyes” HQ, Bets Fielding was tasked with sneaking on board the DBS Cruise Ferry, which was now used for cargo shipments after the Covid pandemic. Her mission was to find Natalia and bring her safely back to Sakaiminato, Japan, where she would get her a new identity with the help of the allied forces.

It was hard to leave Natalia in Japan, but Bets knew it was what Natalia wanted. Bets asked Natalia to reach out if she ever needed anything again, and left Natalia for the long journey home to Northern Virginia.

When Bets arrived back home, she and her team met in their newly constructed classified field office to begin reverse engineering the .elf binary. They successfully extracted the capture.png containing Natalia's screenshot of Dr. Rinn's hand-written notes, a copy of the Gate 1337 firmware in both .elf and .uf2 formats, and a bc0.h file whose purpose they were unsure of.

They flashed the .uf2 on a Raspberry Pi Pico to see specifically how the firmware operated and ran a string analysis, which was unsuccessful because all of the relevant strings were encrypted with the world's most advanced encryption, referred to as the Rinn Encryption.

The team cloned the latest Radare2 repo and built from source at https://github.com/radareorg/radare2. They used an Ubuntu distro. First they ran radare2 -w arm -b 16 firmware.elf. Then they ran aaaa and began to search the strings by typing iz ~.. However, they found no usable strings. They made some changes to the MicroPython bytecode, ran elf2uf2 firmware.elf firmware.uf2, and finally flashed the .uf2 to the Pico. To date they have not been able to crack the 1337 Gate password and are struggling to find next steps.

Bets also reviewed the QSTR MicroPython Documentation at https://docs.micropython.org/en/latest/develop/qstr.html to get familiar with how MicroPython handles strings.


MISSION

You have been selected by the DC540 ANGELS OF DEATH to be the Reverse Engineer on this mission. Your task is to review the attached capture.png and bc0.h to find clues of where to begin reverse engineering the .elf binary. Your mission is to flash a Raspberry Pi Pico with the firmware.uf2 firmware and see how it operates. Review the firmware.elf firmware, hack the MicroPython bytecode using Radare2, use the elf2uf2 conversion utility to get a new firmware.uf2, and re-flash the Raspberry Pi Pico to get the entrance flag. Report back to "Master Assembler" with your results by sending a private Discord DM to @P4R4D0X in the DC540 Discord channel listed above.

HINT

"You will know you have the flag as it will end with, for processing..."


License

Apache License, Version 2.0