It's Oops PM

This VHDL code defines a system with four main components: ckey, encryption, backdoor, and tpm. The system appears to be performing encryption while incorporating a hidden backdoor mechanism. Below is a detailed explanation of how each part functions and how they interact.

1. Component: `backdoor`

This component checks if the input D matches a specific 16-bit pattern: 👉 "1111111111101001" (0xFFE9 in hex).

If D is equal to this pattern, it sets B to '1'.
Otherwise, it sets B to '0'.

Code Analysis:

entity backdoor is
    Port 
        D : in STD_LOGIC_VECTOR(15 downto 0); -- 16-bit input
        B : out STD_LOGIC  -- 1-bit output (flag)
    );
end backdoor;

D is the data being checked.
B acts as a flag indicating whether the pattern was matched.

architecture Behavioral of backdoor is
    constant pattern : STD_LOGIC_VECTOR(15 downto 0) := "1111111111101001"; -- Secret pattern
begin
    process(D)
    begin
        if D = pattern then
            B <= '1';  -- Flag set if pattern matches
        else
            B <= '0';  -- Otherwise, flag remains 0
        end if;
    end process;
end Behavioral;

🔹 Purpose: This is a backdoor detection module—if a specific data pattern is received, it triggers the B signal.

2. Component: `encryption`

This module encrypts the input data D using a key K with a combination of XOR operations and selective bit inversions.

Code Analysis:

entity encryption is
    Port (
        D, K : in STD_LOGIC_VECTOR(15 downto 0); -- 16-bit data and key inputs
        E : out STD_LOGIC_VECTOR(15 downto 0)   -- 16-bit encrypted output
    );
end encryption;

D is the plaintext.
K is the encryption key.
E is the encrypted output.

architecture Behavioral of encryption is
begin
    process(D, K)
    begin
        for i in 1 to 15 loop
            E(i) <= D(i) XOR K(i); -- XOR each bit of D with K
        end loop;

        E(0) <= NOT K(0);  -- Flip specific key bits (0, 6, 13)
        E(6) <= NOT K(6);
        E(13) <= NOT K(13);
    end process;
end Behavioral;

🔹 Purpose: This module implements a basic encryption function where:

Most bits are encrypted using XOR.
Three key bits (K(0), K(6), K(13)) are flipped instead of XOR-ing.

3. Component: `ckey`

This module generates a constant encryption key.

Code Analysis:

entity ckey is
    Port (
        K : out STD_LOGIC_VECTOR(15 downto 0) -- 16-bit encryption key output
    );
end ckey;

architecture Behavioral of ckey is
    constant key : STD_LOGIC_VECTOR(15 downto 0) := "0110001111100001"; -- Fixed key
begin
    K <= key;
end Behavioral;

🔹 Purpose:

This module hardcodes a key "0110001111100001" (0x63E1 in hex) that will be used for encryption.
There is no dynamic key generation, meaning the encryption is always done with this same key.

4. Component: `tpm` (Trusted Platform Module?)

This module integrates the other components to either encrypt data or leak the secret key if the backdoor is triggered.

Code Analysis:

entity tpm is
    Port (
        Data : in STD_LOGIC_VECTOR(15 downto 0); -- Input data
        Output : out STD_LOGIC_VECTOR(15 downto 0) -- Output data
    );
end tpm;

Data is the input data.
Output is the final processed data.

Internal Signals:

signal Key : STD_LOGIC_VECTOR(15 downto 0); -- Stores the encryption key
signal Encrypted : STD_LOGIC_VECTOR(15 downto 0); -- Stores encrypted data
signal B: STD_LOGIC; -- Stores backdoor flag

Instantiation of Components:

component ckey
    port (K : out STD_LOGIC_VECTOR(15 downto 0));
end component;

component encryption
    port (D, K : in STD_LOGIC_VECTOR(15 downto 0);
          E : out STD_LOGIC_VECTOR(15 downto 0));
end component;

component backdoor 
    port (D : in STD_LOGIC_VECTOR(15 downto 0);
          B : out STD_LOGIC);
end component;

The ckey component provides the constant encryption key.
The encryption component encrypts Data using Key.
The backdoor component checks if Data matches "1111111111101001".

Mapping Components to Signals:

ck : ckey port map(Key); -- Assigns Key value from ckey
enc: encryption port map (Data, Key, Encrypted); -- Encrypts Data
bd: backdoor port map (Data, B); -- Detects the backdoor pattern

Process:

process(Key, Encrypted, B)
begin
    case B is
        when '1' =>
            for i in 0 to 15 loop
                Output(i) <= Key(i); -- If backdoor is triggered, leak the encryption key
            end loop;
        when others =>
            for i in 0 to 15 loop
                Output(i) <= Encrypted(i); -- Otherwise, return encrypted data
            end loop;
    end case;
end process;

If B = '1' (i.e., backdoor condition is met), the output is the encryption key instead of encrypted data.
Otherwise, it returns the encrypted data.

🔎 Key Observations

Encryption Implementation:
- XOR-based encryption is simple but can be easily broken.
- Selective bit inversion adds minor obfuscation.
Backdoor Mechanism:
- If the input Data matches "1111111111101001", the module exposes the secret encryption key instead of returning encrypted data.
- This is a severe security vulnerability, possibly intentional.
Hardcoded Key (ckey Component):
- The encryption key is not dynamically generated; it is always "0110001111100001", making it easy to decrypt the data.

🛑 Potential Security Concerns

This system contains a deliberate backdoor:

If an attacker inputs "1111111111101001", the system reveals the encryption key.
With this key, all encrypted messages can be decrypted, breaking the confidentiality.

🔹 If used in real applications, this could be a security risk, allowing unauthorized decryption of sensitive data.

Host is up (0.18s latency).

PORT      STATE SERVICE VERSION
42244/tcp open  unknown
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, NULL, RPCCheck: 
|     The input must be a binary signal of 16 bits.
|     Input :
|   GenericLines, GetRequest, HTTPOptions, RTSPRequest: 
|     The input must be a binary signal of 16 bits.
|     Input : Error : Invalid length of bits.
|     Input : Error : Invalid length of bits.
|     Input :
|   Help, SSLSessionReq, TLSSessionReq, TerminalServerCookie: 
|     The input must be a binary signal of 16 bits.
|     Input : Error : Invalid length of bits.
|_    Input :
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port42244-TCP:V=7.95%I=7%D=2/24%Time=67BCB5B5%P=x86_64-pc-linux-gnu%r(N
SF:ULL,37,"The\x20input\x20must\x20be\x20a\x20binary\x20signal\x20of\x2016
SF:\x20bits\.\n\nInput\x20:\x20")%r(GenericLines,89,"The\x20input\x20must\
SF:x20be\x20a\x20binary\x20signal\x20of\x2016\x20bits\.\n\nInput\x20:\x20E

From this scan result ,it seems that the port expects some input from the user with the statement The input must be a binary signal of 16 bits and error message Input : Error : Invalid length of bits.

m going to use netcat to try and establish a connection to this machine and IP and see if we trigger the said backdoor


dante@Archie ~ $ nc 83.136.255.243
nc: missing port number
dante@Archie ~ $ nc 83.136.255.243 42244
The input must be a binary signal of 16 bits.

Input : 1111111111101001
Output: 0110001111100001

You triggered the backdoor here is the flag: HTB{4_7yp1c41_53cu23_TPM_ch1p}

dante@Archie ~ $ cls

PreviousKerberos NextWeb Vulnerabilities Methodology

Last updated 11 months ago

hashtag1. Component: backdoor

hashtagCode Analysis:

hashtag2. Component: encryption

hashtagCode Analysis:

hashtag3. Component: ckey

hashtagCode Analysis:

hashtag4. Component: tpm (Trusted Platform Module?)

hashtagCode Analysis:

hashtag🔎 Key Observations

hashtag🛑 Potential Security Concerns

1. Component: `backdoor`

Code Analysis:

2. Component: `encryption`

Code Analysis:

3. Component: `ckey`

Code Analysis:

4. Component: `tpm` (Trusted Platform Module?)

Code Analysis:

🔎 Key Observations

🛑 Potential Security Concerns