#@ck3r
  • Welcome
  • Administrator
    • ActiveDirectory
      • Methodology
    • LDAP
    • Kerberos
  • HTB_CTF
    • It's Oops PM
  • πŸ•ΈοΈ Pentesting Web
    • Web Vulnerabilities Methodology
      • Reflecting Techniques - PoCs and Polygloths CheatSheet
        • Web Vulns List
    • 2FA/MFA/OTP Bypass
    • Account Takeover
    • Browser Extension Pentesting Methodology
      • BrowExt - ClickJacking
      • BrowExt - permissions & host_permissions
      • BrowExt - XSS Example
    • Bypass Payment Process
    • Captcha Bypass
    • Cache Poisoning and Cache Deception
      • Cache Poisoning via URL discrepancies
      • Cache Poisoning to DoS
    • Clickjacking
    • Client Side Template Injection (CSTI)
    • Client Side Path Traversal
    • Command Injection
    • Content Security Policy (CSP) Bypass
    • Cookies Hacking
      • Cookie Tossing
    • CORS - Misconfigurations & Bypass
    • CRLF (%0D%0A) Injection
    • CSRF (Cross Site Request Forgery)
  • Dangling Markup - HTML scriptless injection
  • Dependency Confusion
  • Deserialization
    • NodeJS - __proto__ & prototype Pollution
      • Client Side Prototype Pollution
      • Express Prototype Pollution Gadgets
      • Prototype Pollution to RCE
    • CommonsCollection1 Payload - Java Transformers to Rutime exec() and Thread Sleep
    • Java DNS Deserialization, GadgetProbe and Java Deserialization Scanner
    • Basic .Net deserialization (ObjectDataProvider gadget, ExpandedWrapper, and Json.Net)
    • Exploiting __VIEWSTATE without knowing the secrets
    • Python Yaml Deserialization
    • JNDI - Java Naming and Directory Interface & Log4Shell
    • Ruby Class Pollution
  • Page 1
Powered by GitBook
On this page
  • 1. Component: backdoor
  • 2. Component: encryption
  • 3. Component: ckey
  • 4. Component: tpm (Trusted Platform Module?)
  • πŸ”Ž Key Observations
  • πŸ›‘ Potential Security Concerns
  1. HTB_CTF

It's Oops PM

This VHDL code defines a system with four main components: ckey, encryption, backdoor, and tpm. The system appears to be performing encryption while incorporating a hidden backdoor mechanism. Below is a detailed explanation of how each part functions and how they interact.

1. Component: backdoor

This component checks if the input D matches a specific 16-bit pattern: πŸ‘‰ "1111111111101001" (0xFFE9 in hex).

  • If D is equal to this pattern, it sets B to '1'.

  • Otherwise, it sets B to '0'.

Code Analysis:

entity backdoor is
    Port 
        D : in STD_LOGIC_VECTOR(15 downto 0); -- 16-bit input
        B : out STD_LOGIC  -- 1-bit output (flag)
    );
end backdoor;

  • D is the data being checked.

  • B acts as a flag indicating whether the pattern was matched.

architecture Behavioral of backdoor is
    constant pattern : STD_LOGIC_VECTOR(15 downto 0) := "1111111111101001"; -- Secret pattern
begin
    process(D)
    begin
        if D = pattern then
            B <= '1';  -- Flag set if pattern matches
        else
            B <= '0';  -- Otherwise, flag remains 0
        end if;
    end process;
end Behavioral;

πŸ”Ή Purpose: This is a backdoor detection moduleβ€”if a specific data pattern is received, it triggers the B signal.

2. Component: encryption

This module encrypts the input data D using a key K with a combination of XOR operations and selective bit inversions.

Code Analysis:

entity encryption is
    Port (
        D, K : in STD_LOGIC_VECTOR(15 downto 0); -- 16-bit data and key inputs
        E : out STD_LOGIC_VECTOR(15 downto 0)   -- 16-bit encrypted output
    );
end encryption;

  • D is the plaintext.

  • K is the encryption key.

  • E is the encrypted output.

architecture Behavioral of encryption is
begin
    process(D, K)
    begin
        for i in 1 to 15 loop
            E(i) <= D(i) XOR K(i); -- XOR each bit of D with K
        end loop;

        E(0) <= NOT K(0);  -- Flip specific key bits (0, 6, 13)
        E(6) <= NOT K(6);
        E(13) <= NOT K(13);
    end process;
end Behavioral;

πŸ”Ή Purpose: This module implements a basic encryption function where:

  • Most bits are encrypted using XOR.

  • Three key bits (K(0), K(6), K(13)) are flipped instead of XOR-ing.

3. Component: ckey

This module generates a constant encryption key.

Code Analysis:

entity ckey is
    Port (
        K : out STD_LOGIC_VECTOR(15 downto 0) -- 16-bit encryption key output
    );
end ckey;

architecture Behavioral of ckey is
    constant key : STD_LOGIC_VECTOR(15 downto 0) := "0110001111100001"; -- Fixed key
begin
    K <= key;
end Behavioral;

πŸ”Ή Purpose:

  • This module hardcodes a key "0110001111100001" (0x63E1 in hex) that will be used for encryption.

  • There is no dynamic key generation, meaning the encryption is always done with this same key.

4. Component: tpm (Trusted Platform Module?)

This module integrates the other components to either encrypt data or leak the secret key if the backdoor is triggered.

Code Analysis:

entity tpm is
    Port (
        Data : in STD_LOGIC_VECTOR(15 downto 0); -- Input data
        Output : out STD_LOGIC_VECTOR(15 downto 0) -- Output data
    );
end tpm;

  • Data is the input data.

  • Output is the final processed data.

Internal Signals:

signal Key : STD_LOGIC_VECTOR(15 downto 0); -- Stores the encryption key
signal Encrypted : STD_LOGIC_VECTOR(15 downto 0); -- Stores encrypted data
signal B: STD_LOGIC; -- Stores backdoor flag

Instantiation of Components:

component ckey
    port (K : out STD_LOGIC_VECTOR(15 downto 0));
end component;

component encryption
    port (D, K : in STD_LOGIC_VECTOR(15 downto 0);
          E : out STD_LOGIC_VECTOR(15 downto 0));
end component;

component backdoor 
    port (D : in STD_LOGIC_VECTOR(15 downto 0);
          B : out STD_LOGIC);
end component;

  • The ckey component provides the constant encryption key.

  • The encryption component encrypts Data using Key.

  • The backdoor component checks if Data matches "1111111111101001".

Mapping Components to Signals:

ck : ckey port map(Key); -- Assigns Key value from ckey
enc: encryption port map (Data, Key, Encrypted); -- Encrypts Data
bd: backdoor port map (Data, B); -- Detects the backdoor pattern

Process:

process(Key, Encrypted, B)
begin
    case B is
        when '1' =>
            for i in 0 to 15 loop
                Output(i) <= Key(i); -- If backdoor is triggered, leak the encryption key
            end loop;
        when others =>
            for i in 0 to 15 loop
                Output(i) <= Encrypted(i); -- Otherwise, return encrypted data
            end loop;
    end case;
end process;

  • If B = '1' (i.e., backdoor condition is met), the output is the encryption key instead of encrypted data.

  • Otherwise, it returns the encrypted data.

πŸ”Ž Key Observations

  1. Encryption Implementation:

    • XOR-based encryption is simple but can be easily broken.

    • Selective bit inversion adds minor obfuscation.

  2. Backdoor Mechanism:

    • If the input Data matches "1111111111101001", the module exposes the secret encryption key instead of returning encrypted data.

    • This is a severe security vulnerability, possibly intentional.

  3. Hardcoded Key (ckey Component):

    • The encryption key is not dynamically generated; it is always "0110001111100001", making it easy to decrypt the data.

πŸ›‘ Potential Security Concerns

This system contains a deliberate backdoor:

  • If an attacker inputs "1111111111101001", the system reveals the encryption key.

  • With this key, all encrypted messages can be decrypted, breaking the confidentiality.

πŸ”Ή If used in real applications, this could be a security risk, allowing unauthorized decryption of sensitive data.

Host is up (0.18s latency).

PORT      STATE SERVICE VERSION
42244/tcp open  unknown
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, NULL, RPCCheck: 
|     The input must be a binary signal of 16 bits.
|     Input :
|   GenericLines, GetRequest, HTTPOptions, RTSPRequest: 
|     The input must be a binary signal of 16 bits.
|     Input : Error : Invalid length of bits.
|     Input : Error : Invalid length of bits.
|     Input :
|   Help, SSLSessionReq, TLSSessionReq, TerminalServerCookie: 
|     The input must be a binary signal of 16 bits.
|     Input : Error : Invalid length of bits.
|_    Input :
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port42244-TCP:V=7.95%I=7%D=2/24%Time=67BCB5B5%P=x86_64-pc-linux-gnu%r(N
SF:ULL,37,"The\x20input\x20must\x20be\x20a\x20binary\x20signal\x20of\x2016
SF:\x20bits\.\n\nInput\x20:\x20")%r(GenericLines,89,"The\x20input\x20must\
SF:x20be\x20a\x20binary\x20signal\x20of\x2016\x20bits\.\n\nInput\x20:\x20E

From this scan result ,it seems that the port expects some input from the user with the statement The input must be a binary signal of 16 bits and error message Input : Error : Invalid length of bits.

m going to use netcat to try and establish a connection to this machine and IP and see if we trigger the said backdoor


dante@Archie ~ $ nc 83.136.255.243
nc: missing port number
dante@Archie ~ $ nc 83.136.255.243 42244
The input must be a binary signal of 16 bits.

Input : 1111111111101001
Output: 0110001111100001

You triggered the backdoor here is the flag: HTB{4_7yp1c41_53cu23_TPM_ch1p}

dante@Archie ~ $ cls

PreviousKerberosNextWeb Vulnerabilities Methodology

Last updated 3 months ago