Omega Stonks was a 50 point misc challenge in UIU-CTF 2020!

Challenge

alt text

Plan of attack

You can type !work in the chat with IsabelleBot to earn stonks + it’s late at night, and I need to get 8 hours of sleep = automate sending !work to IsabelleBot.

In High School I used to make costume controllers for our robotics team using Arduino Boards (essentially they would mimic a keyboard), so for nostalgia’s sake (and because I didn’t want to look into making a Discord bot), I grabbed my old friend DigiSpark (with an ATTINY85) and started automating!

Setup

DigiSpark ships with a library called DigiKeyboard which lets you send keystrokes over USB.

alt text

So after adding the http://digistump.com/package_digistump_index.json to my board manager URLs under Arduino Preferences, all I had to do is write the code to spam !work.

Code

#include "DigiKeyboard.h"

void setup() {

}

void print(char *str) {
  char c = str[0];
  byte i = 0;
  DigiKeyboard.update();
  DigiKeyboard.sendKeyStroke(0); //this is generally not necessary but with some older systems it seems to prevent missing the first character after a delay
  while (c != 0) {
    if (c==' ')
      DigiKeyboard.sendKeyStroke(KEY_SPACE);
    if (c>='A' && c<='Z')
      DigiKeyboard.sendKeyStroke(KEY_A+(c-'A'), MOD_SHIFT_LEFT);
    if (c>='a' && c<='z')
      DigiKeyboard.sendKeyStroke(KEY_A+(c-'a'));
    if (c=='0')
      DigiKeyboard.sendKeyStroke(KEY_0);
    if (c>='1' && c<='9')
      DigiKeyboard.sendKeyStroke(KEY_1+(c-'1'));
    if (c == '!')
      DigiKeyboard.sendKeyStroke(KEY_1, MOD_SHIFT_LEFT);
    i++;
    c = str[ i ];
  }
}

void println (char *str) {
  print(str);
  DigiKeyboard.sendKeyStroke(KEY_ENTER);
}
void sleep(int seconds) { 
  delay(seconds * 1000); 
}
void loop() {
  println ("!work");
  sleep(17);
}

Issues

The code took a few tries to upload to the board. I suspect it’s because my Mac only has USB-C ports, and using a converter makes it go funky; however, after a few plug cycles, it started working, so I stayed with the DigiSpark. Alternatively, you could use an Arduino UNO. However, you would have to put it in DFU mode and flash a custom firmware, which I didn’t feel like doing.

It’s Alive!!

Ignore the chewed up USB-C dongle, my dog managed to get to it the day before. Now it’s a matter of leaving it running overnight.

alt text

My AtTiny Got in trouble

The next morning I noticed that I was muted from the chat, with got about 450,000 (you needed 500,000 for the flag). So close! What happened? Was automation against the rules? (I should mention I didn’t really look into the challenge that much). Did my little Arduino mess up and started sending bad words?

I opened a ticket with the CTF organizers, and after telling them honestly that my Arduino was doing most of the typing, and that it shall go to Android Hell for all of its wrongdoings, we were back in business.

alt text

And they even let me keep using it!!

Final Push

After re-plugging the DigiSpark into my computer and having it run for a little longer, we finally got enough Stonks to buy the flag!

To avoid looking like a 🤖, I added a few random delays.

#include "DigiKeyboard.h"

void setup() {

}

void print(char *str) {
  char c = str[0];
  byte i = 0;
  DigiKeyboard.update();
  DigiKeyboard.sendKeyStroke(0); //this is generally not necessary but with some older systems it seems to prevent missing the first character after a delay
  while (c != 0) {
    if (c==' ')
      DigiKeyboard.sendKeyStroke(KEY_SPACE);
    if (c>='A' && c<='Z')
      DigiKeyboard.sendKeyStroke(KEY_A+(c-'A'), MOD_SHIFT_LEFT);
    if (c>='a' && c<='z')
      DigiKeyboard.sendKeyStroke(KEY_A+(c-'a'));
    if (c=='0')
      DigiKeyboard.sendKeyStroke(KEY_0);
    if (c>='1' && c<='9')
      DigiKeyboard.sendKeyStroke(KEY_1+(c-'1'));
    if (c == '!')
      DigiKeyboard.sendKeyStroke(KEY_1, MOD_SHIFT_LEFT);
    i++;
    c = str[ i ];
  }
}

void println (char *str) {
  print(str);
  DigiKeyboard.sendKeyStroke(KEY_ENTER);
}
void sleep(int seconds) { 
  delay(seconds * 1000); 
}
void loop() {
  println ("!work");
  sleep(16 + random(1,4));
}

And we get the flag!

alt text

Conclusion

Main takeaway, ask admins about automating something before doing it. But if you are going to do it Arduino HID emulation >>>>> Any other kind of scripting

If I had a Raspberry Pi doing the automation, I could have said that my ARM was doing the typing… 🤖