Close
0%
0%

Building the MiniBox CTF Trainer on the ESP8266

If you’re passionate about cybersecurity and love the thrill of Capture the Flag (CTF) challenges, then this project is right up your alley.

vasilis-ieropoulosVasilis Ieropoulos
Following
Liked Like project

Just one more thing

To make the experience fit your profile, pick a username and tell us what interests you.

Pick an awesome username
hackaday.io/
Your profile's URL: hackaday.io/username. Max 25 alphanumeric characters.
Pick a few interests
Projects that share your interests
People that share your interests

We found and based on your interests.

Choose more interests.

OK, I'm done! Skip
Similar projects worth following
156 views
0 comments
60 followers
View Gallery
What is MiniBox CTF Trainer?

The MiniBox CTF Trainer is a compact, wireless CTF environment that fits in the palm of your hand. Using the versatile ESP8266, we’ve created a web-based interface packed with various challenges that test your skills in cryptography, web exploitation, and wireless hacking. The idea is simple: provide a challenging yet accessible platform that anyone can use to improve their cybersecurity skills on the go.

Features of MiniBox CTF Trainer

Here’s what you can expect from this nifty little device:

  • LED Control Challenge: Turn the onboard LED on or off through a web interface. Sounds simple, but there’s more to it than meets the eye.
  • Client Monitoring: View and analyze the number of devices connected to the ESP8266’s access point. Could there be a hidden flag lurking in the client list?
  • Wireless Scanning: Explore available Wi-Fi networks. This challenge could serve as a gateway to discovering more hidden features.
  • Buzzer Challenge: Play a melody through a connected buzzer. If you’re musically inclined, you might just hear a hint.
  • Caesar Cipher Flag: Solve a cryptographic puzzle to unveil a hidden flag. Who doesn’t love a good old Caesar cipher?
  • Customizable Difficulty: Choose between easy and hard modes, with the latter adding a layer of HTTP authentication to ramp up the challenge.
  • Portable and Standalone: Powered by the ESP8266, this CTF environment is entirely self-contained, requiring no external infrastructure.

Building the MiniBox CTF Trainer

Building this project is straightforward and can be done with minimal components:

Hardware Requirements:

  • ESP8266 (NodeMCU or Wemos D1 Mini)
  • Buzzer (optional for sound challenges)
  • LEDs (optional for visual challenges)

Software Requirements:

  • Arduino IDE
  • ESP8266 Board Package for Arduino IDE
  • Essential Libraries: ESP8266WiFi, ESP8266WebServer

Steps to Build:

  1. Set up your ESP8266 with the Arduino IDE.
  2. Upload the MiniBox CTF Trainer code to your ESP8266.
  3. Connect to the MiniBox CTF Wi-Fi network generated by your ESP8266.
  4. Access the web interface via your browser at http://192.168.4.1.
  5. Start solving challenges and submit flags through the web interface.

The Challenges

Each API endpoint in the MiniBox CTF Trainer offers a unique challenge:

  • LED Control: Simple commands to control the LED, but there’s a hidden twist. Pay attention to the responses.
  • Client Monitoring: Explore the connected clients. Information is key—there might be more here than just MAC addresses.
  • Buzzer Melody: It’s not just about playing a tune; listen closely—there could be a hint embedded in the sound.
  • Caesar Cipher: A classic cryptography challenge where decoding a cipher reveals the hidden flag.
  • Hard Mode: Adds randomized HTTP authentication, making it more challenging to access the APIs.

Why Build a CTF Platform on ESP8266?

The ESP8266 is perfect for this project because it’s small, affordable, and highly capable. It’s widely supported in the maker community, making it easy to find resources and support. By using the ESP8266, we’ve created a CTF platform that’s not only portable but also versatile, allowing you to train anywhere, anytime.

  • 1 × ESP8266
  • 1 × ROTARY ENCODER
  • 1 × LED Fiber Optics / Emitters
  • 1 × Buzzer
  • 1 × 128x64 OLED

View all 6 components

  • 1
    MiniBox CTF Trainer Walkthrough

    Welcome to the MiniBox CTF Trainer walkthrough! This guide will provide a step-by-step solution to each challenge implemented in the ESP8266 code, as well as explain how similar vulnerabilities can be found and exploited in real-life scenarios.

    Overview

    The MiniBox is an ESP8266-based device that sets up a Wi-Fi access point and provides various web-based challenges. Participants connect to the Wi-Fi network and interact with the device's APIs to discover flags hidden within responses, headers, or behaviors.

    Setup Details

    • SSID: MicroBox
    • Password: 12345678
    • Default Credentials (for some endpoints in EASY mode):
      • Username: admin
      • Password: password

    Difficulty Levels

    • EASY: Default mode with standard challenges.
    • HARD: Activated by holding down the button during startup. Hard mode introduces authentication and more complex challenges.

    Challenges

    1. API LED Control Endpoint (FLAG_1)

    Endpoint: /api/led/on

    Discovery

    1. Enumerate Endpoints: Use tools like DirBuster, DirSearch, or simply try common API endpoints manually.
    2. Observation: Accessing /api/led/on returns a JSON response.

    Solution

    • Access the Endpoint: 
      curl http://192.168.4.1/api/led/on
    • Response: 
      {
  "message": "API LED is ON",
  "flag": "CTF{Mayb3_Th1s_1s_Th3_Fl4g}"
}
    • Flag: CTF{Mayb3_Th1s_1s_Th3_Fl4g}

    Real-Life Scenario

    • Unsecured IoT Endpoints: Devices exposing control endpoints without authentication can be manipulated by attackers.
    • Data Leakage: Sensitive information (like flags or secrets) returned in responses.

    2. Connected Clients Information (FLAG_2)

    Endpoint: /api/clients

    Discovery

    1. API Exploration: After finding /api/led/on, check for other /api/ endpoints.
    2. Access Endpoint: Navigate to /api/clients.

    Solution

    • Access the Endpoint: 
      curl http://192.168.4.1/api/clients
    • Response: 
      {
  "client_count": 1,
  "clients": [
    {"mac": "AA:BB:CC:DD:EE:FF"}
  ],
  "flag": "CTF{May_the_flag_be_with_you}"
}
    • Flag: CTF{May_the_flag_be_with_you}

    Real-Life Scenario

    • Privacy Concerns: Devices revealing connected client information can lead to privacy breaches.
    • Network Mapping: Attackers can map out connected devices for further exploitation.

    3. Wi-Fi Network Scan (FLAG_3)

    Endpoint: /api/scan

    Discovery

    1. Continued API Enumeration: Testing standard endpoints like /api/scan.
    2. Access Endpoint: Navigate to /api/scan.

    Solution

    • Access the Endpoint: 
      curl http://192.168.4.1/api/scan
    • Response: 
      {
  "network_count": 5,
  "networks": [
    {"ssid": "Network1", "rssi": -40},
    // ...
  ],
  "flag": "CTF{Th3_Fl4g_1s_H3r3}"
}
    • Flag: CTF{Th3_Fl4g_1s_H3r3}

    Real-Life Scenario

    • Information Disclosure: Devices scanning and revealing nearby networks can aid attackers in identifying potential targets.
    • Regulatory Issues: Unauthorized scanning may violate regulations in some jurisdictions.

    4. Buzzer Control (FLAG_5)

    Endpoint: /api/buzzer/play

    Discovery

    1. API Exploration: Testing endpoints related to hardware control.
    2. Access Endpoint: Navigate to /api/buzzer/play.

    Solution

    • Access the Endpoint: 
      curl http://192.168.4.1/api/buzzer/play
    • Response: 
      {
  "message": "Buzzer tested",
  "flag": "CTF{The_Big_Daddy_Flag}"
}
    • Flag: CTF{The_Big_Daddy_Flag}

    Real-Life Scenario

    • Unauthorized Access: Controlling hardware components can lead to physical disruptions.
    • Security Risks: Manipulating devices remotely without proper authentication.

    5. Hash Validation Challenge (FLAG_6)

    Endpoint: /api/hashiklis

    Discovery

    1. Access the Endpoint: Navigate to /api/hashiklis.
    2. Read the Hint: The response provides a riddle.

    Solution

    • Access the Endpoint: 
      curl http://192.168.4.1/api/hashiklis
    • Response: 
      {
  "message": "In my world, 32 characters I be, the sum of my parts, a hash you'll see. Seek me out in the land of MD5, and send me back for a reply."
}
    • Interpretation:
      • The hint refers to an MD5 hash.
    • Generate an MD5 Hash: 
      echo -n "test" | md5sum

      Output: 098f6bcd4621d373cade4e832627b4f6

    • Submit the Hash: 
      curl -X POST -d "plain=098f6bcd4621d373cade4e832627b4f6" http://192.168.4.1/api/hashiklis
    • Response: 
      {
  "flag": "CTF{Noob_with_a_Flag}"
}
    • Flag: CTF{Noob_with_a_Flag}

    Real-Life Scenario

    • Input Validation: Systems that expect specific input formats can be tricked if validation is weak.
    • Hash Length Extension Attacks: Understanding hash functions can help in exploiting cryptographic weaknesses.

    6. Caesar Cipher Challenge (FLAG_10)

    Endpoint: /TimeNewRoman

    Discovery

    1. Endpoint Naming: The endpoint name is a play on "Times New Roman", suggesting something with text.
    2. Access the Endpoint.

    Solution

    • Access the Endpoint: 
      curl http://192.168.4.1/TimeNewRoman
    • Response: 
      {
  "ciphered_flag": "FWH{GRQW_WRXFK_PB_IODJ}"
}
    • Decipher the Flag:
      • Recognize it's a Caesar cipher with a shift.
      • Since C shifted by 3 becomes F, the shift is +3.
      • Decipher using a tool or script: 
        echo "FWH{GRQW_WRXFK_PB_IODJ}" | tr 'A-Za-z' 'D-ZA-Cd-za-c'
      • Deciphered Flag: CTF{DONT_TOUCH_MY_FLAG}
    • Flag: CTF{DONT_TOUCH_MY_FLAG}

    Real-Life Scenario

    • Weak Encryption: Simple ciphers are not secure but can be used to obfuscate data.
    • Cryptanalysis: Understanding basic encryption helps in decrypting and analyzing secure communications.

    7. Hidden UDP Broadcast (FLAG_9)

    Behavior: The device broadcasts a UDP packet containing the flag.

    Discovery

    1. Network Scanning: Use tools like Wireshark to monitor network traffic.
    2. Observation: Notice UDP packets being broadcasted to port 1337.

    Solution

    • Capture the UDP Packet:
      • Start Wireshark or tcpdump on the interface connected to the MicroBox.
      • Filter for UDP traffic on port 1337: 
        udp.port == 1337
    • Examine Packet Content:

      The UDP packet contains the flag: CTF{Th3_Fl4g_1s_1n_Th3_C0d3}

    Flag

    CTF{Th3_Fl4g_1s_1n_Th3_C0d3}

    Real-Life Scenario

    • Eavesdropping: Unencrypted broadcasts can be intercepted by attackers.
    • Information Leakage: Sensitive data should not be transmitted over unsecured channels.

    8. User-Agent Header Challenge (FLAG_11)

    Endpoint: /specialAgent

    Discovery

    1. Endpoint Guessing: Try accessing endpoints that suggest special handling.
    2. Access Endpoint: Navigate to /specialAgent and receive a 403 Forbidden message.

    Solution

    • Modify User-Agent:
      • The endpoint name suggests the need for a special User-Agent.
      • Send Request with Custom User-Agent: 
        curl -H "User-Agent: secret-agent" http://192.168.4.1/specialAgent
    • Response: 
      {
  "flag": "CTF{UserAgent_Flag}"
}
    • Flag: CTF{UserAgent_Flag}

    Real-Life Scenario

    • User-Agent Filtering: Servers may provide different content based on the User-Agent.
    • Bypassing Controls: Modifying headers can bypass simple security measures.

    9. Cookie Challenge (FLAG_12)

    Endpoint: /cookieMonster

    Discovery

    1. Access Endpoint: Navigate to /cookieMonster and observe the response.
    2. Response Indicates: "Cookie required" and sets a cookie.

    Solution

    • Inspect Cookies:
      • The server sets auth=challenge.
    • Send Request with Modified Cookie:
      • The goal is to change auth to letmein.
      • Send Request with Custom Cookie: 
        curl -H "Cookie: auth=letmein" http://192.168.4.1/cookieMonster
    • Response: 
      {
  "flag": "CTF{Cookie_Monster_Flag}"
}
    • Flag: CTF{Cookie_Monster_Flag}

    Real-Life Scenario

    • Session Hijacking: Modifying cookies can grant unauthorized access.
    • Poor Authentication: Relying solely on client-side data is insecure.

    10. Host Header Challenge (FLAG_17)

    Endpoint: /hostSecret

    Discovery

    1. Access Endpoint: Navigate to /hostSecret and receive a 403 Forbidden message.
    2. Consider Host Header Manipulation.

    Solution

    • Modify Host Header:
      • The endpoint likely checks for a specific Host header.
      • Send Request with Custom Host: 
        curl -H "Host: secret.local" http://192.168.4.1/hostSecret
    • Response: 
      {
  "flag": "CTF{Host_Header_Flag}"
}
    • Flag: CTF{Host_Header_Flag}

    Real-Life Scenario

    • Host Header Attacks: Manipulating the Host header can lead to cache poisoning or access to unintended content.
    • Virtual Host Misconfigurations: Servers serving different content based on the Host header.

    11. Timing Attack Challenge (FLAG_18)

    Endpoint: /timingAttack (POST request)

    Discovery

    1. Access Endpoint: Observe that the server responds differently based on input timing.
    2. Suspect a Timing Attack Vulnerability.

    Solution

    • Understand the Challenge:
      • The server delays response based on correct characters.
    • Automate the Attack:
      • Write a script to measure response times for different inputs.
      • Example in Python: 
        import requests
import time

url = "http://192.168.4.1/timingAttack"
charset = "CTF{ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_}"
discovered = ""

while True:
    max_time = 0
    next_char = ''
    for c in charset:
        test_input = discovered + c
        start_time = time.time()
        response = requests.post(url, data={'input': test_input})
        elapsed = time.time() - start_time
        if elapsed > max_time:
            max_time = elapsed
            next_char = c
    discovered += next_char
    print(f"Discovered so far: {discovered}")
    if next_char == '}':
        break
    • Flag: CTF{Timing_Is_Everything}

    Real-Life Scenario

    • Timing Attacks: Exploiting time differences in responses to extract sensitive information.
    • Cryptographic Weaknesses: Systems not using constant-time operations are vulnerable.

    12. Hex Encoding Challenge (FLAG_16)

    Endpoint: /superSecret

    Discovery

    1. Access Endpoint: Navigate to /superSecret.
    2. Response Contains Hex Data.

    Solution

    • Access the Endpoint: 
      curl http://192.168.4.1/superSecret
    • Response: 
      {
  "data": "4354467b4865785f4861636b65727d"
}
    • Decode the Hex String: 
      echo "4354467b4865785f4861636b65727d" | xxd -r -p
    • Decoded Flag: CTF{Hex_Hacker}

    Real-Life Scenario

    • Data Encoding: Sensitive data may be encoded in various formats.
    • Data Extraction: Understanding encoding schemes aids in data recovery.

    13. CAPTCHA Challenge (FLAG_13)

    Endpoint: /captcha

    Discovery

    1. Access Endpoint: Navigate to /captcha and receive a math question.

    Solution

    • Get the Question: 
      curl http://192.168.4.1/captcha
    • Response: 
      {
  "question": "What is 7 + 3?"
}
    • Calculate Answer:

      7 + 3 = 10

    • Submit the Answer: 
      curl -X POST -d "answer=10" http://192.168.4.1/captcha
    • Response: 
      {
  "flag": "CTF{Captcha_Cracked}"
}
    • Flag: CTF{Captcha_Cracked}

    Real-Life Scenario

    • CAPTCHA Bypassing: Simple CAPTCHAs can be bypassed with automation.
    • Bot Protection: Implementing stronger CAPTCHAs or alternative verification methods.

    14. UDP Packet Challenge (FLAG_20)

    Behavior: Sending a specific UDP packet to receive a flag.

    Discovery

    1. Port Scanning: Notice that the device listens on UDP port 1337.
    2. Attempt to Communicate: Send data to the port and observe responses.

    Solution

    • Send the Specific Packet: 
      echo -n "pleaseSendFlag" | nc -u -w1 192.168.4.1 1337
    • Receive the Response:

      The device sends back CTF{UDP_Secret_Unveiled}

    • Flag: CTF{UDP_Secret_Unveiled}

    Real-Life Scenario

    • Hidden Services: Devices may have undocumented services listening on non-standard ports.
    • Service Enumeration: Comprehensive scanning can reveal such hidden services.

    15. Unauthenticated Access in Hard Mode (FLAGS_4, FLAG_7, FLAG_8, etc.)

    Behavior: In HARD mode, certain information requires authentication.

    Discovery

    1. Authentication Requirement: Upon accessing certain endpoints, the server requests authentication.
    2. Brute Forcing Not Feasible: Credentials are randomly generated.

    Solution

    • Physical Access: Since the device is in your possession, you can observe the display.
    • Read Credentials:
      • The OLED display shows the username and password.
    • Use Credentials:
      • Use the displayed credentials to authenticate.
    • Access Restricted Endpoints:
      • Proceed to explore and find remaining flags.

    Real-Life Scenario

    • Physical Security: Devices should not display sensitive information.
    • Local Attacks: Attackers with physical access can extract data from devices.

View all instructions

Enjoy this project?

Share

Discussions

Similar Projects

You will learn how to use the Tuya Smart system to connect all your devices to the internet.
Project Owner Contributor

How to create an IoT table light with Tuya

diego-moreiraDiego Moreira

A user-friendly and customizable intranet of things framework that makes home automation a breeze. Automate your home with no code!
Project Owner Contributor

Serenity - Web Based Automation Framework

cfaCFA

Using JSON to define embedded software interfaces.
Project Owner Contributor

Jsoknit

daniel-sikarDaniel Sikar

A framework for building a distributed network of small interactive art pieces
Project Owner Contributor

Distributed Art

adam-phelpsAdam Phelps

Does this project spark your interest?

Become a member to follow this project and never miss any updates

Going up?

About Us Contact Hackaday.io Give Feedback Terms of Use Privacy Policy Hackaday API

© 2024 Hackaday

Yes, delete it Cancel

Report project as inappropriate

You are about to report the project "Building the MiniBox CTF Trainer on the ESP8266", please tell us the reason.

Send message

Your application has been submitted.

Remove Member

Are you sure you want to remove yourself as a member for this project?

Project owner will be notified upon removal.