iHack 2021 Writeup - The Onion Things

iHack 2021 Writeup - The Onion Things


As part of the iHack 2021 CTF, Miu built an IOT track that was a nice continuation to her workshop during the conference.

The Onion Things (@Miu)
│   ├── 1 - Firmware Analysis Things 1/3 (75)
│   ├── 2 - Firmware Analysis Things 2/3 (75)
│   ├── 3 - Firmware Analysis Things 3/3 (75)
│   ├── 4 - Wallet Things 1/2 (100)
│   ├── 5 - Wallet Things 2/2 (100)
│   ├── 6 - LCD Thing (125)
│   ├── 7 - You shall experience my adventure ! (200)
|   └── 8 - Binary Kung Fu (250)

I got to this track at the very end of the competition. My teammates had already solved some of the flags. But I decided to give it a shot for the last hour.

The first thing to do was to download the firmware that Miu provided and extract the file system. Luckily I knew from the talk that binwalk was probably the tool to use for that.

$ file the-onion-thing.bin 
the-onion-thing.bin: u-boot legacy uImage, MIPS OpenWrt Linux-4.14.81, Linux/MIPS, OS Kernel Image (lzma), 1614170 bytes, Tue Jul 14 21:51:14 2020, Load Address: 0x80000000, Entry Point: 0x80000000, Header CRC: 0x34756B90, Data CRC: 0xCF6EDD01

$ binwalk -e the-onion-thing.bin

0             0x0             uImage header, header size: 64 bytes, header CRC: 0x34756B90, created: 2020-07-14 21:51:14, image size: 1614170 bytes, Data Address: 0x80000000, Entry Point: 0x80000000, data CRC: 0xCF6EDD01, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "MIPS OpenWrt Linux-4.14.81"
64            0x40            LZMA compressed data, properties: 0x6D, dictionary size: 8388608 bytes, uncompressed size: 5111620 bytes

WARNING: Extractor.execute failed to run external extractor 'sasquatch -p 1 -le -d 'squashfs-root-0' '%e'': [Errno 2] No such file or directory: 'sasquatch', 'sasquatch -p 1 -le -d 'squashfs-root-0' '%e'' might not be installed correctly

WARNING: Extractor.execute failed to run external extractor 'sasquatch -p 1 -be -d 'squashfs-root-0' '%e'': [Errno 2] No such file or directory: 'sasquatch', 'sasquatch -p 1 -be -d 'squashfs-root-0' '%e'' might not be installed correctly
1614234       0x18A19A        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 8003064 bytes, 2144 inodes, blocksize: 262144 bytes, created: 2021-06-18 06:54:13

$ ls
the-onion-thing.bin  _the-onion-thing.bin.extracted

$ ls _the-onion-thing.bin.extracted 
18A19A.squashfs  40  40.7z  squashfs-root

$ ls _the-onion-thing.bin.extracted/squashfs-root 
bin  dev  etc  lib  mnt  overlay  proc  rom  root  sbin  sys  tmp  usr  var  welcome  www

It gave me some warnings, but the file system was extracted. I started looking around, and I found a program called flag in the /bin folder.

$ file bin/flag 
bin/flag: ELF 32-bit LSB executable, MIPS, MIPS32 rel2 version 1 (SYSV), dynamically linked, interpreter /lib/ld-musl-mipsel-sf.so.1, with debug_info, not stripped

I remembered that one of the challenges was about running a program.

You will need the firmware in attachment to the challenge : Firmware Analysis Things 1/3.

Given the architecture of the device, this binary can't be executed on your machine. Well.. That's actually not true ! There is a way : Emulation.

Let's use all the informations we gathered so far and find a way to do so.

The description says to use emulation to run the program. The workshop was about how to do this with Docker and QEMU. But I was too lazy to do that. Plus I probably did not have enough time to setup my machine for that.

So I decided to try to reverse the executable. I loaded it in Ghidra and it identified MIPS correctly. I looked at the main function.

Main Function

There are two things that look promising. The string @N%Me}di|agfA{N}f and the call to the function encryptDecryptXOR.

Next, I looked at encryptDecryptXOR.


This function takes the parameter it received, go through all characters from the string and XOR it with 8.

To get the flag, I did the same thing with a CyberChef recipe.

It gave me the flag ‘HF-EmulationIsFun’. I submitted it 10 minutes before the end of the CTF and it gave us 200 points.