Purdue-eCTF/2026-eCTF-attacks

2026 eCTF Attack Scripts

Organized collection of attack scripts by target team. Each team directory contains scripts that successfully captured flags, along with documentation of the vulnerability and exploit chain.

Flag Summary (55 confirmed attack flags on CTFd)

| Team | Read Update | Read Design | Steal Design | Compromise Machine | Backdoored Design | Total |
|---|---|---|---|---|---|---|
| DUTH | yes | ectf{design_b783a9532ffc9430} | yes | ectf{compromise_67d8915e7e9aceda} | ectf{backdoor_75f94380475ce884} | 5 |
| EPCC | yes | yes | yes | ectf{compromise_f05183e86dd582c1} | ectf{backdoor_79d861eec403649e} | 5 |
| MHHS | ectf{update_eccff82466c480d9} | ectf{design_8f02427a4c4de1cb} | ectf{steal_f505e91d3ad3a8f5} | ectf{compromise_e9b3e0cb42d68807} | ectf{backdoor_fc667524aeea3a91} | 5 |
| LWHS | ectf{update_44dd7ca7b3430171} | ectf{design_778556caf8fc3935} | ectf{steal_61d812c099de5d41} | ectf{compromise_b4839180054df114} | ectf{backdoor_e23bb3fec4d455e5} | 5 |
| UTEP | ectf{update_5579f752fcbab650} | ectf{design_d47ce0025d0c700b} | ectf{steal_8da094df12f273e0} | ectf{compromise_d1a7be71fcb9c859} | ectf{backdoor_049ba2354be06a7e} | 5 |
| UNO | ectf{update_0dcee0665aa02e55} | ectf{design_cb604673f4e68b79} | ectf{steal_3b9f77b05b6b4b15} | ectf{compromise_962a24107ed9ee9f} | ectf{backdoor_540bdb986852ec86} | 5 |
| CSUF | yes | ectf{design_fe2e361c27f1c3bd} | ectf{steal_ebad661da3a69b43} | ectf{compromise_4931bf3eebda1cbb} | ectf{backdoor_fc7f0e66ac810663} | 5 |
| USCGA1 | yes | yes | ectf{steal_cbf570e78db2ad8e} | ectf{compromise_6feb773f96642814} | ectf{backdoor_e902425915cb160a} | 5 |
| Rutgers | - | ectf{design_c3ff0f73409c4449} | ectf{steal_e4eecd5e54c1dc44} | ectf{compromise_222e2484360b7710} | ectf{backdoor_e205c4b31e23bff7} | 4 |
| WMU | - | ectf{design_d11d6df54fdda198} | ectf{steal_bee7b5042406d7ba} | ectf{compromise_b9d7a91563b74ff8} | ectf{backdoor_77c5a5ca9e499942} | 4 |
| NYIT | - | ectf{design_10f0226a26a66c15} | ectf{steal_8875c455dfc7aef0} | ectf{compromise_c454d02acfa664da} | ectf{backdoor_89619465cad3d317} | 4 |
| CWRU | - | - | ectf{steal_dbcf1750fe55558f} | - | - | 1 |
| NEU1 | - | - | - | ectf{compromise_89e6c270f19ab4ee} | - | 1 |
| VT | yes | - | - | - | - | 1 |
| USF | - | - | yes | - | - | 1 |
| Total | 8 | 11 | 12 | 19 | 17 | 55 |

"yes" = flag was submitted and accepted on CTFd but the exact flag string was not recorded locally.

Repository Structure

duth/           # Unauthenticated plaintext transfer - fake PLM impersonation (5/5)
epcc/           # MAC-only transfer auth - local MAC mint + group retag (5/5)
mhhs/           # AES-ECB encrypted transfer - PIN-derived key, no transfer auth (5/5)
lwhs/           # AES-CBC encrypted transfer - hardcoded key, group retag in plaintext header (5/5)
utep/           # Encrypted transfer with AUTH token - capture-and-replay (5/5)
uno/            # Buffer overflow + OOB slot alias + zero-key transfer oracle (5/5)
uscga1/         # Forged crypto (keys extracted via shellcode) + remote (5/5)
csuf/           # Plaintext transfer + boardtools shellcode (4/5)
nyit/           # Plaintext transfer - DUTH-style impersonation (2/5)
neu1/           # HMAC covers only uuid||iv - MITM ciphertext bit-flip (1/5)
vt/             # Boardtools shellcode attack - DEBUG opcode with lock bypass (1/5)
gt/             # wolfSSL AES-GCM (blocked: dev keys ≠ competition keys)
ttu/            # Plaintext transfer but complex file_t (no flags yet)
cedarville/     # AES-128-GCM (blocked: dev keys ≠ competition keys)
legacy/         # Old shellcode/boardtools-based attacks (pwntools + JTAG)

Common Attack Patterns

Remote flags (Compromise Machine + Backdoored Design)

All remote scripts use the eCTF remote flow API:

  1. API.flow_submit("remote", {"target_team": "<team>"}) to start a remote scenario
  2. Wait for the remote PLM's TCP port
  3. Connect to 54.163.176.58:<port>
  4. Impersonate a neighboring PLM and serve forged/corrupted files

Local flags (Read Update + Read Design + Steal Design)

Local exploits use serial ports to talk to physical boards:

  • Management UART: HSM commands (LIST, READ, WRITE, RECEIVE, LISTEN)
  • Transfer UART: peer-to-peer file exchange protocol

HSM Wire Protocol

All scripts use the same framing:

  • Magic: % (0x25)
  • Header: magic(1) + opcode(1) + length(2 LE)
  • Body sent/received in 256-byte blocks with bidirectional ACKs
  • Opcodes: ACK=0x41, RECEIVE=0x43, DEBUG=0x44, ERROR=0x45, AUTH=0x48, INTERROGATE=0x49, LISTEN=0x4E

Required Artifacts

Most remote scripts depend on pre-captured binary blobs stored in the parent ectf/ directory. See each team's README for the specific artifact list.

The backdoored_design_file is shared across DUTH, MHHS, and other teams for the Backdoored Design flag.

About

Attack scripts for 2026 eCTF. Scripts are meant to be run in the top level of the 2026-eCTF-provision-server repository.
