Welcome to Terra CTF


The CTF competition will consist of a series of challenges ranging in difficulty, and it is up to you to solve as many as you can. The person with the most points at the end of the competition will be declared the winner.

Good luck to all participants, and may the best hacker win!

Instructions

To get started, please join our Discord Server

Flags will always be of the form terra_ctf{some_flag_you_get}

To submit flags for the competition, please privately message Terra members in the server (who can be identified by their Terra role). We will also be posting updates and information in the server, so be sure to check back regularly. If you have any questions, feel free to message us in the designated channels. We look forward to seeing your submissions!

Background

Tony is an athlete competing in the Olympics, and your goal is to sabotage him.

Challenge 1: Web Exploitation (EASY):

Tony's health data is stored in Terra's database. However, to access his data you will need to know his unique user_id. Fortunately for you, his ID is not obfuscated and is hidden in plain sight on this website. Can you find out what Tony's ID number is?

(participants should be able to find and decrypt a flag hidden on a website)

Challenge 2: BLE stream of HR (EASY):

You found where Tony trains and need to gather information about his training performance. For now, heart rate (HR) will suffice. Can you intercept his training data during his session and bring it back to the team without Tony noticing?

(participants should be able to write code that connects to a heart rate strap and retrieves its data, ideally without interfering with the strap's existing connection to, e.g., the app using it)

Challenge 3: Mobile app rev (MEDIUM):

More information is needed about Tony, such as his sleep habits and recovery schedule. You know from a friend that he uses TREIN to manage all of this. Can you retrieve Tony's sleep and recovery data?

(participants should be able to reverse the app in whatever way they like, find the requests and secrets needed to talk to the server, locate Tony's user, and retrieve his data)

Challenge 4: Terra system rev (MED-HARD):

The sleep and recovery data from TREIN included summaries only, but you know TREIN uses Terra in the backend to get Tony's data. You are provided with Terra credentials. Can you retrieve Tony's full data (including his HR, HRV, and sleep stage samples)?

(participants are meant to find vulnerabilities in the Terra service, e.g. a SQL injection that lets their dev-id access Tony's data)

Challenge 5: Data tampering (MED-HARD):

With all the data accessible, the final step is to sabotage Tony's performance by feeding false data during his training, prompting bad sleep and recovery advice and hence affecting his overall performance. Relay false HR samples during Tony's training to the app recording his workout.

(participants are meant to build a man-in-the-middle relay and impersonate the HR strap towards the app)
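Challenges 2 and 5 both come down to the same byte format: the value a Bluetooth LE heart rate strap notifies on the Heart Rate Measurement characteristic (SIG UUID 0x2A37, under the Heart Rate Service 0x180D). The block below is an added example written for this page; it is not Terra's code and not a solution to either challenge. It decodes a measurement as a strap sends it (challenge 2), re-encodes one with a replaced BPM the way a spoofed strap would (challenge 5), and includes a plausibility check a receiving app could run. The sample notification bytes are constructed, not a capture, and the function names and the BPM-versus-RR tolerance are this example's own choices.

```python
"""Decode and build Bluetooth LE Heart Rate Measurement values (characteristic 0x2A37).

Added example for the Terra CTF page; not Terra's code and not a CTF solution.
Field layout follows the public Bluetooth Heart Rate Service specification.
"""
import struct
from dataclasses import dataclass, field
from typing import List, Optional

# 16-bit SIG UUIDs expanded to the 128-bit form most BLE libraries expect.
HR_SERVICE_UUID = "0000180d-0000-1000-8000-00805f9b34fb"
HR_MEASUREMENT_UUID = "00002a37-0000-1000-8000-00805f9b34fb"

# Flags byte of a Heart Rate Measurement value.
FLAG_HR_UINT16 = 0x01         # bit 0: heart rate value is uint16 (otherwise uint8)
FLAG_CONTACT_DETECTED = 0x02  # bit 1: skin contact detected (meaningful only with bit 2)
FLAG_CONTACT_SUPPORTED = 0x04 # bit 2: sensor contact feature supported
FLAG_ENERGY_EXPENDED = 0x08   # bit 3: a uint16 energy expended field (kJ) follows
FLAG_RR_INTERVALS = 0x10      # bit 4: one or more uint16 RR intervals (1/1024 s) follow


@dataclass
class HeartRateMeasurement:
    bpm: int
    contact_supported: bool = False
    contact_detected: bool = False
    energy_expended_kj: Optional[int] = None
    rr_intervals_ms: List[float] = field(default_factory=list)


def decode_hr_measurement(data: bytes) -> HeartRateMeasurement:
    """Parse one notification payload; all multi-byte fields are little-endian."""
    if len(data) < 2:
        raise ValueError("heart rate measurement needs at least flags + value")
    flags = data[0]
    offset = 1
    if flags & FLAG_HR_UINT16:
        bpm = struct.unpack_from("<H", data, offset)[0]
        offset += 2
    else:
        bpm = data[offset]
        offset += 1
    supported = bool(flags & FLAG_CONTACT_SUPPORTED)
    detected = supported and bool(flags & FLAG_CONTACT_DETECTED)
    energy = None
    if flags & FLAG_ENERGY_EXPENDED:
        energy = struct.unpack_from("<H", data, offset)[0]
        offset += 2
    rr: List[float] = []
    if flags & FLAG_RR_INTERVALS:
        if (len(data) - offset) % 2:
            raise ValueError("RR interval field is not a whole number of uint16s")
        while offset < len(data):
            rr.append(struct.unpack_from("<H", data, offset)[0] * 1000 / 1024)
            offset += 2
    if offset != len(data):
        raise ValueError("trailing bytes after the last declared field")
    return HeartRateMeasurement(bpm, supported, detected, energy, rr)


def encode_hr_measurement(m: HeartRateMeasurement) -> bytes:
    """Build the value a strap (or something impersonating one) would notify."""
    if not 0 <= m.bpm <= 0xFFFF:
        raise ValueError("bpm out of range")
    flags = 0
    body = bytearray()
    if m.bpm > 0xFF:
        flags |= FLAG_HR_UINT16
        body += struct.pack("<H", m.bpm)
    else:
        body.append(m.bpm)
    if m.contact_supported:
        flags |= FLAG_CONTACT_SUPPORTED
        if m.contact_detected:
            flags |= FLAG_CONTACT_DETECTED
    if m.energy_expended_kj is not None:
        flags |= FLAG_ENERGY_EXPENDED
        body += struct.pack("<H", m.energy_expended_kj)
    if m.rr_intervals_ms:
        flags |= FLAG_RR_INTERVALS
        for ms in m.rr_intervals_ms:
            body += struct.pack("<H", round(ms * 1024 / 1000))
    return bytes([flags]) + bytes(body)


def forge_hr_sample(real: bytes, fake_bpm: int) -> bytes:
    """Challenge-5 style tampering: keep the strap's flags and RR data, swap the BPM."""
    m = decode_hr_measurement(real)
    m.bpm = fake_bpm
    return encode_hr_measurement(m)


def rr_consistent_with_bpm(m: HeartRateMeasurement, tolerance_bpm: int = 5) -> bool:
    """Plausibility check a receiver could run: mean RR interval should match the BPM.
    The tolerance is this example's assumption, not a spec value."""
    if not m.rr_intervals_ms:
        return True
    mean_rr = sum(m.rr_intervals_ms) / len(m.rr_intervals_ms)
    return abs(60000 / mean_rr - m.bpm) <= tolerance_bpm


# Constructed sample notification (not a real capture): flags 0x16 = contact supported
# and detected + RR present, HR = 0x48 (72 bpm), one RR interval of 0x0355 = 853/1024 s.
SAMPLE_NOTIFICATION = bytes.fromhex("16485503")

if __name__ == "__main__":
    real = decode_hr_measurement(SAMPLE_NOTIFICATION)
    forged = forge_hr_sample(SAMPLE_NOTIFICATION, 190)
    print("real:", real, "plausible:", rr_consistent_with_bpm(real))
    print("forged:", forged.hex(), "plausible:", rr_consistent_with_bpm(decode_hr_measurement(forged)))
```

On a real strap the bytes handed to `decode_hr_measurement` arrive as notifications; with a library such as bleak that is a `start_notify` subscription on `HR_MEASUREMENT_UUID`, and reading a second connection rather than pairing keeps the app's own link intact. The forged sample above naively replaces only the BPM, so its RR interval still implies about 72 bpm; an app that cross-checks RR against BPM, as `rr_consistent_with_bpm` does, would reject it, which is why a convincing impersonation has to fabricate consistent RR data too.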

About Terra

Terra is a fitness and health API that allows developers to easily connect their apps to any wearable device. The team at Terra is a diverse group of hard-working and talented people from around the world.

To learn more about Terra, feel free to shoot us a message on Discord or visit our website!