keypadbol

Description

During a physical intrusion pentest mission on a secure site, your client asks you to evaluate a first access to the site. This first access uses a keypad with a password, and only 10 attempts are authorized: an alarm will be triggered after more than 10 failures.

Filming the security guard entering his password is not an option as he cautiously hides his hands.

A physical access to the keypad between two rounds allows you to identify the keypad model: it is a “Membrane Keypad” (https://lastminuteengineers.com/arduino-keypad-tutorial/). The access to the driving board is not possible as it is too deeply embedded and you do not have much time. Hence you decide to implant a small logic analyzer inside a small and stealthy space. The analyzer is connected to the wires of the keypad, but the pinout is unfortunately unknown as the access to the board is not possible: you will nonetheless deal with it!

You get back the capture in the form of a file capture.vcd between the next two rounds (after the security guard has entered his password). Some social engineering also provides you with insightful information: the security guard is born in 1980, his daughter in 2018, and he has a pet dog whose name is “Baba”. With all this intel, you are confident that the password can be cracked!

Note: The string to find does not follow the usual format (case insensitive). Once you have found it (e.g., abcd), wrap FCSC{} around it to get the flag (e.g., FCSC{abcd}).