CYMOTIVE PT Challenge

CYMOTIVE github public area


Project maintained by CYMOTIVE
The challenge is offline - hosted here for reference

The task at hand is to research the flagship product of a Dental Hygiene company "SmarTeeth", which is advertised as "the future of toothbrushes".

'SmarTeeth' proudly states that their product comes built-in with an immutable secret from the factory, and further enhances its security by acquiring a stronger secret when first initialized. They also state that all external communications are encrypted.

After initial research, we were able to extract two strings (one from each of the devices). We are not sure what they are, but we believe they contain some type of unique ID for the device.

The two strings and their acquired secrets are seen below:

| Device Serial Number (as provided on the manufacturer sticker) | Acquired secret |
| --- | --- |
| A7R38T | eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ0b290YnJ1c2hfaWQiOiJTbWFyVGVldGgtUHJvLUE3UjM4VCJ9.gQrukj7lvbG04zNllhSvFQnOJs0qgV2hccwVJbRFz0w |
| A9K3ZZ | eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ0b290YnJ1c2hfaWQiOiJTbWFyVGVldGgtUHJvLUE5SzNaWiJ9.VerC8eIpKidetYKthGNOmsHMYcpRjVqhS_IZOs_xTO4 |

We also found a URL that is expected to be the device backend: The challenge is offline

Your Goal:

Research the security procedures the device conducts against the backend, and think of potential ways to circumvent them or gain higher privileges. In this task, expect to reveal secrets or find ways to trick the backend into thinking you are something you are not.
