Deploying FaustCTF Vulnbox on Hetzner

Hetzner sponsored the infrastructure of FaustCTF 2025 and also provided a 10€ coupon for every team that wanted to host their vulnbox on their infrastructure for free.

Message from the FaustCTF organisers on each team’s profile page.

In this article we will go through the steps to deploy the vulnbox provided by the FaustCTF organizers on a Hetzner server. You can create your Hetzner using our referral link.

Introduction

The FaustCTF is an Attack/Defense competition organized yearly. In order to participate in the competition, the registered teams have to self host the vulnbox (a VM with the competition’s services) given by the organizers.

The organizers offer the vulnbox in two formats:

  • an OVA container – a format commonly used with virtualization software like Virtual Box
  • a QCOW2 image – a QEMU formal compatible with multiple hypervisors and some cloud providers

Unfortunately, Hetzner doesn’t directly support either of these formats, but their rescue mode can be utilized to prepare the server. Since this approach was not clearly documented on the internet, we will go through it step by step.

Create Account and Redeem Code

We will create a new Hetzner account to be used for our this team and use the code provided by the FaustCTF organizers. If you wish, you can create your account following our referral link.

After creating your account, to redeem the code, head to the Console, click “Usage” on the navigation bar and click the “Redeem Code”. A pop up will appear to insert the code.

You can redeem Hetzner codes by visiting the “Usage” section on Hetzner Console.

In our case, using the code provided by the FaustCTF organizer we got 10€ of credits, enough to host our vulnbox for the 8 hours of the competition.

Starting a server

To start preparing our server, we will set up a simple Ubuntu VPS to use it as a base and then convert it to the vulnbox. To do so, while on Hetzner Console, go to “Projects”, select the “Default” project, and under the “Servers” click “Add Server”.

For the new server, select the “Location” of your preference (e.g. Falkenstein at eu-central), select Ubuntu as “Image”, for “Type” select the “Shared vCPU” option with the “x86 (Intel/AMD)” variant in combination with “CPX41” (8 vCPUs, 16GB RAM, 240GB SSD, but you can scale this later), and apart from the “Name” that you can change, leave the rest to default. (Note that the RAM selected on this step should be enough so that we can download the vulnbox on the RAM disk later on through the rescue mode).

After creating the server, click on it to visit its management panel.

Operating in the Rescue Mode

Lets continue by enabling the rescue mode on the server we prepared. You can do that by visiting the “Rescue” tab and clicking “Enable rescue & power cycle” (if requested for a public key, ignore it and continue). If enabled, you will see a some new credentials on the screen, copy them as we will use them in a bit (you will lose them if you refresh the page). Then open the “Console” through the “Actions” dropdown on the top right of the page. A new pop up console will appear and you will be able to use the credentials given to login.

The first problem one may face when using the rescue mode is that the keyboard has a German layout (e.g. typing “z” may be interpreted as “y”), causing problems when copy pasting commands. So lets change that by changing the keyboard layout/language.

We will start by running dpkg-reconfigure keyboard-configuration which you can paste as dpkg/reconfigure kezboard/configuration so that it can be translated to the correct command using the German keyboard. On the configuration menu, select the Generic 104-key PC keyboard and then for language select other > English (US) > English (US), you can leave the rest as is. As soon as the configuration is done, execute setupcon and the keyboard will now be in English (US).

Let’s now download the vulnbox OVA container provided by the CTF organisers. You can use wget to do that, just be careful when pasting the URL as it may be entered with https;// instead of https://. When the download completes, extract the OVA using tar -xvf vulnbox.ova and then delete the OVA file using rm vulnbox.ova (to save space).

Now, we have the vulnbox’s disk in the form of a VMDK file, and we can clone it to our server’s disk using qemu-img to convert it and write the results directly on the /dev/sda where the main disk of the server is (this will take one or two minutes).

qemu-img convert -O raw vulnbox-disk1.vmdk /dev/sda
Write the vulnbox disk on the server’s disk, then sync and reboot.

The server should now be ready to boot as the vulnbox. You can now copy the random root password and connect to it using SSH, to configure the vulnbox so that it can be used with your team.

Conclusion

To sum up, we were able to utilise the VMDK disk file of the provided vulnbox OVA container to easily import the FaustCTF on a Hetzner server. During the competition, we had no problem with our vulnbox and our total credits consumption was around 3€ (running the CPX41 for about 8 hours).

BIOS Flashing on Chuwi Hi10 Air

Back in 2019, I bought a cheap Windows 10 tablet, the Chuwi Hi10 Air. Although Windows in tablet mode offers a very nice touchscreen experience, the low specification of the Hi10 Air makes it quite slow by today’s standards. For this reason, I started searching for alternative operating systems to improve the performance. After successfully testing several Linux versions, I found a guide about installing Android and I thought to give it a go, thus I got the suggested bios file and flashed it on my Chuwi, and then… nothing…

I searched on the Chuwi forum and found a little information on what to use to flash new bios to unbrick my device. Since the bios chip was on the motherboard, I planned to use the CAMP bios flash method. The first thing to do was to buy a USB programmer for the bios chip. I found an “EEPROM BIOS USB Programmer CH341A + SOIC8 Clip + 1.8V Adapter + SOIC8 Adapter Kit” on eBay for $12 with free shipping which seemed exactly what I needed. I bought one and waited for it to arrive. Additionally, I found the appropriate Chuwi Hi10 Air BIOS for my model number (found at the back of the device) at the Chuwi forum and saved it.

You shall now be called the “Jenga BIOS programmer“!
The CH341A programmer with the needed adapters is attached.

A few months later (it takes 1-2 months for me to get my orders from China) I received the programmer, I assembled it based on some images I found on a Chuwi flash guide and I was ready. Since the proposed guides used some questionable untrusted signed programs on Windows, I thought to give myself a break and just use Linux instead. I booted by Ubuntu and installed `flashrom`:

sudo apt install flashrom

Based on the guide I saw the BIOS flashing steps were simple:

  1. Buy an appropriate chip programmer
  2. Download the appropriate BIOS file
  3. Disassemble the tablet (be careful not to break the screen)
  4. Unplug the battery from the motherboard
  5. Clamp programmer on the BIOS chip
  6. Program the BIOS chip
  7. Detach the programmer & connect the battery cable back to the motherboard
  8. (optionally) Try to power on the tablet and see if it boots up
  9. Assemble the tablet
  10. Install the OS of your preference

I disassembled the tablet and unplugged the battery cable. Now it was time to connect the programmer on the chip. Be sure to clamp it correctly, it may take some tries.

Clamp dat chip!
The CH341A programmer attached to the Chuwi’s BIOS chip.

To be sure that the clamp is attached correctly, first try to read the BIOS already flashed on the chip. Here is an example of an incorrect connection that is not able to read from the chip:

bannana@thanos:~/$ sudo flashrom --programmer ch341a_spi
flashrom v0.9.9-r1954 on Linux 4.15.0-130-generic (x86_64)
flashrom is free software, get the source code at https://flashrom.org

Calibrating delay loop… OK.
No EEPROM/flash device found.
Note: flashrom can never write if the flash chip isn't found automatically.
bannana@thanos:~/$

Clamp correctly the programmer and try again. After a successful connection, it’s time to flash the correct BIOS for my device that I got from an official source on the forum. My BIOS file was `BIOS_1906.BIN`, thus I called once again the `flashrom` with the BIOS file to flash:

bannana@thanos:~/$ sudo flashrom --programmer ch341a_spi -w BIOS_1906.BIN 
flashrom v0.9.9-r1954 on Linux 4.15.0-130-generic (x86_64)
flashrom is free software, get the source code at https://flashrom.org

Calibrating delay loop... OK.
Found GigaDevice flash chip "GD25LQ64(B)" (8192 kB, SPI) on ch341a_spi.
Reading old flash chip contents... done.
Erasing and writing flash chip... Erase/write done.
Verifying flash... VERIFIED.
bannana@thanos:~/$

Success! Now my stupidly slow tablet boots!

Please be careful when closing the tablet. If during the disassembly one of the magnets is unseated, be sure to place them with the correct polarity (to match the polarity of the magnetic keyboard). Additionally, do not forget to place the power and volume buttons at their respective place.

Conclusion

Flashing the bios on the Chuwi was relatively easy assuming that you have the correct tools. Acquiring the appropriate tools and software though, requires research and thus time.

TP-Link TL-WN722N v2 & v3 monitor mode

What is monitor mode?

Putting your network card in monitor mode allows you to capture all the wireless traffic in the surrounding area. Monitor mode can be used to detect nearby devices, where they are connected, capture their MAC addresses (which can be used to identify the device), or even monitor network traffic of unprotected networks. Thus, monitor mode is essential for wireless network hacking.

The TL-WN722N

TL-WN722N is a nice, easy-to-use, and relatively cheap wireless USB adapter that can be used to monitor wireless channels. But there is one problem, for the v2 and v3, the default driver on Debian-based systems (like Ubuntu or Kali Linux) does not work as intended. Let’s fix it!

Fixing TL-WN722N v2 & v3 monitor mode on Debian-based systems

Prepare your system

The first thing to do is make sure our apt is updated and also that the required programs are installed:

sudo apt update
sudo apt install bc
sudo apt install linux-headers-$(uname -r)
sudo apt install build-essential git dkms -y

Get and build the right driver

A working driver for your TL-WN722N v2 or v3 exists on Aircrack-ng’s Github. You can download the driver and compile it.

cd ~/Downloads
git clone https://github.com/aircrack-ng/rtl8188eus
cd rtl8188eus
make

Alternatively, you may also use a driver from lwfinger’s Github.

Blacklist current driver

To disable the current not working driver from loading after reboot, blacklist it.

sudo sh -c "echo 'blacklist r8188eu' >> /etc/modprobe.d/realtek-wn722n-fix.conf"

Permanently install the working driver

Now the only thing left to do is install the driver we compiled:

cd ~/Downloads/rtl8188eus
sudo make install
sudo modprobe 8188eu

Then reboot the system and check if the monitor mode works.

Reverting back to the old driver

If you for any reason want to enable back the old not working driver, just remove the black list file.

sudo rm /etc/modprobe.d/realtek-wn722n-fix.conf