6a0877384d
- Remove undeployed challenges: Phantom_Byte, Cr4cK_w1f1, Lain_Br34kC0r3 V1, Lain_VS_Knights, Lets_All_Love_UART, AETHER_NET, Last_Train_451, Web3/ - Sync 24 solve/ files from main CTF-Espilon repo - Update all READMEs with real CTFd final scores at freeze - Add git-header.png banner - Rewrite README: scoreboard top 10, edition stats (1410 users, 264 boards, 1344 solves), correct freeze date March 26 2026
1.7 KiB
1.7 KiB
CAN Bus Implant — Solution
Overview
Simulated CAN bus with background traffic and UDS (Unified Diagnostic Services) protocol. Player sniffs traffic to identify patterns, then injects UDS frames to gain security access and read a protected DID.
Steps
- Open two terminals — one for sniffing, one for injection:
# Terminal 1: Sniff
nc <host> 3600
# Terminal 2: Inject
nc <host> 3601
-
Observe traffic on the sniff port. Note the following patterns:
0x100: Heartbeat (periodic counter)0x200-0x203: Sensor data (temperature, heart rate)0x7DF: OBD broadcast diagnostic request0x7E0→0x7E8: UDS request/response pair (periodic VIN read)
-
On the inject port, enter extended diagnostic session:
send 7E0 02 10 03 00 00 00 00 00
Response on sniff shows 0x7E8 with positive response 50 03.
- Request a security seed:
send 7E0 02 27 01 00 00 00 00 00
Response contains 4-byte seed: 67 01 XX XX XX XX.
- Compute the key by XORing each seed byte with
0x42, then send:
send 7E0 06 27 02 KK KK KK KK 00
Positive response: 67 02.
- Read the flag from DID 0xFF01:
send 7E0 03 22 FF 01 00 00 00 00
Response contains the flag.
Key Concepts
- CAN bus: Controller Area Network — no authentication, broadcast medium, used in vehicles and medical equipment
- UDS (ISO 14229): Diagnostic protocol with services like DiagnosticSessionControl, SecurityAccess, ReadDataByIdentifier
- SecurityAccess: Challenge-response authentication — ECU sends seed, tester must compute correct key
- Traffic analysis: Identifying request/response patterns and protocol types from raw bus traffic