V1 with content
99
writeups/2024-05-04-NeedleInTheWiFiStack.md
Normal file
@@ -0,0 +1,99 @@
---
title: "Buckeye CTF 2023: Needle in the Wi-Fi stack"
excerpt: "Someone listened on the network and now our task is to exfiltrate some useful data from there."
tags: [ctf, forensics]
---

Someone listened on the network and now our task is to exfiltrate some useful data from there.

## Recon

We are provided with a `.pcap` file, which is a packet capture file, that we can open using Wireshark. At first glance, it looks like the information we need is hidden on the right: all the SSIDs are encoded. The encoding format seems to be base64, as most of the strings have one or two equal symbols at the end, and use an alphanumeric charset. We could verify this using online encoding checkers, but we can also use the Linux base64 tool as well for that. Assuming we saved one of those strings in a file, we can do:

```bash
$ base64 -d weird_string
wh3n in doub7, hack hard3r
```

Scrolling to the end of the .pcap file, we see that there are over one thousand lines to be analyzed.. We clearly can't proceed manually with this amount of information. Unfortunately, we cannot read the packet capture file as-is and grep what we want, as it looks like gibberish.

We could use the command-line utility `tshark` to read the file from the terminal, but all of the packet information we do not need is still present:

```bash
$ tshark -r frames.pcap
1 0.000000 22:22:22:22:22:22 -> Broadcast 802.11 120 Beacon frame, SN=0, FN=0, Flags=........, BI=100,
SSID="bG9vMDBvMDBvbzBvMG9vb3Q3YSB0cjRmZmJjIHRvZDR5Cg=="
2 0.029637 22:22:22:22:22:22 -> Broadcast 802.11 140 Beacon frame, SN=0, FN=0, Flags=........, BI=100,
SSID="N2hpcypBcyBub3QgdG5LN3dvcm5gbmFtMyB5b3UgYXJlIGwwb2tpbmcbZjByCg=="
3 0.041307 22:22:22:22:22:22 -> Broadcast 802.11 100 Beacon frame, SN=0, FN=0, Flags=........, BI=100,
SSID="d2lmaSBpNSBteSBtVT1aW9uCg=="
4 0.052245 22:22:22:22:22:22 -> Broadcast 802.11 100 Beacon frame, SN=0, FN=0, Flags=........, BI=100,
SSID="d2lmaSBpNSBteSBtVT1aW9uCg=="
```

## Extracting data

By reading the `tshark` help mage and manual page, we can see that there are options for extracting certain packet fields. We only want the SSIDs, so we will use these options:

```bash
$ tshark -r frames.pcap -T fields -e wlan.ssid > ssids.txt
```

That command tells `tshark` to read the `frames.pcap` file, to extract data as fields, and only print the WLAN SSID field. The output will be stored in the ssids.txt file. Running this, we obtain a file containing hexadecimal values. We will have to convert this output to ASCII in order to read it properly.

```bash
$ cat ssids.txt
b7437976644472664472666a74764d43797662353135953423063a52d65a6d6c6a494852765a44523543673d3d
4e3268706379472759532351676476777a9473564e236476636d37626d6479447942356233556759584a6c494777776232747
0626d63675a6a427943673d3d
64326c6d615342704c53427655342775954567a6153797543673d3d
64326c6d615342704c5342765534553161537937543673d3d
19597738736516f3d
```

We can pipe a single line of hex through `xxd` to convert it to ASCII:

```bash
$ echo 626a42304947677a636a4d4b | xxd -r -p
bjB0IGgzcjMK
```

That looks like some of the base64 we found earlier. Let's pipe our command output through the base64 tool:

```bash
$ echo 626a42304947677a636a4d4b | xxd -r -p | base64 -d
n0t h3r3
```

This is what we wanted. Now, let's automate this process for the huge amount of lines we have, by making a small Bash script:

```bash
while read p; do
echo $p | xxd -r -p | base64 -d >> clearssids.txt
done <ssids.txt
```

This will start a while loop, and read the `ssids.txt` file we created earlier. Each line of the file will get converted in base64, then into human-readable text, and then it will be written in a new file called `clearssids.txt`. This file will contain all the SSIDs in cleartext. After executing the script, we get this:

```bash
$ ./extract.sh
$ cat clearssids.txt
wh3n in doubt, hack harder
4ll the c001 kid5 4r3 pl4yin6 wi7h 802.11
beacon fram3s, s0 ho7 ri6h7 n0w
ke3p 534rchin6
wifi is my p4ssi0n
[REDACTED FOR SIMPLICITY]
```

The flag could be hidden in all this mess. We can find the flag by grepping the specific CTF flag format prefix which is `bctf{` here:

```bash
$ cat clearssids.txt | grep bctf{
bctf{tw0_po1nt_4_g33_c0ng3s7ion}
bctf{tw0_po1nt_4_g33_c0ng3s7ion}
bctf{tw0_po1nt_4_g33_c0ng3s7ion}
[REDACTED FOR SIMPLICITY]
```

There we go!
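Review bot: the extraction script in the `while read p; do` block is later invoked as `./extract.sh` but has no shebang, leaves `$p` unquoted, and does nothing about lines that are not valid hex or base64: the last line shown in `ssids.txt`, `19597738736516f3d`, is odd-length hex, and any SSID that is not base64 makes `base64 -d` print "invalid input" while still appending partial bytes to `clearssids.txt`, so one bad beacon silently corrupts the output. Suggest `#!/bin/bash` plus `echo "$p" | xxd -r -p | base64 -d 2>/dev/null || true` (or dropping non-base64 lines first), and `grep -F 'bctf{' clearssids.txt | sort -u` instead of `cat ... | grep bctf{` so the repeated flag lines collapse to one. The explanatory paragraph under the script says each line "will get converted in base64", which is backwards: each hex line is turned back into bytes by `xxd -r -p` and the result is then base64-decoded. Worth a one-line note that the hex step depends on the `tshark` version, since newer releases print `wlan.ssid` as text rather than hex. Minor typos in the same file: "help mage" should be "help page", and "analyzed.." has a doubled period.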