---
title: "Buckeye CTF 2023: Needle in the Wi-Fi stack"
excerpt: "Someone listened on the network and now our task is to exfiltrate some useful data from there."
tags: [ctf, forensics]
---

Someone listened on the network and now our task is to exfiltrate some useful data from there.

## Recon

We are provided with a `.pcap` file, a packet capture, which we can open in Wireshark.

At first glance, the information we need is in the Info column on the right: every beacon frame carries an SSID, and all of the SSIDs are encoded. The encoding looks like base64: most of the strings end in one or two `=` padding characters and use only letters, digits, `+` and `/`. We could check this with an online decoder, but the `base64` tool on Linux does the job without sending capture data to a third party. Assuming we saved one of those strings in a file, we can do:

```bash
$ base64 -d weird_string
wh3n in doub7, hack hard3r
```

Scrolling to the end of the capture, we see that there are over one thousand frames to analyse, so going through them by hand is out of the question. We also cannot simply `grep` the capture as-is: pcap is a binary format, so the file looks like gibberish in a text editor (`strings` would surface the raw SSID bytes, but not which frame each one came from).
We could use the command-line utility `tshark` to read the file from the terminal, but all of the packet information we do not need is still printed:

```bash
$ tshark -r frames.pcap
    1 0.000000 22:22:22:22:22:22 -> Broadcast    802.11 120 Beacon frame, SN=0, FN=0, Flags=........, BI=100, SSID="bG9vMDBvMDBvbzBvMG9vb3Q3YSB0cjRmZmJjIHRvZDR5Cg=="
    2 0.029637 22:22:22:22:22:22 -> Broadcast    802.11 140 Beacon frame, SN=0, FN=0, Flags=........, BI=100, SSID="N2hpcypBcyBub3QgdG5LN3dvcm5gbmFtMyB5b3UgYXJlIGwwb2tpbmcbZjByCg=="
    3 0.041307 22:22:22:22:22:22 -> Broadcast    802.11 100 Beacon frame, SN=0, FN=0, Flags=........, BI=100, SSID="d2lmaSBpNSBteSBtVT1aW9uCg=="
    4 0.052245 22:22:22:22:22:22 -> Broadcast    802.11 100 Beacon frame, SN=0, FN=0, Flags=........, BI=100, SSID="d2lmaSBpNSBteSBtVT1aW9uCg=="
```

## Extracting data

By reading the `tshark` help output and manual page, we see that there are options for extracting specific packet fields. We only want the SSIDs, so we use these options:

```bash
$ tshark -r frames.pcap -T fields -e wlan.ssid > ssids.txt
```

This tells `tshark` to read `frames.pcap`, to output selected fields instead of the packet summary (`-T fields`), and to print only the `wlan.ssid` field (`-e wlan.ssid`). The output is stored in `ssids.txt`, one line per frame (a frame without an SSID field produces an empty line).

Running this, we obtain a file of hexadecimal values: this Wireshark version prints the SSID as a byte field, so we have to turn the hex back into bytes before we can read it. (Depending on the Wireshark version, the field may already be printed as text; if `ssids.txt` reads as base64 directly, the `xxd` step below is unnecessary.)

```bash
$ cat ssids.txt
b7437976644472664472666a74764d43797662353135953423063a52d65a6d6c6a494852765a44523543673d3d
4e3268706379472759532351676476777a9473564e236476636d37626d6479447942356233556759584a6c4947777762327470626d63675a6a427943673d3d
64326c6d615342704c53427655342775954567a6153797543673d3d
64326c6d615342704c5342765534553161537937543673d3d
19597738736516f3d
```

`xxd -r -p` reverses a plain hex dump back into raw bytes, so we can pipe a single line of hex through it:

```bash
$ echo 626a42304947677a636a4d4b | xxd -r -p
bjB0IGgzcjMK
```

That looks like some of the base64 we found earlier.
Let's pipe our command output through the base64 tool:

```bash
$ echo 626a42304947677a636a4d4b | xxd -r -p | base64 -d
n0t h3r3
```

This is what we wanted. Now, let's automate this process for the huge number of lines we have with a small Bash script. It reads `ssids.txt` line by line, skips the empty lines that come from frames without an SSID, and appends the decoded text to `clearssids.txt`:

```bash
#!/bin/bash
# Decode each hex-encoded SSID from tshark's field output: hex -> raw bytes -> base64 -> text
while read -r p; do
    [ -n "$p" ] || continue                      # frames with no SSID give an empty line
    printf '%s' "$p" | xxd -r -p | base64 -d >> clearssids.txt
done < ssids.txt
```
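As an added example that is not part of the original write-up, the following Python script does the same extraction without `tshark` or `xxd`: it walks a classic pcap record by record, picks out beacon frames by their Frame Control field, reads the SSID information element, base64-decodes it and counts duplicates. It also handles the failure modes the Bash loop ignores: frames without an SSID, SSIDs that are not valid base64, and management frames that are not beacons. The capture it runs on is constructed inline (the challenge's `frames.pcap` is not reproduced here); the supported link types, the assumption that every SSID was base64-encoded, and the sample SSIDs are mine.

```python
#!/usr/bin/env python3
"""Added example (not the original write-up's code): pull beacon SSIDs straight out of a
classic .pcap and base64-decode them, without tshark or xxd.

Assumptions (mine, not the challenge's): the capture is classic pcap (not pcapng) with
link type 105 (raw 802.11) or 127 (radiotap), and the SSIDs were base64-encoded.
"""
import base64
import binascii
import struct

LINKTYPE_IEEE802_11 = 105
LINKTYPE_IEEE802_11_RADIOTAP = 127
PCAP_MAGIC_LE = 0xA1B2C3D4


def iter_packets(data: bytes):
    """Yield (linktype, frame_bytes) for every record in a classic pcap file."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic pcap (pcapng is not handled here)")
    (linktype,) = struct.unpack_from(end + "I", data, 20)
    off = 24  # the global header is 24 bytes
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(end + "IIII", data, off)
        off += 16
        yield linktype, data[off:off + incl_len]
        off += incl_len


def beacon_ssid(frame: bytes, linktype: int):
    """Return the raw SSID element body of a beacon frame, or None for anything else."""
    if linktype == LINKTYPE_IEEE802_11_RADIOTAP:
        (rt_len,) = struct.unpack_from("<H", frame, 2)  # radiotap header length
        frame = frame[rt_len:]
    # Frame Control byte 0 = version(2) | type(2) | subtype(4); beacon is type 0, subtype 8 = 0x80
    if len(frame) < 36 or (frame[0] & 0xFC) != 0x80:
        return None
    off = 36  # 24-byte MAC header + 12 bytes of fixed params (timestamp, interval, capability)
    while off + 2 <= len(frame):
        tag, length = frame[off], frame[off + 1]
        if tag == 0:  # Element ID 0 = SSID
            return frame[off + 2:off + 2 + length]
        off += 2 + length
    return None


def decode_ssid(raw: bytes):
    """base64-decode one SSID; None if it is not valid base64 (e.g. a truncated field)."""
    try:
        return base64.b64decode(raw, validate=True).decode("utf-8", "replace").rstrip("\n")
    except binascii.Error:
        return None


def decode_hex_field(line: str):
    """Same decoding for one line of `tshark -T fields -e wlan.ssid` hex output."""
    line = line.strip()
    return decode_ssid(bytes.fromhex(line)) if line else None


def extract_ssids(pcap: bytes) -> dict:
    """Map each distinct raw beacon SSID to the number of beacons that carried it."""
    counts = {}
    for linktype, frame in iter_packets(pcap):
        raw = beacon_ssid(frame, linktype)
        if raw:
            counts[raw] = counts.get(raw, 0) + 1
    return counts


# --- constructed test capture (not the challenge file) -------------------------------
def build_mgmt_frame(subtype: int, ssid: bytes, bssid: bytes = b"\x22" * 6) -> bytes:
    fc = bytes([subtype << 4, 0x00])                    # type 0 (management), given subtype
    mac_hdr = fc + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, 0x0001)         # timestamp, BI=100, capability
    return mac_hdr + fixed + bytes([0, len(ssid)]) + ssid


def build_pcap(frames) -> bytes:
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out


SAMPLE_PCAP = build_pcap([
    build_mgmt_frame(8, base64.b64encode(b"n0t h3r3\n")),
    build_mgmt_frame(8, base64.b64encode(b"wh3n in doub7, hack hard3r\n")),
    build_mgmt_frame(8, base64.b64encode(b"n0t h3r3\n")),             # duplicate beacon
    build_mgmt_frame(8, b"MyHomeWiFi"),                                # plain SSID, not base64
    build_mgmt_frame(4, base64.b64encode(b"probe request, ignored\n")),  # subtype 4: skipped
])

if __name__ == "__main__":
    for raw, n in sorted(extract_ssids(SAMPLE_PCAP).items(), key=lambda kv: -kv[1]):
        text = decode_ssid(raw) or "<not base64>"
        print(f"{n:4d}  {text:40}  raw={raw!r}")
```

Run it as-is to see the constructed capture decoded, or call `extract_ssids(open("frames.pcap", "rb").read())` on the real file; `decode_hex_field` takes lines from the `tshark -T fields -e wlan.ssid` output instead. If you stay with `tshark`, the display filter `-Y "wlan.fc.type_subtype == 8"` restricts the output to beacon frames in the same way the Frame Control check does here.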