Buckeye CTF 2023: Needle in the Wi-Fi stack

Someone listened on the network and now our task is to exfiltrate some useful data from there.

Recon

We are provided with a .pcap file, which is a packet capture file that we can open using Wireshark. At first glance, it looks like the information we need is hidden in the SSID column on the right: all the SSIDs are encoded. The encoding looks like base64, since most of the strings end with one or two equals signs (padding) and use an alphanumeric charset. We could verify this with an online encoding checker, but the Linux base64 tool does the job just as well. Assuming we saved one of those strings in a file, we can do:

$ base64 -d weird_string
wh3n in doub7, hack hard3r

Scrolling to the end of the .pcap file, we see that there are over one thousand lines to be analyzed. We clearly can't proceed manually with this amount of information. Unfortunately, we cannot read the packet capture file as-is and grep what we want, as it looks like gibberish.

We could use the command-line utility tshark to read the file from the terminal, but all of the packet information we do not need is still present:

$ tshark -r frames.pcap
    1   0.000000 22:22:22:22:22:22 -> Broadcast   802.11 120 Beacon frame, SN=0, FN=0, Flags=........, BI=100, SSID="bG9vMDBvMDBvbzBvMG9vb3Q3YSB0cjRmZmJjIHRvZDR5Cg=="
    2   0.029637 22:22:22:22:22:22 -> Broadcast   802.11 140 Beacon frame, SN=0, FN=0, Flags=........, BI=100, SSID="N2hpcypBcyBub3QgdG5LN3dvcm5gbmFtMyB5b3UgYXJlIGwwb2tpbmcbZjByCg=="
    3   0.041307 22:22:22:22:22:22 -> Broadcast   802.11 100 Beacon frame, SN=0, FN=0, Flags=........, BI=100, SSID="d2lmaSBpNSBteSBtVT1aW9uCg=="
    4   0.052245 22:22:22:22:22:22 -> Broadcast   802.11 100 Beacon frame, SN=0, FN=0, Flags=........, BI=100, SSID="d2lmaSBpNSBteSBtVT1aW9uCg=="

Extracting data

By reading the tshark help page and manual page, we can see that there are options for extracting specific packet fields. We only want the SSIDs, so we will use these options:

$ tshark -r frames.pcap -T fields -e wlan.ssid > ssids.txt

That command tells tshark to read the frames.pcap file, to output the data as fields, and to print only the WLAN SSID field (wlan.ssid). The output is redirected into the ssids.txt file. Running this, we obtain a file containing hex-encoded values. We will have to convert this output to ASCII in order to read it properly.

$ cat ssids.txt
b7437976644472664472666a74764d43797662353135953423063a52d65a6d6c6a494852765a44523543673d3d
4e3268706379472759532351676476777a9473564e236476636d37626d6479447942356233556759584a6c494777776232747 0626d63675a6a427943673d3d
64326c6d615342704c53427655342775954567a6153797543673d3d
64326c6d615342704c5342765534553161537937543673d3d
19597738736516f3d

We can pipe a single line of hex through xxd to convert it to ASCII:

$ echo 626a42304947677a636a4d4b | xxd -r -p
bjB0IGgzcjMK

That looks like some of the base64 we found earlier. Let’s pipe our command output through the base64 tool:

$ echo 626a42304947677a636a4d4b | xxd -r -p | base64 -d
n0t h3r3

This is what we wanted. Now, let’s automate this process for the huge amount of lines we have, by making a small Bash script:

#!/usr/bin/env bash
# For each hex-encoded line: hex -> raw bytes (the base64 text) -> decoded SSID.
while read -r p; do
    echo "$p" | xxd -r -p | base64 -d
done < ssids.txt > clearssids.txt

This starts a while loop that reads the ssids.txt file we created earlier. Each line of the file is converted from hex back into the base64 string, then decoded into human-readable text, and written to a new file called clearssids.txt. This file will contain all the SSIDs in cleartext. After executing the script, we get this:

$ ./extract.sh
$ cat clearssids.txt
wh3n in doubt, hack harder
4ll the c001 kid5 4r3 pl4yin6 wi7h 802.11
beacon fram3s, s0 ho7 ri6h7 n0w
ke3p 534rchin6
wifi is my p4ssi0n
[REDACTED FOR SIMPLICITY]

The flag could be hidden anywhere in all this mess. We can find it by grepping for the CTF's flag format prefix, which is bctf{ here:

$ cat clearssids.txt | grep bctf{
bctf{tw0_po1nt_4_g33_c0ng3s7ion}
bctf{tw0_po1nt_4_g33_c0ng3s7ion}
bctf{tw0_po1nt_4_g33_c0ng3s7ion}
[REDACTED FOR SIMPLICITY]

There we go!
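The whole chain above (pull the SSID out of each beacon frame, convert hex to bytes, base64-decode, then look for the flag prefix) can also be done in one script without tshark. The following is an added example written for this writeup, not code from the original post: it parses a classic pcap with link type 105 (raw 802.11, no radiotap header) using only the Python standard library, walks the beacon's tagged parameters to find the SSID information element (tag 0), and skips SSIDs that are not valid base64 or UTF-8 rather than letting a malformed line corrupt the output, which the shell loop above does not guard against. The pcap it runs on is constructed inline, and the flag value in it is a placeholder, not the real one.

```python
import base64
import binascii
import re
import struct

LINKTYPE_IEEE802_11 = 105  # pcap link type for raw 802.11 frames (no radiotap)
FLAG_RE = re.compile(r"bctf\{[^}]*\}")  # flag format used by this CTF


# --- constructed sample capture (stand-in for frames.pcap) -------------------

def beacon_frame(ssid: bytes, bssid: bytes = b"\x22" * 6) -> bytes:
    """Build a minimal 802.11 beacon: 24-byte MAC header, 12 fixed bytes, IEs."""
    fc = b"\x80\x00"              # type 0 (management), subtype 8 (beacon)
    header = fc + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = b"\x00" * 8 + struct.pack("<HH", 100, 0x0001)  # timestamp, BI, caps
    ssid_ie = bytes([0, len(ssid)]) + ssid                  # tag 0 = SSID
    rates_ie = bytes([1, 1, 0x82])                          # tag 1 = rates
    return header + fixed + ssid_ie + rates_ie


def make_pcap(frames) -> bytes:
    """Wrap frames in a little-endian classic pcap (magic 0xA1B2C3D4)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535,
                       LINKTYPE_IEEE802_11)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", i, 0, len(f), len(f)) + f)
    return b"".join(out)


PLACEHOLDER_FLAG = b"bctf{placeholder_not_the_real_flag}"
SAMPLE_PCAP = make_pcap([
    beacon_frame(base64.b64encode(b"wh3n in doubt, hack harder\n")),
    beacon_frame(b"not base64!!"),                       # plain SSID, must be skipped
    beacon_frame(base64.b64encode(PLACEHOLDER_FLAG + b"\n")),
    beacon_frame(base64.b64encode(PLACEHOLDER_FLAG + b"\n")),  # duplicate beacon
])


# --- parsing -----------------------------------------------------------------

def iter_pcap_records(data: bytes):
    """Yield (linktype, frame_bytes) for each record in a classic pcap."""
    (magic,) = struct.unpack_from("<I", data, 0)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file")
    (linktype,) = struct.unpack_from(endian + "I", data, 20)
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield linktype, data[off:off + incl_len]
        off += incl_len


def extract_ssids(data: bytes):
    """Equivalent of `tshark -T fields -e wlan.ssid`, restricted to beacons."""
    ssids = []
    for linktype, frame in iter_pcap_records(data):
        if linktype != LINKTYPE_IEEE802_11 or len(frame) < 36:
            continue
        ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
        if ftype != 0 or subtype != 8:
            continue
        off = 36  # skip MAC header (24) + beacon fixed parameters (12)
        while off + 2 <= len(frame):
            tag, length = frame[off], frame[off + 1]
            body = frame[off + 2:off + 2 + length]
            if len(body) < length:
                break  # truncated information element
            if tag == 0:
                ssids.append(body)
                break
            off += 2 + length
    return ssids


def decode_ssid(raw: bytes):
    """base64 -> text, or None when the SSID is not a clean base64/UTF-8 payload."""
    try:
        return base64.b64decode(raw, validate=True).decode("utf-8").rstrip("\n")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def decode_hex_line(line: str):
    """One line of the tshark hex output -> decoded SSID (the xxd | base64 step)."""
    try:
        raw = bytes.fromhex(line.strip())
    except ValueError:
        return None  # odd length or non-hex characters
    return decode_ssid(raw)


def find_flags(data: bytes):
    """Decode every beacon SSID and return the distinct flag-shaped strings."""
    flags = set()
    for raw in extract_ssids(data):
        text = decode_ssid(raw)
        if text is not None:
            flags.update(FLAG_RE.findall(text))
    return sorted(flags)


if __name__ == "__main__":
    print(find_flags(SAMPLE_PCAP))
```

Compared with the shell loop, the script deduplicates flags and treats undecodable SSIDs as data to skip rather than letting base64 -d emit partial garbage into clearssids.txt; to use it on the real capture, replace SAMPLE_PCAP with the bytes of frames.pcap (tshark's `-T fields` output, one hex SSID per line, feeds decode_hex_line directly).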