Thursday, September 26, 2019

InCTF 2019 - ... --- ...

by Renato "shrimpgo" Pacheco


I recently bought a MiBand and started exploring what crazy stuff I can do with it. Maybe this capture helps you find it yourself.

Note: Please submit the flag as inctf{sha1(FLAG IN CAPITALS)}

Challenge: Link1 & Link2

Looking at the title of the challenge, we know it’s morse code and it means SOS. We were expecting some morse code in the middle of the challenge, but analyzing pcap file, we only saw Bluetooth packets!

Basically, this pcap file shows MiBand pairing with some Apple device (maybe a smartphone) and MiBand starts sending “Encoded Message!” to Apple device.

pairing with Apple device

start sending encoded message 1

start sending encoded message 2

After that, some alert messages were sent to Apple device and we noticed that messages are morse code, but how to identify dots, dashes and spaces in this traffic? Alisson “Infektion” Bezerra had an insight and found out how. The last byte of each alert data (New Alert or Alert Level) consists of 01 (dot), 02 (dash) and 20 (space):

  • Dot Dot - byte 01

  • Dash Dash - byte 02

  • Space Space - byte 20

This command below extracts these bytes from pcap file and converts them into morse code:

tshark -r Challenge.pcap -Y "btatt.opcode == 0x52 || btatt.opcode == 0x12"\
 -e btatt.alert_level -Tfields |
 sed 's/0x00000001/./g;s/0x00000002/-/g' | sed -r 's/^$/ /g' | tr -d '\n'
.- - - .- -.-. -.- .- - -.. .- .-- -.

Translating this morse code, it means ATTACKATDAWN and its SHA1 is 14c8cfaa269659f52dd76cce43469554cfd5aedc. Submitting the flag:

Flag: inctf{14c8cfaa269659f52dd76cce43469554cfd5aedc}

Thanks to Alisson “Infektion” Bezerra (@alissonbezerra), @diofeher, @adriano_ribeiro and @dapolinario for helping to solve this challenge.

Capture the Flag , Forensics , Writeup