Description
I recently bought a MiBand and started exploring what crazy stuff I can do with it. Maybe this capture helps you find it yourself.
Note: Please submit the flag as inctf{sha1(FLAG IN CAPITALS)}
Looking at the title of the challenge, we know it’s morse code and it means SOS. We were expecting some morse code in the middle of the challenge, but analyzing pcap file, we only saw Bluetooth packets!
Basically, this pcap file shows MiBand pairing with some Apple device (maybe a smartphone) and MiBand starts sending “Encoded Message!” to Apple device.
After that, some alert messages were sent to Apple device and we noticed that messages are morse code, but how to identify dots, dashes and spaces in this traffic? Alisson “Infektion” Bezerra had an insight and found out how. The last byte of each alert data (New Alert or Alert Level) consists of 01 (dot), 02 (dash) and 20 (space):
-
Dot
-
Dash
-
Space
This command below extracts these bytes from pcap file and converts them into morse code:
tshark -r Challenge.pcap -Y "btatt.opcode == 0x52 || btatt.opcode == 0x12"\
-e btatt.alert_level -Tfields |
sed 's/0x00000001/./g;s/0x00000002/-/g' | sed -r 's/^$/ /g' | tr -d '\n'
.- - - .- -.-. -.- .- - -.. .- .-- -.
Translating this morse code, it means ATTACKATDAWN and its SHA1 is 14c8cfaa269659f52dd76cce43469554cfd5aedc
. Submitting the flag:
Flag: inctf{14c8cfaa269659f52dd76cce43469554cfd5aedc}
Thanks to Alisson “Infektion” Bezerra (@alissonbezerra), @diofeher, @adriano_ribeiro and @dapolinario for helping to solve this challenge.