Intro
This is the only challenge I solved in the Signals section.
It’s been solved 59 times and it was worth 965 points.
Description:
Here’s a log of some kind of network traffic. The BASH script will help you set up your tools, and probably give you a hint as to what kind of network this is.
You can download the log here.
$ sha256sum pickupthatcan.log
6cd893bf99bf233d452aaa56ed65fcca51fef4e97493efa3ba6a44a0af03e95a pickupthatcan.log
The shell script is really short. It’s composed of three lines:
modprobe vcan
sudo ip link add dev vcan0 type vcan
sudo ip link set up vcan0
Analysis
The first step was to look at the log. Here is an excerpt:
(1563316370.627559) can0 002#12000007D9535D0E
(1563316370.628247) can0 7E8#0641010007E50000
(1563316370.629271) can0 174#654654AA0E000000
(1563316370.629272) can0 176#001E0026C8000E
(1563316370.629273) can0 177#FE11400000
(1563316370.630309) can0 160#3273530008FFE8
(1563316370.630311) can0 180#189C353327003E10
(1563316370.631310) can0 003#6100000000000000
(1563316370.631311) can0 004#5400000000000000
(1563316370.631312) can0 005#4D000000
(1563316370.631313) can0 355#00000000000060
(1563316370.632996) can0 385#00000000000000
(1563316370.634018) can0 216#426C
(1563316370.634019) can0 245#FFE000180010FFE1
.....
Unfortunately it didn’t mean a lot to me.
So I started googling about the interface type referenced in the script.
At first I found this document: Bridging CAN Interface Up.
Then this entry on Wikipedia: SocketCAN.
After this discovery I was really excited! The created interface is used on the CAN bus, a standard bus used in vehicles!
CAN frame
Now the log makes a lot more sense. It’s evidently the data exchanged on the bus.
However, to interpret the log, I studied the protocol and the frame format. On that topic I found this interesting entry on Wikipedia: CAN bus frame.
The protocol supports various types of frame. In this case, however, it’s a data frame in the base frame format.
The frame structure is really simple. The part that interests us is that it has an ID (which also defines the priority of the frame) and that the maximum size of the transported data is 8 bytes.
However, I really enjoyed the details of the frame format. I advise you to read the Wikipedia page. It’s really interesting.
So it’s clear that the hashtag (#) splits the ID from the data.
Decoding the data
At this point I assumed that the data should contain the flag as a hexadecimal string.
So I searched for 61756374667B (it corresponds to auctf{) and I found these interesting lines:
.....
(1563316371.102580) can0 003#61756374667B0000
.....
(1563316371.276500) can0 003#61756374667B496D
.....
(1563316371.276500) can0 003#61756374667B496D
.....
The flag is transmitted in pieces. In this case the ID of the frame is 003. So I assumed that frames with subsequent IDs should contain the other pieces.
I was right. Indeed, in the log I found:
.....
(1563316371.276500) can0 003#61756374667B496D
(1563316371.276501) can0 004#5468655472617368
(1563316371.279102) can0 005#4D616E7D
.....
I decoded the hexadecimal strings, concatenated the results and here is the flag:
$ cat flag.txt
auctf{ImTheTrashMan}
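The manual steps above (split each line at the #, group by ID, hex-decode, concatenate) can be scripted. The following is an added example, not code from the original write-up; the function names are hypothetical, the sample lines are copied from the excerpts shown on this page, and it assumes the most filled-in payload seen for each ID is the complete chunk.

```python
import re

# Log line layout seen in this write-up: (timestamp) interface ID#HEXDATA
LINE_RE = re.compile(r"^\((\d+\.\d+)\)\s+(\S+)\s+([0-9A-Fa-f]{3,8})#([0-9A-Fa-f]*)$")

# Sample input: lines copied from the excerpts on this page, not the full log.
SAMPLE_LOG = """\
(1563316370.631310) can0 003#6100000000000000
(1563316370.631311) can0 004#5400000000000000
(1563316370.631312) can0 005#4D000000
(1563316370.634018) can0 216#426C
(1563316371.102580) can0 003#61756374667B0000
(1563316371.276500) can0 003#61756374667B496D
(1563316371.276501) can0 004#5468655472617368
(1563316371.279102) can0 005#4D616E7D
.....
"""

def parse_line(line):
    """Return (timestamp, can_id, payload) or None if the line is not a frame."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, _iface, can_id, data = m.groups()
    if len(data) % 2 or len(data) > 16:  # base-format data frame: at most 8 bytes
        return None
    return float(ts), int(can_id, 16), bytes.fromhex(data)

def fullest_payloads(log_text, ids):
    """For each wanted ID keep the payload with the most data before zero padding."""
    best = {}
    for line in log_text.splitlines():
        frame = parse_line(line)
        if frame is None or frame[1] not in ids:
            continue
        _ts, can_id, data = frame
        if len(data.rstrip(b"\x00")) > len(best.get(can_id, b"").rstrip(b"\x00")):
            best[can_id] = data
    return best

def reassemble(log_text, ids=(0x003, 0x004, 0x005)):
    """Concatenate the chosen payloads in ID order and decode them as ASCII."""
    best = fullest_payloads(log_text, set(ids))
    raw = b"".join(best.get(i, b"") for i in ids)
    return raw.rstrip(b"\x00").decode("ascii", errors="replace")

if __name__ == "__main__":
    print(reassemble(SAMPLE_LOG))
```

Picking the fullest payload rather than the last one keeps the result stable even if a shorter, partially filled frame for the same ID shows up later in the capture.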