AUCTF 2020 Writeup - Pick Up That CAN

May 1, 2020
ctf writeup car-hacking can-bus auctf2020

Intro

This is the only challenge I solved in the Signals section.

It’s been solved 59 times and it was worth 965 points.

Description:

Here’s a log of some kind of network traffic. The BASH script will help you set up your tools, and probably give you a hint as to what kind of network this is.

You can download the log here.

$ sha256sum pickupthatcan.log 
6cd893bf99bf233d452aaa56ed65fcca51fef4e97493efa3ba6a44a0af03e95a  pickupthatcan.log

The shell script is really short. It’s composed of three lines:

modprobe vcan
sudo ip link add dev vcan0 type vcan
sudo ip link set up vcan0

Analysis

The first step was to look at the log. Here is an excerpt:

(1563316370.627559) can0 002#12000007D9535D0E
(1563316370.628247) can0 7E8#0641010007E50000
(1563316370.629271) can0 174#654654AA0E000000
(1563316370.629272) can0 176#001E0026C8000E
(1563316370.629273) can0 177#FE11400000
(1563316370.630309) can0 160#3273530008FFE8
(1563316370.630311) can0 180#189C353327003E10
(1563316370.631310) can0 003#6100000000000000
(1563316370.631311) can0 004#5400000000000000
(1563316370.631312) can0 005#4D000000
(1563316370.631313) can0 355#00000000000060
(1563316370.632996) can0 385#00000000000000
(1563316370.634018) can0 216#426C
(1563316370.634019) can0 245#FFE000180010FFE1
.....

Unfortunately it didn’t mean a lot to me.

So I started googling about the interface type referenced in the script.

First I found this document: Bridging CAN Interface Up.

Then this entry on Wikipedia: SocketCAN.

After this discovery I was really excited! The created interface is used on the CAN bus, a standard bus used in vehicles!

CAN frame

Now the log makes a lot more sense. It’s evidently the data exchanged on the bus.

However, to interpret the log, I studied the protocol and the frame format. About that I found this interesting entry on Wikipedia: CAN bus frame.

The protocol supports various types of frame. In this case, however, it’s a data frame in the base frame format.

The frame structure is really simple. The part that interests us is that it has an ID (that also defines the priority of the frame) and the maximum size of the transported data is 8 bytes.

However I really enjoyed the details of the frame format. I advise you to read the Wikipedia page. It’s really interesting.

So it’s clear that the hashtag splits the ID from the data.

Decoding the data

At this point I assumed that the data should contain the flag as a hexadecimal string.

So I searched for 61756374667B (it corresponds to auctf{) and I found these interesting lines:

.....
(1563316371.102580) can0 003#61756374667B0000
.....
(1563316371.276500) can0 003#61756374667B496D
.....
(1563316371.276500) can0 003#61756374667B496D
.....

The flag is transmitted in pieces. In this case the ID of the frame is 003. So I assumed that frames with the subsequent IDs should contain the other pieces.

I was right. Indeed in the log I found:

.....
(1563316371.276500) can0 003#61756374667B496D
(1563316371.276501) can0 004#5468655472617368
(1563316371.279102) can0 005#4D616E7D
.....

I decoded the hexadecimal strings, concatenated the results and here is the flag:

$ cat flag.txt
auctf{ImTheTrashMan}
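
The manual search and decoding above can be scripted. The following is an added example, not code from the original writeup: it parses the `(timestamp) interface ID#DATA` lines, keeps the last payload seen for each ID, and joins the payloads of consecutive IDs starting at the one that begins with `auctf{`. It assumes that the last frame logged for an ID carries the complete piece and that trailing zero bytes are padding; the sample lines are copied from the excerpts in this post.

```python
import re

# Log line layout seen above: "(timestamp) interface ID#DATA", hex ID and hex data.
LINE_RE = re.compile(r"^\((\d+\.\d+)\)\s+(\S+)\s+([0-9A-Fa-f]{3,8})#([0-9A-Fa-f]*)$")

# Sample lines copied from the excerpts in this writeup.
SAMPLE_LOG = """\
(1563316370.631310) can0 003#6100000000000000
(1563316370.634018) can0 216#426C
(1563316371.102580) can0 003#61756374667B0000
(1563316371.276500) can0 003#61756374667B496D
(1563316371.276501) can0 004#5468655472617368
(1563316371.279102) can0 005#4D616E7D
"""

def parse_log(text):
    """Yield (timestamp, interface, can_id, payload_bytes) for each valid line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank lines, "....." elisions, anything not ID#HEX
        ts, iface, can_id, data = m.groups()
        if len(data) % 2 or len(data) > 16:
            continue  # a base-format data frame carries at most 8 whole bytes
        yield float(ts), iface, int(can_id, 16), bytes.fromhex(data)

def latest_payloads(text):
    """Map each CAN ID to the last payload logged for it (assumed complete)."""
    latest = {}
    for _, _, can_id, payload in parse_log(text):
        latest[can_id] = payload
    return latest

def reassemble(text, prefix=b"auctf{", terminator=b"}"):
    """Join payloads of consecutive IDs, starting at the ID carrying `prefix`."""
    latest = latest_payloads(text)
    start = next((i for i, p in sorted(latest.items()) if p.startswith(prefix)), None)
    if start is None:
        return None
    out, can_id = b"", start
    while can_id in latest:
        out += latest[can_id].rstrip(b"\x00")  # assumption: zero bytes are padding
        if terminator in out:
            return out[: out.index(terminator) + 1].decode("ascii", errors="replace")
        can_id += 1
    return None  # consecutive IDs ended before the terminator appeared

if __name__ == "__main__":
    print(reassemble(SAMPLE_LOG))
```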
