Wireless CTF Notes using a Raspberry Pi

For WCTF it’s a good idea to use Pentoo. However, on short notice I could only find Kali for Raspberry Pi for an easy on-the-go build. Some notes for myself which might be useful to whoever reads this.

Bluetooth Fox Hunting

First enable bluetooth:

systemctl enable bluetooth 
systemctl enable hciuart

For bluetooth fox-hunting:

To locate Bluetooth devices with ble_finder, edit blue_hydra.yml to set:

rssi_log: true

Then run ble_finder to locate the devices listed in the Python script.

Alternatively, use blue_sonar to find the MAC you are hunting:

blue_sonar -t XX:XX:XX:XX:XX:XX

Bluetooth spoofing

To change/spoof the Bluetooth MAC address on a Raspberry Pi, you’ll need the tool bdaddr:

apt-get install libbluetooth-dev
wget -U firefox -O bdaddrtar.bz2 https://drive.google.com/open?id=1Gu4SSI8Rem3iFcCT70dRHKB4UGdee7n_
bzip2 -d bdaddrtar.bz2 && tar xf bdaddrtar
cd bdaddr && make

First confirm your original MAC address:

$ hcitool dev
Devices:
        hci0    AA:AA:AA:AA:AA:AA

Run bdaddr to change the address:

$ ./bdaddr -i hci0 -r 00:11:22:33:44:55
Manufacturer:   Broadcom Corporation (15)
Device address: AA:AA:AA:AA:AA:AA
New BD address: 00:11:22:33:44:55

Address changed - Device reset successully

Reset the hci device and restart the bluetooth service:

hciconfig hci0 reset
systemctl restart bluetooth.service

Finally, double-check the change:

$ hcitool dev
Devices:
        hci0    00:11:22:33:44:55

Wifi spoofing

To spoof a Wi-Fi MAC address, install macchanger and pass it the new address and the interface to change:

apt-get install macchanger
macchanger -h
macchanger -m XX:XX:XX:XX:XX:XX wlan0



Kali Linux on Raspberry Pi

Just some notes on my Kali build with Raspberry Pi…

0. Materials

Soldering is required to attach the header that connects the hat to the Pi.

1. Prepare OS

Download the image and use Etcher to flash the SD card with Kali Linux. You don’t even have to decompress the image.

2. Basic Setup

Insert the SD card into the Raspberry Pi and plug in the micro USB power source.

You’ll need to hook up an external monitor for the first boot in order to prepare the machine for console use.

Log in as root:toor, set up the wifi, and run the standard stuff:

apt-get update
apt-get full-upgrade

Make sure to change the default password:

passwd root

Regenerate the default SSH host keys (dpkg-reconfigure only creates keys that are missing, so remove the shipped ones first):

rm /etc/ssh/ssh_host_* && dpkg-reconfigure openssh-server

Edit the file /etc/ssh/sshd_config and change the line with PermitRootLogin to:

PermitRootLogin yes

This permits root to log in with a password over the network, so the root password you set above is the only barrier; PermitRootLogin prohibit-password would instead restrict root to key-based logins.

Finally, enable autologin so that ssh can work on boot. Edit /etc/lightdm/lightdm.conf and uncomment the lines:

autologin-user=root
autologin-user-timeout=0

Next edit /etc/pam.d/lightdm-autologin and comment out:

# auth required pam_succeed_if.so user != root quiet_success

After this step, you can reboot whenever and have ssh access with your root user.

Optionally, you can change the hostname so that people don’t know this is a kali box, or to make it easier to find yours.

vim /etc/hostname

3. Prepare for a console-only experience

Set Kali to boot into console mode:

systemctl set-default multi-user.target
systemctl get-default # this command checks the setting
reboot

Clone the following repos:

The first repo contains adafruit-pitft.sh, which configures the TFT display automatically, but on Kali some of the script’s dependencies are unavailable, which is why the second repo is needed.

In the py-spidev folder, run:

make
make install

Go into the Raspberry-Pi-Installer-Scripts folder and edit the adafruit-pitft.sh file. In this file, remove the part where it tries to install python-spidev and tslib. Then, run:

./adafruit-pitft.sh -u /root

This will ask you what screen you have and what configuration/rotation you prefer. Afterwards, when you reboot you should see the console show up on the display. I prefer the 270 degrees (landscape) setting as this will place the buttons below the display.

I’m still unable to figure out the buttons on a Kali image. If anyone out there has any input, please let me know :)

To configure Wi-Fi, there are two ways:

wpa_supplicant -B -i wlan0 -c <(wpa_passphrase "MYSSID" 12345678) && dhclient wlan0
# or 
nmcli d wifi connect MYSSID password 12345678 ifname wlan0

4. Get Sound

To get sound working, in /boot/config.txt uncomment and edit the line:

dtparam=audio=on

Install and enable dependencies (the play command used below comes from sox, so install it alongside alsa-utils):

apt-get install alsa-utils sox
systemctl --user enable pulseaudio && systemctl --user start pulseaudio
reboot
systemctl --user status pulseaudio

Test the tone:

play -n -c1 synth 10 sine 1000



Google Spreadsheets as JSON

For some use cases it is very easy to use a Google Sheet as the datasource for a website. For example, I’ve used a published Google spreadsheet as the backend data store for a competition leaderboard. This proves to be one of the simplest solutions as several moderators may want quick access to update the leaderboard and it can be updated easily from a mobile device.

It’s quite simple to publish the data from a Google Sheet as JSON:

  1. Click the blue share button on the top right of the Sheet console to get a shareable link. For this step, set it so that “Anyone with the link can view”. This does two things: it publishes the sheet so it is publicly readable, and the link contains the SHEET ID needed for the next step. Example:

    https://docs.google.com/spreadsheets/d/<SHEET_ID>/edit?usp=sharing

  2. Insert the SHEET ID from Step 1 into the URL template:

    https://spreadsheets.google.com/feeds/list/<SHEET_ID>/od6/public/values?alt=json
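The two steps above, carried through in code: extracting the SHEET ID from a share link, building the feed URL, flattening the feed’s entries into rows, and rendering a leaderboard. This is an added example, not code from the original post; the helper names, the column headers team/score and the sample feed are assumptions, and the feed sample is constructed to mirror the od6 public values shape (one gsx$<header> key per column, each holding the cell text under "$t").

```python
import html
import json
import re
from urllib.parse import urlparse

# Helper names below are this example's own, not from the post.
SHARE_PATH = re.compile(r"^/spreadsheets/d/([A-Za-z0-9_-]+)/")

def sheet_id_from_share_url(url):
    """Step 1: pull <SHEET_ID> out of an 'Anyone with the link' share URL."""
    parts = urlparse(url)
    if parts.hostname != "docs.google.com":
        raise ValueError("not a docs.google.com share link")
    match = SHARE_PATH.match(parts.path)
    if not match:
        raise ValueError("no sheet id in the URL path")
    return match.group(1)

def feed_url(sheet_id):
    """Step 2: the public 'list' feed of the first worksheet (od6) as JSON."""
    return ("https://spreadsheets.google.com/feeds/list/"
            f"{sheet_id}/od6/public/values?alt=json")

def rows_from_feed(feed_json):
    """Each entry carries one 'gsx$<header>': {'$t': cell} pair per column."""
    return [{key[4:]: val["$t"] for key, val in entry.items() if key.startswith("gsx$")}
            for entry in feed_json["feed"].get("entry", [])]

def _score(row, col):
    try:
        return int(row.get(col, ""))
    except ValueError:
        return 0  # blank or non-numeric cell ranks last

def leaderboard_html(rows, name_col="team", score_col="score"):
    """Rank by score; escape cells, since moderators type them into the sheet."""
    ranked = sorted(rows, key=lambda r: _score(r, score_col), reverse=True)
    out = ["<table>"]
    for pos, row in enumerate(ranked, 1):
        out.append(f"<tr><td>{pos}</td><td>{html.escape(row.get(name_col, ''))}</td>"
                   f"<td>{html.escape(row.get(score_col, ''))}</td></tr>")
    out.append("</table>")
    return "\n".join(out)

# Constructed sample, shaped like the od6 public values feed (no real sheet).
SAMPLE_FEED = json.loads("""{"feed": {"entry": [
 {"id": {"$t": "r1"}, "gsx$team": {"$t": "alpha"}, "gsx$score": {"$t": "120"}},
 {"id": {"$t": "r2"}, "gsx$team": {"$t": "<b>bravo</b>"}, "gsx$score": {"$t": "250"}},
 {"id": {"$t": "r3"}, "gsx$team": {"$t": "charlie"}, "gsx$score": {"$t": ""}}]}}""")
```

Fetch feed_url(...) with any HTTP client and pass the parsed JSON body to rows_from_feed.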

Advent of Code Day 5

Day 5 of Advent of Code.

This was easier than yesterday’s puzzle. I wasted some time trying to figure out if I could solve it with a zip and list processing but eventually just went for a brute force approach for the sake of submitting earlier.

def run(polymer):
    # Repeatedly scan the list and delete adjacent reacting pairs until a full
    # pass finds nothing to remove. polymer is a list of single characters and
    # is modified in place.
    done = False
    while not done:
        lngth = len(polymer)
        i = 0
        found = False
        while i < lngth-1:
            j = 1 + i
            # The same letter in opposite case differs only in bit 5 (0x20 == 32),
            # e.g. ord('a') ^ ord('A') == 97 ^ 65 == 32.
            if 32 == ( ord(polymer[i]) ^ ord(polymer[j]) ) :
                del polymer[i]
                del polymer[i]
                lngth = lngth - 2
                found = True
            else:
                i = 1 + i
        done = not found
    return polymer

with open("input5.txt") as f:
    polymer = list(f.readline().strip())

part1 = run(polymer)   # run() mutates polymer, so polymer is now fully reduced
print(len(part1))

# Part 2: remove one unit type (both cases) at a time, reduce, keep the shortest.
# Starting from the already reduced polymer gives the same answer.
min = 10000 #arbitrary, larger than part 1
# A = 65, Z = 90
for i in range(65,91):
    test_polymer = [a for a in polymer if (ord(a) != i) and (ord(a) != (i+32))]
    test_run = run(test_polymer)
    if min > len(test_run):
        min = len(test_run)

print(min)
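The list-processing route mentioned above, as an added example rather than the post’s own code: a single pass with a stack reduces the polymer in linear time instead of rescanning after every deletion, and part 2 reuses it. The function names are this example’s own; the sample input is the worked example from the puzzle statement.

```python
def react(polymer):
    """Reduce the polymer in one pass: walk the units with a stack, and when the
    incoming unit is the same letter as the stack top in the opposite case, pop
    the top instead of pushing (the pair annihilates). Runs in O(n)."""
    stack = []
    for unit in polymer:
        if stack and stack[-1] != unit and stack[-1].lower() == unit.lower():
            stack.pop()
        else:
            stack.append(unit)
    return "".join(stack)

def best_removal(polymer):
    """Part 2: for every unit type, strip both cases, react, keep the shortest.
    Reacting first is safe because the reduction is confluent, and it shrinks
    the input for the follow-up reactions."""
    base = react(polymer)
    lengths = {}
    for letter in sorted({u.lower() for u in base}):
        stripped = base.replace(letter, "").replace(letter.upper(), "")
        lengths[letter] = len(react(stripped))
    letter = min(lengths, key=lengths.get)
    return letter, lengths[letter]

# Constructed input: the worked example from the puzzle statement.
SAMPLE = "dabAcCaCBAcCcaDA"

if __name__ == "__main__":
    print(len(react(SAMPLE)))    # part 1
    print(best_removal(SAMPLE))  # part 2: (unit type removed, resulting length)
```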

Advent of Code Day 4

Day 4 of Advent of Code.

I really like Python for these types of coding challenges. The data size is such that performance is negligible. It’s really easy to lay out your thoughts and reread the code without troubling yourself with complex syntax written for performance’s sake.

In this challenge, I use regex matching again to capture the minutes and IDs of the guards. Then I loop twice for each part of the challenge. I could have combined them into one or two loops, but again performance isn’t a priority over readability while attacking the puzzle.

import re

# Read and sort the log; the timestamps sort lexically, which puts every
# shift's events in chronological order.
lines = []
for line in open("input4.txt"):
    lines.append(line.strip())
lines.sort()

# Raw string: '\[' and '\d' are regex escapes, not Python string escapes.
pattern = re.compile(r'\[\d{4}-\d{2}-\d{2}\s(?P<hour>\d{2}?):(?P<minute>\d{2}?)\]\s(?P<msg>.*?)$')
id = None
sleeps = {}   # guard id -> every minute spent asleep, one entry per occurrence
for line in lines:
    s = pattern.match(line)
    msg = str(s.group('msg'))
    if 'Guard' in msg:
        id = str(msg.split(' ')[1].split('#')[1])   # "Guard #10 begins shift" -> "10"
    if 'falls' in msg:
        start = int(s.group('minute'))
    if 'wakes' in msg:
        end = int(s.group('minute'))
        if id not in sleeps:
            sleeps[id] = []
        sleeps[id].extend(list(range(start,end)))

# part 1: the guard asleep for the most minutes in total, and the minute
# that guard is asleep most often
g_longest = 0
g_id = None
g_minute = 0
for g,v in sleeps.items():
    if len(v) > g_longest:
        g_longest = len(v)
        g_id = g
        g_minute = max(set(v), key=v.count)

print(int(g_id)*int(g_minute))

# part 2: the guard/minute pair with the highest count for any single minute
g_id = None
g_minute = 0
g_count = 0
for g,v in sleeps.items():
    minute = max(set(v), key=v.count)
    count = v.count(minute)
    if count > g_count:
        g_count = count
        g_id = g
        g_minute = minute

print(int(g_id)*int(g_minute))