Rating: 5.0

## Description

We are investigating an individual we believe is connected to a group smuggling drugs into the country and selling them on social media. You have been posted on a stake out in the apartment above theirs and with the help of space-age eavesdropping technology have managed to extract some data from their computer. What is the phone number of the suspect's criminal contact?

flag format includes country code so it should be in the format: rgbCTF{+00000000000}

## Included Files

magic_in_the_air.7z

## Writeup

Running file on the 'data' file from decompressing the 7z shows that it's a btsnoop log, so I used wireshark to analyze it. I'm only interested in the ATT packets so I processed it with filter "btl2cap.cid==0x004". I didn't know too much about this protocol, but scrolling through there was a ton of sequential "Rcvd Handle Value Notification" packets to the host from one source. Looking at the values of all of them they're mostly all 7 bytes long and generally just have values in the second highest byte. Looking for reference material to decode the values a team mate found [this](https://learn.adafruit.com/introducing-bluefruit-ez-key-diy-bluetooth-hid-keyboard/sending-keys-via-serial) page with a nice table of values for key press equivalents. Starting at frame 374 and going down these codes started to show the makings of a message with an inital decoding of "YOO MAN". I needed to pull out each of those bytes and convert them according to the table. I applied the values as a filter, and got rid of a bunch of them that were only null values by using the filter "btatt.value!=00:00:00:00:00:00:00". This didn't filter out all of them since there were some values that were null, but had a few extra values here and there, but this was a nice quick solution. I selected all of them starting from 374 down to the end and exported the packets. I just wanted to get down the bytes so I passed that through xxd -p into a new file. From there I just did some substitutions in vim:

:%s/\n//
:%s/\012e0e.\{30\}\)/\1\r/g
:%s/^.*012e0e.\{18\}\(..\).*$/\1/

This gave me all the keypresses. Then I took the table from the site above and did a little vim processing with that too to turn it into a python dict friendly format:

:%s/final byte KEY_\(.*\) *=byte(0x\(..\).*/"\2":"\1",/

I did a little more formatting to change character cases, but I could've simply done a call to lower() in python while processing it. But, I just took that and turned it into a quick python script that took in each line of the extracted keypresses and output the equivalent value from the dict:

conversion_table = {"00":"NONE",
"04":"A",
"05":"B",
"06":"C",
"07":"D",
"08":"E",
"09":"F",
[...]
"E5":"SHIFT_RIGHT",
"E6":"ALT_RIGHT",
"E7":"GUI_RIGHT" }

fd = open("keycap4.txt", "r")

for code in fd.readlines():
code = code.strip('\n')
print(conversion_table[code], end='')

This gave me the decoded message, but I need the phone number with country code. Don't know a ton about European phone numbers, but the message mentioned the number was from sweden, so we got the swedish country code (46) and tacked that on to the number in the message in a couple of different ways until it was correct.

Original writeup (https://github.com/signifi3d/ctf-writeups/blob/master/rgbCTF2020/osint/p1/p1.md).