Tags: hardware canbus 

Rating: 5.0

## Recon
After connecting to the service we got a plain `< hi >` and lost a ton of time by not recognising the in-your-face hint "socketcand", instead googling for ages for some CAN-over-IP transport protocol that would handshake with `< hi >`.

**fast forward:** once we found the socketcand documentation [(protocol here)](https://github.com/linux-can/socketcand/blob/master/doc/protocol.md), handshaking with the daemon was simple: answer `< hi >` with `< open vcan0 >`, wait for `< ok >`, then send `< rawmode >` to receive every frame on the bus as text.
We put together a quick and dirty CAN bus dump script with pwntools. Its `remote()` failed on the TLS connection because of [THAT](https://github.com/Gallopsled/pwntools/pull/1644), so we wrapped `ncat --ssl` in a `process()` instead.

## Dumping CANBus
The following Python code prints the bus traffic as `id#hex ascii` lines and also appends every frame to a file named after its CAN ID for later inspection.

```python
from pwn import *

def hexdump(data):
    """Render a frame's hex payload as printable ASCII, dots for everything else."""
    output = ""
    for i in range(0, len(data), 2):
        value = int(data[i:i+2], 16)
        # 0x7F (DEL) is not printable, so stop one short of 0x80
        if 0x20 < value < 0x7f:
            output += chr(value)
        else:
            output += "."
    return output

# ugly process wrapping, because remote(..., ssl=True) failed against the challenge server
p = process(['ncat', '--ssl', '7b0000005a916e68a93fc8ec.challenges.broker3.allesctf.net', '1337'])

# handshake: the daemon greets with < hi >, we open the bus and switch to rawmode
print(p.recvuntil(b'< hi >'))
p.sendline(b'< open vcan0 >')
print(p.recvuntil(b'< ok >'))
p.sendline(b'< rawmode >')

# dump: in rawmode every frame arrives as "< frame can_id seconds.useconds data >"
while True:
    frame = p.recvuntil(b'>').decode().strip()
    if frame == '< ok >':
        continue  # acknowledgement of the rawmode command
    fields = frame.split()
    if len(fields) < 6:
        continue  # frame without payload (DLC 0), nothing to record
    can_id, data = fields[2], fields[4]
    output = can_id + "#" + data
    output = output.ljust(21, " ") + hexdump(data)
    print(output)
    # one file per CAN ID for later inspection
    with open(can_id + '.txt', 'a+') as f:
        f.write(output + "\n")
```

## Results
quite crowded on the CAN bus...

```
...
1A0#E14DEF           .M.
114#CCD913           ...
70D#283FF3B60140     (?...@
6AA#76               v
463#E02386EA80BA35D6 .#....5.
2F4#4666FEC9         Ff..
55F#60E168C07421     `.h.t!
070#8C1E58C5         ..X.
0BC#132D869BF6       .-...
399#F8CACD04F55E7669 .....^vi
341#52CBC8           R..
229#5E2810B75686CC5D ^(..V..]
61B#5089             P.
5DA#50CC5F56DAC85ABF P._V..Z.
191#5D2B46           ]+F
...
```

after letting it run for a bit:

```
root@kali:~/alles2020/can# ls
001.txt 04F.txt 0CB.txt 156.txt 1CC.txt 23B.txt 2E1.txt 341.txt 406.txt 466.txt 4E0.txt 544.txt 59E.txt 5F8.txt 6AA.txt 745.txt 792.txt
005.txt 052.txt 0D3.txt 158.txt 1D1.txt 241.txt 2EA.txt 34D.txt 41A.txt 46C.txt 4E9.txt 546.txt 5A8.txt 605.txt 6B0.txt 747.txt 79D.txt
020.txt 070.txt 0E2.txt 17F.txt 1D9.txt 246.txt 2F1.txt 36F.txt 424.txt 477.txt 4EB.txt 54B.txt 5AB.txt 61B.txt 6B2.txt 748.txt 7A3.txt
025.txt 083.txt 0F0.txt 184.txt 1DA.txt 259.txt 2F4.txt 37D.txt 429.txt 47D.txt 4F9.txt 551.txt 5B0.txt 64F.txt 6C0.txt 74B.txt 7AE.txt
033.txt 093.txt 0F8.txt 191.txt 1EB.txt 267.txt 306.txt 388.txt 42D.txt 492.txt 4FC.txt 55F.txt 5B5.txt 654.txt 6D6.txt 751.txt 7B3.txt
036.txt 094.txt 107.txt 193.txt 205.txt 268.txt 313.txt 38D.txt 42F.txt 4B0.txt 503.txt 56E.txt 5BB.txt 664.txt 6E6.txt 756.txt 7C4.txt
03A.txt 098.txt 110.txt 1A0.txt 207.txt 26E.txt 315.txt 38E.txt 447.txt 4B9.txt 507.txt 57D.txt 5C6.txt 67A.txt 6FE.txt 761.txt 7C6.txt
03D.txt 0A5.txt 114.txt 1A9.txt 20D.txt 272.txt 318.txt 399.txt 44A.txt 4BD.txt 50E.txt 585.txt 5C7.txt 67F.txt 706.txt 76A.txt 7CB.txt
040.txt 0B7.txt 123.txt 1B0.txt 216.txt 290.txt 323.txt 3A4.txt 453.txt 4CF.txt 523.txt 589.txt 5CE.txt 68D.txt 709.txt 77D.txt 7CF.txt
043.txt 0BA.txt 131.txt 1B6.txt 229.txt 2A3.txt 325.txt 3C8.txt 454.txt 4D1.txt 532.txt 58C.txt 5DA.txt 68E.txt 70D.txt 784.txt
048.txt 0BC.txt 136.txt 1B9.txt 231.txt 2A8.txt 32A.txt 3CA.txt 45E.txt 4D8.txt 535.txt 59B.txt 5E9.txt 693.txt 70E.txt 786.txt
04D.txt 0C8.txt 13A.txt 1BE.txt 23A.txt 2DA.txt 33C.txt 3F3.txt 463.txt 4DE.txt 53E.txt 59C.txt 5F1.txt 69D.txt 71B.txt 791.txt
```

a quick visual inspection for anything that sticks out turned up one file size that did:

```
...
-rw-r--r-- 1 root root 28 Sep 7 14:01 136.txt
-rw-r--r-- 1 root root 837 Sep 7 14:01 13A.txt
-rw-r--r-- 1 root root 5005 Sep 7 14:01 156.txt <--- file size !
-rw-r--r-- 1 root root 30 Sep 7 14:01 158.txt
...
```

```
root@kali:~/alles2020/can# cat 156.txt
156#89504E470D0A1A0A .PNG....
156#0000000D49484452 ....IHDR
156#000000B500000016 ........
156#080600000086DBDD ........
156#E900000006624B47 .....bKG
156#44000000000000F9 D.......
156#43BB7F0000000970 C......p
156#48597300000B1300 HYs.....
```

So it looks like someone is streaming a PNG on CAN ID 156: the frames start with the PNG signature `89 50 4E 47 0D 0A 1A 0A` followed by the `IHDR` chunk. Concatenating the payloads of all `156` frames in the order they arrived and writing the bytes to a `.png` file gives a picture showing the flag:

## ALLES{c4n_sn1ffer}

macz