PI 3: This isn’t a Secure Line
Description:
Our suspect is getting noided. We’ve managed to retrieve this from his computer. What can you find?
The flag format is the MD5 hash of what you will find. rgbCTF{hash}
Category: Forensics
First Blood: 9 hour, 16 minutes after release by team RedRocket
To try out this challenge, download the file here
The other questions in this series: PI1 and PI2
The Solution
Checking the file type with file data
reveals that it is yet another BTSnoop file. After investigating in wireshark, we can tell that this is some kind of audio device that is both transmitting and receiving audio data. How do we know this?
From [Opcode: SCO Rx Packet (0x0007)]
, we know this is SCO data being received
And from [Opcode: SCO Tx Packet (0x0006)]
, we know that this SCO data is being transmitted
Googling bluetooth SCO
reveals that it is a blueooth audio protocol used commonly in bluetooth Headset Profile and Intercom Profile. It can’t be Intercom Profile because we know that this data was captured from a computer, so it must be Bluetooth Headset Profile. That means that it is audio data, and even better, we know it is likely a phone call.
So, how do we listen to this audio data?
Jerry-rig method
Upon exporting this packet capture in JSON, it appears that the data is not preserved. Lets just rip it out of the capture file in python. How many problems in history I wonder have been solved by opening a wee IPython terminal?
We know that each SCO packet contains 48 bytes of audio data preceeded by 01 01 30
, so lets split on b"\x01\x01\x30"
and see what happens.
If we compare the above output (which is the fourth element of that split), to the third packet in wireshark, we see that the data part is the same. Great. However, further analysis (mucking about in IPython) reveals that some information for the next packet is attached to the end of our audio data. Luckily, as stated above we also know that the audio data is 48 bytes, so lets split our output and see where it gets us
Still with me here? We’ve split this data into what we definitely know is audio (the first 48 bytes) and the header for the next packet, which as you can see, contains the aformentioned opcode value:
b'\x00\x00\x003\x00\x00\x003\x00\x00
-> \x00\x06
<- \x00\x00\x00\x00\x00\xe2\x87i|d\r\x0b'
And we discover it is 24 bytes so the next step is to search the previous 24 bytes of each occurence of b"\x01\x01\x30"
for the opcode and couple it with the 48 bytes of audio data that comes after.
As you can see, we have harvested the same amount of Rx and Tx packets, which is a good sign. Finally, we write the raw audio data to a file from IPython
The final challenge is getting this audio to open and play correctly. The documentation is scant for this kind of thing but there are a few sources online that I found. namely this post and this paper (see section 6.3 and 6.3.1).
Bluetooth SCO audio is a mono audio signal with signed 16-bit PCM at 8000 Hz. You can either import this in Audacity File -> Import -> Raw Audio
or play it straight from the terminal with sox
The Rx audio is data received by the device we are capturing packets on, Tx is data being transmitted to the bluetooth headset.
I have merged and converted both Rx and Tx to an mp3, so you can listen in on the phone call in your browser, see here
Listening to the audio file we can discern that our suspect is “changing the password” to applepie
. So we take an MD5 hash of applepie
for the flag: rgbCTF{6cc7c5a5a21978e5587a59186cadb5e3}
The above IPython scripts have been compiled into a script file below:
Clean method
Shoutout to lukas2511
of RedRocket
for this method, which is lifted from his solution.
Lukas’s method is far less barbaric and first relies upon converting the BTsnoop file to a pcap, then simply using pythons pcap library scapy
to process through it. The reason I shout this out is that I did not think to (or know one could) do this and have subsequently learnt something useful. Cheers Lukas!