write-ups-challenges-2023-2024/table-flip/SETUP.md
2023-11-28 16:24:59 +01:00

Challenge setup

This challenge requires a hotspot to be hosted on a Raspberry Pi.
These steps can be taken to configure a Raspberry Pi correctly.

Installing Raspberry Pi OS

  • Install Raspberry Pi OS (Lite, 64-bit was used for these instructions), for example via the Raspberry Pi Imager.
  • Make sure to enter a username and password in the OS Customisation settings.
  • Also enable SSH using password authentication (or public-key only; just make sure you can connect to the Pi).
  • DO NOT configure wireless LAN!! (So if you're using the imager for macOS, also choose "no" on all the prompts asking to use the wifi credentials stored in the keychain.)

When finished, turn on the Pi and connect it to your PC via Ethernet.
You should now be able to ssh into the Pi using the credentials you chose earlier.

For the rest of these instructions, the Pi requires an internet connection. Since no wifi has been set up, you need to share the internet connection of your PC with the Pi.
For macOS, you can do this by going to System Settings > Sharing > Internet Sharing, then turning Internet Sharing on, and allowing Ethernet devices to receive.

Installing RaspAP

To make configuration of the hotspot and captive portal easy, we use RaspAP to manage the access point.
To install RaspAP, you can use the installation instructions.

When you're running the installer, you can answer yes to the following questions:

  • lighttpd root: /var/www/html? [Y/n]: Y
  • Complete installation with these values? [Y/n]: Y
  • Enable HttpOnly for session cookies (Recommended)? [Y/n]: Y
  • Enable RaspAP control service (Recommended)? [Y/n]: Y

And you can answer no to the following questions:

  • Install ad blocking and enable list management? [Y/n]: n
  • Install OpenVPN and enable client configuration? [Y/n]: n
  • Install WireGuard and enable VPN tunnel configuration? [Y/n]: n
  • Enable VPN provider client configuration? [Y/n]: n

And then you can reboot.
Once you've rebooted, a wifi network raspi-webgui is created, and can be accessed using the default credentials.

Installing and enabling the captive portal

We will follow RaspAP's documentation on installing nodogsplash.

Again, follow the instructions on RaspAP's documentation.

Once the captive portal is installed and active, we need to swap out the splash.html and splash.css files located in /etc/nodogsplash/htdocs/.
Once you've replaced these files with our custom ones, you need to restart nodogsplash so it picks them up:

sudo systemctl restart nodogsplash.service

Some additional (but required) configuration

We still need to change RaspAP's SSID name and default credentials. You can access RaspAP's Web UI by connecting to the hotspot and going to the router's IP address (should be 10.3.141.1).
If you've correctly installed the captive portal, you will only see the flag.
In order to pass the captive portal, you need to go to a specific URL. This URL starts with the value of the "action" meta tag in the head of the captive portal page, and you need to include the value of the "tok" meta tag as a query parameter.
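
The URL construction described above, as an added example that is not part of the original setup files. It assumes the custom splash page exposes the two values as `<meta name="action" content="...">` and `<meta name="tok" content="...">`; the sample page and the function name `auth_url` are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample splash page; the meta tag layout is an assumption.
SAMPLE_SPLASH = """<!DOCTYPE html>
<html><head>
<meta charset="utf-8">
<meta name="action" content="http://10.3.141.1:2050/nodogsplash_auth/">
<meta name="tok" content="371e85e0">
<title>splash</title>
</head><body><p>flag placeholder</p></body></html>"""


class _HeadMeta(HTMLParser):
    """Collect <meta name=... content=...> pairs that appear inside <head>."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.meta = {}

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "meta" and self.in_head:
            a = dict(attrs)
            if a.get("name") and a.get("content") is not None:
                # Keep the first occurrence of each name.
                self.meta.setdefault(a["name"].lower(), a["content"])

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def auth_url(splash_html):
    """Build the nodogsplash auth URL: the action value plus ?tok=<token>."""
    parser = _HeadMeta()
    parser.feed(splash_html)
    missing = [k for k in ("action", "tok") if not parser.meta.get(k)]
    if missing:
        raise ValueError("splash page lacks meta tag(s): " + ", ".join(missing))
    parts = urlsplit(parser.meta["action"])
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("action is not an absolute http(s) URL")
    # Drop any tok already in the action URL, then append the page's token.
    query = [(k, v) for k, v in parse_qsl(parts.query) if k != "tok"]
    query.append(("tok", parser.meta["tok"]))
    return urlunsplit(parts._replace(query=urlencode(query), fragment=""))
```

On the Pi's hotspot, the HTML you pass in is the saved source of the captive portal page; the token changes per client, so build the URL from a fresh copy of the page.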

For example: http://10.3.141.1:2050/nodogsplash_auth/?tok=371e85e0 (your token will be different). Normally, you should see "Authenticated" and you can visit the web UI now. Some important settings you need to change:

Changing the SSID

  • Go to Hotspot > Basic > SSID.
  • You can change this to something original based on the challenge description. (recommended: ┏━┓ ︵ /(^.^/))
  • (And click "Save settings" on the bottom.)

Removing the password

  • Go to Hotspot > Security.
  • Set "Security type" to None.
  • (And click "Save settings" on the bottom.)

Changing RaspAP's admin credentials

We're still in a CTF...

NOTE: The challenge is just finding the flag in the captive portal, not breaking into the access point. But since default credentials are tempting for everyone, we will change this to something more secure.

  • Go to Authentication.
  • Change the username.
  • Change the password.