Skip to content

Instantly share code, notes, and snippets.

@toby-bro

toby-bro/FCSC23-writeup-canflag.md

Created February 22, 2026 20:58
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save toby-bro/ed2d09a6d0ff0c1461591eb7cc1b7934 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save toby-bro/ed2d09a6d0ff0c1461591eb7cc1b7934 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
FCSC23-writeup-canflag.md

Canflag

Link to the challenge

We are given a pcap of a CAN bus that does not have too many different packets. When reading the packets we see that some seem to have text in them, in their data field. We also see a few packets that interest us:

  • the one which has 'FCSC' has id 2 and is an extended packet
  • the one which has '{' has id 2 and is not an extended packet
  • the one which has '}' has the highest id of 68

So we probably need to sort the packets by ID, and if two have the same ID, then we sort by putting the extended packet first.

This command does just that:

 tshark -r canflag.pcap -T fields -e can.flags.xtd -e can.id -e data.data | sort -k2,2n -k1,1r| awk '{ print $3 }' | tr -d '\n' | xxd -r -p

And we get the flag.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment