P1 Security CTF - Challenge 2 : Understand partial SMS call-flow

This is a continuation of our previous blog post on solving the CTF challenges by P1Security.

Link for CTF Challenge: https://ctf.p1sec.fr/


Challenge 2: Understand partial SMS call-flow

Objective: Find the password received as an SMS by the target user



Background:

The call flow begins when the Short Message Service Center (SMSC) receives an MO-Forward-SM request from its associated Mobile Switching Center/Visitor Location Register (MSC/VLR). The SMSC then sends an SRI-SM (Send Routing Info for SM) request to the Home Location Register (HLR) to retrieve the routing information for the destination Mobile Station International Subscriber Directory Number (MSISDN).

Upon receiving the SRI-SM request, the HLR processes the request and retrieves the routing information for the destination MSISDN's current serving MSC/VLR. The HLR then sends a response back to the SMSC, providing the necessary routing information.

Armed with the routing information, the SMSC proceeds to send the actual SMS message using an MT-Forward-SM message to the destination MSC/VLR. The MT-Forward-SM message contains the SMS content and relevant parameters required for delivery.

Subsequently, the destination MSC/VLR receives the MT-Forward-SM message from the SMSC and routes the SMS message to the intended destination mobile device associated with the provided MSISDN. Ultimately, the SMS message is delivered to the recipient's mobile device, allowing them to access and view the message content.

(Figure: SMS delivery call flow between MSC/VLR, SMSC and HLR. Image source: https://www.cellusys.com/)


Solution:

To tackle Challenge 2, begin by downloading the PCAP file provided and opening it in Wireshark.

As in the first challenge, the initial step is to apply a filter to display only the packets associated with our target dealer's International Mobile Subscriber Identity (IMSI). Once the packets are filtered, we can see the MT-ForwardSM packets, which carry the SMS text sent by multiple senders to the dealer's mobile device.



The next task is to refine our filter to identify the message sent by the specific source MSISDN 39612353436. To do this, we expand one of the packets until we reach the GSM SMS TPDU layer, which contains the relevant information, including the source MSISDN in the TP-Originating-Address field.

To begin, right-click the TP-Originating-Address field in one of the expanded packets and select "Apply as Filter -> Selected". This creates a new filter based on the selected packet; modify it to replace the MSISDN with our targeted source MSISDN (39612353436). The refined filter then displays only the packets carrying the SMS message that contains the wallet password.
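The TPDU fields that filter relies on, as an added example that is not part of the original write-up: a small Python decoder for SMS-DELIVER TPDUs (the "GSM SMS TPDU" layer inside MT-ForwardSM) that reads TP-Originating-Address and the 7-bit text, then keeps only the messages from a given sender. The two TPDUs are constructed samples, not bytes from the challenge PCAP, and the decoder assumes the plain GSM 7-bit alphabet with no user data header.

```python
# Added example (not from the write-up): decode a GSM SMS-DELIVER TPDU
# (3GPP TS 23.040), the "GSM SMS TPDU" layer inside MT-ForwardSM, and
# filter by TP-Originating-Address as the Wireshark filter above does.
def decode_address(buf: bytes, pos: int):
    """Decode an SMS address: digit count, type-of-address, swapped-nibble BCD."""
    ndigits, toa = buf[pos], buf[pos + 1]
    nbytes = (ndigits + 1) // 2
    raw = buf[pos + 2:pos + 2 + nbytes]
    number = "".join(f"{b & 0xF}{b >> 4}" for b in raw)[:ndigits]
    if toa & 0x70 == 0x10:  # type of number = international
        number = "+" + number
    return number, pos + 2 + nbytes

def unpack_7bit(data: bytes, septets: int) -> str:
    """Unpack GSM 7-bit default-alphabet user data (no UDH, no escape chars)."""
    bits = int.from_bytes(data, "little")
    # Simplification: only characters where GSM 03.38 coincides with ASCII.
    return "".join(chr((bits >> (7 * i)) & 0x7F) for i in range(septets))

def parse_sms_deliver(tpdu: bytes) -> dict:
    if tpdu[0] & 0x03 != 0:
        raise ValueError("not an SMS-DELIVER TPDU")
    if tpdu[0] & 0x40:
        raise NotImplementedError("TP-UDHI set (user data header) not handled")
    oa, pos = decode_address(tpdu, 1)          # TP-OA follows the first octet
    dcs = tpdu[pos + 1]                        # TP-PID at pos, TP-DCS at pos+1
    if dcs & 0xCC != 0:
        raise NotImplementedError("only the GSM 7-bit default alphabet is handled")
    scts = [f"{b & 0xF}{b >> 4}" for b in tpdu[pos + 2:pos + 8]]  # TZ octet ignored
    pos += 9                                   # skip to TP-UDL
    udl, ud = tpdu[pos], tpdu[pos + 1:]
    return {"tp_oa": oa,
            "time": f"20{scts[0]}-{scts[1]}-{scts[2]} {scts[3]}:{scts[4]}:{scts[5]}",
            "text": unpack_7bit(ud, udl)}

def messages_from(tpdus, msisdn: str) -> list:
    """Keep only messages whose TP-Originating-Address equals msisdn."""
    return [m for m in map(parse_sms_deliver, tpdus) if m["tp_oa"].lstrip("+") == msisdn]

# Constructed sample TPDUs, not bytes from the challenge PCAP. User data was
# 7-bit packed by hand; sender digits are BCD with nibbles swapped.
TPDUS = [
    bytes.fromhex("04 0B91 3316325476F8 0000 32605101030000 02 C834"),            # +33612345678 "Hi"
    bytes.fromhex("04 0B91 9316323534F6 0000 32605101030000 07 D03B5957C4C600"),  # +39612353436 "Pwd:EX1"
]

if __name__ == "__main__":
    for msg in messages_from(TPDUS, "39612353436"):
        print(msg)
```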