Sunday, 1 September 2013

ASIS CTF 2013 - Forensics 100 - pcap

Task:
Find the flag. file
You can download the missing parts of pcap forensic challenge from here:
053dc897d3e154dd5ed27c46b738850d
21eae902cf5b82c7b207e963a130856d


We were provided a pcap file in this task. Let's open it in Wireshark and look for something interesting among the protocols used in the network dump. This can be done by clicking Statistics -> Protocol Hierarchy.
As you can see, there are a couple of interesting things: HTTP traffic, TCP data, UDP data. If nothing else helps we would probably need to look at the ICMP and SSH traffic too, but in this task it wasn't needed. Let's filter by HTTP: right-click HTTP and select Apply as filter -> Selected. It shows a couple of files that were transferred over HTTP, but let's just remember that and move on to the TCP data traffic. Let's apply "data" as the filter. There are a lot of packets. Following the TCP stream will help to see the entire conversation: right-click a packet and select Follow TCP stream. One of the first ones (filter by tcp.stream eq 0) contains such a conversation:
which lets you find some secret key ("M)m5s6S^[>@#Q3+10PD.KE#cyPsvqH"). It is not an md5, so it is not the flag. Let's dive deeper.
By incrementing the index in the tcp.stream filter we can get a lot of useful information. For example, filtering by tcp.stream eq 7 gives us the list of files.
This list of 20 files will help us later. We have to get those files. There are approximately 50-60 TCP streams. I manually looked through each stream, skipping some 403 HTTP responses, SSH sessions and favicon.ico downloads. A couple of streams are broken because the size of the file is less than the one in the list. After carving 18 files and downloading the 2 which were broken or missing from the CTF site, you have to restore a file. (Before restoring the file, check the md5sum of each piece and compare it to the file name. It is very helpful for avoiding a disastrous mistake.)

It is a 7z archive. This can be deduced from the one file that happens to be the beginning, because of its signature. You can also deduce the last one, which has the smallest size of all. It is notable that the first one, with the signature, has the earliest time in the list and the last one, with the smallest size, has the latest time. So let's order the files by time. There is a caveat though: a couple of files have the same time. To overcome this I just made 4 files covering all variants. The first one was correct. By concatenating the provided files we get a 7z archive that asks for a password. Let's use the secret key that we found earlier. It matches, and as a result we get an image containing the flag (I converted it to PNG).
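The reassembly steps above (verify each carved piece against the md5 in its name, put the piece carrying the 7z signature first and the smallest piece last, order the rest by time, and enumerate the orderings for pieces that share a timestamp) as an added Python example; this is not the author's code, and the archive bytes, piece boundaries and timestamps are constructed stand-ins for the real carved files.

```python
import hashlib
import itertools
from typing import Dict, List, Tuple

SEVENZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"  # signature header of a 7z archive

def verify_chunks(chunks: Dict[str, bytes]) -> List[str]:
    """Names of carved pieces whose MD5 does not match their file name."""
    return [name for name, data in chunks.items()
            if hashlib.md5(data).hexdigest() != name]

def candidate_orders(listing: List[Tuple[str, str]], chunks: Dict[str, bytes]) -> List[List[str]]:
    """Order pieces by the (timestamp, name) listing, permuting pieces that share a
    timestamp; keep only orders with the 7z signature first and the smallest piece last."""
    by_time: Dict[str, List[str]] = {}
    for ts, name in listing:
        by_time.setdefault(ts, []).append(name)
    groups = [by_time[ts] for ts in sorted(by_time)]
    smallest = min(chunks, key=lambda n: len(chunks[n]))
    orders = []
    for combo in itertools.product(*(itertools.permutations(g) for g in groups)):
        order = [n for g in combo for n in g]
        if chunks[order[0]].startswith(SEVENZIP_MAGIC) and order[-1] == smallest:
            orders.append(order)
    return orders

def reassemble(order: List[str], chunks: Dict[str, bytes]) -> bytes:
    """Concatenate the pieces in the given order."""
    return b"".join(chunks[n] for n in order)

def build_sample():
    """Constructed stand-in for the carved files: a fake archive split into 5 pieces,
    each named by its MD5, two of them sharing a timestamp (hypothetical values)."""
    archive = SEVENZIP_MAGIC + bytes(range(256)) * 3 + b"END"  # 777 bytes
    cuts = [0, 200, 420, 600, 760, len(archive)]  # last piece (17 bytes) is smallest
    parts = [archive[cuts[i]:cuts[i + 1]] for i in range(5)]
    names = [hashlib.md5(p).hexdigest() for p in parts]
    chunks = dict(zip(names, parts))
    listing = [("2013-08-30 10:01", names[0]), ("2013-08-30 10:02", names[1]),
               ("2013-08-30 10:03", names[2]), ("2013-08-30 10:03", names[3]),
               ("2013-08-30 10:04", names[4])]
    return archive, chunks, listing

if __name__ == "__main__":
    archive, chunks, listing = build_sample()
    assert not verify_chunks(chunks), "a carved piece is corrupt"
    for i, order in enumerate(candidate_orders(listing, chunks), 1):
        print(i, "matches" if reassemble(order, chunks) == archive else "wrong order")
```

With real pieces you would write each candidate to disk and try the recovered key against it with 7z, as the write-up does; the tie in the sample yields two candidates, only one of which is the intact archive.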

Flag is on the picture.

