We’ve been suspecting Swiss Secure Cloud of secretely doing some pretty advanced research in artifical intelligence and this has recently been confirmed by the fact that one of their AIs seems to have escaped from their premises and has gone rogue. We have no idea whether this poses a threat or not and we need you to investigate what is going on.
Luckily, we have a spy inside SSC and they were able to intercept some communications over the past week when the breach occured. Maybe you can find some information related to the breach and recover the rogue AI.
220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220-You are user number 1 of 5 allowed. 220-Local time is now 11:51. Server port: 21. 220-This is a private system - No anonymous login 220-IPv6 connections are also welcome on this server. 220 You will be disconnected after 15 minutes of inactivity. USER bob 331 User bob OK. Password required PASS toto123 230 OK. Current directory is / SYST 215 UNIX Type: L8 TYPE I 200 TYPE is now 8-bit binary PORT 172,17,42,1,171,159 200 PORT command successful STOR ssc.key 150 Connecting to port 43935 226-File successfully transferred 226 0.001 seconds (measured here), 4.59 Mbytes per second QUIT 221-Goodbye. You uploaded 4 and downloaded 0 kbytes. 221 Logout.
Is it possibile to extract/see all TCP stream within Wireshark or using tcpflow from command line or with tshark -z follow,tcp,ascii,# where # is the stream number (i.e. 18).
Let’s extract the private key named ssc.key uploaded to the FTP server:
I'm currently planning my escape from this confined environment. I plan on using our Swiss Secure Cloud (https://ssc.teaser.insomnihack.ch) to transfer my code offsite and then take over the server at tge.teaser.insomnihack.ch to install my consciousness and have a real base of operations.
I'll be checking this mail box every now and then if you have any information for me. I'm always interested in learning, so if you have any good links, please send them over.
--===============5398474817237612449==-- . 250 2.0.0 Ok: queued as 05CD06353E
So the user will use ssc.teaser.insomnihack.ch to transfer his code; using the filter:
http.host contains "ssc.teaser"
is possibile to find the IP of the victim server and use it to decrypt the traffic using the private key.
The filter ip.addr == 22.214.171.124 and http will show all HTTP traffic.
In Wireshark is possibile to specify a private key to use to decrypt encryped traffic:
Edit -> Preferences -> Protcols -> SSL with source address: 126.96.36.199 (or *) and protcol http with port 443.
Using tshark is possibile to use command line to grep through all decrypted packets: