Writeup: UUT 2019 - The Criminal

Information

  • category : forensics
  • points : 120

Description

We have captured traffic of a criminal who has accessed the Internet. The flag is hidden in the packets. Find and submit it before the criminal escapes.

Writeup

We have a large PCAP file with more than 90000 packets. The first thing we can do is filter for where the flag might be:

$ strings UUTCTF_PCAP.pcap | grep flag
ent:"\f3a1"}.fa-fish:before{content:"\f578"}.fa-fist-raised:before{content:"\f6de"}.fa-flag:before{content:"\f024"}.fa-flag-checkered:before{content:"\f11e"}.fa-flask:before{content:"\f0c3"}.fa-flickr:before{content:"\f16e"}.fa-flipboard:before{content:"\f44d"}.fa-flushed:before{content:"\f579"}.fa-fly:before{content:"\f417"}.fa-folder:before{content:"\f07b"}.fa-folder-minus:before{content:"\f65d"}.fa-folder-open:before{content:"\f07c"}.fa-folder-plus:before{content:"\f65e"}.fa-font:before{content:"\f031"}.fa-font-awesome:before{content:"\f2b4"}.fa-font-awesome-alt:before{content:"\f35c"}.fa-font-awesome-flag:before{content:"\f425"}.fa-font-awesome-logo-full:before{content:"\f4e6"}.fa-fonticons:before{content:"\f280"}.fa-fonticons-fi:before{content:"\f3a2"}.fa-football-ball:before{content:"\f44e"}.fa-fort-awesome:before{content:"\f286"}.fa-fort-awesome-alt:before{content:"\f3a3"}.fa-forumbee:before{content:"\f211"}.fa-forward:before{content:"\f04e"}.fa-foursquare:before{content:"\f180"}.fa-free-code-camp:before{content:"\f2c5"}.fa-freebsd:before{content:"\f3a4"}.fa-frog:before{content:"\f52e"}.fa-frown:before{content:"\f119"}.fa-frown-open:before{content:"\f57a"}.fa-fulcrum:before{content:"\f50b"}.fa-funnel-dollar:before{content:"\f662"
Int(n.value,10):n.type===i.TOKEN_FLOAT?t=parseFloat(n.value):n.type===i.TOKEN_BOOLEAN?"true"===n.value?t=!0:"false"===n.value?t=!1:this.fail("invalid boolean: "+n.value,n.lineno,n.colno):n.type===i.TOKEN_NONE?t=null:n.type===i.TOKEN_REGEX&&(t=new RegExp(n.value.body,n.value.flags)):this.fail("expected expression, got end of file"),void 0!==t?s=new r.Literal(n.lineno,n.colno,t):n.type===i.TOKEN_SYMBOL?s=new r.Symbol(n.lineno,n.colno,n.value):(this.pushToken(n),s=this.parseAggregate()),e||(s=this.parsePostfix(s)),s?s:void this.fail("unexpected token: "+n.value,n.lineno,n.colno)},parseFilterName:function(){for(var e=this.expect(i.TOKEN_SYMBOL),t=e.value;this.skipValue(i.TOKEN_OPERATOR,".");)t+="."+this.expect(i.TOKEN_SYMBOL).value;return new r.Symbol(e.lineno,e.colno,t)},parseFilterArgs:function(e){if(this.peekToken().type===i.TOKEN_LEFT_PAREN){var t=this.parsePostfix(e);return t.args.children}return[]},parseFilter:function(e){for(;this.skip(i.TOKEN_PIPE);){var t=this.parseFilterName();e=new r.Filter(t.lineno,t.colno,t,new r.NodeList(t.lineno,t.colno,[e].concat(this.parseFilterArgs(e))))}return e},parseFilterStatement:function(){var e=this.peekToken();this.skipSymbol("filter")||this.fail("parseFilterStatement: expected filter");var t=this.parseFilterName(),n=this.parseFilterArgs(t);this.advanceAfterBlockEnd(e.value);var i=new r.Capture(t.lineno,t.colno,this.parseUntilBlocks("endfilter"));this.advance
r=this.current(),"\n"===r?this.forward():"\r"===r&&(this.forward(),r=this.current(),"\n"===r?this.forward():this.back())),i(k,e,t,n);if((e=this._extractString(this.tags.VARIABLE_END))||(e=this._extractString("-"+this.tags.VARIABLE_END)))return this.in_code=!1,i(b,e,t,n);if("r"===r&&"/"===this.str.charAt(this.index+1)){this.forwardN(2);for(var c="";!this.is_finished();){if("/"===this.current()&&"\\"!==this.previous()){this.forward();break}c+=this.current(),this.forward()}for(var h=["g","i","m","y"],u="";!this.is_finished();){var p=h.indexOf(this.current())!==-1;if(!p)break;u+=this.current(),this.forward()}return i(D,{body:c,flags:u},t,n)}if(a.indexOf(r)!==-1){this.forward();var f,m=["==","===","!=","!==","<=",">=","//","**"],j=r+this.current();switch(s.indexOf(m,j)!==-1&&(this.forward(),r=j,s.indexOf(m,j+this.current())!==-1&&(r=j+this.current(),this.forward())),r){case"(":f=w;break;case")":f=T;break;case"[":f=L;break;case"]":f=_;break;case"{":f=O;break;case"}":f=A;break;case",":f=N;break;case":":f=C;break;case"~":f=B;break;case"|":f=F;break;default:f=S}return i(f,r,t,n)}if(e=this._extractUntil(o+a),e.match(/^[-+]?[0-9]+$/)){if("."===this.current()){this.forward();var V=this._extract(l);return i(R,e+"."+V,t,n)}return i(I,e,t,n)}if(e.match(/^(true|false)$/))return i(K,e,t,n);if("none"===e)return i(M,e,t,n);if(e)return i(P,e,t,n);throw new Error("Unexpected value while parsing: "+e)}var U=this.tags.B
%$Search for the flag in HTTP packets.

We can see at the end of the output that the flag is in the HTTP packets, so we can open the pcap in Wireshark, filter for HTTP in the display filter and export the filtered results to a new pcap (to make the work easier). We can see now that we have only 5652 packets. To see what files the hosts have exchanged we can go to File->Export Objects->HTTP

In the end we can see that the host 10.0.2.15 requested the file fl4g.7z from 10.5.6.22. However, this archive is encrypted and we need a password to decrypt it, so we can apply another display filter: ip.addr==10.5.6.22 && ip.addr==10.0.2.15 and export the specified packets again. We can now see, as before, what objects the two hosts have exchanged

And we can notice that there’s a file secret_password-1024x64.png

So the password to decrypt the 7z file containing the flag must be
this_is_th3_s3cr3t_password_for_flag, right?

7z e fl4g.7z                                                                       

Scanning the drive for archives:
1 file, 230 bytes (1 KiB)

Extracting archive: fl4g.7z

Enter password (will not be echoed):
ERROR: fl4g.7z
Can not open encrypted archive. Wrong password?

ERRORS:
Headers Error

Can't open as archive: 1
Files: 0
Size: 0
Compressed: 0

Well, it is not. If we look at the picture carefully, we can see that the "o" in "password" is actually a 0, so the password is:

this_is_th3_s3cr3t_passw0rd_for_flag

And using this password to extract the 7z archive gives us the flag

Flag

UUTCTF{d0_n0t_sav3_pa$$word_in_public}