Post

CertCTF-2024

Posted Updated
By laffe
5 min read
CertCTF-2024

Inspection and file extraction

In this challenge we’re asked to download a packet capture file (.pcap) which contains 9 flags. We start by downloading it and open the file with wireshark to view the network traffic. It contains captured traffic from a conversation over IRC. There has been a ransomware attack and in the conversation there are mentions of files being transferred over FTP. Filtering for ftp traffic we find a few files being transferred, 2 more pcap files (corp_net1.pcap & corp_net2.pcap), a disk image, a text file called WORDLIST.txt. Before we begin to dig deeper lets try extract these and save them to a directory called files. This can be done with tcpflow by running the command

tcpflow -r CERT-SE_CTF2024.pcap -o files

tcpflow extraction

While we’re at it, lets also extract any files from corp_net1.pcap and corp_net2.pcap and save these to a directory called ftp-files.

First renaming the files and then extracting with the following commands

mv 010.000.000.020.36671-010.000.000.050.46740 corp_net1.pcap mv 010.000.000.020.38825-010.000.000.050.38952 corp_net2.pcap tcpflow -r corp_net1.pcap -o ftp-files tcpflow -r corp_net2.pcap -o ftp-files

corpnet extraction

Now we can begin to look for flags.

Flag hunting

1. CTF[AES128]

The first flag is found by right clicking any packet with the IRC protocol in CERT-SE_CTF2024.pcap and then click “follow TCP stream” in wireshark. The flag CTF[AES128] seems to be the password used for the IRC channel.

irc-pass

2. CTF[OR]

Among the extracted files there are a gzip file called 010.000.000.020.58938-010.000.000.010.40899. It contains a .txt file “why_not”. Lets first rename the file and then extract it with gzip.

mv 010.000.000.020.58938-010.000.000.010.40899 why_not.gz gunzip why_not.gz

When running the cat command on why_not we see that it contains a lot of repeated characters.

why not Preforming a frequency analysis with python (see code below).

from collections import Counter with open("why_not", "r") as file: content = file.read() \# count characters char_count = Counter(content) \# print each character and how many times it occurs for char, count in char_count.items(): print(f"'{char}': {count}")

frequency analysis

A pattern emerge and it seems to be a flag. Only considering unique characters in the file we get the flag CTF[OR].

3. CTF[RICKROLL]

In the IRC conversation we can find the following sentence: “He also handed over a strange looking string CTF[E65D46AD10F92508F500944B53168930], does it make sense to you?”.

In the conversation there is a hint to “ask John”. This hint brings John The Ripper to mind, which can be used to crack hashes. The string E65D46AD10F92508F500944B53168930 looks like a hash so lets see if it is cracked by using https://crackstation.net/. According to crackstation it is a LM hash and we get a perfect match for “RICKROLL”. Lets also try to crack it with John The Ripper just for fun.

Rick Roll

Indeed we get the same result, RICKROLL.

4. CTF[IRRITATING]

In one of the corp_net.pcap files we find another gzip file called “192.168.137.028.52743-195.200.072.082.50754”. After extracting this file it gives us another gzip. When we extract the new gzip it gives us another, and then another and then another and then a tar file and so on. Extracting all files eventually we get a text file containing the flag.

Irritating

5. CTF[HAPPY BIRTHDAY]

One of the extracted files from corp_net.pcap contained a PE32+ executable (GUI) x86-64, for MS Windows. Running this executable with wine we find a puzzle. After finishing the puzzle the flag can be found to the left of Donald ducks head, it spells CTF[HAPPY BIRTHDAY]

Puzzle1 Puzzle2

6. CTF[OPPORTUNISTICALLY]

One of the file extracted from CERT-SE_CTF2024.pcap is a gzip file containing a disk image. Opening this disk image with autospy we find a few interesting files inside.

  • ransomeware.sh
  • secret
  • secret.encrypted
  • sslkeylogfile

Autopsy

The ransomware.sh script seems to fetch a password from url: https://whatyoulookingat.com/1.txt when doing the encryption.

Using the sslkeylogfile we can try to decrypt the TSL traffic inside the 010.000.000.020.36671-010.000.000.050.46740.pcap file but it is missing the client_random key. The client random key can be found in the TSL handshake that was made to the C2 from IP: 195.200.72.82 which was mentioned in the IRC conversation. Now that we have the client random key, lets added it to the sslkeylogfile:

CLIENT_RANDOM cb68ed4293ea43b5ae0f949b7d36f9e801cdea8025cb8ce61b2226a1ba502118

To decrypt the TLS traffic we need to import the sslkeylogfile into wireshark. When the traffic is successfully decrypted we locate the http request that was made to “whatyoulookingat.com” and then following the http stream, we find the password pheiph0Xeiz8OhNa.

Password found

Now trying to decrypt the secret.encrypted file with this password

openssl enc -d -aes-128-cbc -in secret.encrypted -out decrypted_secret.txt -pass pass:"pheiph0Xeiz8OhNa"

It worked and the flag was found Password found

7. CTF[RHODE_ISLAND_Z]

In the IRC conversation they talk about a machine called CTF-PC101 and a word list. Running strings on all files we found that in the file 192.168.200.052.49424-192.168.200.051.00088 (which was extracted from 010.000.000.020.38825-010.000.000.050.38952.pcap) there was match for CTF-PC101.

We went and looked at the packages from source: 192.168.200.52 to destination: 192.168.200.51. There we found that they were communicating using the Kerberos protocol. After some research we understood that it was possible to extract password hashes from this pcap. Also after inspecting the files for a long time we discovered the username and realm. First we tried to construct the hashes by hand so we then could use JTR (John The Ripper) but there is an easier way to extract the hashes with tshark.

tshark -r 010.000.000.020.38825-010.000.000.050.38952.pcap -T pdml > output.pdml

We can then use a script called krb2john.py, which takes hashes from the pmdl file and makes them into a format that JTR can crack.

Two hashes was found with krb2john. CTF:\$krb5pa\$18\$CTF\$LAB.LOCAL\$\$1bbdb63ecab6986bdf7e3f4f8c635a9ea69adca80f8 1fc56d50ba384db4270fb994653eade08e0e79b5d7ed45f8ae3be7e89fa753be94566

CTF:\$krb5pa\$18\$CTF\$LAB\$\$c205a0c850b9b9a52ff583e6d9196181cbd 3de1997b1ab0c9f7e54896531b3ed499b85d91becf255882a4d784518c5345f67378d2fdd397c

krb2john

The hashes was copied into a new file and then we used john the ripper with the word list that was extracted in from the pcap and found a match, [RHODE_ISLAND_Z].

krb2john

Wrapping the matching string with CTF we get the flag CTF[RHODE_ISLAND_Z].

CTF, Write-ups
ctf hacking CERT
This post is licensed under CC BY 4.0 by the author.