Monday, July 22, 2019

CyBRICS CTF Quals 2019 - Paranoid

by Renato "shrimpgo" Pacheco

Description

My neighbors are always very careful about their security. For example they’ve just bought a new home Wi-Fi router, and instead of just leaving it open, they instantly are setting passwords!

Don’t they trust me? I feel offended.

paranoid.zip

Can you give me their current router admin pw?

By unpacking the ZIP file, we will have a ‘paranoid.pcap’ file. The problem description provides us the information that the PCAP file is about wireless traffic. Opening the PCAP with wireshark we can notice the communication isn’t encrypted. Let’s take a look into it:

image

image

It seems router admin access with default password 1234. Let’s check if there is any POST request (applying filter http.request.method == POST):

image

Yes, there are 2 of them! The first one changes admin password:

image

Coming back to description, he asked for the password’s router admin. Maybe this is the flag, but it would be too easy… Anyway, I tried and failed. Checking another POST request:

image

This is more interesting! He’s applying WEP connection and the password is Xi1nvy5KGSgI2. This POST request proves that wireless connection has WEP connection implemented. So, I’ve wrote that password in a file called senha and used it in aircrack-ng:

$ aircrack-ng -a 1 -w senha paranoid.pcap

The option -a 1 tells aircrack-ng to force WEP attack. The result is:

                                                                     Aircrack-ng 1.5.2 


                                                        [00:00:00] Tested 1 keys (got 8688 IVs)

   KB    depth   byte(vote)
    0    0/  0   00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 
    1    0/  0   00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 
    2    0/  0   00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 
    3    0/  0   00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 
    4    0/  0   00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 
    5    0/  0   00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 
    6    0/  0   00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 
    7    0/  0   00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 
    8    0/  0   00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 
    9    0/  0   00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 
   10    0/  0   00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 
   11    0/  0   00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 
   12    0/  0   00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 

     KEY FOUND! [ 58:69:31:6E:76:79:35:4B:47:53:67:49:32 ] (ASCII: Xi1nvy5KGSgI2 )
        Decrypted correctly: 100%

Nice! Let’s put it in wireshark to decrypt wireless traffic (Edit > Preferences… > Protocols > IEEE 802.11 > Decription keys > Edit). Add this password, found by aircrack-ng, like this:

image

Remember to not put ASCII password format, but the hexadecimal password format! Click on OK button to apply and more POST requests will show up!

image

According with new POST requests, he added a MAC in ACL MAC, changed SSID (NSA_WIFI_DONT_HACK), changed admin password and set WPA connection, in that order. The new admin password is BIGTIME2383 but, again, this is not the flag. Looking at WPA connection set, it shows this:

image

The new password for WPA connection is 2_RGR_xO-uiJFiAxdA33-PsdanuK. Again, let’s check if this password matches with WPA traffic present on PCAP file:

$ echo 2_RGR_xO-uiJFiAxdA33-PsdanuK >> senha
$ aircrack -a 2 -w senha paranoid.pcap


                              Aircrack-ng 1.5.2 

      [00:00:00] 1/6 keys tested (7.03 k/s) 

      Time left: 0 seconds                                      50.00%

                 KEY FOUND! [ 2_RGR_xO-uiJFiAxdA33-PsdanuK ]


      Master Key     : 8D 60 25 A0 13 2B 25 C0 14 EB 50 1F F7 A1 4B BE 
                       48 4E 13 71 6A 88 5B 6E 16 9A 66 EA 67 5E 90 68 

      Transient Key  : 98 A2 47 CE 0B CB 6B 48 0E 50 D9 0A C0 5B BC 66 
                       BF EB 00 18 C8 F0 A8 79 2E BF 84 24 EB 04 D0 A6 
                       F8 EF FF 2B F6 E6 55 85 08 46 19 01 BD 90 19 92 
                       01 8F A0 9B A3 30 1A DE 01 10 0C 26 A1 6B 66 41 

      EAPOL HMAC     : 4C 10 C2 3C E3 BF D9 FD A4 EF CA 1B 0A 2C DF 77

Alright! It matches! Let’s add it in wireshark to decrypt WPA traffic (following same procedure made in WEP traffic before). News POST requests will show up!

image

Now, it only shows POST requests about changing admin password. Following this HTTP traffic, we see the flag:

image

Flag: cybrics{n0_w4Y_7o_h1d3_fR0m_Y0_n316hb0R}

Capture the Flag , Forensics , Networking , Writeup