Wednesday, September 25, 2019

InCTF 2019 - Fresh From The Oven

by Renato "shrimpgo" Pacheco

Description

I have intercepted one of my friends' chats. Can you help me in analyzing it?

Challenge: Link1 & Link2

This PCAP file contains a communication between two users over a TCP connection, initially on port 1337. The following chat was extracted from TCP port 1337:

[screenshot: initial conversation]

Note the hint in uppercase. The chat reads: "It also means encoding the data also. So we shall chat by encoding our messages so that others cannot intercept them! Our secret code: Remember remember the FIFTH of november :)". FIFTH suggests ROT5. Applying it to the encoded text:

[screenshot: decoded text]

It tells us that the default encoding is ROT5 and that he is going to send some files. Digging further into the PCAP, we found traffic between the users on two more TCP ports, 444 and 81, with the PSH flag set and a payload of 800 bytes per packet. Very suspicious, right? We used tcpflow to retrieve the files:

$ mkdir 81 444; cd 81
$ tcpflow -r ../challenge.pcapng "tcp port 81"
$ for i in {2374..3233}; do cat 192.168.043.242.0$i-192.168.043.178.00081 >> ../out81; done
$ cd ../444
$ tcpflow -r ../challenge.pcapng "tcp port 444"
$ for i in {2203..2265}; do cat 192.168.043.242.0$i-192.168.043.178.00444 >> ../out444; done

Extracting these payloads separately by port gave us two weird files. Looking at the hex of one of them, we applied ROT5 to each byte (shifting it back by 5) to check whether our theory was right:

$ python3
>>> f = open('out444', 'rb').read()
>>> bytes([(f[0]-5)%256])
b'%'
>>> bytes([(f[1]-5)%256])
b'P'
>>> bytes([(f[2]-5)%256])
b'D'
>>> bytes([(f[3]-5)%256])
b'F'

Did you notice the PDF file header? OK, our theory was right. The other one was a ZIP file. We wrote a script to automate this:

# Undo the ROT5 "encoding": every byte was shifted up by 5, so shift it back down.
def rot5_decode(data):
    return bytes((b - 5) % 256 for b in data)

with open('out81', 'rb') as f:
    zipdata = rot5_decode(f.read())
with open('out444', 'rb') as f:
    pdfdata = rot5_decode(f.read())

with open('file.zip', 'wb') as w:
    w.write(zipdata)
with open('file.pdf', 'wb') as w:
    w.write(pdfdata)
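As an added example (not the author's script), the same byte-shift decoding generalized: instead of assuming the shift is 5, it tries every possible shift against a small table of file signatures and keeps the one that yields a known header, so the same tool works on the next challenge that picks ROT13 or ROT42 over raw bytes. The MAGIC table, the function names and the constructed SAMPLE are assumptions made for this example; on the real streams you would pass out81 and out444 on the command line.

```python
import sys

# Known file signatures ("magic bytes") we expect to see once decoding is right.
# Constructed/assumed table for this example; extend it as needed.
MAGIC = {
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",
    b"\x89PNG\r\n\x1a\n": "png",
}

def rot_bytes(data, shift):
    """Shift every byte by `shift` modulo 256 (a negative shift decodes ROT+N)."""
    return bytes((b + shift) % 256 for b in data)

def identify(data):
    """Return the file type whose magic matches the start of `data`, else None."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None

def find_shift(data, max_probe=16):
    """Try every byte shift and return (shift, kind) for the first one that
    produces a known magic, or None. Only the first max_probe bytes are decoded
    per attempt, so this stays cheap even for large streams."""
    head = data[:max_probe]
    for shift in range(256):
        kind = identify(rot_bytes(head, -shift))
        if kind:
            return shift, kind
    return None

def decode_stream(data):
    """Detect the shift and return (kind, decoded bytes); raise if nothing matches."""
    found = find_shift(data)
    if found is None:
        raise ValueError("no known file signature under any byte shift")
    shift, kind = found
    return kind, rot_bytes(data, -shift)

# Constructed sample: a fake PDF header "encoded" with ROT5, like the challenge
# streams. Real input would be read from out81 / out444.
SAMPLE = rot_bytes(b"%PDF-1.4\n%lorem ipsum", 5)

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            kind, decoded = decode_stream(f.read())
        out = path + "." + kind
        with open(out, "wb") as w:
            w.write(decoded)
        print(f"{path}: detected {kind}, wrote {out}")
```

Probing only the first few bytes keeps the search at 256 tiny decodes; the full stream is decoded once, after the shift is known.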

Now we have one PDF and one ZIP file. First we looked into the PDF and didn't find anything useful: it is just a bunch of Lorem Ipsum text. Then we tried to extract the ZIP file:

$ unzip file.zip 
Archive:  file.zip
[file.zip] flag.png password:

Oh, shit! A password! We can crack this with John The Ripper:

$ zip2john file.zip > hash
ver 2.0 efh 5455 efh 7875 file.zip->flag.png PKZIP Encr: 2b chk, TS_chk, cmplen=687020, decmplen=700134, crc=71AEC93F

$ john --wordlist=rockyou.txt hash 
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
johnjandroveclarkmichaelkent (file.zip)
1g 0:00:00:01 DONE (2019-09-25 19:10) 0.9174g/s 6358Kp/s 6358Kc/s 6358KC/s jolyvic..john1ssex1
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Ez-pz! Decompressing the ZIP file:

$ unzip file.zip 
Archive:  file.zip
[file.zip] flag.png password:
  inflating: flag.png

This is the image file:

[image: flag.png]

So cute! We're close to the flag… Focus, Neo! The first try was to look for Least Significant Bit (LSB) steganography with zsteg:

$ zsteg -a flag.png 
imagedata           .. text: "---555%%%"
b1,bgr,lsb,xy       .. text: "1MLorem ipsum dolor sit amet, consectetur adipiscing elit. Morbi pretium enim eu tortor tincidunt, ac convallis nulla imperdiet. Praesent eget fringilla odio, ut ornare quam. Quisque enim purus, semper sed felis quis, vestibulum congue metus. Sed bib"
b3,r,lsb,xy         .. text: ">D4nT4m6"
b3,g,msb,xy         .. text: "+-N*X$\[email protected]"
b4,r,lsb,xy         .. text: "2\"##UD\"\""
b4,r,msb,xy         .. text: "333]U]U]U"
b4,g,lsb,xy         .. text: "eFywUTDTUTDvgvdTwvgvwtE2#22TUDDxw"
<skipped>
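To make concrete what a zsteg result line such as b1,bgr,lsb,xy denotes, here is an added example (not from the original post and not zsteg's code) that hides a constructed message in the least significant bit of the blue, green and red channel of each pixel, walking the image row by row, and then reads it back the same way and searches the recovered bytes for an inctf{...} token. The cover image, the message and the function names are constructed for this example; the bit_order parameter follows the wording of zsteg's --lsb/--msb options (least or most significant bit of each output byte comes first), which is an assumption about its convention rather than something the post states.

```python
import re

# Channel positions inside an (r, g, b) pixel tuple.
CHANNEL_INDEX = {"r": 0, "g": 1, "b": 2}

def bytes_to_bits(data, bit_order):
    """Split bytes into bits. 'lsb' emits each byte's least significant bit first,
    'msb' emits the most significant bit first."""
    seq = range(8) if bit_order == "lsb" else range(7, -1, -1)
    return [(byte >> i) & 1 for byte in data for i in seq]

def bits_to_bytes(bits, bit_order):
    """Inverse of bytes_to_bits; trailing bits that do not fill a byte are dropped."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        byte = 0
        for pos, bit in enumerate(bits[i:i + 8]):
            byte |= bit << (pos if bit_order == "lsb" else 7 - pos)
        out.append(byte)
    return bytes(out)

def embed_lsb(pixels, payload, channels="bgr", bit_order="lsb"):
    """Hide payload in the LSB of each listed channel, pixel by pixel in row-major
    ('xy') order. Returns a new pixel list; the cover is left unchanged."""
    bits = bytes_to_bits(payload, bit_order)
    if len(bits) > len(pixels) * len(channels):
        raise ValueError("payload does not fit in the cover image")
    out = [list(p) for p in pixels]
    k = 0
    for px in out:
        for ch in channels:
            if k == len(bits):
                break
            idx = CHANNEL_INDEX[ch]
            px[idx] = (px[idx] & 0xFE) | bits[k]
            k += 1
    return [tuple(p) for p in out]

def extract_lsb(pixels, channels="bgr", bit_order="lsb"):
    """Read the LSB of each listed channel in the same walk and repack into bytes;
    this is the read that a zsteg line like 'b1,bgr,lsb,xy' describes."""
    bits = [px[CHANNEL_INDEX[ch]] & 1 for px in pixels for ch in channels]
    return bits_to_bytes(bits, bit_order)

FLAG_RE = re.compile(rb"inctf\{[^}]*\}")

def find_flag(data):
    """Return the first inctf{...} token in data, or None."""
    m = FLAG_RE.search(data)
    return m.group(0) if m else None

# Constructed cover: a 24x24 RGB gradient as a flat row-major list of (r, g, b).
W, H = 24, 24
COVER = [((x * 7) % 256, (y * 13) % 256, (x * y) % 256) for y in range(H) for x in range(W)]
# Constructed payload in the style of the challenge (not the real image data).
MESSAGE = b'Lorem ipsum dolor sit amet. "inctf{constructed_sample_flag}"'

def demo():
    """Embed MESSAGE, then recover it the way a b1,bgr,lsb,xy read would."""
    stego = embed_lsb(COVER, MESSAGE)
    recovered = extract_lsb(stego)
    return recovered[:len(MESSAGE)], find_flag(recovered)

if __name__ == "__main__":
    text, flag = demo()
    print(text.decode())
    print("flag:", flag)
```

Reading the same stego pixels with a different channel order (for example "rgb") yields garbage, which is why zsteg enumerates every combination of bit count, channel order, bit order and pixel walk before reporting the ones that look like text.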

The second hit (b1,bgr,lsb,xy) is Lorem Ipsum text (again!). Extracting this payload in full:

1MLorem ipsum dolor sit amet, consectetur adipiscing elit. Morbi pretium enim eu tortor tincidunt, ac convallis nulla imperdiet. Praesent eget fringilla odio, ut ornare quam. Quisque enim purus, semper sed felis quis, vestibulum congue metus. Sed bibendum turpis eget scelerisque ornare. Duis quis neque eros. Ut maximus id lectus ut gravida. Nullam sit amet ex eu ex interdum convallis. Fusce sed leo id orci ultricies efficitur sed at nulla. Integer ornare sollicitudin metus sit amet tempor. Vestibulum eu magna in neque interdum tincidunt. Aenean efficitur sit amet eros eu porttitor. Class aptent taciti sociosqu ad litora torquent per conubia nostra, per inceptos himenaeos. Proin velit nunc, sagittis ac ante quis, tincidunt malesuada lacus. Interdum et malesuada fames ac ante ipsum primis in faucibus. Curabitur molestie nibh feugiat diam bibendum tincidunt.
Suspendisse ultrices risus at nunc tempor eleifend. Aliquam volutpat lectus at diam egestas consequat. Pellentesque quis fermentum purus. Maecenas vel lorem consequat justo consectetur euismod sit amet vel lorem. Cras bibendum nec tortor sit amet tristique. Nam semper nulla a maximus mattis. Vestibulum consequat enim quis nulla eleifend, nec congue justo sollicitudin. Donec quam sapien, malesuada et libero quis, aliquam tempor odio. Etiam aliquet non tellus ac bibendum.
 Sed sed dolor eu dolor faucibus interdum. Nullam tincidunt faucibus tempus. Nulla molestie ullamcorper velit, eget facilisis metus tempus sed. Duis vel purus at erat ultricies sollicitudin.
<skipped>
Aenean in turpis venenatis, maximus mauris ut, maximus elit. Sed porta tortor non fermentum congue. Class aptent taciti sociosqu ad litora torquent per conubia nostra, per inceptos himenaeos. Praesent et libero laoreet, rhoncus elit id, molestie diam. Cras scelerisque vehicula velit, euismod commodo purus aliquet sed. Etiam et arcu quam. Donec sollicitudin risus enim, sit amet lacinia enim tempor quis. Ut sit amet lectus risus. Orci varius natoque penatibus et magnis dis parturient montes, nascetur ridiculus mus. Curabitur blandit tortor a porttitor rhoncus. Pellentesque quis semper tellus. Donec malesuada bibendum mi vel condimentum. Integer posuere, diam eget elementum porta, erat diam consequat purus, quis imperdiet nulla massa non urna. Quisque fringilla nec diam eu suscipit. Ut sollicitudin, neque a finibus porttitor, eros lacus ultricies nulla, in congue ante tellus quis ante.
"inctf{3ach_4nd_3v3ry_s3cre7_inf0rm4t10n_w1ll_b3_kn0wn_by_wir3shark!!!!!_:)}"
<skipped>

WOW! Here comes the flag!

flag: inctf{3ach_4nd_3v3ry_s3cre7_inf0rm4t10n_w1ll_b3_kn0wn_by_wir3shark!!!!!_:)}

Thanks to @marzanol for decoding the files with ROT5, and to @Dan_Ps, @dapolinario and @adriano_ribeiro for helping solve this challenge!

Capture the Flag , Forensics , Writeup