Tuesday, May 7, 2019

INS'hAck 2019 - Passthru

by Renato "shrimpgo" Pacheco


You’re part of a company security team and the admin has recently enabled interception on the company filtering proxy. The admin is pretty confident when it comes to its domain whitelist. He gave you a capture to review. Time to prove him wrong.

This challenge brought a pcap file called capture.pcap and a file called sslkey.log. Let’s see what is inside of capture.pcap:

$ tcpick -r capture.pcap
Starting tcpick 0.2.1 at 2019-05-04 22:34 -03
Timeout for connections is 600
tcpick: reading from capture.pcap
1      SYN-SENT >
1      FIN-WAIT-1 >
1      FIN-WAIT-2 >
1      RESET >
2      SYN-SENT >
2      FIN-WAIT-1 >
2      FIN-WAIT-2 >
2      RESET >

There is a lot of connections in localhost at destination port 8080. Inspecting some packets, I could see a client browsing on Internet by proxy, with all of traffic encrypted. So how can I decrypt this packets? Wireshark is sollution! Opening capture.pcap in Wireshark, it will be like this:


Load sslkey.log in SSL Protocol (Edit > Preferences... > Protocols > SSL):


Now I can see HTTP Requests in plaintext:


The main accesses were wikipedia.org, forensicswiki.org, docs.python.com, en.cppreference.com, www.bcc.com, nothing relevant BUT I found something odd between others access. Some access to images.google.com with requestbin.net, redirecting to www.google.com/search?tbs:sbi... I didn’t know what requestbin.net was, so I read about it:


RequestBin gives you a URL that will collect requests made to it and let you inspect them in a human-friendly way. Use RequestBin to see what your HTTP client is sending or to inspect and debug webhook requests.

Here an example:


Hum… Maybe if I access his requestbin ID zk2s2ezk I’ll find something.


Shit! It expired! What now? Keep looking at URL, I saw another clue. After id=... there was a parameter called kcahsni but, if you look closer, is a inshack in backwards! Cool! I got its content 9ef773fe97f56554a3b4 and translated to ASCII:

$ echo -n 9ef773fe97f56554a3b4 | xxd -r -p

Nothing suspicious, but I’ll inspect others URLs. I made a filter on wireshark and extracted these packets (File > Extract Packets Dissections > Plaintext):


I wrote in file called exported.txt. Here are the steps that I made to come into hexes:

$ grep searchbyimage exported.txt | egrep -v "(Full request|Expert Info|GET)" | cut -d' ' -f11 > requests.txt
$ awk -F'%3D' '{print $3}' requests.txt | cut -d'&' -f1 | tr -d '\n' | xxd -r -p 

Hey! Look what I found! My suspicious were correct! Now just reverse the characters to get our flag:

$ echo "}e59ad3f38a01dca00f9759e6d205317642c5421fcdad034ebe7077c2bddd472b{ASNI" | rev

Flag: INSA{b274dddb2c7707ebe430dadcf1245c246713502d6e9579f00acd10a83f3da95e}

Capture the Flag , Forensics , Writeup