Description
You’re part of a company security team and the admin has recently enabled interception on the company filtering proxy. The admin is pretty confident when it comes to its domain whitelist. He gave you a capture to review. Time to prove him wrong.
This challenge brought a pcap file called capture.pcap and a file called sslkey.log. Let’s see what is inside of capture.pcap:
$ tcpick -r capture.pcap
Starting tcpick 0.2.1 at 2019-05-04 22:34 -03
Timeout for connections is 600
tcpick: reading from capture.pcap
1 SYN-SENT 127.0.0.1:59408 > 127.0.0.1:8080
1 SYN-RECEIVED 127.0.0.1:59408 > 127.0.0.1:8080
1 ESTABLISHED 127.0.0.1:59408 > 127.0.0.1:8080
1 FIN-WAIT-1 127.0.0.1:59408 > 127.0.0.1:8080
1 FIN-WAIT-2 127.0.0.1:59408 > 127.0.0.1:8080
1 RESET 127.0.0.1:59408 > 127.0.0.1:8080
2 SYN-SENT 127.0.0.1:59410 > 127.0.0.1:8080
2 SYN-RECEIVED 127.0.0.1:59410 > 127.0.0.1:8080
2 ESTABLISHED 127.0.0.1:59410 > 127.0.0.1:8080
2 FIN-WAIT-1 127.0.0.1:59410 > 127.0.0.1:8080
2 FIN-WAIT-2 127.0.0.1:59410 > 127.0.0.1:8080
2 RESET 127.0.0.1:59410 > 127.0.0.1:8080
...
There is a lot of connections in localhost at destination port 8080. Inspecting some packets, I could see a client browsing on Internet by proxy, with all of traffic encrypted. So how can I decrypt this packets? Wireshark is sollution! Opening capture.pcap in Wireshark, it will be like this:
Load sslkey.log in SSL Protocol (Edit > Preferences... > Protocols > SSL):
Now I can see HTTP Requests in plaintext:
The main accesses were wikipedia.org, forensicswiki.org, docs.python.com, en.cppreference.com, www.bcc.com, nothing relevant BUT I found something odd between others access. Some access to images.google.com with requestbin.net, redirecting to www.google.com/search?tbs:sbi... I didn’t know what requestbin.net was, so I read about it:
RequestBin gives you a URL that will collect requests made to it and let you inspect them in a human-friendly way. Use RequestBin to see what your HTTP client is sending or to inspect and debug webhook requests.
Here an example:
https://images.google.com/searchbyimage?image_url=http%3A%2F%2Frequestbin.net%2Fr%2Fzk2s2ezk%3Fid%3D82290383-7480-487c-b78b-77ac769c56cd%26kcahsni%3D9ef773fe97f56554a3b4&encoded_image=&image_content=&filename=&hl=fr
Hum… Maybe if I access his requestbin ID zk2s2ezk I’ll find something.
Shit! It expired! What now? Keep looking at URL, I saw another clue. After id=... there was a parameter called kcahsni but, if you look closer, is a inshack in backwards! Cool! I got its content 9ef773fe97f56554a3b4 and translated to ASCII:
$ echo -n 9ef773fe97f56554a3b4 | xxd -r -p
��s���eT��
Nothing suspicious, but I’ll inspect others URLs. I made a filter on wireshark and extracted these packets (File > Extract Packets Dissections > Plaintext):
I wrote in file called exported.txt. Here are the steps that I made to come into hexes:
$ grep searchbyimage exported.txt | egrep -v "(Full request|Expert Info|GET)" | cut -d' ' -f11 > requests.txt
$ awk -F'%3D' '{print $3}' requests.txt | cut -d'&' -f1 | tr -d '\n' | xxd -r -p
��s���eT��&��������rZ�9h�R�<
}e59ad3f38a01dca00f9759e6d205317642c5421fcdad034ebe7077c2bddd472b{ASNI
2���l$���fg����(Ej�J�ơ.>�K
Hey! Look what I found! My suspicious were correct! Now just reverse the characters to get our flag:
$ echo "}e59ad3f38a01dca00f9759e6d205317642c5421fcdad034ebe7077c2bddd472b{ASNI" | rev
INSA{b274dddb2c7707ebe430dadcf1245c246713502d6e9579f00acd10a83f3da95e}
Flag: INSA{b274dddb2c7707ebe430dadcf1245c246713502d6e9579f00acd10a83f3da95e}