Project Sekai
🔒 RITSEC CTF 2023 / ✅-forensics-ads
Ads - 300 points
Category: Forensics Description: We had to release a marketing intern because he failed security training. We monitored his activity for the last two weeks and captured this network traffic. We're worried that he was exfiltrating data. Can you confirm? Files: No files. Tags: No tags.
Sutx pinned a message to this channel. 03/31/2023 4:02 PM
I'm checking clocks
no idea on that, might check this
17:37
this is also http requests, hmm
17:37
how do we extract payload data
from HTTP?
it's an OCSP request
17:38
0Q0O0M0K0I0
I don't think it's relevant
17:38
ICMP might be relevant
17:38
Router advertisement, etc
17:38
might be relevant with chall name
so we need to extract ICMP data?
Hint: Our network engineering team was able to isolate some suspicious ICMP traffic coming through our routers. We're still not sure what to make of it, though.
22:37
file may be updated
there seems to be some icmp requests with this as data: 53555045524d414e00 (SUPERMAN\x00)
in some packets with ttl 1 (so maybe traceroute)
04:35
Just learnt by accident that traceroute in Linux sends "SUPERMAN" in its data. This made my day. #SuperMan #TTL #DogsWithRouters
04:36
the data (in hex) from all icmp packets with ip.source == 192.168.0.247
04:37
the destination is different for most of them
04:38
here they are with the dst ips (edited)
04:41
only icmp with data and not the ones to 192.168.0.101
crazyman ai 04/01/2023 4:41 AM
I will check them when I go home
without the superman
Guesslemonger 04/01/2023 4:47 AM
looked at it a lot, 192.168.0.101 and 192.168.0.247 should be relevant ips, since there is a router advertisement exchange between the two
04:47
idk how to proceed
04:49
also looked at response time, looked to be in ascii range, but it is a precise decimal, but shows up as rounded decimal in wireshark
04:49
so might not be relevant
all the pings between 101 and 247 are 0x08 - 0x37 only tho
Guesslemonger 04/01/2023 4:58 AM
129.21.21.100 range is their uni ip, might be relevant
the third byte in every packet is in range 0-15
05:01
the other two bytes seem to not follow any pattern at all
05:02
Guesslemonger 04/01/2023 5:02 AM
concentrating on 129 range ip, some reply, some no response, might have to separate data packets basis that
doesn't make sense when we should investigate exfiltration
Guesslemonger 04/01/2023 5:04 AM
icmp data can always be modified with scapy
ok, but how would he be exfiltrating data with incoming data (edited)
05:05
like how would he be able to control from where he's exfiltrating data which servers respond and which dont
Guesslemonger 04/01/2023 5:05 AM
incoming? when you ping an ip you send data right?
yeah, but you said filter / do stuff based on whether or not there's a reply
Guesslemonger 04/01/2023 5:06 AM
umm, might not be a realistic chall as such, i can just modify specific packets for a ctf style chall
05:07
pinging set of ips in same range definitely looks sus
05:09
need to learn tshark regex
05:16
data is not forming any file format as such
yeah it's probably somehow scrambled or encrypted
05:18
I'd guess encrypted because of the third byte being in range 0-15 (which would match many encryption block sizes), however they are not evenly distributed, so that speaks against this hypothesis
05:18
like there are (afaict) only 9 data packets which have an 8 as third byte
hfz
used /ctf submit
✅ Well done, challenge solved!
>>> from scapy.all import rdpcap, ICMP
>>> import re
>>> s = rdpcap("ads.pcapng")
>>> def filter(pkt):
...     # frames sent by the intern's MAC that are ICMP but not echo request (8),
...     # echo reply (0) or destination unreachable (3)
...     return pkt.src == "a4:83:e7:3c:76:79" and pkt.haslayer(ICMP) and not (pkt[ICMP].type == 8 or pkt[ICMP].type == 0 or pkt[ICMP].type == 3)
...
>>> s = s.filter(filter)
>>> len(s), len(s)%8
(184, 0)
>>> # one bit per packet: even ICMP type -> 1, odd ICMP type -> 0
>>> bits = "".join(str([0,1][pkt[ICMP].type%2==0]) for pkt in s)
>>> bits
'0101001001010011011110110110011100110000001100000110011101101100011001010101111101000001011001000110010001011111011100110011001101110010011101100011000101100011001100110111001101111101'
>>> # group into bytes and decode as ASCII
>>> "".join(chr(int(i, 2)) for i in re.findall(".{8}", bits))
'RS{g00gle_Add_s3rv1c3s}'
>>>
08:16
Mobile IP advertisement/Router solicitation, binary stream
damn nice
Guesslemonger 04/01/2023 10:01 AM
Huh, which packets are those?
10:01
Wireshark filter?
eth.src == a4:83:e7:3c:76:79 && icmp && !(icmp.type == 8 or icmp.type == 0 or icmp.type == 3)
Guesslemonger 04/01/2023 10:30 AM
o pretty cool