In this challenge, we were given a PCAP file and we have to find the flag using it.
Since no other information is given in the question apart from the PCAP file, we open it with Wireshark. Now, let's check the HTTP traffic.
Using the filter `http.request.method == "GET"`, we check all the HTTP GET requests captured in the PCAP file:
We can see several HTTP GET requests to download files whose name is a 32 char hex string.
Let us now sort this using the Info Column and we get this:
We open the PCAP with Network Miner which will analyze the PCAP file and extract any files from it. You can get Network Miner from here:
http://sourceforge.net/projects/networkminer/
Network Miner is able to reconstruct a few files from the TCP Streams:
After checking these files, it was found that the file with the name: d33cf9e6230f3b8e5a0c91a0514ab476 is a 7-zip file. But when you try to open it with 7-zip, it would not work. So, the 7-zip file is corrupted.
This is where the other chunks being downloaded in the PCAP will come to use. So, let's go ahead and get all those chunks.
Since Network Miner was unable to get all of them, we use tcpflow to get all the TCP Streams from the PCAP file.
Let us first search these TCP streams for interesting information. We check the first TCP stream from our search results and find that it contains an index of files:
So we extract the HTML response from this TCP stream and view it in a browser:
So, we have a directory listing of the files. By looking at the size of these files we can see that almost all of them have a size of 61440 bytes. We analyze all the TCP streams with a size >= 58000 (the smallest file in the directory listing above).
Now, we have the TCP Streams of interest:
We now need to extract the data from these TCP streams. These streams also contain the HTTP response headers, so we need to strip those.
Since the HTTP response headers end with \r\n\r\n (in hex, 0x0d 0x0a 0x0d 0x0a), we can use that as a delimiter and extract all the data after it:
We extract the data from all these streams, then calculate the MD5 hash of each chunk and compare it with the file names we got from the directory index above. We keep only the ones required.
Now, we need to put all these chunks of data together with the 7-zip file and extract it. The sequence of these chunks can be determined according to the file timestamps mentioned in the directory index above. Since there are 2 pairs of files having the same timestamp, we have to try combining the chunks in different orders to get it working.
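The chunk-recovery steps above (strip the HTTP headers at the first \r\n\r\n, MD5 each body, match it against the directory index, order by timestamp and report the same-timestamp ties that still need manual reordering) as an added example; this is not the author's script, and the Apache-style listing format, the stream bytes and the chunk contents are constructed stand-ins:

```python
import hashlib
import re
from collections import defaultdict
from datetime import datetime

HDR_END = b"\r\n\r\n"  # terminator of the HTTP response headers

def strip_http_headers(stream: bytes):
    """Return the payload after the HTTP response headers, or None if there are none."""
    idx = stream.find(HDR_END)
    return None if idx == -1 else stream[idx + len(HDR_END):]

def hash_streams(streams):
    """Index every stream body by its MD5; the server named each chunk by its MD5."""
    bodies = {}
    for s in streams:
        body = strip_http_headers(s)
        if body:
            bodies[hashlib.md5(body).hexdigest()] = body
    return bodies

# Assumed "Index of" row layout: <a href="<md5>">...</a> 20-Mar-2015 10:01 61440
ROW_RE = re.compile(r'href="([0-9a-f]{32})".*?(\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2})', re.S)

def parse_listing(html: str):
    """Return [(chunk name, timestamp)] for each row of the directory index."""
    return [(n, datetime.strptime(ts, "%d-%b-%Y %H:%M")) for n, ts in ROW_RE.findall(html)]

def reassemble(listing_html: str, streams):
    """Concatenate the recovered chunks in timestamp order.
    Returns (data, missing chunk names, groups of chunks sharing a timestamp);
    a tied group is the set whose order may have to be swapped by hand."""
    bodies = hash_streams(streams)
    rows = sorted(parse_listing(listing_html), key=lambda r: r[1])  # stable sort keeps listing order on ties
    missing = [n for n, _ in rows if n not in bodies]
    by_ts = defaultdict(list)
    for n, ts in rows:
        by_ts[ts].append(n)
    ties = [g for g in by_ts.values() if len(g) > 1]
    data = b"".join(bodies[n] for n, _ in rows if n in bodies)
    return data, missing, ties

# Constructed sample: three tiny chunks (real ones are 61440 bytes), served out of order.
CHUNKS = [b"7z\xbc\xaf\x27\x1c" + b"A" * 8, b"B" * 8, b"C" * 8]
STREAMS = [b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n" + c
           for c in reversed(CHUNKS)]
NAMES = [hashlib.md5(c).hexdigest() for c in CHUNKS]
LISTING = "<h1>Index of /</h1>\n" + "".join(
    f'<a href="{n}">{n}</a> {ts} 61440\n'
    for n, ts in zip(NAMES, ["20-Mar-2015 10:01", "20-Mar-2015 10:02", "20-Mar-2015 10:02"]))
```

Against real tcpflow output you would read each stream file into `STREAMS` and the saved index page into `LISTING`; the returned tie groups tell you which permutations are still worth trying before 7-zip accepts the archive.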
When we try to extract it, it asks for a password:
We check the TCP Streams once again for the password by searching for some common keywords like password, secret and so on:
So, the entire password is again broken down into chunks present in the TCP streams; it was in the first TCP stream:
So, the password is: M)m5s6S^[>@#Q3+10PD.KE#cyPsvqH
The flag is in the image inside the archive.
This challenge was good and it gives a lot of scope for automation. The entire process of extracting the chunks of data from the TCP Streams and then comparing their MD5 hashes with the required chunks can be automated.