[CTF NDH 2018 Quals] Write-Up – Network : Kebab STO

01 Apr 2018
Posted by: Yann C. / Category: Cryptanalyze / Cryptology / NDH2k18

Write-up of the challenge “Network – Kebab STO” of Nuit du Hack 2018 CTF qualifications.

The weekend of 03/31/2018 was the pre-qualification round for the Nuit du Hack 2018, run as a Jeopardy CTF. Having had the opportunity and the time to participate with some colleagues and friends, here is a write-up of the challenges we worked on.

  • Category: Network
  • Name: Kebab STO
  • Description : The challenge consists in finding the flag in a network capture.
  • URL : tcp://kebabsto.challs.malice.fr:8888/
  • File : kebabsto.pcapng (149.66kB – c714bd030c959275df197ca7a392c21d3f68fa9fd6a161ab7ffa5e896ef7f0eb)
  • Points : 350

This challenge combines the analysis of a pcapng capture with the use of a TCP service, kebabsto.challs.malice.fr:8888.

Open kebabsto.pcapng in Wireshark and try to export the HTTP objects:

HTTP objects

The first object is the HTML source code of an Apache “index of” referencing one file called “kdsqfkpdsdf” and the second is this file itself.

The “kdsqfkpdsdf” file is a ZIP archive, extract it :

kdsqfkpdsdf identification

Before analysing the ZIP content, continue with the initial PCAPNG file. There are several IMAP/SMTP exchanges:

IMAP exchange

These IMAP exchanges are authenticated :

AHRvbWF0ZUBkZWJpYW4ueW8AdG9tYXRlMTIz
Base64 decode: tomate@debian.yo:tomate123 (in the decoded bytes the two fields are delimited by NUL bytes, shown here as “:”)

In addition, one email carries an attachment (encoded as Base64):

IMAP attachment

We can recover this attachment via an online service:

Decode IMAP attachment

This new file is also a ZIP archive, containing 2 files:

  • docs/pubkey.pem : an RSA 1024-bit public key. None of the RSA attack techniques work on it (factordb, Wiener, etc.)
  • docs/cipherText : a big integer number as ciphertext

The email content from the PCAP is also interesting. It gives details about the TCP 8888 service:

They also retrieved a public key and an interesting cipher text
(attached documents).

Besides, they also found a service at mydomainndh.ndh (port 55555) which
decrypts every text encrypted with the public key, apart from the
interesting one.

There is a small mistake: the port is actually 8888, not 55555. So this service decrypts submitted ciphertext using the key pair that pubkey.pem belongs to. Try it with the content of “cipherText”:

72873754879996948796542757182427480866384878894019674005699447004829908491467629529161961884224325941110935083467870715412599916138560976722953815670278067115980556377912852138532905866093650699880301357138301236748217037629036311469031537013958415575513723738671978421707050599317605219729945496472798064172
8888 service

Yeah ! It seems to be a password. But where and when can we use it ?

Go back to the analysis of the kdsqfkpdsdf file retrieved from the HTTP exchanges. It is a ZIP containing another PCAP file:

lkdjflknezcz file

Load it in Wireshark :

lkdjflknezcz PCAP file

Several WPA-encrypted Wi-Fi exchanges from an access point called “wifiAccess” are present, along with authentication requests. We can try to break the WPA passphrase via the rockyou.txt wordlist:

Aircrack

Bingo, the WPA passphrase is “abcdefgh”. We can now decrypt this PCAP file to see its real content:

Airdecap

In this decrypted PCAP file, we can get :

  • Several TCP exchanges (but only ACK) ;
  • IMAP/SMTP authenticated exchanges (new credentials fromage@debian.yo:fromage123);
  • FTP exchange with content as a hexadecimal value:

FTP file

We recreate the file sent through FTP with a little Python script and analyze it:

FTP file analysis
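
An added example, not the author's script (which the page does not reproduce): one way to rebuild a file from a hexadecimal payload, identify it by its magic bytes and check whether a ZIP is password protected. The sample input, the entry name `sample.txt` and all function names are constructed for illustration; the sample only has the encryption flag set by hand, its data is left in clear.

```python
import io
import zipfile

# Leading magic bytes of the file types met in this write-up.
MAGICS = [
    (b"PK\x03\x04", "zip"),
    (b"\x0a\x0d\x0d\x0a", "pcapng"),
    (b"\xd4\xc3\xb2\xa1", "pcap"),
    (b"\xa1\xb2\xc3\xd4", "pcap"),
]

def hex_to_bytes(hex_text: str) -> bytes:
    """Decode a hex payload copied out of a stream, ignoring whitespace."""
    return bytes.fromhex("".join(hex_text.split()))

def identify(data: bytes) -> str:
    """Name the file type from its leading magic bytes."""
    for magic, name in MAGICS:
        if data.startswith(magic):
            return name
    return "unknown"

def zip_entries(data: bytes) -> list:
    """Return (name, is_encrypted) per entry; flag bit 0 marks encryption."""
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        return [(i.filename, bool(i.flag_bits & 0x1)) for i in archive.infolist()]

def analyze(hex_text: str) -> tuple:
    """Rebuild the file from hex and, if it is a ZIP, list its entries."""
    data = hex_to_bytes(hex_text)
    kind = identify(data)
    return kind, (zip_entries(data) if kind == "zip" else [])

def constructed_sample() -> str:
    """Constructed input: a tiny ZIP flagged as encrypted, as wrapped hex text."""
    buf = io.BytesIO()
    info = zipfile.ZipInfo("sample.txt", date_time=(2018, 4, 1, 0, 0, 0))
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr(info, b"constructed content")
    raw = bytearray(buf.getvalue())
    raw[6] |= 0x01                            # flags, local file header
    raw[raw.find(b"PK\x01\x02") + 8] |= 0x01  # flags, central directory
    text = raw.hex()
    return "\n".join(text[i:i + 64] for i in range(0, len(text), 64))

if __name__ == "__main__":
    kind, entries = analyze(constructed_sample())
    print("type:", kind)
    for name, encrypted in entries:
        print(name, "-> password protected" if encrypted else "-> not encrypted")
```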

Another ZIP file! But this one is password protected… We can try all the credentials retrieved (tomate123, fromage123, the WPA key, the password decrypted via the TCP 8888 service):

Unzip password

YES ! It was the password from the TCP service “Th1s1s2P@ss_W0rd%M0f0”. A final file is extracted with ASCII content : slkfdsflj.

Flag Kebab STO

Greetings to the whole team ! 🙂


About the Author : Yann C.

An IT security consultant who has practised in this field since the early 2000s, self-taught out of passion, pleasure and for its prospects, he maintains the ASafety portal to present articles, personal projects, research and development, as well as advisories for vulnerabilities discovered notably during pentests.