The weekend of 03\/31\/2018 is pre-qualification for the Nuit du Hack 2018<\/a><\/strong>\u00a0as a Jeopardy CTF<\/strong>. Having had the opportunity and the time to participate with some colleagues and friends, here\u2019s a write-up resolution of the challenges which we could participate.<\/p>\n This challenge is about a pcapng analysis using a TCP service kebabsto.challs.malice.fr:8888<\/strong>\u00a0too.<\/p>\n Opening with Wireshark the\u00a0kebabsto.pcapng<\/a>, and try to export HTTP objects :<\/p>\n HTTP objects<\/p><\/div>\n The first object is the HTML source code of an Apache “index of” referencing one file called “kdsqfkpdsdf” and the second is this file itself.<\/p>\n The “kdsqfkpdsdf” file is a ZIP archive, extract it :<\/p>\n kdsqfkpdsdf identification<\/p><\/div>\n Before the analysis of the ZIP content, continue on the initial PCANG file. There are several IMAP\/SMTP exchanges :<\/p>\n IMAP exchange<\/p><\/div>\n These IMAP exchanges are authenticated :<\/p>\n Plus, an attachment is present in one email (encoded as Base64) :<\/p>\n IMAP attachement<\/p><\/div>\n We can retrieve this attachement via online service<\/a> :<\/p>\n Decode IMAP attachement<\/p><\/div>\n This new file is a ZIP archive too with 2 files :<\/p>\n The email content from the PCAP is also interresting. There is precision about the TCP 8888 service :<\/p>\n They also retrieved a public key and an interesting cipher text Besides, they also found a service at mydomainndh.ndh (port 55555) which There is a little mistake, it’s not the 55555 port but 8888 in reality. So this service implements the pubkey.pem to decrypt ciphertext submited. Try it with the content of “cipherText” :<\/p>\n 8888 service<\/p><\/div>\n Yeah ! It seems to be a password. But where and when can we use it ?<\/p>\n Go back earlier to the analysis of the\u00a0kdsqfkpdsdf file retrieved from HTTP exchanges. It’s a ZIP containing another PCAP file :<\/p>\n lkdjflknezcz file<\/p><\/div>\n Load it in Wireshark :<\/p>\n lkdjflknezcz PCAP file<\/p><\/div>\n Several Wifi-WAP encrypted exchanges from an access-point called “wifiAccess” are available. Authentication requests too. We can try to break the WPA passphrase via the rockyou.txt wordlist :<\/p>\n Aircrack<\/p><\/div>\n Bingo, the WPA passphrase is “abcdefgh”, we can now decrypt this PCAP file to see it’s real content :<\/p>\n Airdecap<\/p><\/div>\n In this decrypted PCAP file, we can get :<\/p>\n FTP file<\/p><\/div>\n We recreate the file send through FTP with a little Python script and analyze it :<\/p>\n FTP file analysis<\/p><\/div>\n Another ZIP file ! But this one is password protected… We can try all credential retrieved (tomate123, fromage123, the WPA key, the password unciphered via the TCP 8888 service) :<\/p>\n\n
![\"HTTP](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/k01-300x192.png\")
<\/a>![\"kdsqfkpdsdf](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/k04-300x68.png\")
<\/a>![\"IMAP](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/k02-300x165.png\")
<\/a>AHRvbWF0ZUBkZWJpYW4ueW8AdG9tYXRlMTIz\r\nBase64 decode : tomate@debian.yo:tomate123<\/pre>\n
![\"IMAP](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/k03-166x300.png\")
<\/a>![\"Decode](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/k05-300x185.png\")
<\/a>\n
\n(attached documents).<\/p>\n
\ndecrypts every text encrypted with the public key, apart from the
\ninteresting one.<\/p><\/blockquote>\n72873754879996948796542757182427480866384878894019674005699447004829908491467629529161961884224325941110935083467870715412599916138560976722953815670278067115980556377912852138532905866093650699880301357138301236748217037629036311469031537013958415575513723738671978421707050599317605219729945496472798064172<\/pre>\n
![\"8888](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/kebab-300x76.png\")
<\/a>![\"lkdjflknezcz](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/k06-300x37.png\")
<\/a>![\"lkdjflknezcz](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/k07-300x230.png\")
<\/a>![\"Aircrack\"](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/k08-300x195.png\")
<\/a>![\"Airdecap\"](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/k09-300x64.png\")
<\/a>\n
![\"FTP](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/k10-300x216.png\")
<\/a>![\"FTP](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/k11-300x48.png\")
<\/a>
![\"Unzip](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/k12-300x67.png\")
<\/a>![\"Flag](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/k13-300x63.png\")
<\/a>