SAINTCON 2014 Hackers Challenge Walkthrough: Capture The Packet

You can find the SAINTCON 2014 Hackers Challenge Introduction here.

And this is all the files referenced below: SAINTCON_2014_Hackers_Challenge_CP.zip

The challenges referenced below can be found here:

Contents

CP100 – Lame

Puzzle:

Unencrypted communication is a very dangerous thing...

Files
PCAP File CP100.pcap

Solution:

Open the PCAP in your favorite packet viewer; Wireshark.

I like to use the Statistics->Conversations; tool to make following/filtering streams easier.

Choose TCP in that window and there is only one stream to “Follow”

Scroll down reading what was going on the console, notice that you can see in plain text the password that used to login with TELNET, and everything else is plain text too.  You will find that a cat keys.txt was done.

LEARN MORE and secure your protocols,

s/telnet/ssh/
s/ftp/sftp|scp/
s/pop3/pop3s/
s/http/https/
s/imap/imaps/
s/insecure/secure/
s/plaintext/encrypted/

Key:
ENCRYPTYOURSHELLS!


CP200 – Listen Carefully

Puzzle:

Allison and Tom are having an intense discussion but what are they really saying?
Files:
PCAP File	CP200.pcapng

Solution:

Open the PCAP in your favorite packet viewer; Wireshark.

I like to use the Statistics->Conversations; tool to make following/filtering streams easier.

Lets examine everything in the packet capture.

Looking at the streams we see SIP, RTP, and whole bunch of unknown SDP.

Let’s listen to whatever calls we might have captured.
Telephony->RTP->Show All Streams->Analyzer->Player->Decode->Play

Or Telephony->VOIP Calls->Player->Decode->Play

And we hear a conversation with quotes from Dead Poets Society and Ender’s Game. Encouraging us to get a new perspective, and to learn from our enemy (the challenge itself).

So, what else is in this packet capture? Lots of UDP that wireshark didn’t immediately recognize.  But it looks alot like the other RTP/UDP packets in the capture.

Let’s LEARN MORE about http://wiki.wireshark.org/RTP

UDP: Typically, RTP uses UDP as its transport protocol. RTP does not have a well known UDP port (although the IETF recommend ports 6970 to 6999). Instead, the ports are allocated dynamically and then signalled using a different protocol such as SIP or H245. In SIP and other protocols a RTP session is described by SDP (Session Description Protocol), which is not really a protocol itself but rather a formalised way to describe a media session.

Hmm, so if we don’t have the SIP packets for a call, wireshark doesn’t know it is RTP.  But look, there is an option there: Try to decode RTP outside of conversations, i.e. heuristic dissection. Default OFF

Let’s turn that ON. Edit->Preferences->Protocols->RTP

Now if we go to Telephony->RTP->Show All Streams->Analyzer->Player->Decode->Play what do have? A 3rd RTP stream.

Ah that sounds familiar, go grab http://www.w1hkj.com/Fldigi.html or http://ke7sch.net/psker/PSKer.html or http://www.wolphi.com/ham-radio-apps/droidpsk/

Key: MyVoiceIsMyPassportVerifyMe


CP300 – Whats Encryption Anyway?

Puzzle:

Encryption is awesome, but its not always foolproof.

PCAP File for 300	CP300.pcapng.zip
CP300 Fixed	CP300-Fixed.pcapng.zip
You may need this.	Keys.asc

Solution:

Well the CP300 original file is just the same file from CP100, nothing useful there.  Let’s look at the fixed file.

Let start as usual by looking at the conversations, ah there’s an interesting one on TCP port 31337.

hello
well hello there
who are you?
my name is supertechguy
what is the purpose of this?
well that depends on what you want
well, Im looking for a key
then you have come to the right place
ok, will you give me the key?
I'd be happy to, but this connection is not secure
would you encrypt it and send it to me?
sure, what is your pgp address?
hc@saintcon.org
ok, it will be comming in just a moment
-----BEGIN PGP MESSAGE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - https://gpgtools.org

hQEMA+WhdpdMLer1AQf9HDvfkGY7Ds8sH+vfYeJGLEhbUJHlARGpx4iTwL+BCvrO
FQwXPh1rw8tCtiExpqwiJBVNZyN+VFhulxNME3YouFomeamFXSqXtLyud0xkAnr9
g5cKBJ0SAt4RBRkUl8quR57YW+0U4kj3oEZw0M6bsElPVZjRb05cl6+QKZNpcM+t
ZquG6oEdah4Netg1iiwPFSX2I4biZUs/7e9XiQUdrp7XAlpEav2Ez/0QsndD+c3E
+0+1m/rtuOk7zp1yJm09am8JusgZOAZHXIVsq0E/TRTitZBWClUkkKRctD1g+yxK
x7jAAf4ivhburr8ja7LPWILDduszxTKO+7nBZuUKboUCDAPtHH2aufIhZQEP/1+j
vGaNnmB8iRmgpCZMy2m89qatMWrW0fOEg6Q/Bx2PcXp8/EHJZFQogN2KWbPyb2eZ
1ROgkj6gDfklFnGjqH+Hn84K1PWNpQ1WXshJGAE0VGuFGKFENGra3bgDVATaJiJD
GZjp+e4wSRqMwzooJQrUgEJ2gtVGPACKbkxizYG+eG+IT4kcpLub7bLSmpRDQ9BB
triZ41iuE4Wnprad5kThkJZ0DmqPydx5BKLJSsXEXr9tCXR19gsYAn8hn23Jhg9X
wSTunIGXKMDDhkbzZcFXxLU/WCWyPM+ow5WGm8LqOELbz0a7WGpE079kbORbmkIJ
GYIa14EU2uSqnKJ2/8MjHYZkYoJHnAesFV/h9GfbU2FZFH0nSiRe6U4mqvkteFVE
+FM2GDIq3Nv/gykEJGwsZYFZm0eysgqKHapoBHxKOir2J5Xzkd6Lq43rWDHudmH2
31VpkutF8BTwPfnZ5nGNMOmFjtSnw6Cq5WZe8zWbM9M/iR3it9aojUkgEQWK4V9d
4H4v/R8jFSv35fydDjAsy6QLNa3o0lxTuCMyT3le7xeoZfgo9P2xjclaY5w+tdWQ
YOkWECB9CyUhv+ZShhurXfKStg1f81EWRFUi+/tJfBtnQ3tfajQ5ZMWvPSpJVL6v
DYpXUJKy7XVe76tlvF0IwFfEQBIPgCKcBPRytG6O0ukBHuDZmPEruvtxwy3INgyK
IMnNyJYfg34Ia29sPM4rQ6GrAUi8X/lHpadHkdpEYnOkewNxoCOb9lbPyZviPsPI
ZmheCQrD00b0Tm6tNbCagZKgzc52ktt9qFP45m+KSH84xiJlk7KwJeNbaF2FvzLO
lG8OZEyTMvtyCsVrjdSRbU9JiFG1igqcerUGlQ1Jbn79+5XjtxEiNzLPYcOJ9yBf
a4XWpEFNxy41GhH/hPYMp0FAobF2My+9vS5NTprHkhr1M4PWr5qQdYR23rfapp4E
KHTbSzt8L5bKq3WHDFKu4/TrTlkFVSFoJ/ltI/fjdVt+UN0mrDzZ0QFMUaUP/fzP
POzUeMoyiaa/Erg/u7MMP8XAmD0lJCVOpaE08rZ5AOpb2ZscDz14OLJcTqmGl6Im
qlwd3Uoag/bfMKXm71BQRc4zzO7SG2DNwiz4RLTbgfvIa3l41dDUkmg3GyRtIoVT
LUDQFEErcdEUI4Xh8HNwdkdXVGll6a+be5Ye6DDOWstl8jwRFqrdON/o8dIWOQaQ
4dG+IqLmJX/+xGYANvVaIs3MjP84sg/wxzfeGyWfQ7L9VHEsxlv3Ckt/6MgRn1ss
zQcVUpg7L9RHjiKqPlq970ZCrV4NzRrG0S/H3j0ELP44pRnCeaUjCl3bIfbbGgz9
wUWJJ56msFdBvqkynn6mNooWITBdq1MIOYQjyaVur5mK+aggY7UMqrQiYyvi6GuQ
152cqQEaG2nIeAVsj10sLzlKDDPa9dHZmPqVL1rYJ9Smm4Mkjh29xoIrlKBxK8zl
r85RDr7Ij1ANegeLj1LqV6AnDRTccLiGM0oauf/i62Wv1N3zKOO7b+XgcV4yl/7v
ERj+653vI0+K7Ms=
=B21g
-----END PGP MESSAGE-----
thank you
that wil be just perfect
youre very welcome
good bye
bye

Now you can search the rest of the packet capture for the private key to decode that encrypted message like I did, but it’s not there.

So take the provided private key install it in your keychain and decode the message.

gpg --allow-secret-key-import --import Keys.asc
gpg --decrypt message.txt

Key: PGPROCKSFORSENDINGMSGS


CP400 – Chaos

Puzzle:

Negentropy: Find order in the chaos.
Hints
- The files names are the truth.
- How often have I said to you that when you have eliminated the impossible, whatever remains, however improbable, must be the truth?
- Ping!

Files
CP400	challenge.pcap.zip

Solution:

So lets take a look around this PCAP.

Statistics->HTTP->Requests->Create Stats

File->Export Objects->HTTP

Lots of files that say they aren’t the key.

Lets apply various filters to see what we have here, getting rid of fragmented frames, just ’cause.

(!http and !tcp ) && !(ip.flags.mf == 1)

And let’s filter out all the random UDP port scan looking stuff:

(!http and !tcp  ) && !(ip.flags.mf == 1) && !udp

That’s a pretty large ICMP echo request / reply (ping!)  What’s that GIF89a in the payload data? http://www.w3.org/Graphics/GIF/spec-gif89a.txt

So right click on the 437 bytes of data in the middle pane of wireshark and “export selected packet bytes” save as key.gif

Hmm, what is that?

http://en.wikipedia.org/wiki/Golden_spiral

We are definitely starting to find something very ordered in this chaos.

http://en.wikipedia.org/wiki/Fibonacci_number

Lets look at the conversations list, make sure to turn off ‘name resolution’.  Do you remember that UDP Port scan?  Lots of 1029byte packets, 1 packet per port.  What if we just take the fibbonaci number ports?

http://www.miniwebtool.com/list-of-fibonacci-numbers/?number=17

Heh, look all these packets have very ASCII looking payloads.  Could it be BASE64?

GO LEARN more about BASE64. http://en.wikipedia.org/wiki/Base64

Use any Base64 decoder (openssl enc -base64 -d and ctrl+d) to decode it.  Heh! Look, it’s a JFIF (JPEG File) header…

Export all the relevant packets data bytes.  Concat and base64 decode.

cat 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 > a
base64 -D a > b

View that JPEG and your key is there!

b

Key: 


CP500 – lookicaughtsomedata

Puzzle:

Challenge: lookicaughtsomedata.pcap

Hint: Ya, hi, I need a forensics guy to look at this capture I acquired. The dude we caught says that he has flag evidence against his boss. He texted him and I'm pretty sure we have the data since we've been 'legally' tapping this guy for a while. Get this data and I can put both of them away.

Solution:

Use the statistical and export tools in wireshark to look for interesting stuff.

I found this one:

GET /superduperdroidbackup.tgz HTTP/1.1
Host: d4rkm4tt3r.violates.us

HTTP/1.1 200 OK
Content-Length: 8831041
Content-Type: application/x-tar

Export it. Or go download it yourself. (http://d4rkm4tt3r.violates.us/superduperdroidbackup.tgz)

Ask a few questions: http://android.stackexchange.com/questions/16915/where-on-the-file-system-are-sms-messages-stored

Open superduperdroidbackup\data\data\com.android.providers.telephony\databases\mmssms.db in SQLiteBrowser and on the sms table you will find:

Key: Hey the key to this challenge is ‘iamsoleetatandroidforensics’ without quotes ofcourse