Skip to main content

CSAW CTF 2015 : Forensics 100 - Transfer write-up

Category : Forensics 
Points : 100

Challenge Description :

I was sniffing some web traffic for a while, I think I finally got something interesting. Help me find flag through all these packets.
net_756d631588cb0a400cc16d1848a5f0fb.pcap

Opening it up with Wireshark gives some few HTTP packets. After looking through those packets, I noticed that one of them contains the word FLAG.



The start of the conversation contains a python script and some random padding at the end which was more likely to be the script's output.



Looking through the python script we notice there is a variable called FLAG (censored) that gets encoded with Base64 then looped through one of the following ciphers ROT13, ROT3 and Base64 (randomly chosen).

 One thing to mention is that the script keeps the cipher index attached to the encrypted string, this will make it easier for us to reverse the whole thing.

def encode(pt, cnt=50):
tmp = '2{}'.format(b64encode(pt))
for cnt in xrange(cnt):
c = random.choice(enc_ciphers)
i = enc_ciphers.index(c) + 1
_tmp = globals()[c](tmp)
tmp = '{}{}'.format(i, _tmp)
return tmp
view raw encode.py hosted with ❤ by GitHub


I wrote a quick python script to do the decryption :

import string
from base64 import b64decode
dec_ciphers = ['rot13', 'b64d', 'caesard']
def rot13(s):
_rot13 = string.maketrans(
"ABCDEFGHIJKLMabcdefghijklmNOPQRSTUVWXYZnopqrstuvwxyz",
"NOPQRSTUVWXYZnopqrstuvwxyzABCDEFGHIJKLMabcdefghijklm")
return string.translate(s, _rot13)
def b64d(s):
return b64decode(s)
def caesard(plaintext, shift=-3):
alphabet = string.ascii_lowercase
shifted_alphabet = alphabet[shift:] + alphabet[:shift]
table = string.maketrans(alphabet, shifted_alphabet)
return plaintext.translate(table)
def decode(pt, cnt):
tmp = pt
for i in xrange(cnt):
index = int(tmp[0])
choice = dec_ciphers[index - 1]
decoded = globals()[choice](tmp[1:])
tmp = decoded
rawd = b64decode(decoded[1:])
return rawd
if __name__ == '__main__':
data = '2Mk16Sk5iakYxVFZoS1RsWnZXbFZaYjFaa1prWmFkMDVWVGs1U2IyODFXa1ZuTUZadU1YVldiV[...]'
for j in range(1, 200):
try:
FLAG = decode(data, j)
if 'flag' in FLAG:
print FLAG
except:
pass
view raw flag.py hosted with ❤ by GitHub
Executing the script would give :

flag{li0ns_and_tig3rs_4nd_b34rs_0h_mi}







Comments

Post a Comment

Popular posts from this blog

Capture the Ether - Lotteries write-up

Capture the Ether is a "Capture the Flag" style game in which you hack Ethereum smart contracts to learn about security. Spoiler Alert ! In this write-up, I will go through the first four challenges in the category labeled "Lotteries". Each of these challenges has its own difficulty level and reward points. Basically you can solve them by "guessing?" the right value of a variable in a given smart contract. Guess the number The smart contract for this challenge looks like this: It has three functions : GuessTheNumberChallenge() : a payable constructor that tells you how much Ether is required when deploying the smart contract. isComplete() : it returns true when the smart contract's balance is equal to 0. guess(uint8 n) : It takes a uint8 as an argument and compares it with the variable declared in line 4. If the numbers are equal, you will have your Ethers sent back to your address. Note that this function is payable and req...
1 comment
Read more

Pwning Windows 7 with ETERNALBLUE & DOUBLEPULSAR (Metasploit)

Thanks to @UnaPibaGeek & @pablogonzalezpe for their efforts to develop the Metasploit modules. Modules can be found here (Scanner + Exploit) : https://packetstormsecurity.com/files/142181/Microsoft-Windows-MS17-010-SMB-Remote-Code-Execution.html https://github.com/ElevenPaths/Eternalblue-Doublepulsar-Metasploit This vulnerability affects Windows 2000, Windows XP, Windows 7, Windows 8, Windows Server 2000 up to 2012 R2. How to protect yourself If you still haven't updated your system, you should probably do it right away. If for some reason you aren't able to apply updates, Consider disabling SMB protocols. To disable SMBv1, SMBv2 and SMBv3 under Windows 8 and Windows Server 2012, run the following cmdlets (powershell commands) : Set-SmbServerConfiguration -EnableSMB1Protocol $false Set-SmbServerConfiguration -EnableSMB2Protocol $false For Windows 7, Windows Server 2008 R2, Windows Vista, and Windows Server 2008, you should use these: Set-Ite...
Post a Comment
Read more