PicoCTF 2017 – Special Agent User #appsec #infosec #forensics

Another day, another challenge.

Today’s blog post we will solving the “Special Agent User” challenge in the PicoCTF.

Let’s get started.

Clicking on the challenge we see:

PicoCTF_Special_Agent_1

We have another pcap (packet capture file) and we need to find the User Agent. OK. Sounds plausible. Let’s look at the hints.

PicoCTF_Special_Agent_2

There’s a link that discuss more about user-agents. Let’s go to that link.

Opening that link we see the following:

PicoCTF_Special_Agent_3

The web page explains the different components of the User-String. This will be useful.

Opening the packet capture file we notice the usual stuff UDP, and ICMP packets. And like with the first “Digital Camouflage” challenge we can ignore this.

User-Agent strings are found in HTTP requests. We need to look at packet captures for just HTTP requests.

Doing this we see a packet that’s piqued our interest…

PicoCTF_Special_Agent_4

On packet 80 (GET / HTTP/1.1) we’ll do a right click, Follow, HTTP stream.

Doing this we have the following:

PicoCTF_Special_Agent_5

Looking at the last entry in the user agent, we can see that the packet is using Firefox 25. Entering that as the flag, we’ve acquired 50 points!

PicoCTF 2017 – Digital Camouflage

Another day, another challenge.

Today’s blog post we will be solving the “Digital Camouflage” challenge in the PicoCTF.

Let’s start.

Clicking on the challenge we see the following:

PicoCTF_Digital_Camouflage_1

We need to find the password in a packet capture.

Let’s look at the hints to see what we can find.

PicoCTF_Digital_Camouflage_2

Downloading the file and going to Wireshark we see the following:

PicoCTF_Digital_Camouflage_6

We see network traffic. The first half is UDP packets which is not important for this challenge.

Scrolling down we see the following:

PicoCTF_Digital_Camouflage_5

Looking at this packet we see a username, and password. Could this be what we’re looking for?

Doing a right click, follow, HTTP Stream we see:

PicoCTF_Digital_Camouflage_4

Entering the password into the input box we retrieved the flag and acquired 50 points.

InfoSec Institute CTF #13

Another day, another challenge…

Today’s challenge is from the InfoSec Institute.

Going to the following link, we see the following:

infosec_13_intro

Doing a right click, view page source we see the following:

infosec_13_page_source

So from the hint we’re looking for a back-up file.

Since this is on a Linux box, let’s see what what the naming conventions are for backup files.

Let’s see if there’s a backup folder.

infosec_13_backup

That led us to a dead-end.

Let’s try adding .old at the end of the file.

Adding the “.old” at the end of the URL and pressing enter we get the following:

infosec_13_old

Hmm… this looks like another file. Let’s open it.

Opening the file in a text editor we get the following:

infosec_13_hidden_content

Looking at the file we see the the first paragraph, which matches our first screenshot.

Next we see commented out code, that is asking us to download a mysterious file, “iamadecoy”.

Let’s navigate to this file and see what we find.

After the file downloads, we try to open it.

Hmm… that’s weird when clicking on the file a prompt is shown asking what type of file this is.

Since we don’t know what type of file it is, let’s go to this site here, to find out.

After uploading our file we determine that is a pcap file.

infosec_13_pcap

We’re going to need Wireshark for this one…
Opening Wireshark, and opening our file we’re presented with the following:

infosec_13_wireshark

The beginning of the file is DNS queries that are rejected we can ignore that.

Searching through the file we notice some HTTP requests that are getting files, in particular – HoneyPy.png

Going to packet 633

infosec_13_wireshark_633

We can reconstruct this exchange.

Going to File –> Export Objects –> HTTP

We get the following:

infosec_13_wireshark_http_objects

Our file is highlighted in the above screenshot, so let’s click Save.

Opening the file we get our flag!

infosec_13_flag

Lessons learned:

Use the hints that are provided! We knew that the file we were looking for was a backup.  After playing around with the filenames we discovered that the file we were looking for ended in an “.old”. Once we opened the file we noticed there was another file “imadecoy”. After downloading that file and trying to open it our operating system was confused on the file type. Uploading our file to the above link we determined that the file had a pcap (packet capture) extension, and we would need to use Wireshark.

Opening Wireshark, we determined that the file we needed was inside of an HTTP packet. Reconstructing the packet we were able to download the file we needed. After opening that file we received our flag. This challenge was a multi-step process. It’s very important to pay attention to detail.

 

InfoSec Institute CTF Challenge #6

Another day,. another challenge…

Today’s challenge will be on the InfoSec Institute CTF Challenge #6.

See scenario below:

infosec_6_intro

Doing a page source we see the following:

infosec_6_pagesource

We see that there’s a pcap file if we select yes.

Opening Wireshark (which can be downloaded HERE)

We see the following:

infosec_6_wireshark

Wireshark is a program that is used to analyze network traffic. Most of the traffic in this file can be ignored as there is a lot of noise that is being displayed.

Looking at the first packet (UDP) we see the following:

infosec_6_udp_packet

We noticed there are a bunch of letters… possibly this is hexadecimal encoding?

Going to Google and searching for “hexadecimal decoding” we see the following link as the first result.

Clicking on the link and typing in the encoding we get the following:

infosec_6_finished

 

We found the flag!

Lessons learned:

  1. Download Wireshark!
  2. Inspect the packets, and pay attention to those that stand out. Usually the suspicious packets hold clues!
  3. These clues won’t give us the pot of gold on the first try. Most of the data will be obscured. So we will need to encode or decode the data
  4. Once we encode or decode usually the data will be there!

FYI – thenewboston on Youtube has a good beginner tutorial on Wireshark. Which can be found HERE.