BSides Raleigh CTF (2016) Write-Ups

While a bit late, I finally found (some) files to do a BSides Raleigh CTF write-up.

This will only focus on the few offline challenges that I found on my flash drive. That said, hopefully someone will still learn something from them.

I apologize for not remembering where most of these challenges came from; that said, I believe most were in the same section of the CTF.

I’ve verified that the uploaded and attached files work, so feel free to follow along if you did not compete!

BSides Raleigh CTF – Halloween

The first challenge that I will cover is the Halloween image.

At first glance, I didn’t see anything interesting with this image.

BSides Raleigh CTF - Halloween

Additionally, running strings on the file did not give me any more information.

That said, once I ran binwalk, things started getting interesting!

root@kali:~/_test# binwalk bsidesRaleighCTF-1-happyHalloween.jpg 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01
126359        0x1ED97         Zip archive data, at least v2.0 to extract, name: r
302502        0x49DA6         Zip archive data, at least v1.0 to extract, name: __MACOSX/
302557        0x49DDD         Zip archive data, at least v2.0 to extract, name: __MACOSX/._r
303041        0x49FC1         End of Zip archive

Extracting the binary files using binwalk gave us the new file, “r”.

root@kali:~/_test# cd _bsidesRaleighCTF-1-happyHalloween.jpg.extracted/
root@kali:~/_test/_bsidesRaleighCTF-1-happyHalloween.jpg.extracted# ls
1ED97.zip  __MACOSX  r
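The same carving that binwalk does here, as an added example (not code from the original write-up or from binwalk): scan for a ZIP local-file header after the JPEG data, cut the archive at its end-of-central-directory record, and read the members from memory. The JPEG and the archive are constructed inline as stand-ins for the challenge file.

```python
import io
import struct
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"   # first bytes of the first archive member
ZIP_EOCD = b"PK\x05\x06"           # end-of-central-directory record


def build_sample_jpeg() -> bytes:
    """Constructed minimal JPEG: SOI, a correct 16-byte JFIF APP0 segment, filler, EOI."""
    app0 = (b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00" + b"\x01\x01"
            + b"\x00" + struct.pack(">HH", 1, 1) + b"\x00\x00")
    return b"\xff\xd8" + app0 + b"\x00" * 100 + b"\xff\xd9"


def build_sample_zip() -> bytes:
    """Constructed archive with a single member named 'r', like the challenge's."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("r", b"stand-in for the second image")
    return buf.getvalue()


SAMPLE_JPEG = build_sample_jpeg()
SAMPLE_FILE = SAMPLE_JPEG + build_sample_zip()   # what the challenge file looked like to binwalk


def find_embedded_zip(data: bytes):
    """Locate a ZIP archive appended inside another file: from the first local header
    to the end of the EOCD record (22 bytes plus its comment).
    Returns (offset, zip_bytes) or None."""
    start = data.find(ZIP_LOCAL_HEADER)
    if start < 0:
        return None
    eocd = data.rfind(ZIP_EOCD, start)
    if eocd < 0 or eocd + 22 > len(data):
        return None
    comment_len, = struct.unpack_from("<H", data, eocd + 20)
    return start, data[start : eocd + 22 + comment_len]


def carve_members(data: bytes):
    """Read every member of the embedded archive into memory (binwalk -e writes them to disk)."""
    hit = find_embedded_zip(data)
    if hit is None:
        return {}
    with zipfile.ZipFile(io.BytesIO(hit[1])) as zf:
        return {name: zf.read(name) for name in zf.namelist()}


if __name__ == "__main__":
    offset, blob = find_embedded_zip(SAMPLE_FILE)
    print(f"zip archive at decimal offset {offset} (0x{offset:X}), {len(blob)} bytes")
    for name, body in carve_members(SAMPLE_FILE).items():
        print(f"  member {name!r}: {len(body)} bytes")
```

The offset printed corresponds to binwalk's DECIMAL/HEXADECIMAL columns; on the real file the `__MACOSX/._r` resource-fork entry would show up as a second member.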

Opening the new r file, we see another image, and get our flag (SUchGR3@th4X)!

BSides Raleigh CTF - R

BSides Raleigh CTF – Static Images

The next challenge covers the two images seemingly made up of static.

BSides Raleigh CTF - Static One

BSides Raleigh CTF - Static Two

That said, after taking a closer look at the two files (and rapidly switching between them), there was a slight difference somewhere in the middle.

Using a neat trick that I found on the ImageMagick Forums, I was able to extract the diff.

root@kali:~/_test# ls
bsidesRaleighCTF-2-one.png  bsidesRaleighCTF-3-two.png
root@kali:~/_test# convert bsidesRaleighCTF-2-one.png bsidesRaleighCTF-3-two.png \( -clone 0 -clone 1 -compose difference -composite -threshold 0 \) -delete 1 -alpha off -compose copy_opacity -composite -trim difference.png
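What that ImageMagick pipeline computes, written out as an added example (not from the write-up or the ImageMagick forum post): a per-pixel difference thresholded at zero becomes a mask, the mask is applied as the first image's opacity, and the result is trimmed to the bounding box of the differing pixels. It works on images already decoded to rows of RGB tuples (as an image library would give you) and constructs its own pair of "static" images with a small patch that differs.

```python
import random


def make_static(width, height, seed):
    """Constructed 'static': a grid of random RGB tuples standing in for decoded PNG pixels."""
    rng = random.Random(seed)
    return [[(rng.randrange(200), rng.randrange(200), rng.randrange(200)) for _ in range(width)]
            for _ in range(height)]


def diff_mask(img_a, img_b):
    """-compose difference -composite -threshold 0: True wherever any channel differs."""
    if len(img_a) != len(img_b) or any(len(ra) != len(rb) for ra, rb in zip(img_a, img_b)):
        raise ValueError("images must have identical dimensions")
    return [[pa != pb for pa, pb in zip(ra, rb)] for ra, rb in zip(img_a, img_b)]


def trim_box(mask):
    """-trim: bounding box (left, top, right, bottom) of the set pixels; None if identical."""
    coords = [(x, y) for y, row in enumerate(mask) for x, hit in enumerate(row) if hit]
    if not coords:
        return None
    xs, ys = zip(*coords)
    return min(xs), min(ys), max(xs), max(ys)


def extract_difference(img_a, img_b):
    """-compose copy_opacity onto clone 0: keep the first image's pixels where the mask
    is set, make the rest transparent (None here), and crop to the trim box."""
    mask = diff_mask(img_a, img_b)
    box = trim_box(mask)
    if box is None:
        return []
    left, top, right, bottom = box
    return [[img_a[y][x] if mask[y][x] else None for x in range(left, right + 1)]
            for y in range(top, bottom + 1)]


# Constructed pair: identical static except for a white 3x2 patch in the first image.
BASE = make_static(16, 16, seed=1)
IMAGE_ONE = [row[:] for row in BASE]
for _y in (5, 6):
    for _x in (7, 8, 9):
        IMAGE_ONE[_y][_x] = (255, 255, 255)
IMAGE_TWO = BASE

if __name__ == "__main__":
    print("differing region:", trim_box(diff_mask(IMAGE_ONE, IMAGE_TWO)))
    for row in extract_difference(IMAGE_ONE, IMAGE_TWO):
        print(row)
```

A real solve would load the two PNGs with an image library and hand the pixel grids to `extract_difference`; the threshold of zero matters, since even a one-level difference in one channel is enough to leak the hidden pixels.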

Opening the new image gave me the jU$tic3PrEV4Ils flag!

BSides Raleigh CTF - Difference

BSides Raleigh CTF – Artifact

Up next was the artifact file left behind by the attackers.

bsidesRaleighCTF-4-artifact

At first glance, this looked like some sort of binary data.

root@kali:~/_test# file bsidesRaleighCTF-4-artifact
bsidesRaleighCTF-4-artifact: data

Quickly running the file through xxd showed that the magic bytes were nulled out.

root@kali:~/_test# head -2 bsidesRaleighCTF-4-artifact | xxd
00000000: 0000 0000 0d0a 1a0a                      ........

That said, looking at the next few bytes (as well as the end of the file) made it very clear that this was a PNG image.

root@kali:~/_test# head -3 bsidesRaleighCTF-4-artifact | xxd
00000000: 0000 0000 0d0a 1a0a 0000 000d 4948 4452  ............IHDR

... snip ...
root@kali:~/_test# tail -1 bsidesRaleighCTF-4-artifact | xxd
... snip ...
00000230: 0351 12fd 3af1 fb00 0000 0049 454e 44ae  .Q..:......IEND.
00000240: 4260 820a                                B`..

Correcting the PNG magic bytes allowed me to open the file and get the flag (HEymErCedE2)!

root@kali:~/_test# head -1 bsidesRaleighCTF-4-artifact | xxd
00000000: 8950 4e47 0d0a                           .PNG..

BSides Raleigh CTF - Artifact

BSides Raleigh CTF – Suspicious Traffic (#1)

Next up was the suspicious_traffic-1.pcap file.

bsidesRaleighCTF-5-suspicious_traffic-1

Opening up this file in Wireshark showed that it only had ~500 packets, so I decided to just comb through it manually.

All of the traffic seemed to revolve around the 192.168.0.100 host, so filtering on it didn’t help much.

That said, there were some commands being sent over UDP to the 224.0.0.1 host.

BSides Raleigh CTF - Suspicious Commands

Looking through all of these commands, I found a flag (Gh0$tm4n0n3rd) that worked!

BSides Raleigh CTF - Suspicious 1 Flag

As far as the other commands were concerned, they were actually hints for a different/older challenge.

BSides Raleigh CTF – Suspicious Traffic (#2)

After this was yet another pcap challenge.

bsidesRaleighCTF-6-suspicious_traffic-2

Unfortunately, in this case, I had a much larger file with over 17,000 packets.

In this case, I like to open up the pcap in Wireshark and scroll through it, trying to get a feel for what was going on.

The first thing I noticed was a “Host Announcement FIRP-JENKINS, Workstation, Server, NT Workstation, NT Server”. Unfortunately, this was related to a new host on the network and a different challenge.

Most of the pcap seemed like fairly normal traffic and browsing until I happened across a fishy-looking DNS request.

1708974.Y2hlY2tpbmc.eversec.rocks: type TXT, class IN

Based on the domain name, this was part of this challenge.

Running the second part of the domain name through a base64 decoder gave me the value “checking”.

root@kali:~/_test# echo "Y2hlY2tpbmc=" | base64 -d
checking

This told me that my “attacker” was testing his DNS exfiltration, and that I was on the right track!

In this case, I wanted to work on my command-line kung fu and extract everything all at once.

First, after a bit of prodding and Googling, I figured out how to get tshark to only show me DNS traffic.

root@kali:~/_test# tshark -r bsidesRaleighCTF-6-suspicious_traffic-2.pcap -Y "dns" | grep eversec
Running as user "root" and group "root". This could be dangerous.
tshark: Lua: Error during loading:
 [string "/usr/share/wireshark/init.lua"]:44: dofile has been disabled due to running Wireshark as superuser. See https://wiki.wireshark.org/CaptureSetup/CapturePrivileges for help in running Wireshark as an unprivileged user.
7649 134.196103 192.168.0.107 -> 192.168.0.1  DNS 93 Standard query 0x1134 TXT 1708974.Y2hlY2tpbmc.eversec.rocks
7653 134.470023  192.168.0.1 -> 192.168.0.107 DNS 106 Standard query response 0x1134 TXT 1708974.Y2hlY2tpbmc.eversec.rocks TXT
7757 143.197890 192.168.0.107 -> 192.168.0.1  DNS 93 Standard query 0x856c TXT 1708974.Y2hlY2tpbmc.eversec.rocks

... snip ...

Unfortunately, this still gave far too many results to go through manually.

Next up was to get just the DNS query names from the packets. Additionally, I removed any DNS responses to prevent duplicates and make my manipulation easier.

root@kali:~/_test# tshark -r bsidesRaleighCTF-6-suspicious_traffic-2.pcap -Y "dns && (dns.flags.response == 0)" | grep eversec > dns.txt
root@kali:~/_test# cut -d ' ' -f 13 dns.txt 
1708974.Y2hlY2tpbmc.eversec.rocks
1708974.Y2hlY2tpbmc.eversec.rocks
1708974.d2luLWR0ZHBucW5wcDhwXHRlaHNreWxhcmsNCg.eversec.rocks

... snip ...

With my cut working, it was time to get just the second string and run it through a decoder. I ended up using Python for this to save some headaches with padding and extra whitespace. I’ll include the code below the solution.

My Python script ended up finding 3 flags, as well as some hints about some other challenges!

The first flag was “tehskylark”, the second was “4m3r1c@nF00tB411”, and the third was “Y0UC4N7m1SSWh47y0ufRGE7”.

root@kali:~/_test# cut -d ' ' -f 13 dns.txt | cut -d '.' -f 2 > exfil.txt
root@kali:~/_test# python decode.py 
checking
checking
win-dtdpnqnpp8p\tehskylark

checking
checking
checking
checking
checking
checking
checking
checking
checking
checking
checking
checking
checking
checking
checking
checking
checking
checking
checking
checking
checking
checking
checking
checking
checking
checking
checking
checking
'4m3r1c@nF00tB411'

checking
checking
checking
checking
checking
checking
checking
Active Connections
  Proto  Local Address          Foreign Address
  TCP    0.0.0.0:135            WIN-DTDPNQNPP8P
checking
  TCP    0.0.0.0:445            WIN-DTDPNQNPP8P
checking
  TCP    0.0.0.0:1025           WIN-DTDPNQNPP8P
  TCP    0.0.0.0:1026           WIN-DTDPNQNPP8P
checking
  TCP    0.0.0.0:1027           WIN-DTDPNQNPP8P
  TCP    0.0.0.0:1028           WIN-DTDPNQNPP8P
  TCP    0.0.0.0:1029           WIN-DTDPNQNPP8P
  TCP    192.168.0.107:139      WIN-DTDPNQNPP8P
  TCP    192.168.0.107:1420     104.25.11.6:htt
  TCP    192.168.0.107:1422     151.101.33.140:
  TCP    192.168.0.107:1458     a104-87-136-139
  TCP    192.168.0.107:1462     a23-219-20-113:
  TCP    192.168.0.107:1464     161.170.236.122
  TCP    192.168.0.107:1477     a23-219-20-18:h
  TCP    192.168.0.107:1478     a23-219-20-18:h
  TCP    192.168.0.107:1484     a23-219-20-18:h
  TCP    192.168.0.107:1486     a23-219-20-18:h
  TCP    [::]:135               WIN-DTDPNQNPP8P
  TCP    [::]:445               WIN-DTDPNQNPP8P
checking
  TCP    [::]:1025              WIN-DTDPNQNPP8P
checking
  TCP    [::]:1026              WIN-DTDPNQNPP8P
  TCP    [::]:1027              WIN-DTDPNQNPP8P
  TCP    [::]:1028              WIN-DTDPNQNPP8P
  TCP    [::]:1029              WIN-DTDPNQNPP8P
  UDP    0.0.0.0:68             *:*            
  UDP    0.0.0.0:5353           *:*            
checking
  UDP    0.0.0.0:5353           *:*            
  UDP    0.0.0.0:5355           *:*            
checking
  UDP    0.0.0.0:63871          *:*            
  UDP    127.0.0.1:1900         *:*            
  UDP    127.0.0.1:64125        *:*            
checking
  UDP    192.168.0.107:137      *:*            
  UDP    192.168.0.107:138      *:*            
  UDP    192.168.0.107:1900     *:*            
  UDP    192.168.0.107:64124    *:*            
checking
  UDP    [::]:5353              *:*            
  UDP    [::]:5355              *:*            
  UDP    [::1]:1900             *:*            
  UDP    [::1]:64123            *:*            
checking
checking
  UDP    [fe80::303f:4cde:4569:cf96%11]:1900  *
  UDP    [fe80::303f:4cde:4569:cf96%11]:64122  
checking
checking
checking
checking
checking
checking
checking
checking
checking
Let's just forget
Everything said
checking
Everything we did
Best friends and better halves
checking
Goodbyes
And the autumn night when we realized
We were falling out of love
(There were some things that were said that wer
checking
But we never did
checking
Not to be
Overly dramatic
I just think it's best
Cause Y0UC4N7m1SSWh47y0ufRGE7
So lets just pretend
Everything and
Anything between you and me
Was never meant
checking
checking
checking

import base64

# decode.py: one base64 DNS label per line, as produced by the cut pipeline above.
with open('exfil.txt') as f:
    lines = f.readlines()

for line in lines:
    line = line.strip()
    if not line:
        continue
    # The exfil tool drops the '=' padding (it is not a valid hostname character),
    # so restore it before decoding.
    missing_padding = len(line) % 4
    if missing_padding != 0:
        line += '=' * (4 - missing_padding)
    print(base64.b64decode(line).decode('utf-8', errors='replace'))
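The whole tshark-to-plaintext pipeline in one place, as an added example that is not part of the write-up: parse tshark's one-line query summaries, keep only queries (not responses) under the carrier domain, strip the carrier domain, treat the first label as the sender's sequence marker and the remaining labels as base64 payload, and decode with the padding restored. It generalizes the `cut -f 2` step to payloads split over several labels and refuses labels whose length cannot be valid base64. The sample lines are constructed from the format shown above, not the full capture.

```python
import base64
import binascii
import re

EXFIL_DOMAIN = "eversec.rocks"

# Constructed sample in tshark's one-line summary format: two queries, one response,
# one unrelated lookup.
SAMPLE_LINES = """\
7649 134.196103 192.168.0.107 -> 192.168.0.1  DNS 93 Standard query 0x1134 TXT 1708974.Y2hlY2tpbmc.eversec.rocks
7653 134.470023  192.168.0.1 -> 192.168.0.107 DNS 106 Standard query response 0x1134 TXT 1708974.Y2hlY2tpbmc.eversec.rocks TXT
7757 143.197890 192.168.0.107 -> 192.168.0.1  DNS 93 Standard query 0x856c TXT 1708974.d2luLWR0ZHBucW5wcDhwXHRlaHNreWxhcmsNCg.eversec.rocks
7801 150.002311 192.168.0.107 -> 192.168.0.1  DNS 74 Standard query 0x9a01 A www.example.com
""".splitlines()

# "Standard query 0x..." matches queries only; responses read "Standard query response 0x...",
# which is the same split as the dns.flags.response == 0 display filter.
QUERY_RE = re.compile(r"Standard query 0x([0-9a-f]+)\s+(\w+)\s+(\S+)")


def parse_queries(lines, domain=EXFIL_DOMAIN):
    """Return (txid, qtype, qname) for each query line whose name sits under `domain`."""
    found = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m and m.group(3).lower().endswith("." + domain):
            found.append((m.group(1), m.group(2), m.group(3)))
    return found


def decode_label(label):
    """Decode base64 carried in DNS labels; the sender drops '=' padding, so restore it.
    Returns None when the text cannot be base64 at all (e.g. length 1 mod 4)."""
    padded = label + "=" * (-len(label) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8", errors="replace")
    except binascii.Error:
        return None


def extract_exfil(lines, domain=EXFIL_DOMAIN):
    """Map each query to (sequence label, decoded payload) with the carrier domain removed.
    The first label is taken as the sender's sequence/session marker, the rest as payload."""
    results = []
    for _txid, _qtype, qname in parse_queries(lines, domain):
        labels = qname[: -len(domain) - 1].split(".")
        seq, payload = labels[0], "".join(labels[1:])
        results.append((seq, decode_label(payload)))
    return results


if __name__ == "__main__":
    for seq, text in extract_exfil(SAMPLE_LINES):
        print(f"{seq}: {text!r}")
```

On the real capture you would feed it the output of `tshark -r <file> -Y "dns && (dns.flags.response == 0)"`; the decoded `win-dtdpnqnpp8p\tehskylark` line is the host\user pair from the "attacker's" whoami, which is where the first flag came from.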

Conclusion

I wish I still had some write-ups or information about the online challenges, but this was all I had saved.

This was another great CTF put on by EverSec and I was glad to compete in it.

In the end, I ended up winning this and getting a Pineapple Nano as my prize!

Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he's done it all. To show for it, he has obtained an OSCP, eCPPT, eWPT, eWPTX, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Senior Penetration Testing Consultant for SecureWorks. His previous position was a Senior Penetration Tester for a major financial institution.

When he's not figuring out what cert to get next (OSCE?!) or side project to work on, he enjoys playing video games, traveling, and watching sports.
