rawSEC MINICON CTF 2020 PCAP 1 Challenge Write Up

-
I had an opportunity to participate this CTF this time, I joined this CTF just for fun and to gain new knowledge along the way by completing some of the challenges. In this particular challenge, I'm using this tool to find the flag:

  • Notepad++
  • Wireshark
  • Microsoft Excel
  • Python
  • XLRD python library
  • Command line
First I load the PCAP_1.pcap to Wireshark.


Scrolling through the packet capture file, I notice there is GET request from 172.16.236.163 to 69.172.200.235 which can be seen there is a key value and its look like a base64 string, so I try to export it if there is any object from HTTP protocol.

To extract object in particular stream in the pcap file using Wireshark, you have to go to File > Export Objects > HTTP.


Looking at the export object there is a lot of base64 string can be found, decoding this string one by one does not seem practical. Therefore, I save all the objects into designated folder first to extract the string. I create a folder name base64 in Desktop, and save all the objects there.

Here is all the object that has been saved. Next, I open the terminal in the folder, run command as follow:
root@kali:~/Desktop/base64# ls > base64.txt
This will save the output of ls to a text file name as base64.txt.
To remove ‘%3fkey=’ from the string I’m using notepad++ and transfer the sanitized string to an excel file.




Checking the count of the string, there is 1000 base64 string that needed to be decode.

After that, I wrote a python script that will take the base64 string in the excel and decode it to ASCII.

This script require python and xlrd library to be install. Some of you must be wondering why I'm using this library, because I already made this script but for different purpose, to save some time, I just use what I already had. You can get this library by using pip

root@kali:~/Desktop# pip install xlrd

Here is the python script I that wrote.

# Reading an excel file using Python
import xlrd
import base64

# Give the location of the file
loc = "/root/Desktop/base64.xlsx"

# To open Workbook
wb = xlrd.open_workbook(loc)
sheet = wb.sheet_by_index(0)

for i in range(sheet.nrows):
    base64_message = (sheet.cell_value(i,0))
    message_bytes = base64.b64decode(base64_message)
    message = message_bytes.decode('ascii')
    print(message)

output of the decode string

root@kali:~/Desktop# python base64decode.py
kNfmJFQuUELAcIumgmNhRtUZCroCaChnIiY
kGiWwUJeBhukgxxeSaNZxqGZNzyWDdJDAqW

.
.
rZVYSsGAseXDyWWQzOudcUXzsFRrzumWZjs
rVifqLVPHfqmvOzXRhwvscMJZDPqnmaloFI
rawsec{iM_nOt_WhaT_You_LoOklng_fOr}
rawsec{yOu_gOt_mE_wiTh_BaSe64}
rkxuHhcfbgHufhIzRtVMFYhfQkEQXXIgnYl
rpMWUuCbncfcFsKOqnTGUwyIUmDIJJaXGpT
.
.

Among the gibberish string there is 2 meaningful string, the flag is

rawsec{yOu_gOt_mE_wiTh_BaSe64}

I think this is another way of doing this challenge, I sure there is more easier method out there, but for me I prefer using simple script and readily available tool to save time and effort.

That all for my write up on PCAP_1 Challenge of rawSEC MINICON CTF 2020.

Comments

Post a Comment

Popular posts from this blog

Deploying open-source SOC lab with red team simulation, at home. Elasticsearch Stack EDR + SIEM (Part 1)

-
Image
Introduction I’m always want to have my own lab that can mimic enterprise monitoring at home which include EDR (Endpoint Detection and Response), SIEM (Security Information and Event Management), case management and have a threat intel platform. It must be something that can be built from open source and free... Since there is significant upgrade on my personal workstation, I’m able to ramp up my virtualization capacity to support my endeavor. let’s gooooo! Network & Resources Allocation For this lab, everything will be deployed in virtual machine (VM) and in private network, simple. These are minimum specification I used in this lab; you can allocate more if you have more resources. CPU: 2 cores Network: bridged connection and replicate physical network connection state Storage: 80 GB RAM: 8 GB (For both Ubuntu VM, I’m allocating 16GB for better performance) Architectural & System Design Refer to the diagram above We will deploy two (2) Ubuntu 20.04 Desktop a...
Read more

Deploying open-source SOC lab with red team simulation, at home. MISP, Cortex and TheHive (Part 2)

-
Image
Sorry for posting this a bit late for those who are waiting for part 2. During my time writing part 1 and part 2, I was in rush to prepare for the new addition to my family, we (me, wife & family) have been blessed with our firstborn baby boy. So yeah, with the birth of my son, Ramadhan, and preparation for Aidilfitri all together at once, time is a little bit tight. Hehe Thank you very much for all your wishes and thank you for still following this series, so this time we will set up and install components for MISP, Cortex, and TheHive. This includes installation and integration between these 3 components as described in part 1. Once you have completed all the installation and integration, this server will tremendously help your analysis and automate a lot of things, you can track your progress or investigation, manage case, alert, task, and IOCs found. With a click of a button, you can receive reports and threat intel from multiple sources. This can be your great tool as a ...
Read more

Android Application Security - obfuscation using ProGuard in Android Studio

-
There are many techniques out there for Android Application code obfuscation. Most popular and easy to be applied is using ProGuard in Android Studio. What it usually does is it will shorten your app's class name, optimize your code, remove unnecessary resources and code. The main goal of it is to make your app harder to be reverse engineered. Obfuscation in Android Application has been applied extensively by malware author to hide their malicious code and give security researcher like us a bad day. As developer, you can applied ProGuard in your Android App project by implement this additional rule in your project level build.grade(Module:app)  file. buildTypes { release { minifyEnabled true shrinkResources true proguardFiles getDefaultProguardFile ( 'proguard-android-optimize.txt' ), 'proguard-rules.pro' } debug { minifyEnabled false shrinkResources false proguardFiles getDefaultProguardFile ( 'proguard-and...
Read more