These are my writeups for the Tenable CTF Forensics category.
This challenge presents us with a PDF document containing redacted information, and our job is to retrieve that information. The redaction only covers the text visually, so the text objects are still in the file and converting it to HTML with pdftohtml is enough to read them. We use the command:
pdftohtml sf703.pdf
pdftohtml writes several files (an HTML page for each page of the document plus any extracted images), and the HTML text contains the "redacted" information in the clear. pdftotext would have worked just as well. The lesson for anyone doing redaction is that drawing a black box over text does not remove it; a proper redaction tool has to delete the underlying text objects, and the metadata and embedded images deserve a look too.
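To show why the converter still sees the text, here is an added example of mine (not part of the writeup): it builds a constructed, deliberately simplified PDF whose content stream draws a string and then fills a black rectangle over it, inflates the Flate-compressed stream, and pulls the string back out with the same stream-level view that pdftohtml and pdftotext have. The PDF, its flag-shaped string and the regular expressions are all mine; the regexes handle flat dictionaries and the Tj operator only, which is enough for the sample and for a quick first triage of a real file.

```python
import re
import zlib

# Constructed sample: a one-page PDF whose content stream draws a text string and then
# fills a black rectangle over it, which is what a "redaction" done with a drawing tool
# looks like. It has no xref table or font resource, so it is not meant to render; it is
# only enough for the stream-level extraction below.
CONTENT = (
    b"BT /F1 12 Tf 20 50 Td (flag{constructed_example}) Tj ET\n"  # the text object
    b"0 0 0 rg 15 45 160 16 re f\n"                               # black box painted on top
)
COMPRESSED = zlib.compress(CONTENT)  # real-world content streams are usually Flate-compressed
REDACTED_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 200 100] /Contents 4 0 R >> endobj\n"
    + b"4 0 obj << /Length %d /Filter /FlateDecode >> stream\n" % len(COMPRESSED)
    + COMPRESSED
    + b"\nendstream endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"
)

# <<dict>> stream ... endstream; the dictionary match is simplified to flat dictionaries
STREAM = re.compile(rb"<<([^<>]*)>>\s*stream\r?\n(.*?)\nendstream", re.S)
# (string) Tj, allowing backslash escapes inside the literal; TJ arrays are not handled
TEXT_OP = re.compile(rb"\(((?:\\.|[^\\()])*)\)\s*Tj")
RECT_FILL = re.compile(rb"\bre\s+f\b")


def content_streams(pdf: bytes):
    """Yield every stream body, inflating the ones marked /FlateDecode."""
    for m in STREAM.finditer(pdf):
        params, body = m.group(1), m.group(2)
        yield zlib.decompress(body) if b"/FlateDecode" in params else body


def hidden_text(pdf: bytes):
    """Return (text strings still present in the content streams, number of filled rectangles)."""
    strings, fills = [], 0
    for stream in content_streams(pdf):
        strings += [s.decode("latin-1") for s in TEXT_OP.findall(stream)]
        fills += len(RECT_FILL.findall(stream))
    return strings, fills


if __name__ == "__main__":
    strings, fills = hidden_text(REDACTED_PDF)
    print("text objects:", strings)
    print("filled rectangles (candidate redaction boxes):", fills)
```

A filled rectangle count that is non-zero next to text that should not be there is the tell: the redaction was drawn, not applied.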
This challenge presents us with a pcap and asks us to find the hidden message in some strange packets. Opening the capture reveals a protocol I had not come across before: Modbus. Modbus is an industrial control protocol used between PLCs and the systems that supervise them; it started on serial lines and here is carried over TCP (Modbus/TCP, normally port 502), which Wireshark dissects out of the box.
Here we follow the TCP stream and the flag is right there in the payload, which made this one really easy.
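For captures where the text is spread across many register reads rather than sitting in one "Follow TCP Stream" view, here is an added example of mine (not from the writeup) that re-frames one direction of a Modbus/TCP stream using the MBAP length field and concatenates the register bytes from Read Holding Registers (function code 3) responses, skipping exception responses. The stream is constructed, and the assumption that the message rides in function-3 responses is mine; the writeup does not say which function the challenge used.

```python
import struct


def adu(tid: int, unit: int, pdu: bytes) -> bytes:
    """Wrap a PDU in an MBAP header: transaction id, protocol id 0, length (unit id + PDU), unit id."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed server->client stream: two Read Holding Registers (0x03) responses whose
# register bytes spell ASCII, with an exception response (0x83, illegal data address)
# in between. Stand-in for the server side of the TCP stream Wireshark's Follow view shows.
SERVER_TO_CLIENT = (
    adu(1, 1, bytes([0x03, 8]) + b"TEXT OVE")
    + adu(2, 1, bytes([0x83, 0x02]))
    + adu(3, 1, bytes([0x03, 8]) + b"R MODBUS")
)


def mbap_frames(stream: bytes):
    """Split one direction of a TCP stream into (transaction id, unit id, PDU) tuples using the
    MBAP length field, which re-frames Modbus/TCP even when several ADUs share a TCP segment."""
    frames, off = [], 0
    while off + 7 <= len(stream):
        tid, proto, length, unit = struct.unpack(">HHHB", stream[off:off + 7])
        if proto != 0 or length < 1 or off + 6 + length > len(stream):
            raise ValueError(f"not a Modbus/TCP frame at offset {off}")
        frames.append((tid, unit, stream[off + 7:off + 6 + length]))
        off += 6 + length
    return frames


def holding_register_text(server_stream: bytes) -> str:
    """Concatenate the register bytes of every function-3 response; exceptions (fc | 0x80) are skipped."""
    out = bytearray()
    for _tid, _unit, pdu in mbap_frames(server_stream):
        if pdu[0] == 0x03 and len(pdu) >= 2 + pdu[1]:
            out += pdu[2:2 + pdu[1]]  # byte count, then the 16-bit registers, big-endian
    return out.decode("ascii", errors="replace")


if __name__ == "__main__":
    for tid, unit, pdu in mbap_frames(SERVER_TO_CLIENT):
        print(f"tid={tid} unit={unit} fc=0x{pdu[0]:02x} pdu={pdu.hex()}")
    print(holding_register_text(SERVER_TO_CLIENT))
```

Parsing only the server-to-client direction matters: a function-3 request (function code, start address, quantity) is five bytes and can be mistaken for a short response if both directions are fed in together.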
This challenge asks us to review the weird traffic produced when a document was opened. We are provided with an .xlsm and a pcap file. I believe there are two ways to solve it: file forensics on the xlsm, or pcap forensics on the traffic the malicious document generated.
Opening the pcap we see a large number of GET requests to a single target. Each request carries a short hex string in its query and each response body carries a short string, and we need to work out what that data is.
We will use olevba (from oletools) to look for malicious indicators in the document's VBA macro.
Looking through the output we see two variables, text and key, which are XOR'd together byte by byte. The key comes back in the HTTP response bodies and the XOR'd text goes out hex-encoded in the query string, so both halves of the operation are in the capture and decoding needs nothing from the host. First the query strings:
tshark -r exfil.pcap -Tfields -e http.request.uri.query "http.request.uri.query"
184D5825262C6336
6426435B4B626833
045A125516100301
10161F05120C0B0F
454D53590B5D0507
5702161C19004442
034646154F0F5259
52561D101614081C
1156516D60641047
1D150147420D564D
03091A194B5D0315
574E190C124F141B
0557144603171757
1D575C071208191C
0902421A0844411D
54074E0D004B565E
1803510A0413104B
667F71510155115B
16530C071C561A49
6D791C5A0E044C09
5D0C402754070412
00552D0A0F064A04
0B113F7F2608575A
0800134B02180606
024306065E142118
5547500509415A05
4C7F38320C041A11
5E411917570A050F
165A563A5C001E15
5D0D4F1F53011D19
61701B18533F2836
233C23605A41167E
tshark -r exfil.pcap -Tfields -e http.file_data "http.file_data"
Each response body is a 16-character string wrapped in <html><body>...</body></html>; we will strip that wrapper with sed.
<html><body>7bxvco1sj8gwpr92</body></html>
<html><body>0uctdhbg9rzyvq57</body></html>
<html><body>l3aupyodmehvzfk6</body></html>
<html><body>0upkfmbanov57z9x</body></html>
<html><body>6m2yx8fu9qd7kr4c</body></html>
<html><body>2v6hqa0b9t3w5fjd</body></html>
<html><body>n35aom7yfqzd04iu</body></html>
<html><body>93md6gizvlypw1ox</body></html>
<html><body>txqgj3u5d9woz7na</body></html>
<html><body>x5h3by9m0cre42k7</body></html>
<html><body>ehvuk4majq2tg10c</body></html>
<html><body>8nmdwociyse0lab2</body></html>
<html><body>j9sfkvy3pwqxoeah</body></html>
<html><body>nw5s2kvijzqref9c</body></html>
<html><body>efbxmd4n5i8rkgya</body></html>
<html><body>1cnko9v30dp2rexf</body></html>
<html><body>qp5oawce3uhvml21</body></html>
<html><body>lu94s012goyt8iba</body></html>
<html><body>bsohq3igya5dr42n</body></html>
<html><body>gsz6oc7m9583krfi</body></html>
<html><body>mb4xgiep72kcs1hv</body></html>
<html><body>l0rgne84jszcqxu6</body></html>
<html><body>xl5uba3zshrcdmjn</body></html>
<html><body>qofkayrevwml9gdx</body></html>
<html><body>jcora4up78kbqs5t</body></html>
<html><body>43prh2zl0g9djqos</body></html>
<html><body>8u2yiaj1pqwneb6s</body></html>
<html><body>759d2iwjhyqpl1vb</body></html>
<html><body>btvq9en5wgy1r4dx</body></html>
<html><body>4yol2gx7mhijzur0</body></html>
<html><body>kz47slmu1cdrfhi6</body></html>
<html><body>qyw3zn9tmarix507</body></html>
<html><body>vmbcl8rnxked2zf9</body></html>
tshark -r exfil.pcap -Tfields -e http.file_data "http.file_data" | sed 's/\<html><body>//g'
<7bxvco1sj8gwpr92</body></html>
<0uctdhbg9rzyvq57</body></html>
<l3aupyodmehvzfk6</body></html>
<0upkfmbanov57z9x</body></html>
<6m2yx8fu9qd7kr4c</body></html>
<2v6hqa0b9t3w5fjd</body></html>
<n35aom7yfqzd04iu</body></html>
<93md6gizvlypw1ox</body></html>
<txqgj3u5d9woz7na</body></html>
<x5h3by9m0cre42k7</body></html>
<ehvuk4majq2tg10c</body></html>
<8nmdwociyse0lab2</body></html>
<j9sfkvy3pwqxoeah</body></html>
<nw5s2kvijzqref9c</body></html>
<efbxmd4n5i8rkgya</body></html>
<1cnko9v30dp2rexf</body></html>
<qp5oawce3uhvml21</body></html>
<lu94s012goyt8iba</body></html>
<bsohq3igya5dr42n</body></html>
<gsz6oc7m9583krfi</body></html>
<mb4xgiep72kcs1hv</body></html>
<l0rgne84jszcqxu6</body></html>
<xl5uba3zshrcdmjn</body></html>
<qofkayrevwml9gdx</body></html>
<jcora4up78kbqs5t</body></html>
<43prh2zl0g9djqos</body></html>
<8u2yiaj1pqwneb6s</body></html>
<759d2iwjhyqpl1vb</body></html>
<btvq9en5wgy1r4dx</body></html>
<4yol2gx7mhijzur0</body></html>
<kz47slmu1cdrfhi6</body></html>
<qyw3zn9tmarix507</body></html>
<vmbcl8rnxked2zf9</body></html>
That still did not work: in GNU sed \< is the start-of-word anchor rather than a literal <, so the expression only deleted html><body> and left the opening < and the closing tags in place (deleting every tag with a pattern such as <[^>]*> would have done it). I cleaned the list up in Notepad++ instead:
7bxvco1sj8gwpr92
0uctdhbg9rzyvq57
l3aupyodmehvzfk6
0upkfmbanov57z9x
6m2yx8fu9qd7kr4c
2v6hqa0b9t3w5fjd
n35aom7yfqzd04iu
93md6gizvlypw1ox
txqgj3u5d9woz7na
x5h3by9m0cre42k7
ehvuk4majq2tg10c
8nmdwociyse0lab2
j9sfkvy3pwqxoeah
nw5s2kvijzqref9c
efbxmd4n5i8rkgya
1cnko9v30dp2rexf
qp5oawce3uhvml21
lu94s012goyt8iba
bsohq3igya5dr42n
gsz6oc7m9583krfi
mb4xgiep72kcs1hv
l0rgne84jszcqxu6
xl5uba3zshrcdmjn
qofkayrevwml9gdx
jcora4up78kbqs5t
43prh2zl0g9djqos
8u2yiaj1pqwneb6s
759d2iwjhyqpl1vb
btvq9en5wgy1r4dx
4yol2gx7mhijzur0
kz47slmu1cdrfhi6
qyw3zn9tmarix507
vmbcl8rnxked2zf9
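The decode step the writeup leaves implicit, as an added example of mine (not the author's script): it takes the two tshark outputs above exactly as extracted, strips the HTML wrapper the sed attempt left behind, and XORs each 8-byte query chunk with the key returned in the response of the same index. The per-index pairing is an assumption inferred from the data rather than read out of the macro; it is confirmed by the first five chunks decoding to "// SECRETS //" followed by "This file contains a secr", and by the fact that 33 keys came back for 32 chunks, which fits a document that fetches a key first and sends the encrypted chunk in the next request.

```python
import re

# The GET query strings as extracted on this page with tshark: 16 hex characters, i.e. 8 bytes each.
QUERIES = [
    "184D5825262C6336", "6426435B4B626833", "045A125516100301", "10161F05120C0B0F",
    "454D53590B5D0507", "5702161C19004442", "034646154F0F5259", "52561D101614081C",
    "1156516D60641047", "1D150147420D564D", "03091A194B5D0315", "574E190C124F141B",
    "0557144603171757", "1D575C071208191C", "0902421A0844411D", "54074E0D004B565E",
    "1803510A0413104B", "667F71510155115B", "16530C071C561A49", "6D791C5A0E044C09",
    "5D0C402754070412", "00552D0A0F064A04", "0B113F7F2608575A", "0800134B02180606",
    "024306065E142118", "5547500509415A05", "4C7F38320C041A11", "5E411917570A050F",
    "165A563A5C001E15", "5D0D4F1F53011D19", "61701B18533F2836", "233C23605A41167E",
]
# The HTTP response bodies, still wrapped in HTML as tshark printed them (one more than the queries).
RESPONSES = [
    "<html><body>7bxvco1sj8gwpr92</body></html>", "<html><body>0uctdhbg9rzyvq57</body></html>",
    "<html><body>l3aupyodmehvzfk6</body></html>", "<html><body>0upkfmbanov57z9x</body></html>",
    "<html><body>6m2yx8fu9qd7kr4c</body></html>", "<html><body>2v6hqa0b9t3w5fjd</body></html>",
    "<html><body>n35aom7yfqzd04iu</body></html>", "<html><body>93md6gizvlypw1ox</body></html>",
    "<html><body>txqgj3u5d9woz7na</body></html>", "<html><body>x5h3by9m0cre42k7</body></html>",
    "<html><body>ehvuk4majq2tg10c</body></html>", "<html><body>8nmdwociyse0lab2</body></html>",
    "<html><body>j9sfkvy3pwqxoeah</body></html>", "<html><body>nw5s2kvijzqref9c</body></html>",
    "<html><body>efbxmd4n5i8rkgya</body></html>", "<html><body>1cnko9v30dp2rexf</body></html>",
    "<html><body>qp5oawce3uhvml21</body></html>", "<html><body>lu94s012goyt8iba</body></html>",
    "<html><body>bsohq3igya5dr42n</body></html>", "<html><body>gsz6oc7m9583krfi</body></html>",
    "<html><body>mb4xgiep72kcs1hv</body></html>", "<html><body>l0rgne84jszcqxu6</body></html>",
    "<html><body>xl5uba3zshrcdmjn</body></html>", "<html><body>qofkayrevwml9gdx</body></html>",
    "<html><body>jcora4up78kbqs5t</body></html>", "<html><body>43prh2zl0g9djqos</body></html>",
    "<html><body>8u2yiaj1pqwneb6s</body></html>", "<html><body>759d2iwjhyqpl1vb</body></html>",
    "<html><body>btvq9en5wgy1r4dx</body></html>", "<html><body>4yol2gx7mhijzur0</body></html>",
    "<html><body>kz47slmu1cdrfhi6</body></html>", "<html><body>qyw3zn9tmarix507</body></html>",
    "<html><body>vmbcl8rnxked2zf9</body></html>",
]

TAG = re.compile(r"<[^>]+>")


def strip_html(body: str) -> str:
    """Remove every tag; this is what the sed attempt on the page was trying to do."""
    return TAG.sub("", body).strip()


def xor_chunk(query_hex: str, key: str) -> bytes:
    """Undo the macro's XOR for one chunk. zip stops at the shorter input, so an 8-byte
    chunk consumes only the first 8 bytes of the 16-byte key."""
    return bytes(c ^ k for c, k in zip(bytes.fromhex(query_hex), key.encode()))


def decode_exfil(queries, responses) -> str:
    """Assumption (inferred from the data, not from the macro): chunk i was XORed with key i.
    The trailing 33rd key has no chunk and is ignored by zip."""
    keys = [strip_html(r) for r in responses]
    return b"".join(xor_chunk(q, k) for q, k in zip(queries, keys)).decode("latin-1")


if __name__ == "__main__":
    print(decode_exfil(QUERIES, RESPONSES))
```

If a pairing is wrong the first bytes come out as control characters rather than text, so checking the first chunk or two by hand is a cheap way to confirm the alignment before trusting the whole decode.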
We are tasked with observing strange traffic and figuring out what it is. I know that ICMP is a common way to conduct this kind of exfiltration: the echo request payload is attacker-controlled and ping is rarely blocked at the perimeter.
Let's grab the hex data from the first large packet and paste it into HxD to see whether it starts with a recognisable file header.
Then we grab the rest with tshark, paste it into HxD and save it. The filter below selects the payload-carrying frames by their captured length, the two sizes the data frames come in:
tshark -r dataexfil.pcapng -Tfields -e data "frame.cap_len == 1044 or frame.cap_len == 189"
We paste the hex into HxD or CyberChef (From Hex) and save the result as a .png, since the header in the first packet identifies the file as a PNG. One caveat if a capture also contains the echo replies: they carry the same payload back, so filter on icmp.type == 8 (requests only) or every chunk ends up in the file twice.
This challenge provides no details other than a hint about many cats.
A simple pass with Autopsy carves the flag from the .img file; its carver (PhotoRec under the hood) works from file signatures, so it finds images in unallocated space as well as in the file system.
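The reassembly step from the ICMP challenge and the carving step from the cats image, as one added example of mine that is not part of this writeup: it builds a small PNG (a constructed stand-in for the real image), splits it over echo requests and their replies, puts it back together from the requests alone in sequence order, and then carves PNGs out of a constructed disk image by walking chunks to IEND and checking each CRC, so a stray signature in slack space is rejected instead of producing a broken file. To feed it a real capture, build the packet list from tshark output with -e icmp.type -e icmp.seq -e data (those are tshark's field names; the dict shape is my own). Both samples are constructed.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_chunk(kind: bytes, body: bytes) -> bytes:
    """length, type, data, CRC32 over type+data, as the PNG spec lays a chunk out."""
    return struct.pack(">I", len(body)) + kind + body + struct.pack(">I", zlib.crc32(kind + body))


def build_png(width: int = 4, height: int = 4) -> bytes:
    """Constructed grayscale PNG standing in for the exfiltrated image."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)  # 8-bit grayscale, no interlace
    rows = b"".join(b"\x00" + bytes((x * 60) % 256 for x in range(width)) for _ in range(height))  # filter 0 per row
    return PNG_SIG + png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", zlib.compress(rows)) + png_chunk(b"IEND", b"")


def reassemble_icmp(packets, request_type: int = 8) -> bytes:
    """Rebuild the carried file from echo requests only, ordered by ICMP sequence number.
    Echo replies carry the same payload back, so including them doubles every chunk."""
    by_seq = {}
    for pkt in packets:
        if pkt["type"] == request_type:
            by_seq.setdefault(pkt["seq"], pkt["data"])  # a retransmission keeps the first copy
    return b"".join(by_seq[seq] for seq in sorted(by_seq))


def walk_png(buf: bytes, start: int):
    """Return the end offset of a PNG that starts at `start`, walking chunk by chunk to IEND and
    checking each CRC; None if the structure or a CRC is bad (a false positive on the signature)."""
    if buf[start:start + 8] != PNG_SIG:
        return None
    off = start + 8
    while off + 12 <= len(buf):
        (length,) = struct.unpack(">I", buf[off:off + 4])
        kind, end = buf[off + 4:off + 8], off + 12 + length
        if end > len(buf):
            return None
        (stored,) = struct.unpack(">I", buf[off + 8 + length:end])
        if zlib.crc32(buf[off + 4:off + 8 + length]) != stored:
            return None
        off = end
        if kind == b"IEND":
            return off
    return None


def carve_pngs(image: bytes):
    """Signature-based carving over a raw image, the same idea a carver applies to the .img."""
    found, pos = [], image.find(PNG_SIG)
    while pos != -1:
        end = walk_png(image, pos)
        if end is None:
            pos = image.find(PNG_SIG, pos + 1)
        else:
            found.append(image[pos:end])
            pos = image.find(PNG_SIG, end)
    return found


def demo():
    png = build_png()
    # Constructed capture: 48-byte chunks, each sent in an echo request (type 8) and echoed in
    # the reply (type 0); the list is reversed so capture order and sequence order differ.
    packets = []
    for seq, chunk in enumerate(png[i:i + 48] for i in range(0, len(png), 48)):
        packets.append({"type": 8, "seq": seq + 1, "data": chunk})
        packets.append({"type": 0, "seq": seq + 1, "data": chunk})
    packets.reverse()
    recovered = reassemble_icmp(packets)
    # Constructed disk image: slack, a PNG, more slack, a second PNG, more slack.
    disk = b"\x00" * 512 + b"junk" * 30 + png + b"\xff" * 256 + build_png(2, 2) + b"\x00" * 64
    return recovered, carve_pngs(disk)


if __name__ == "__main__":
    recovered, carved = demo()
    print("reassembled:", len(recovered), "bytes, valid PNG:", walk_png(recovered, 0) == len(recovered))
    print("carved:", [len(c) for c in carved])
```

Checking the CRCs while carving is what separates a real file from eight bytes that happen to look like a signature; a plain signature-to-trailer scan would happily carve a fragment that no viewer can open.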