  • BlueDolphin

Tenable CTF 2022 - Forensics


These are my writeups for the Tenable CTF Forensics category.

This challenge presents us with a PDF document containing redacted information, and our job is to retrieve it. The way to do this is simply to convert the file to HTML using pdftohtml and read the flag out of the output. This works because the redaction only draws boxes over the text; the text itself is still in the PDF, so any tool that extracts it ignores the boxes. We use the command:



pdftohtml sf703.pdf



Our PDF-to-HTML converter outputs several files, including the redacted information.







This challenge presents us with a pcap, and we are asked to find the hidden message in these strange packets. Opening the capture reveals a protocol I had never heard of before, "Modbus". This is a protocol for serial connections.



Here we follow the stream and see our flag; this one was really easy.



This challenge asks us to review the weird traffic generated when a document was opened. We are provided with an .xlsm and a pcap file. I believe there are two ways to solve this challenge: either through file forensics on the xlsm or through pcap forensics on the traffic made by this malicious document.



Opening the pcap we can see a large number of GET requests to a target. The GET requests are pulling down some type of data, and we need to figure out what that is.


We will use olevba to look for malicious IOCs in the document.


Looking through the provided output we see that there are two variables, text and key. The variables text and key are XORed together as byte strings.




tshark -r exfil.pcap -Tfields -e http.request.uri.query "http.request.uri.query" 


184D5825262C6336

6426435B4B626833

045A125516100301

10161F05120C0B0F

454D53590B5D0507

5702161C19004442

034646154F0F5259

52561D101614081C

1156516D60641047

1D150147420D564D

03091A194B5D0315

574E190C124F141B

0557144603171757

1D575C071208191C

0902421A0844411D

54074E0D004B565E

1803510A0413104B

667F71510155115B

16530C071C561A49

6D791C5A0E044C09

5D0C402754070412

00552D0A0F064A04

0B113F7F2608575A

0800134B02180606

024306065E142118

5547500509415A05

4C7F38320C041A11

5E411917570A050F

165A563A5C001E15

5D0D4F1F53011D19

61701B18533F2836

233C23605A41167E



tshark -r exfil.pcap -Tfields -e http.file_data "http.file_data" 

We remove the preamble using sed.


<html><body>7bxvco1sj8gwpr92</body></html>

<html><body>0uctdhbg9rzyvq57</body></html>

<html><body>l3aupyodmehvzfk6</body></html>

<html><body>0upkfmbanov57z9x</body></html>

<html><body>6m2yx8fu9qd7kr4c</body></html>

<html><body>2v6hqa0b9t3w5fjd</body></html>

<html><body>n35aom7yfqzd04iu</body></html>

<html><body>93md6gizvlypw1ox</body></html>

<html><body>txqgj3u5d9woz7na</body></html>

<html><body>x5h3by9m0cre42k7</body></html>

<html><body>ehvuk4majq2tg10c</body></html>

<html><body>8nmdwociyse0lab2</body></html>

<html><body>j9sfkvy3pwqxoeah</body></html>

<html><body>nw5s2kvijzqref9c</body></html>

<html><body>efbxmd4n5i8rkgya</body></html>

<html><body>1cnko9v30dp2rexf</body></html>

<html><body>qp5oawce3uhvml21</body></html>

<html><body>lu94s012goyt8iba</body></html>

<html><body>bsohq3igya5dr42n</body></html>

<html><body>gsz6oc7m9583krfi</body></html>

<html><body>mb4xgiep72kcs1hv</body></html>

<html><body>l0rgne84jszcqxu6</body></html>

<html><body>xl5uba3zshrcdmjn</body></html>

<html><body>qofkayrevwml9gdx</body></html>

<html><body>jcora4up78kbqs5t</body></html>

<html><body>43prh2zl0g9djqos</body></html>

<html><body>8u2yiaj1pqwneb6s</body></html>

<html><body>759d2iwjhyqpl1vb</body></html>

<html><body>btvq9en5wgy1r4dx</body></html>

<html><body>4yol2gx7mhijzur0</body></html>

<html><body>kz47slmu1cdrfhi6</body></html>

<html><body>qyw3zn9tmarix507</body></html>

<html><body>vmbcl8rnxked2zf9</body></html>


tshark -r exfil.pcap -Tfields -e http.file_data "http.file_data" | sed 's/\<html><body>//g'


<7bxvco1sj8gwpr92</body></html>

<0uctdhbg9rzyvq57</body></html>

<l3aupyodmehvzfk6</body></html>

<0upkfmbanov57z9x</body></html>

<6m2yx8fu9qd7kr4c</body></html>

<2v6hqa0b9t3w5fjd</body></html>

<n35aom7yfqzd04iu</body></html>

<93md6gizvlypw1ox</body></html>

<txqgj3u5d9woz7na</body></html>

<x5h3by9m0cre42k7</body></html>

<ehvuk4majq2tg10c</body></html>

<8nmdwociyse0lab2</body></html>

<j9sfkvy3pwqxoeah</body></html>

<nw5s2kvijzqref9c</body></html>

<efbxmd4n5i8rkgya</body></html>

<1cnko9v30dp2rexf</body></html>

<qp5oawce3uhvml21</body></html>

<lu94s012goyt8iba</body></html>

<bsohq3igya5dr42n</body></html>

<gsz6oc7m9583krfi</body></html>

<mb4xgiep72kcs1hv</body></html>

<l0rgne84jszcqxu6</body></html>

<xl5uba3zshrcdmjn</body></html>

<qofkayrevwml9gdx</body></html>

<jcora4up78kbqs5t</body></html>

<43prh2zl0g9djqos</body></html>

<8u2yiaj1pqwneb6s</body></html>

<759d2iwjhyqpl1vb</body></html>

<btvq9en5wgy1r4dx</body></html>

<4yol2gx7mhijzur0</body></html>

<kz47slmu1cdrfhi6</body></html>

<qyw3zn9tmarix507</body></html>

<vmbcl8rnxked2zf9</body></html>


This still did not work (in GNU sed "\<" is a start-of-word anchor, so the pattern matched "html><body>" and left the leading "<" in place), so we will clean it up with Notepad++.


7bxvco1sj8gwpr92

0uctdhbg9rzyvq57

l3aupyodmehvzfk6

0upkfmbanov57z9x

6m2yx8fu9qd7kr4c

2v6hqa0b9t3w5fjd

n35aom7yfqzd04iu

93md6gizvlypw1ox

txqgj3u5d9woz7na

x5h3by9m0cre42k7

ehvuk4majq2tg10c

8nmdwociyse0lab2

j9sfkvy3pwqxoeah

nw5s2kvijzqref9c

efbxmd4n5i8rkgya

1cnko9v30dp2rexf

qp5oawce3uhvml21

lu94s012goyt8iba

bsohq3igya5dr42n

gsz6oc7m9583krfi

mb4xgiep72kcs1hv

l0rgne84jszcqxu6

xl5uba3zshrcdmjn

qofkayrevwml9gdx

jcora4up78kbqs5t

43prh2zl0g9djqos

8u2yiaj1pqwneb6s

759d2iwjhyqpl1vb

btvq9en5wgy1r4dx

4yol2gx7mhijzur0

kz47slmu1cdrfhi6

qyw3zn9tmarix507

vmbcl8rnxked2zf9
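The query strings above are the "text" half of the XOR and the response bodies are the "key" half. The following script is an added example, not the author's or the challenge's own code: it takes the two tshark outputs as printed above, strips the HTML wrapper the way the sed command was meant to (a regex rather than a word-boundary anchor), and XORs the n-th query with the n-th response. The pairing is an assumption; it is confirmed by the first pairs decoding to readable text. Note that there are 33 response bodies but only 32 query strings, so the trailing response is left unused.

```python
import re

# Query strings captured with tshark (-e http.request.uri.query), copied from
# the writeup's output above; each is 8 bytes of XOR ciphertext in hex.
QUERY_HEX = """
184D5825262C6336 6426435B4B626833 045A125516100301 10161F05120C0B0F
454D53590B5D0507 5702161C19004442 034646154F0F5259 52561D101614081C
1156516D60641047 1D150147420D564D 03091A194B5D0315 574E190C124F141B
0557144603171757 1D575C071208191C 0902421A0844411D 54074E0D004B565E
1803510A0413104B 667F71510155115B 16530C071C561A49 6D791C5A0E044C09
5D0C402754070412 00552D0A0F064A04 0B113F7F2608575A 0800134B02180606
024306065E142118 5547500509415A05 4C7F38320C041A11 5E411917570A050F
165A563A5C001E15 5D0D4F1F53011D19 61701B18533F2836 233C23605A41167E
""".split()

# Response bodies (-e http.file_data), copied verbatim from the writeup:
# the server answers every request with a 16-character key wrapped in HTML.
RAW_RESPONSES = """
<html><body>7bxvco1sj8gwpr92</body></html> <html><body>0uctdhbg9rzyvq57</body></html>
<html><body>l3aupyodmehvzfk6</body></html> <html><body>0upkfmbanov57z9x</body></html>
<html><body>6m2yx8fu9qd7kr4c</body></html> <html><body>2v6hqa0b9t3w5fjd</body></html>
<html><body>n35aom7yfqzd04iu</body></html> <html><body>93md6gizvlypw1ox</body></html>
<html><body>txqgj3u5d9woz7na</body></html> <html><body>x5h3by9m0cre42k7</body></html>
<html><body>ehvuk4majq2tg10c</body></html> <html><body>8nmdwociyse0lab2</body></html>
<html><body>j9sfkvy3pwqxoeah</body></html> <html><body>nw5s2kvijzqref9c</body></html>
<html><body>efbxmd4n5i8rkgya</body></html> <html><body>1cnko9v30dp2rexf</body></html>
<html><body>qp5oawce3uhvml21</body></html> <html><body>lu94s012goyt8iba</body></html>
<html><body>bsohq3igya5dr42n</body></html> <html><body>gsz6oc7m9583krfi</body></html>
<html><body>mb4xgiep72kcs1hv</body></html> <html><body>l0rgne84jszcqxu6</body></html>
<html><body>xl5uba3zshrcdmjn</body></html> <html><body>qofkayrevwml9gdx</body></html>
<html><body>jcora4up78kbqs5t</body></html> <html><body>43prh2zl0g9djqos</body></html>
<html><body>8u2yiaj1pqwneb6s</body></html> <html><body>759d2iwjhyqpl1vb</body></html>
<html><body>btvq9en5wgy1r4dx</body></html> <html><body>4yol2gx7mhijzur0</body></html>
<html><body>kz47slmu1cdrfhi6</body></html> <html><body>qyw3zn9tmarix507</body></html>
<html><body>vmbcl8rnxked2zf9</body></html>
"""

# Matches the text between the <body> tags. This is what the sed command in
# the writeup was meant to do; in GNU sed "\<" is a word-boundary anchor,
# which is why its output still started with "<".
BODY_RE = re.compile(r"<html><body>(.*?)</body></html>")


def strip_html(text):
    """Return the body text of every <html><body>...</body></html> in text."""
    return BODY_RE.findall(text)


def xor_bytes(data, key):
    """XOR data with key, repeating key if data is longer."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decrypt(query_hex, keys):
    """Pair the n-th query with the n-th response (assumed; the first pairs
    decode to readable text) and XOR the 8 cipher bytes with the key. Only
    the first 8 key characters are consumed because each query carries 8
    bytes; zip() drops the extra trailing response."""
    plain = bytearray()
    for chunk, key in zip(query_hex, keys):
        plain += xor_bytes(bytes.fromhex(chunk), key.encode("ascii"))
    return bytes(plain)


def solve():
    """Decode the whole exfiltrated message as text (latin-1 never fails)."""
    return decrypt(QUERY_HEX, strip_html(RAW_RESPONSES)).decode("latin-1")


if __name__ == "__main__":
    print(solve())
```

Running the script prints the recovered document; the decoded text opens with "// SECRETS //" followed by "This file contains a secr...", which is the check that the pairing and key length are right before reading on for the flag.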



We are tasked with observing strange traffic and figuring out what it is! I know that ICMP is a common way to conduct this kind of data exfiltration.



Let's grab the hex data from the first large packet and pop it into HxD to see if there is any header information.




Then we grab the rest with tshark, pop it into HxD and save it.


tshark -r dataexfil.pcapng -Tfields -e data "frame.cap_len == 1044 or frame.cap_len == 189"

We copy and paste this into HxD or CyberChef and save it as a .png file.
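The same reassembly can be done without a hex editor, and checking the result before saving it catches a missed or duplicated packet early. The script below is an added example, not the author's code: it assumes tshark printed one hex string per frame (with or without colon separators, as different versions do), joins them in capture order, and only writes a .png once the PNG signature and the IHDR chunk's CRC check out. Because no capture is included here, it builds a small constructed PNG header split across two "packets" to demonstrate on.

```python
import struct
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def build_sample_packets():
    """Constructed sample input: a PNG signature plus an IHDR chunk for a
    2x3 image, split across two 'packets' the way tshark -e data prints
    them. This stands in for the real capture, which is not included."""
    ihdr_body = struct.pack(">IIBBBBB", 2, 3, 8, 2, 0, 0, 0)  # 13 bytes
    ihdr = struct.pack(">I", len(ihdr_body)) + b"IHDR" + ihdr_body
    ihdr += struct.pack(">I", zlib.crc32(b"IHDR" + ihdr_body))
    blob = PNG_MAGIC + ihdr
    return [blob[:10].hex(), ":".join(f"{b:02x}" for b in blob[10:])]


def reassemble(hex_lines):
    """Concatenate the ICMP data fields in capture order. tshark prints the
    data field as plain hex in newer versions and colon-separated hex in
    older ones, so both forms are accepted."""
    return b"".join(
        bytes.fromhex(line.strip().replace(":", ""))
        for line in hex_lines
        if line.strip()
    )


def png_dimensions(data):
    """Return (width, height) if data starts with a PNG signature and an
    IHDR chunk whose CRC matches, otherwise None."""
    if not data.startswith(PNG_MAGIC) or len(data) < 33:
        return None
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        return None
    body = data[16:29]
    (crc,) = struct.unpack(">I", data[29:33])
    if zlib.crc32(b"IHDR" + body) != crc:
        return None
    return struct.unpack(">II", body[:8])


def carve(hex_lines, out_path=None):
    """Reassemble the payloads and, if they form a plausible PNG, write the
    file. Returns the image dimensions, or None if the header is not sane."""
    data = reassemble(hex_lines)
    dims = png_dimensions(data)
    if dims is not None and out_path:
        with open(out_path, "wb") as f:
            f.write(data)
    return dims


if __name__ == "__main__":
    print(carve(build_sample_packets()))  # (2, 3) for the constructed sample
```

With a real capture, feed the lines from the tshark command above into carve() with an output path; a None result means the frames are out of order or one is missing, so the filter or the frame selection needs another look before opening the image.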




This challenge provides no details other than the suggestion of many cats.



A simple check with Autopsy carves the flag from the .img file.

