CTF WRITEUPS : Birdman's Data {Network}
Otter ctf is an online capture the flag hacking and reverse engineering competition of format jeopardy.
For more otter ctf information visit here or visit the official website.
One of the challenges was of network type "Birdman's Data" which says "We recorded some BirdMan's networking, but a part of it (the important part) got scrambled", along with a downloadable .pcap file. .pcap files are packet capture packets that can be seen with help of network monitoring software or packet listening programs like wireshark etc.
So I am not very good at capture the flag things so my friend helped with this a lot, ok let's dive right into it.
# After downloading the file first logical thing to do, which isn't efficient but is necessary in my opinion, so just open terminal and "cd" directories to the downloaded file location. then just "file" out the .pcap file name i.e: $file Birdmans_data.pcap, this gives some information about the file which is just sufficient. It outputs data such as file_name.ext: file type (in this case tcpdump capture file).
sometimes files with fake extensions can be passed to you, if you are participating in such an event.
# Try opening file with forced other software other than network sniffing tool, try opening this in VIM. it is the most trustworthy text manipulation software for binary visualisation and things. Once u open that in VIM editor you'll some strings forming in the dump file although its heavily obfuscated but, thanks to our brains we can identify patterns in things. These strings tho are hard to read and to process easily, so a more efficient way of printing only readable strings is to write "strings <filename.ext>(Birdmans_data.pcap in this case)" in the terminal. This gives us a more readable and reachable output in terminal.
Go through it even tho its bad to traverse it like this, but just "go through" with it. In there you'll notice many HTTP requests made and request headers with them, watch closely you'll see GET type requests with heads like:"GET /crypto/AES/key/128/?_=1531740269666 HTTP/1.1"
Here this is a GET request to the server with type crypto regarding AES(advanced encryption standard) encryption key, this is interesting this means that what ever the network data is that is encrypted with the help of AES encryption. OK, down there you'll also notice key="obfuscated url" and IV(initialisation vector)="random string of "things"" also token exists.
# Now, we know that its a .pcap file with some AES encrypted cipher text with is need to be decrypted. Now being a .pcap file, let's open it i'll recommend you installing Wireshark for best experience from here. Launch Wireshark and click on "open capture file" icon just below the "GO" tab in "MENU BAR", select the .pcap file from the dialog box that open just then. I'll suggest to select manually "Files of type:" its submenu for precise guess, select "Wireshark/tcpdump/....-pcap(*.dmp *.cap *.pcap)" and "pcap"(from main and sub menu respectively and finally hit OPEN. That lead you to opening of the .pcap file containing packets/request etc which used to communicate, Under the "Apply a display filter...<Ctrl-/>"
just below the menu bar write "HTTP" to filter packets transmitted with HTTP protocol. After that something which you are going to encrypt you'll probably not send it through GET requests and would use the POST request so check latest packet transferred after the POST request select it and click on "Uncompressed entity body" on the lower left hand which welcomes you with a cipher text which you'll most probably have to decrypt. Along with the cipher text that packet also contain "key" and "IV(initialisation vector)" without url fuzzing and obfuscation.
so, yay we have our cipher text and key and IV to fully decrypt the text, we can use online AES encryption decryption tools to decrypt the cipher text but a smart choice would be to decrypt this text from where its encrypted.
QUES: How do we know which tool they used to encrypt the text?
ANS: notice the get requests which are passed, just open them scroll all the way down you'll see the website link they used to pass the key and encrypt the data.
# Now just copy and paste the online tool link in browser and decrypt the text with key and IV. Once we decrypt that we'll have a simple text file with some gibberish written which doesn't make sense with some out of the world indentation and capitalisation. The considerably most hard part of challenge of figuring out the flag, I mentioned some weird indentation in the file that isn't there just by chance, it has a specific reason of these indentations. Just take out the first letter of each line existing there and put it together including the curly braces you'll encounter. it pronounces CTF{...-...-...-...} and this is the required flag we were searching for.
P.S: for images comment!
So I am not very good at capture the flag things so my friend helped with this a lot, ok let's dive right into it.
# After downloading the file first logical thing to do, which isn't efficient but is necessary in my opinion, so just open terminal and "cd" directories to the downloaded file location. then just "file" out the .pcap file name i.e: $file Birdmans_data.pcap, this gives some information about the file which is just sufficient. It outputs data such as file_name.ext: file type (in this case tcpdump capture file).
sometimes files with fake extensions can be passed to you, if you are participating in such an event.
# Try opening file with forced other software other than network sniffing tool, try opening this in VIM. it is the most trustworthy text manipulation software for binary visualisation and things. Once u open that in VIM editor you'll some strings forming in the dump file although its heavily obfuscated but, thanks to our brains we can identify patterns in things. These strings tho are hard to read and to process easily, so a more efficient way of printing only readable strings is to write "strings <filename.ext>(Birdmans_data.pcap in this case)" in the terminal. This gives us a more readable and reachable output in terminal.
Go through it even tho its bad to traverse it like this, but just "go through" with it. In there you'll notice many HTTP requests made and request headers with them, watch closely you'll see GET type requests with heads like:"GET /crypto/AES/key/128/?_=1531740269666 HTTP/1.1"
Here this is a GET request to the server with type crypto regarding AES(advanced encryption standard) encryption key, this is interesting this means that what ever the network data is that is encrypted with the help of AES encryption. OK, down there you'll also notice key="obfuscated url" and IV(initialisation vector)="random string of "things"" also token exists.
# Now, we know that its a .pcap file with some AES encrypted cipher text with is need to be decrypted. Now being a .pcap file, let's open it i'll recommend you installing Wireshark for best experience from here. Launch Wireshark and click on "open capture file" icon just below the "GO" tab in "MENU BAR", select the .pcap file from the dialog box that open just then. I'll suggest to select manually "Files of type:" its submenu for precise guess, select "Wireshark/tcpdump/....-pcap(*.dmp *.cap *.pcap)" and "pcap"(from main and sub menu respectively and finally hit OPEN. That lead you to opening of the .pcap file containing packets/request etc which used to communicate, Under the "Apply a display filter...<Ctrl-/>"
just below the menu bar write "HTTP" to filter packets transmitted with HTTP protocol. After that something which you are going to encrypt you'll probably not send it through GET requests and would use the POST request so check latest packet transferred after the POST request select it and click on "Uncompressed entity body" on the lower left hand which welcomes you with a cipher text which you'll most probably have to decrypt. Along with the cipher text that packet also contain "key" and "IV(initialisation vector)" without url fuzzing and obfuscation.
so, yay we have our cipher text and key and IV to fully decrypt the text, we can use online AES encryption decryption tools to decrypt the cipher text but a smart choice would be to decrypt this text from where its encrypted.
QUES: How do we know which tool they used to encrypt the text?
ANS: notice the get requests which are passed, just open them scroll all the way down you'll see the website link they used to pass the key and encrypt the data.
# Now just copy and paste the online tool link in browser and decrypt the text with key and IV. Once we decrypt that we'll have a simple text file with some gibberish written which doesn't make sense with some out of the world indentation and capitalisation. The considerably most hard part of challenge of figuring out the flag, I mentioned some weird indentation in the file that isn't there just by chance, it has a specific reason of these indentations. Just take out the first letter of each line existing there and put it together including the curly braces you'll encounter. it pronounces CTF{...-...-...-...} and this is the required flag we were searching for.
P.S: for images comment!
Comments
Post a Comment