Hi mates,

During my spare time I tried some tasks from the DSC17 CTF by S21sec. I will comment here on the ones I found more difficult or fun. FBCTF was the platform, so from here on the task names are the associated countries.

Somalia – 800 points 

 

They provide us with a pcapng capture containing DNS IN A queries from an IPv6 host. These queries were of type Standard Query 0x000 A for some random hexadecimal [hex-host].des. I worked around the idea of some kind of cipher because of the “.des” domain ending, after trying some other weird methods (hex->ascii, hex-unxor) that produced nothing.

Another problem was that the UDP source ports appear in a strange range (0,117 random) and we probably need to sort by them to get good output. My initial tries with streams left unordered by UDP source port produced nothing. So if I was right, I need to reorder by source port, ‘guess’ the cipher key and finally decipher the flag. Let’s start.

Solution 1: tshark to the rescue

A quick way to sort by UDP source port and output only the hexadecimal strings of our streams was:

tshark -r exfiltracion_111abda47b950e6cd474a43583372c4f.pcapng -Tfields -e udp.srcport -e dns.qry.name |sort -n | cut -f2| sed 's/.des//g'|tr -d "\n"

This produces output:


OK, we have all the data in the correct (assumption) order, but what about the key for the DES-ECB (assumption) cipher? We can try some data from inside the pcap, because guessing was too difficult, and we have a constant field on all the streams: the IPv6 field c7:3f:1d:b9:a2:4:4a:ff.

Notice the key is 15 bytes and we need a 16-byte one to decipher ECB-DES, so we left-pad that lone ‘4’ with a ‘0’. We have everything we need to write our first script to solve the task under our initial assumption.

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
'''
DCS17 Challenge S21SEC
We suspect that data has been exfiltrated over the network.
Can you find out what was exfiltrated?
File: exfiltracion_111abda47b950e6cd474a43583372c4f.pcapng
Points: 800
'''
from Crypto.Cipher import DES
import binascii
from scapy.all import *
import subprocess

# Read the pcap
pcap = rdpcap("exfiltracion_111abda47b950e6cd474a43583372c4f.pcapng")

# Take the key, which is derived from the source IPv6 address
key = pcap[1][IPv6].src
key = key.split(':')

# Pad the key: it is 15 characters but we need 16
for i in range(len(key)):
    if len(key[i]) == 1:
        key[i] = "0" + key[i]
ckey = ''.join(key)  # ckey = "c73f1db9a2044aff"

# Run tshark, sorting the streams by source port
hexdata = subprocess.check_output("tshark -r exfiltracion_111abda47b950e6cd474a43583372c4f.pcapng -Tfields -e udp.srcport -e dns.qry.name |sort -n | cut -f2| sed 's/.des//g'|tr -d \"\n\"", shell=True)
# Decrypt the data with DES-ECB
hexdata_to_binary = binascii.unhexlify(hexdata)
key = binascii.unhexlify(ckey)
des = DES.new(key, DES.MODE_ECB)
flag_text = des.decrypt(hexdata_to_binary)
print("#" * 100)
print(flag_text.decode("utf-8", "replace"))
print("#" * 100)

Hey, it seems that worked! We have a flag, but we can use scapy instead of that ugly tshark subprocess command. So let's refactor the Python to produce the same result:

Scapy: Infinite possibilities

I don’t know scapy in depth, but I know it has a lot of possibilities for working on pcap files, so I finally reduced the Python script using scapy:

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
'''
DCS17 Challenge S21SEC
We suspect that data has been exfiltrated over the network.
Can you find out what was exfiltrated?
File: exfiltracion_111abda47b950e6cd474a43583372c4f.pcapng
Points: 800
'''
from Crypto.Cipher import DES
from scapy.all import *
import binascii

# Read the pcap
pcap = rdpcap("exfiltracion_111abda47b950e6cd474a43583372c4f.pcapng")

# Take the key, which is derived from the source IPv6 address
key = pcap[1][IPv6].src
key = key.split(':')

# The key needs padding: c73f1db9a244aff != c73f1db9a2044aff
for i in range(len(key)):
    if len(key[i]) == 1:
        key[i] = "0" + key[i]
ckey = ''.join(key)

# Collect the packets sorted by UDP source port
hexdata = ''
for packet in sorted(pcap, key=lambda x: x[UDP].sport, reverse=False):
    # qname is bytes in Python 3 and ends with a trailing dot
    hexdata += packet[DNSQR].qname.decode().replace('.des', '').replace('.', '')

# Decrypt the data with DES-ECB
hexdata_to_binary = binascii.unhexlify(hexdata)
key = binascii.unhexlify(ckey)
des = DES.new(key, DES.MODE_ECB)
flag_text = des.decrypt(hexdata_to_binary)
print("#" * 100)
print(flag_text.decode("utf-8", "replace"))
print("#" * 100)

The part equivalent to the tshark version is the sort by UDP source port done with scapy:

# Collect the packets sorted by UDP source port
hexdata = ''
for packet in sorted(pcap, key=lambda x: x[UDP].sport, reverse=False):
    # qname is bytes in Python 3 and ends with a trailing dot
    hexdata += packet[DNSQR].qname.decode().replace('.des', '').replace('.', '')
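The scripts above rest on two assumptions: that the UDP source port is a sequence number and that the zero-padded IPv6 groups form the key. The following added example (not part of the original post) checks both on (port, name) pairs before any decryption is attempted; the function names and the sample records are constructed for illustration.

```python
import binascii

DES_BLOCK = 8  # DES uses 8-byte blocks and an 8-byte key (16 hex characters)

def key_from_ipv6(src):
    """Zero-pad each colon-separated group to two hex digits and join them."""
    groups = src.split(":")
    if len(groups) != 8 or not all(1 <= len(g) <= 2 for g in groups):
        raise ValueError("not eight one-byte groups: %r" % src)
    return binascii.unhexlify("".join(g.zfill(2) for g in groups))

def reassemble(records, suffix=".des"):
    """records: iterable of (udp_sport, qname). Returns (ciphertext, problems)."""
    chunks, problems = {}, []
    for sport, qname in records:
        name = qname.rstrip(".").lower()      # scapy keeps the trailing dot
        if not name.endswith(suffix):
            problems.append("port %d: unexpected name %s" % (sport, qname))
            continue
        try:
            data = binascii.unhexlify(name[:-len(suffix)])
        except ValueError:                     # binascii.Error is a ValueError
            problems.append("port %d: label is not hex" % sport)
            continue
        if chunks.get(sport, data) != data:    # same port, different payload
            problems.append("port %d: conflicting chunks" % sport)
        chunks[sport] = data                   # identical retransmits collapse
    ports = sorted(chunks)
    missing = sorted(set(range(ports[0], ports[-1] + 1)) - set(ports)) if ports else []
    if missing:
        problems.append("missing ports: %s" % missing)
    ciphertext = b"".join(chunks[p] for p in ports)
    if len(ciphertext) % DES_BLOCK:
        problems.append("length %d is not a multiple of the DES block" % len(ciphertext))
    return ciphertext, problems

# Constructed sample: (UDP source port, query name) pairs in capture order.
SAMPLE = [
    (2, "2021222324252627.des."),
    (0, "0001020304050607.des"),
    (1, "1011121314151617.des"),
    (1, "1011121314151617.des"),  # retransmitted query
    (4, "4041424344.des"),        # truncated chunk; port 3 was never seen
]

if __name__ == "__main__":
    ct, problems = reassemble(SAMPLE)
    print(ct.hex(), problems)
```

An empty problem list and a length that is a multiple of eight are what justify passing the result to DES.new(key, DES.MODE_ECB) as in the scripts above.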

Finally got the output:
