11 KiB
Question: One of our employees was browsing the web when he suddenly lost connection! Can you help him figure out why?
❯ tshark -r file.pcap -T fields -e ip.src -e ip.dst | tr '\t' '\n' | sort -u:
Recorded IPs:
185.125.190.58
192.168.100.1
192.168.100.10
192.168.100.20
192.168.100.30
❯ tshark -r chall.pcap -Y http.request -T fields -e ip.dst | sort -u
192.168.100.1
❯ tshark -r chall.pcap -Y http.request -T fields -e ip.src | sort -u
HTTP Clients:
192.168.100.10
192.168.100.20
Notable Stuff: Capture Timeframe: 17:17:49 -> 17:21:21 UTC 192.168.100.20 stopped sending packets completly by May 6, 2025 17:21:14 All html files delivered are exactly the same 192.168.100.1 is connected over ssh to 192.168.100.20
192.168.100.10 sends a lot of tcp retransmissions it probably lost connection => This is the employee probably The pcap file contained a lot of arp requests. This made me look for signs of arp poisoning:
❯ tshark -r chall.pcap -Y "arp.opcode == 2" -T fields -e arp.src.proto_ipv4 -e eth.src | sort | uniq -c
6 192.168.100.10 bc:24:11:3e:f3:a5
6 192.168.100.10 bc:24:11:78:c8:64
2 192.168.100.1 bc:24:11:74:12:33
32 192.168.100.1 bc:24:11:78:c8:64
3 192.168.100.20 bc:24:11:e8:04:b1
1 192.168.100.254 26:55:ad:5c:79:a6
1 192.168.100.254 3a:d3:ba:f1:51:d3
1 192.168.100.254 56:0c:c0:94:27:a3
1 192.168.100.254 6e:e9:35:c7:a8:87
3 192.168.100.30 bc:24:11:78:c8:64
From this I created a list of all IP addresses with their corresponding mac addresses 192.168.100.10:
- bc:24:11:3e:f3:a5
- bc:24:11:78:c8:64 192.168.100.1:
- bc:24:11:74:12:33
- bc:24:11:78:c8:64 192.168.100.20:
- bc:24:11:e8:04:b1 192.168.100.254:
- 26:55:ad:5c:79:a6
- 3a:d3:ba:f1:51:d3
- 56:0c:c0:94:27:a3
- 6e:e9:35:c7:a8:87 192.168.100.30:
- bc:24:11:78:c8:64
=> 192.168.100.10, 192.168.100.30, 192.168.100.1 are connected to the same interface => This is probably the Attacker
I labeled the interfaces with the help of .config/wireshark/ethers with the information i had.
❯ cat ./config/wireshark/ethers
bc:24:11:3e:f3:a5 Employee
bc:24:11:74:12:33 Server
bc:24:11:e8:04:b1 SSH_Connection
bc:24:11:78:c8:64 Attacker
As the cause of the disconnect is the hint to the flag I started looking for strange data / repeating patterns. I specifically looked at the arp traffic the suspected attacker generated.
❯ tshark -r chall.pcap -Y "eth.src == bc:24:11:78:c8:64"
102 9.721959 192.168.100.30 → 185.125.190.58 NTP 90 NTP Version 4, client
157 15.490011 Attacker → SSH_Connection ARP 42 192.168.100.30 is at bc:24:11:78:c8:64
649 47.001218 192.168.100.30 → 192.168.100.10 ICMP 98 Echo (ping) request id=0x5cfe, seq=1/256, ttl=64
655 47.003303 192.168.100.30 → 192.168.100.1 ICMP 98 Echo (ping) request id=0x5cff, seq=1/256, ttl=64
850 51.919433 Attacker → SSH_Connection ARP 42 192.168.100.30 is at bc:24:11:78:c8:64
852 52.054555 Attacker → Employee ARP 42 192.168.100.30 is at bc:24:11:78:c8:64
853 52.094738 Attacker → Employee ARP 42 Who has 192.168.100.10? Tell 192.168.100.30
1107 67.340041 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
1112 67.846893 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
1117 68.353860 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
1149 68.860876 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
1153 69.367942 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
1192 70.874804 Attacker → Server ARP 42 192.168.100.10 is at bc:24:11:78:c8:64 (duplicate use of 192.168.100.1 detected!)
1193 70.880994 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
1196 71.387822 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
1201 71.894817 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
1204 72.401811 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
1211 72.908807 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
1219 74.415759 Attacker → Server ARP 42 192.168.100.10 is at bc:24:11:78:c8:64 (duplicate use of 192.168.100.1 detected!)
1220 74.420757 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
1224 74.927766 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
1227 75.434762 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
1231 75.941762 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
1233 76.448768 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
1243 77.954716 Attacker → Server ARP 42 192.168.100.10 is at bc:24:11:78:c8:64 (duplicate use of 192.168.100.1 detected!)
1244 77.959717 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
1248 78.465727 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
1253 78.971743 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
1255 79.478726 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
1283 79.985841 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
1385 81.492711 Attacker → Server ARP 42 192.168.100.10 is at bc:24:11:78:c8:64 (duplicate use of 192.168.100.1 detected!)
1386 81.497642 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
1397 82.003674 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
1399 82.510696 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
1402 83.016682 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
1423 83.522648 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
1525 85.029614 Attacker → Server ARP 42 192.168.100.10 is at bc:24:11:78:c8:64 (duplicate use of 192.168.100.1 detected!)
1526 85.034558 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
1543 85.540595 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
1546 86.046628 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
1548 86.553617 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
1552 87.060604 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
1560 88.567556 Attacker → Server ARP 42 192.168.100.10 is at bc:24:11:78:c8:64 (duplicate use of 192.168.100.1 detected!)
1561 88.572559 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
1564 89.079578 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
It is very suspicious that the Attacker sends multiple ARP replies for 192.168.100.1 to the Employee which has been observed as belonging to bc:24:11:74:12:33 (Server) without a preceeding ARP request from the Employee. Looking further into these suspicous ARP replies I noticed that they are the only ones to contain trailer data in the ethernet packet.
❯ tshark -r chall.pcap -Y "eth.src == bc:24:11:78:c8:64 and arp.opcode == 2" -T fields -e frame.number -e eth.trailer -e _ws.col.info
157 192.168.100.30 is at bc:24:11:78:c8:64
850 192.168.100.30 is at bc:24:11:78:c8:64
852 192.168.100.30 is at bc:24:11:78:c8:64
1107 015a334a6c6558746b 192.168.100.1 is at bc:24:11:78:c8:64
1112 024d5752664d563971 192.168.100.1 is at bc:24:11:78:c8:64
1117 0364584d335832646c 192.168.100.1 is at bc:24:11:78:c8:64
1149 044e3139774d44467a 192.168.100.1 is at bc:24:11:78:c8:64
1153 056232347a5a48303d 192.168.100.1 is at bc:24:11:78:c8:64
1192 192.168.100.10 is at bc:24:11:78:c8:64 (duplicate use of 192.168.100.1 detected!)
1193 015a334a6c6558746b 192.168.100.1 is at bc:24:11:78:c8:64
1196 024d5752664d563971 192.168.100.1 is at bc:24:11:78:c8:64
1201 0364584d335832646c 192.168.100.1 is at bc:24:11:78:c8:64
1204 044e3139774d44467a 192.168.100.1 is at bc:24:11:78:c8:64
1211 056232347a5a48303d 192.168.100.1 is at bc:24:11:78:c8:64
1219 192.168.100.10 is at bc:24:11:78:c8:64 (duplicate use of 192.168.100.1 detected!)
1220 015a334a6c6558746b 192.168.100.1 is at bc:24:11:78:c8:64
1224 024d5752664d563971 192.168.100.1 is at bc:24:11:78:c8:64
1227 0364584d335832646c 192.168.100.1 is at bc:24:11:78:c8:64
1231 044e3139774d44467a 192.168.100.1 is at bc:24:11:78:c8:64
1233 056232347a5a48303d 192.168.100.1 is at bc:24:11:78:c8:64
1243 192.168.100.10 is at bc:24:11:78:c8:64 (duplicate use of 192.168.100.1 detected!)
1244 015a334a6c6558746b 192.168.100.1 is at bc:24:11:78:c8:64
1248 024d5752664d563971 192.168.100.1 is at bc:24:11:78:c8:64
1253 0364584d335832646c 192.168.100.1 is at bc:24:11:78:c8:64
1255 044e3139774d44467a 192.168.100.1 is at bc:24:11:78:c8:64
1283 056232347a5a48303d 192.168.100.1 is at bc:24:11:78:c8:64
1385 192.168.100.10 is at bc:24:11:78:c8:64 (duplicate use of 192.168.100.1 detected!)
1386 015a334a6c6558746b 192.168.100.1 is at bc:24:11:78:c8:64
1397 024d5752664d563971 192.168.100.1 is at bc:24:11:78:c8:64
1399 0364584d335832646c 192.168.100.1 is at bc:24:11:78:c8:64
1402 044e3139774d44467a 192.168.100.1 is at bc:24:11:78:c8:64
1423 056232347a5a48303d 192.168.100.1 is at bc:24:11:78:c8:64
1525 192.168.100.10 is at bc:24:11:78:c8:64 (duplicate use of 192.168.100.1 detected!)
1526 015a334a6c6558746b 192.168.100.1 is at bc:24:11:78:c8:64
1543 024d5752664d563971 192.168.100.1 is at bc:24:11:78:c8:64
1546 0364584d335832646c 192.168.100.1 is at bc:24:11:78:c8:64
1548 044e3139774d44467a 192.168.100.1 is at bc:24:11:78:c8:64
1552 056232347a5a48303d 192.168.100.1 is at bc:24:11:78:c8:64
1560 192.168.100.10 is at bc:24:11:78:c8:64 (duplicate use of 192.168.100.1 detected!)
1561 015a334a6c6558746b 192.168.100.1 is at bc:24:11:78:c8:64
1564 024d5752664d563971 192.168.100.1 is at bc:24:11:78:c8:64
There is a repeating pattern in the ARP replies. The block
1107 015a334a6c6558746b 192.168.100.1 is at bc:24:11:78:c8:64
1112 024d5752664d563971 192.168.100.1 is at bc:24:11:78:c8:64
1117 0364584d335832646c 192.168.100.1 is at bc:24:11:78:c8:64
1149 044e3139774d44467a 192.168.100.1 is at bc:24:11:78:c8:64
1153 056232347a5a48303d 192.168.100.1 is at bc:24:11:78:c8:64
is sent multiple times.
I suspect that the flag are the 5 trailer entries appended and decoded
015a334a6c6558746b024d5752664d5639710364584d335832646c044e3139774d44467a056232347a5a48303d
Each trailer entry starts with 0. I assume this is some id. I removed the leading id from the encoded_flag.
5a334a6c6558746b4d5752664d56397164584d335832646c4e3139774d44467a6232347a5a48303d
Decoding with
echo "5a334a6c6558746b4d5752664d56397164584d335832646c4e3139774d44467a6232347a5a48303d" | xxd -r -p | base64 -d
yields the flag: grey{d1d_1_jus7_ge7_p01son3d}