Files
ctf/2025/catthegrey/forensics/dist-connection-issues/notes.md
2025-06-06 03:13:31 +02:00

11 KiB
Raw Blame History

Question: One of our employees was browsing the web when he suddenly lost connection! Can you help him figure out why?

 tshark -r file.pcap -T fields -e ip.src -e ip.dst | tr '\t' '\n' | sort -u:
Recorded IPs:
185.125.190.58
192.168.100.1
192.168.100.10
192.168.100.20
192.168.100.30
 tshark -r chall.pcap -Y http.request -T fields -e ip.dst | sort -u
192.168.100.1
 tshark -r chall.pcap -Y http.request -T fields -e ip.src | sort -u
HTTP Clients:
192.168.100.10
192.168.100.20

Notable Stuff: Capture Timeframe: 17:17:49 -> 17:21:21 UTC 192.168.100.20 stopped sending packets completly by May 6, 2025 17:21:14 All html files delivered are exactly the same 192.168.100.1 is connected over ssh to 192.168.100.20

192.168.100.10 sends a lot of tcp retransmissions it probably lost connection => This is the employee probably The pcap file contained a lot of arp requests. This made me look for signs of arp poisoning:

 tshark -r chall.pcap -Y "arp.opcode == 2" -T fields -e arp.src.proto_ipv4 -e eth.src | sort | uniq -c
  6 192.168.100.10	bc:24:11:3e:f3:a5
  6 192.168.100.10	bc:24:11:78:c8:64 
  2 192.168.100.1	bc:24:11:74:12:33
 32 192.168.100.1	bc:24:11:78:c8:64
  3 192.168.100.20	bc:24:11:e8:04:b1
  1 192.168.100.254	26:55:ad:5c:79:a6
  1 192.168.100.254	3a:d3:ba:f1:51:d3
  1 192.168.100.254	56:0c:c0:94:27:a3
  1 192.168.100.254	6e:e9:35:c7:a8:87
  3 192.168.100.30	bc:24:11:78:c8:64

From this I created a list of all IP addresses with their corresponding mac addresses 192.168.100.10:

  • bc:24:11:3e:f3:a5
  • bc:24:11:78:c8:64 192.168.100.1:
  • bc:24:11:74:12:33
  • bc:24:11:78:c8:64 192.168.100.20:
  • bc:24:11:e8:04:b1 192.168.100.254:
  • 26:55:ad:5c:79:a6
  • 3a:d3:ba:f1:51:d3
  • 56:0c:c0:94:27:a3
  • 6e:e9:35:c7:a8:87 192.168.100.30:
  • bc:24:11:78:c8:64

=> 192.168.100.10, 192.168.100.30, 192.168.100.1 are connected to the same interface => This is probably the Attacker

I labeled the interfaces with the help of .config/wireshark/ethers with the information i had.

 cat ./config/wireshark/ethers 
bc:24:11:3e:f3:a5 Employee
bc:24:11:74:12:33 Server
bc:24:11:e8:04:b1 SSH_Connection
bc:24:11:78:c8:64 Attacker

As the cause of the disconnect is the hint to the flag I started looking for strange data / repeating patterns. I specifically looked at the arp traffic the suspected attacker generated.

 tshark -r chall.pcap -Y "eth.src == bc:24:11:78:c8:64"
  102   9.721959 192.168.100.30 → 185.125.190.58 NTP 90 NTP Version 4, client
  157  15.490011     Attacker → SSH_Connection ARP 42 192.168.100.30 is at bc:24:11:78:c8:64
  649  47.001218 192.168.100.30 → 192.168.100.10 ICMP 98 Echo (ping) request  id=0x5cfe, seq=1/256, ttl=64
  655  47.003303 192.168.100.30 → 192.168.100.1 ICMP 98 Echo (ping) request  id=0x5cff, seq=1/256, ttl=64
  850  51.919433     Attacker → SSH_Connection ARP 42 192.168.100.30 is at bc:24:11:78:c8:64
  852  52.054555     Attacker → Employee     ARP 42 192.168.100.30 is at bc:24:11:78:c8:64
  853  52.094738     Attacker → Employee     ARP 42 Who has 192.168.100.10? Tell 192.168.100.30
 1107  67.340041     Attacker → Employee     ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
 1112  67.846893     Attacker → Employee     ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
 1117  68.353860     Attacker → Employee     ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
 1149  68.860876     Attacker → Employee     ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
 1153  69.367942     Attacker → Employee     ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
 1192  70.874804     Attacker → Server       ARP 42 192.168.100.10 is at bc:24:11:78:c8:64 (duplicate use of 192.168.100.1 detected!)
 1193  70.880994     Attacker → Employee     ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
 1196  71.387822     Attacker → Employee     ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
 1201  71.894817     Attacker → Employee     ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
 1204  72.401811     Attacker → Employee     ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
 1211  72.908807     Attacker → Employee     ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
 1219  74.415759     Attacker → Server       ARP 42 192.168.100.10 is at bc:24:11:78:c8:64 (duplicate use of 192.168.100.1 detected!)
 1220  74.420757     Attacker → Employee     ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
 1224  74.927766     Attacker → Employee     ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
 1227  75.434762     Attacker → Employee     ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
 1231  75.941762     Attacker → Employee     ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
 1233  76.448768     Attacker → Employee     ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
 1243  77.954716     Attacker → Server       ARP 42 192.168.100.10 is at bc:24:11:78:c8:64 (duplicate use of 192.168.100.1 detected!)
 1244  77.959717     Attacker → Employee     ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
 1248  78.465727     Attacker → Employee     ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
 1253  78.971743     Attacker → Employee     ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
 1255  79.478726     Attacker → Employee     ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
 1283  79.985841     Attacker → Employee     ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
 1385  81.492711     Attacker → Server       ARP 42 192.168.100.10 is at bc:24:11:78:c8:64 (duplicate use of 192.168.100.1 detected!)
 1386  81.497642     Attacker → Employee     ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
 1397  82.003674     Attacker → Employee     ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
 1399  82.510696     Attacker → Employee     ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
 1402  83.016682     Attacker → Employee     ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
 1423  83.522648     Attacker → Employee     ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
 1525  85.029614     Attacker → Server       ARP 42 192.168.100.10 is at bc:24:11:78:c8:64 (duplicate use of 192.168.100.1 detected!)
 1526  85.034558     Attacker → Employee     ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
 1543  85.540595     Attacker → Employee     ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
 1546  86.046628     Attacker → Employee     ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
 1548  86.553617     Attacker → Employee     ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
 1552  87.060604     Attacker → Employee     ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
 1560  88.567556     Attacker → Server       ARP 42 192.168.100.10 is at bc:24:11:78:c8:64 (duplicate use of 192.168.100.1 detected!)
 1561  88.572559     Attacker → Employee     ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
 1564  89.079578     Attacker → Employee     ARP 51 192.168.100.1 is at bc:24:11:78:c8:64

It is very suspicious that the Attacker sends multiple ARP replies for 192.168.100.1 to the Employee which has been observed as belonging to bc:24:11:74:12:33 (Server) without a preceeding ARP request from the Employee. Looking further into these suspicous ARP replies I noticed that they are the only ones to contain trailer data in the ethernet packet.

 tshark -r chall.pcap -Y "eth.src == bc:24:11:78:c8:64 and arp.opcode == 2" -T fields -e frame.number -e eth.trailer -e _ws.col.info
157		192.168.100.30 is at bc:24:11:78:c8:64
850		192.168.100.30 is at bc:24:11:78:c8:64
852		192.168.100.30 is at bc:24:11:78:c8:64
1107	015a334a6c6558746b	192.168.100.1 is at bc:24:11:78:c8:64
1112	024d5752664d563971	192.168.100.1 is at bc:24:11:78:c8:64
1117	0364584d335832646c	192.168.100.1 is at bc:24:11:78:c8:64
1149	044e3139774d44467a	192.168.100.1 is at bc:24:11:78:c8:64
1153	056232347a5a48303d	192.168.100.1 is at bc:24:11:78:c8:64
1192		192.168.100.10 is at bc:24:11:78:c8:64 (duplicate use of 192.168.100.1 detected!)
1193	015a334a6c6558746b	192.168.100.1 is at bc:24:11:78:c8:64
1196	024d5752664d563971	192.168.100.1 is at bc:24:11:78:c8:64
1201	0364584d335832646c	192.168.100.1 is at bc:24:11:78:c8:64
1204	044e3139774d44467a	192.168.100.1 is at bc:24:11:78:c8:64
1211	056232347a5a48303d	192.168.100.1 is at bc:24:11:78:c8:64
1219		192.168.100.10 is at bc:24:11:78:c8:64 (duplicate use of 192.168.100.1 detected!)
1220	015a334a6c6558746b	192.168.100.1 is at bc:24:11:78:c8:64
1224	024d5752664d563971	192.168.100.1 is at bc:24:11:78:c8:64
1227	0364584d335832646c	192.168.100.1 is at bc:24:11:78:c8:64
1231	044e3139774d44467a	192.168.100.1 is at bc:24:11:78:c8:64
1233	056232347a5a48303d	192.168.100.1 is at bc:24:11:78:c8:64
1243		192.168.100.10 is at bc:24:11:78:c8:64 (duplicate use of 192.168.100.1 detected!)
1244	015a334a6c6558746b	192.168.100.1 is at bc:24:11:78:c8:64
1248	024d5752664d563971	192.168.100.1 is at bc:24:11:78:c8:64
1253	0364584d335832646c	192.168.100.1 is at bc:24:11:78:c8:64
1255	044e3139774d44467a	192.168.100.1 is at bc:24:11:78:c8:64
1283	056232347a5a48303d	192.168.100.1 is at bc:24:11:78:c8:64
1385		192.168.100.10 is at bc:24:11:78:c8:64 (duplicate use of 192.168.100.1 detected!)
1386	015a334a6c6558746b	192.168.100.1 is at bc:24:11:78:c8:64
1397	024d5752664d563971	192.168.100.1 is at bc:24:11:78:c8:64
1399	0364584d335832646c	192.168.100.1 is at bc:24:11:78:c8:64
1402	044e3139774d44467a	192.168.100.1 is at bc:24:11:78:c8:64
1423	056232347a5a48303d	192.168.100.1 is at bc:24:11:78:c8:64
1525		192.168.100.10 is at bc:24:11:78:c8:64 (duplicate use of 192.168.100.1 detected!)
1526	015a334a6c6558746b	192.168.100.1 is at bc:24:11:78:c8:64
1543	024d5752664d563971	192.168.100.1 is at bc:24:11:78:c8:64
1546	0364584d335832646c	192.168.100.1 is at bc:24:11:78:c8:64
1548	044e3139774d44467a	192.168.100.1 is at bc:24:11:78:c8:64
1552	056232347a5a48303d	192.168.100.1 is at bc:24:11:78:c8:64
1560		192.168.100.10 is at bc:24:11:78:c8:64 (duplicate use of 192.168.100.1 detected!)
1561	015a334a6c6558746b	192.168.100.1 is at bc:24:11:78:c8:64
1564	024d5752664d563971	192.168.100.1 is at bc:24:11:78:c8:64

There is a repeating pattern in the ARP replies. The block

1107	015a334a6c6558746b	192.168.100.1 is at bc:24:11:78:c8:64
1112	024d5752664d563971	192.168.100.1 is at bc:24:11:78:c8:64
1117	0364584d335832646c	192.168.100.1 is at bc:24:11:78:c8:64
1149	044e3139774d44467a	192.168.100.1 is at bc:24:11:78:c8:64
1153	056232347a5a48303d	192.168.100.1 is at bc:24:11:78:c8:64

is sent multiple times.

I suspect that the flag are the 5 trailer entries appended and decoded

015a334a6c6558746b024d5752664d5639710364584d335832646c044e3139774d44467a056232347a5a48303d

Each trailer entry starts with 0. I assume this is some id. I removed the leading id from the encoded_flag.

 5a334a6c6558746b4d5752664d56397164584d335832646c4e3139774d44467a6232347a5a48303d

Decoding with

echo "5a334a6c6558746b4d5752664d56397164584d335832646c4e3139774d44467a6232347a5a48303d" | xxd -r -p | base64 -d

yields the flag: grey{d1d_1_jus7_ge7_p01son3d}