209 lines
11 KiB
Markdown
209 lines
11 KiB
Markdown
Question: One of our employees was browsing the web when he suddenly lost connection! Can you help him figure out why?
|
||
|
||
```
|
||
❯ tshark -r file.pcap -T fields -e ip.src -e ip.dst | tr '\t' '\n' | sort -u:
|
||
Recorded IPs:
|
||
185.125.190.58
|
||
192.168.100.1
|
||
192.168.100.10
|
||
192.168.100.20
|
||
192.168.100.30
|
||
```
|
||
|
||
```
|
||
❯ tshark -r chall.pcap -Y http.request -T fields -e ip.dst | sort -u
|
||
192.168.100.1
|
||
```
|
||
|
||
```
|
||
❯ tshark -r chall.pcap -Y http.request -T fields -e ip.src | sort -u
|
||
HTTP Clients:
|
||
192.168.100.10
|
||
192.168.100.20
|
||
```
|
||
|
||
Notable Stuff:
|
||
Capture Timeframe: 17:17:49 -> 17:21:21 UTC
|
||
192.168.100.20 stopped sending packets completly by May 6, 2025 17:21:14
|
||
All html files delivered are exactly the same
|
||
192.168.100.1 is connected over ssh to 192.168.100.20
|
||
|
||
192.168.100.10 sends a lot of tcp retransmissions it probably lost connection => This is the employee probably
|
||
The pcap file contained a lot of arp requests. This made me look for signs of arp poisoning:
|
||
|
||
```
|
||
❯ tshark -r chall.pcap -Y "arp.opcode == 2" -T fields -e arp.src.proto_ipv4 -e eth.src | sort | uniq -c
|
||
6 192.168.100.10 bc:24:11:3e:f3:a5
|
||
6 192.168.100.10 bc:24:11:78:c8:64
|
||
2 192.168.100.1 bc:24:11:74:12:33
|
||
32 192.168.100.1 bc:24:11:78:c8:64
|
||
3 192.168.100.20 bc:24:11:e8:04:b1
|
||
1 192.168.100.254 26:55:ad:5c:79:a6
|
||
1 192.168.100.254 3a:d3:ba:f1:51:d3
|
||
1 192.168.100.254 56:0c:c0:94:27:a3
|
||
1 192.168.100.254 6e:e9:35:c7:a8:87
|
||
3 192.168.100.30 bc:24:11:78:c8:64
|
||
```
|
||
|
||
From this I created a list of all IP addresses with their corresponding mac addresses
|
||
192.168.100.10:
|
||
- bc:24:11:3e:f3:a5
|
||
- bc:24:11:78:c8:64
|
||
192.168.100.1:
|
||
- bc:24:11:74:12:33
|
||
- bc:24:11:78:c8:64
|
||
192.168.100.20:
|
||
- bc:24:11:e8:04:b1
|
||
192.168.100.254:
|
||
- 26:55:ad:5c:79:a6
|
||
- 3a:d3:ba:f1:51:d3
|
||
- 56:0c:c0:94:27:a3
|
||
- 6e:e9:35:c7:a8:87
|
||
192.168.100.30:
|
||
- bc:24:11:78:c8:64
|
||
|
||
=> 192.168.100.10, 192.168.100.30, 192.168.100.1 are connected to the same interface => This is probably the Attacker
|
||
|
||
I labeled the interfaces with the help of .config/wireshark/ethers with the information i had.
|
||
```
|
||
❯ cat ./config/wireshark/ethers
|
||
bc:24:11:3e:f3:a5 Employee
|
||
bc:24:11:74:12:33 Server
|
||
bc:24:11:e8:04:b1 SSH_Connection
|
||
bc:24:11:78:c8:64 Attacker
|
||
```
|
||
|
||
As the cause of the disconnect is the hint to the flag I started looking for strange data / repeating patterns.
|
||
I specifically looked at the arp traffic the suspected attacker generated.
|
||
|
||
```
|
||
❯ tshark -r chall.pcap -Y "eth.src == bc:24:11:78:c8:64"
|
||
102 9.721959 192.168.100.30 → 185.125.190.58 NTP 90 NTP Version 4, client
|
||
157 15.490011 Attacker → SSH_Connection ARP 42 192.168.100.30 is at bc:24:11:78:c8:64
|
||
649 47.001218 192.168.100.30 → 192.168.100.10 ICMP 98 Echo (ping) request id=0x5cfe, seq=1/256, ttl=64
|
||
655 47.003303 192.168.100.30 → 192.168.100.1 ICMP 98 Echo (ping) request id=0x5cff, seq=1/256, ttl=64
|
||
850 51.919433 Attacker → SSH_Connection ARP 42 192.168.100.30 is at bc:24:11:78:c8:64
|
||
852 52.054555 Attacker → Employee ARP 42 192.168.100.30 is at bc:24:11:78:c8:64
|
||
853 52.094738 Attacker → Employee ARP 42 Who has 192.168.100.10? Tell 192.168.100.30
|
||
1107 67.340041 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
|
||
1112 67.846893 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
|
||
1117 68.353860 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
|
||
1149 68.860876 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
|
||
1153 69.367942 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
|
||
1192 70.874804 Attacker → Server ARP 42 192.168.100.10 is at bc:24:11:78:c8:64 (duplicate use of 192.168.100.1 detected!)
|
||
1193 70.880994 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
|
||
1196 71.387822 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
|
||
1201 71.894817 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
|
||
1204 72.401811 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
|
||
1211 72.908807 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
|
||
1219 74.415759 Attacker → Server ARP 42 192.168.100.10 is at bc:24:11:78:c8:64 (duplicate use of 192.168.100.1 detected!)
|
||
1220 74.420757 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
|
||
1224 74.927766 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
|
||
1227 75.434762 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
|
||
1231 75.941762 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
|
||
1233 76.448768 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
|
||
1243 77.954716 Attacker → Server ARP 42 192.168.100.10 is at bc:24:11:78:c8:64 (duplicate use of 192.168.100.1 detected!)
|
||
1244 77.959717 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
|
||
1248 78.465727 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
|
||
1253 78.971743 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
|
||
1255 79.478726 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
|
||
1283 79.985841 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
|
||
1385 81.492711 Attacker → Server ARP 42 192.168.100.10 is at bc:24:11:78:c8:64 (duplicate use of 192.168.100.1 detected!)
|
||
1386 81.497642 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
|
||
1397 82.003674 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
|
||
1399 82.510696 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
|
||
1402 83.016682 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
|
||
1423 83.522648 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
|
||
1525 85.029614 Attacker → Server ARP 42 192.168.100.10 is at bc:24:11:78:c8:64 (duplicate use of 192.168.100.1 detected!)
|
||
1526 85.034558 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
|
||
1543 85.540595 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
|
||
1546 86.046628 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
|
||
1548 86.553617 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
|
||
1552 87.060604 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
|
||
1560 88.567556 Attacker → Server ARP 42 192.168.100.10 is at bc:24:11:78:c8:64 (duplicate use of 192.168.100.1 detected!)
|
||
1561 88.572559 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
|
||
1564 89.079578 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
|
||
```
|
||
|
||
It is very suspicious that the Attacker sends multiple ARP replies for 192.168.100.1 to the Employee which has been observed as belonging to bc:24:11:74:12:33 (Server) without a preceeding ARP request from the Employee.
|
||
Looking further into these suspicous ARP replies I noticed that they are the only ones to contain trailer data in the ethernet packet.
|
||
|
||
```
|
||
❯ tshark -r chall.pcap -Y "eth.src == bc:24:11:78:c8:64 and arp.opcode == 2" -T fields -e frame.number -e eth.trailer -e _ws.col.info
|
||
157 192.168.100.30 is at bc:24:11:78:c8:64
|
||
850 192.168.100.30 is at bc:24:11:78:c8:64
|
||
852 192.168.100.30 is at bc:24:11:78:c8:64
|
||
1107 015a334a6c6558746b 192.168.100.1 is at bc:24:11:78:c8:64
|
||
1112 024d5752664d563971 192.168.100.1 is at bc:24:11:78:c8:64
|
||
1117 0364584d335832646c 192.168.100.1 is at bc:24:11:78:c8:64
|
||
1149 044e3139774d44467a 192.168.100.1 is at bc:24:11:78:c8:64
|
||
1153 056232347a5a48303d 192.168.100.1 is at bc:24:11:78:c8:64
|
||
1192 192.168.100.10 is at bc:24:11:78:c8:64 (duplicate use of 192.168.100.1 detected!)
|
||
1193 015a334a6c6558746b 192.168.100.1 is at bc:24:11:78:c8:64
|
||
1196 024d5752664d563971 192.168.100.1 is at bc:24:11:78:c8:64
|
||
1201 0364584d335832646c 192.168.100.1 is at bc:24:11:78:c8:64
|
||
1204 044e3139774d44467a 192.168.100.1 is at bc:24:11:78:c8:64
|
||
1211 056232347a5a48303d 192.168.100.1 is at bc:24:11:78:c8:64
|
||
1219 192.168.100.10 is at bc:24:11:78:c8:64 (duplicate use of 192.168.100.1 detected!)
|
||
1220 015a334a6c6558746b 192.168.100.1 is at bc:24:11:78:c8:64
|
||
1224 024d5752664d563971 192.168.100.1 is at bc:24:11:78:c8:64
|
||
1227 0364584d335832646c 192.168.100.1 is at bc:24:11:78:c8:64
|
||
1231 044e3139774d44467a 192.168.100.1 is at bc:24:11:78:c8:64
|
||
1233 056232347a5a48303d 192.168.100.1 is at bc:24:11:78:c8:64
|
||
1243 192.168.100.10 is at bc:24:11:78:c8:64 (duplicate use of 192.168.100.1 detected!)
|
||
1244 015a334a6c6558746b 192.168.100.1 is at bc:24:11:78:c8:64
|
||
1248 024d5752664d563971 192.168.100.1 is at bc:24:11:78:c8:64
|
||
1253 0364584d335832646c 192.168.100.1 is at bc:24:11:78:c8:64
|
||
1255 044e3139774d44467a 192.168.100.1 is at bc:24:11:78:c8:64
|
||
1283 056232347a5a48303d 192.168.100.1 is at bc:24:11:78:c8:64
|
||
1385 192.168.100.10 is at bc:24:11:78:c8:64 (duplicate use of 192.168.100.1 detected!)
|
||
1386 015a334a6c6558746b 192.168.100.1 is at bc:24:11:78:c8:64
|
||
1397 024d5752664d563971 192.168.100.1 is at bc:24:11:78:c8:64
|
||
1399 0364584d335832646c 192.168.100.1 is at bc:24:11:78:c8:64
|
||
1402 044e3139774d44467a 192.168.100.1 is at bc:24:11:78:c8:64
|
||
1423 056232347a5a48303d 192.168.100.1 is at bc:24:11:78:c8:64
|
||
1525 192.168.100.10 is at bc:24:11:78:c8:64 (duplicate use of 192.168.100.1 detected!)
|
||
1526 015a334a6c6558746b 192.168.100.1 is at bc:24:11:78:c8:64
|
||
1543 024d5752664d563971 192.168.100.1 is at bc:24:11:78:c8:64
|
||
1546 0364584d335832646c 192.168.100.1 is at bc:24:11:78:c8:64
|
||
1548 044e3139774d44467a 192.168.100.1 is at bc:24:11:78:c8:64
|
||
1552 056232347a5a48303d 192.168.100.1 is at bc:24:11:78:c8:64
|
||
1560 192.168.100.10 is at bc:24:11:78:c8:64 (duplicate use of 192.168.100.1 detected!)
|
||
1561 015a334a6c6558746b 192.168.100.1 is at bc:24:11:78:c8:64
|
||
1564 024d5752664d563971 192.168.100.1 is at bc:24:11:78:c8:64
|
||
```
|
||
|
||
There is a repeating pattern in the ARP replies.
|
||
The block
|
||
```
|
||
1107 015a334a6c6558746b 192.168.100.1 is at bc:24:11:78:c8:64
|
||
1112 024d5752664d563971 192.168.100.1 is at bc:24:11:78:c8:64
|
||
1117 0364584d335832646c 192.168.100.1 is at bc:24:11:78:c8:64
|
||
1149 044e3139774d44467a 192.168.100.1 is at bc:24:11:78:c8:64
|
||
1153 056232347a5a48303d 192.168.100.1 is at bc:24:11:78:c8:64
|
||
```
|
||
is sent multiple times.
|
||
|
||
I suspect that the flag are the 5 trailer entries appended and decoded
|
||
|
||
```
|
||
015a334a6c6558746b024d5752664d5639710364584d335832646c044e3139774d44467a056232347a5a48303d
|
||
```
|
||
|
||
Each trailer entry starts with 0. I assume this is some id.
|
||
I removed the leading id from the encoded_flag.
|
||
|
||
```
|
||
5a334a6c6558746b4d5752664d56397164584d335832646c4e3139774d44467a6232347a5a48303d
|
||
```
|
||
|
||
Decoding with
|
||
```
|
||
echo "5a334a6c6558746b4d5752664d56397164584d335832646c4e3139774d44467a6232347a5a48303d" | xxd -r -p | base64 -d
|
||
```
|
||
|
||
yields the flag: `grey{d1d_1_jus7_ge7_p01son3d}`
|
||
|
||
|
||
|