Files
ctf/catthegray25/forensics/dist-connection-issues/notes.md
2025-05-31 22:42:59 +02:00

209 lines
11 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

Question: One of our employees was browsing the web when he suddenly lost connection! Can you help him figure out why?
```
tshark -r file.pcap -T fields -e ip.src -e ip.dst | tr '\t' '\n' | sort -u:
Recorded IPs:
185.125.190.58
192.168.100.1
192.168.100.10
192.168.100.20
192.168.100.30
```
```
tshark -r chall.pcap -Y http.request -T fields -e ip.dst | sort -u
192.168.100.1
```
```
tshark -r chall.pcap -Y http.request -T fields -e ip.src | sort -u
HTTP Clients:
192.168.100.10
192.168.100.20
```
Notable Stuff:
Capture Timeframe: 17:17:49 -> 17:21:21 UTC
192.168.100.20 stopped sending packets completly by May 6, 2025 17:21:14
All html files delivered are exactly the same
192.168.100.1 is connected over ssh to 192.168.100.20
192.168.100.10 sends a lot of tcp retransmissions it probably lost connection => This is the employee probably
The pcap file contained a lot of arp requests. This made me look for signs of arp poisoning:
```
tshark -r chall.pcap -Y "arp.opcode == 2" -T fields -e arp.src.proto_ipv4 -e eth.src | sort | uniq -c
6 192.168.100.10 bc:24:11:3e:f3:a5
6 192.168.100.10 bc:24:11:78:c8:64
2 192.168.100.1 bc:24:11:74:12:33
32 192.168.100.1 bc:24:11:78:c8:64
3 192.168.100.20 bc:24:11:e8:04:b1
1 192.168.100.254 26:55:ad:5c:79:a6
1 192.168.100.254 3a:d3:ba:f1:51:d3
1 192.168.100.254 56:0c:c0:94:27:a3
1 192.168.100.254 6e:e9:35:c7:a8:87
3 192.168.100.30 bc:24:11:78:c8:64
```
From this I created a list of all IP addresses with their corresponding mac addresses
192.168.100.10:
- bc:24:11:3e:f3:a5
- bc:24:11:78:c8:64
192.168.100.1:
- bc:24:11:74:12:33
- bc:24:11:78:c8:64
192.168.100.20:
- bc:24:11:e8:04:b1
192.168.100.254:
- 26:55:ad:5c:79:a6
- 3a:d3:ba:f1:51:d3
- 56:0c:c0:94:27:a3
- 6e:e9:35:c7:a8:87
192.168.100.30:
- bc:24:11:78:c8:64
=> 192.168.100.10, 192.168.100.30, 192.168.100.1 are connected to the same interface => This is probably the Attacker
I labeled the interfaces with the help of .config/wireshark/ethers with the information i had.
```
cat ./config/wireshark/ethers
bc:24:11:3e:f3:a5 Employee
bc:24:11:74:12:33 Server
bc:24:11:e8:04:b1 SSH_Connection
bc:24:11:78:c8:64 Attacker
```
As the cause of the disconnect is the hint to the flag I started looking for strange data / repeating patterns.
I specifically looked at the arp traffic the suspected attacker generated.
```
tshark -r chall.pcap -Y "eth.src == bc:24:11:78:c8:64"
102 9.721959 192.168.100.30 → 185.125.190.58 NTP 90 NTP Version 4, client
157 15.490011 Attacker → SSH_Connection ARP 42 192.168.100.30 is at bc:24:11:78:c8:64
649 47.001218 192.168.100.30 → 192.168.100.10 ICMP 98 Echo (ping) request id=0x5cfe, seq=1/256, ttl=64
655 47.003303 192.168.100.30 → 192.168.100.1 ICMP 98 Echo (ping) request id=0x5cff, seq=1/256, ttl=64
850 51.919433 Attacker → SSH_Connection ARP 42 192.168.100.30 is at bc:24:11:78:c8:64
852 52.054555 Attacker → Employee ARP 42 192.168.100.30 is at bc:24:11:78:c8:64
853 52.094738 Attacker → Employee ARP 42 Who has 192.168.100.10? Tell 192.168.100.30
1107 67.340041 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
1112 67.846893 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
1117 68.353860 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
1149 68.860876 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
1153 69.367942 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
1192 70.874804 Attacker → Server ARP 42 192.168.100.10 is at bc:24:11:78:c8:64 (duplicate use of 192.168.100.1 detected!)
1193 70.880994 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
1196 71.387822 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
1201 71.894817 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
1204 72.401811 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
1211 72.908807 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
1219 74.415759 Attacker → Server ARP 42 192.168.100.10 is at bc:24:11:78:c8:64 (duplicate use of 192.168.100.1 detected!)
1220 74.420757 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
1224 74.927766 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
1227 75.434762 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
1231 75.941762 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
1233 76.448768 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
1243 77.954716 Attacker → Server ARP 42 192.168.100.10 is at bc:24:11:78:c8:64 (duplicate use of 192.168.100.1 detected!)
1244 77.959717 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
1248 78.465727 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
1253 78.971743 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
1255 79.478726 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
1283 79.985841 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
1385 81.492711 Attacker → Server ARP 42 192.168.100.10 is at bc:24:11:78:c8:64 (duplicate use of 192.168.100.1 detected!)
1386 81.497642 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
1397 82.003674 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
1399 82.510696 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
1402 83.016682 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
1423 83.522648 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
1525 85.029614 Attacker → Server ARP 42 192.168.100.10 is at bc:24:11:78:c8:64 (duplicate use of 192.168.100.1 detected!)
1526 85.034558 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
1543 85.540595 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
1546 86.046628 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
1548 86.553617 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
1552 87.060604 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
1560 88.567556 Attacker → Server ARP 42 192.168.100.10 is at bc:24:11:78:c8:64 (duplicate use of 192.168.100.1 detected!)
1561 88.572559 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
1564 89.079578 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64
```
It is very suspicious that the Attacker sends multiple ARP replies for 192.168.100.1 to the Employee which has been observed as belonging to bc:24:11:74:12:33 (Server) without a preceeding ARP request from the Employee.
Looking further into these suspicous ARP replies I noticed that they are the only ones to contain trailer data in the ethernet packet.
```
tshark -r chall.pcap -Y "eth.src == bc:24:11:78:c8:64 and arp.opcode == 2" -T fields -e frame.number -e eth.trailer -e _ws.col.info
157 192.168.100.30 is at bc:24:11:78:c8:64
850 192.168.100.30 is at bc:24:11:78:c8:64
852 192.168.100.30 is at bc:24:11:78:c8:64
1107 015a334a6c6558746b 192.168.100.1 is at bc:24:11:78:c8:64
1112 024d5752664d563971 192.168.100.1 is at bc:24:11:78:c8:64
1117 0364584d335832646c 192.168.100.1 is at bc:24:11:78:c8:64
1149 044e3139774d44467a 192.168.100.1 is at bc:24:11:78:c8:64
1153 056232347a5a48303d 192.168.100.1 is at bc:24:11:78:c8:64
1192 192.168.100.10 is at bc:24:11:78:c8:64 (duplicate use of 192.168.100.1 detected!)
1193 015a334a6c6558746b 192.168.100.1 is at bc:24:11:78:c8:64
1196 024d5752664d563971 192.168.100.1 is at bc:24:11:78:c8:64
1201 0364584d335832646c 192.168.100.1 is at bc:24:11:78:c8:64
1204 044e3139774d44467a 192.168.100.1 is at bc:24:11:78:c8:64
1211 056232347a5a48303d 192.168.100.1 is at bc:24:11:78:c8:64
1219 192.168.100.10 is at bc:24:11:78:c8:64 (duplicate use of 192.168.100.1 detected!)
1220 015a334a6c6558746b 192.168.100.1 is at bc:24:11:78:c8:64
1224 024d5752664d563971 192.168.100.1 is at bc:24:11:78:c8:64
1227 0364584d335832646c 192.168.100.1 is at bc:24:11:78:c8:64
1231 044e3139774d44467a 192.168.100.1 is at bc:24:11:78:c8:64
1233 056232347a5a48303d 192.168.100.1 is at bc:24:11:78:c8:64
1243 192.168.100.10 is at bc:24:11:78:c8:64 (duplicate use of 192.168.100.1 detected!)
1244 015a334a6c6558746b 192.168.100.1 is at bc:24:11:78:c8:64
1248 024d5752664d563971 192.168.100.1 is at bc:24:11:78:c8:64
1253 0364584d335832646c 192.168.100.1 is at bc:24:11:78:c8:64
1255 044e3139774d44467a 192.168.100.1 is at bc:24:11:78:c8:64
1283 056232347a5a48303d 192.168.100.1 is at bc:24:11:78:c8:64
1385 192.168.100.10 is at bc:24:11:78:c8:64 (duplicate use of 192.168.100.1 detected!)
1386 015a334a6c6558746b 192.168.100.1 is at bc:24:11:78:c8:64
1397 024d5752664d563971 192.168.100.1 is at bc:24:11:78:c8:64
1399 0364584d335832646c 192.168.100.1 is at bc:24:11:78:c8:64
1402 044e3139774d44467a 192.168.100.1 is at bc:24:11:78:c8:64
1423 056232347a5a48303d 192.168.100.1 is at bc:24:11:78:c8:64
1525 192.168.100.10 is at bc:24:11:78:c8:64 (duplicate use of 192.168.100.1 detected!)
1526 015a334a6c6558746b 192.168.100.1 is at bc:24:11:78:c8:64
1543 024d5752664d563971 192.168.100.1 is at bc:24:11:78:c8:64
1546 0364584d335832646c 192.168.100.1 is at bc:24:11:78:c8:64
1548 044e3139774d44467a 192.168.100.1 is at bc:24:11:78:c8:64
1552 056232347a5a48303d 192.168.100.1 is at bc:24:11:78:c8:64
1560 192.168.100.10 is at bc:24:11:78:c8:64 (duplicate use of 192.168.100.1 detected!)
1561 015a334a6c6558746b 192.168.100.1 is at bc:24:11:78:c8:64
1564 024d5752664d563971 192.168.100.1 is at bc:24:11:78:c8:64
```
There is a repeating pattern in the ARP replies.
The block
```
1107 015a334a6c6558746b 192.168.100.1 is at bc:24:11:78:c8:64
1112 024d5752664d563971 192.168.100.1 is at bc:24:11:78:c8:64
1117 0364584d335832646c 192.168.100.1 is at bc:24:11:78:c8:64
1149 044e3139774d44467a 192.168.100.1 is at bc:24:11:78:c8:64
1153 056232347a5a48303d 192.168.100.1 is at bc:24:11:78:c8:64
```
is sent multiple times.
I suspect that the flag are the 5 trailer entries appended and decoded
```
015a334a6c6558746b024d5752664d5639710364584d335832646c044e3139774d44467a056232347a5a48303d
```
Each trailer entry starts with 0. I assume this is some id.
I removed the leading id from the encoded_flag.
```
5a334a6c6558746b4d5752664d56397164584d335832646c4e3139774d44467a6232347a5a48303d
```
Decoding with
```
echo "5a334a6c6558746b4d5752664d56397164584d335832646c4e3139774d44467a6232347a5a48303d" | xxd -r -p | base64 -d
```
yields the flag: `grey{d1d_1_jus7_ge7_p01son3d}`