HackingWeek 2015 - Network

Write-ups for the four Hacking Week 2015 Network challenges with Wireshark and Python.

Introduction

In this article I will summarize the different methods that were used to complete the four network challenges during HackingWeek 2015.
The essential tool is Wireshark; you will also need a scripting language such as Python.

Network 1

The following pcap file contains a network capture of an FTP connection. The key for this challenge is contained in one of the files transferred during this FTP connection.

This first challenge is rather easy: you have a pcap file with 152 packets, the capture of an FTP session.
We are probably looking for a file that contains the flag. We will use a Wireshark filter to display transferred data only.

ftp-data

Now we have only 52 displayed packets. Looking at packet number 44, the JFIF header in the data should catch your eye: it marks the start of a JPEG image.
To dump this picture, right-click on packet number 44, then click on "Follow TCP Stream" and save the stream as image.jpg. If you open the picture you will get the flag.

Network 2

The following pcap file contains a network capture of an nmap scan; find the services that were discovered on the target machine. The validation key will be service1:service2:service3:... with the services listed in ascending port order.

For the second challenge we are going to use Wireshark filters again. This time we have the capture of an nmap scan with 2009 packets.
If you are not aware of how TCP works you should read about it. An open port answers a SYN probe with a SYN/ACK, so we are looking for packets where both the ACK and the SYN bits are set.

tcp.flags.ack == 1 && tcp.flags.syn == 1

This filter leaves us with 5 packets. If you inspect these packets more closely you can see that they come from different ports: 21, 22, 23, 80 and 443.
The services for these ports, in the same order, are ftp, ssh, telnet, http and https.
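The same filter expressed in Python, as an added example that is not part of the original write-up: it reads a classic pcap file, keeps the segments with both SYN and ACK set, and builds the validation key from their source ports. The sample capture, the addresses and all function names are constructed for the illustration; only little-endian classic pcap with Ethernet II and IPv4 is handled.

```python
# Added example, not from the original write-up: the SYN/ACK filter in Python.
# The capture below is constructed; only classic little-endian pcap with
# Ethernet II + IPv4 frames is handled.
import struct

SERVICES = {21: "ftp", 22: "ssh", 23: "telnet", 80: "http", 443: "https"}

def open_ports(pcap):
    """Return the sorted source ports of segments with both SYN and ACK set."""
    if struct.unpack_from("<I", pcap, 0)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap file")
    ports, pos = set(), 24                        # 24-byte global header
    while pos + 16 <= len(pcap):
        incl_len = struct.unpack_from("<I", pcap, pos + 8)[0]
        frame = pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                              # not IPv4 carrying TCP
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]  # skip IP header (IHL words)
        if len(tcp) >= 14 and (tcp[13] & 0x12) == 0x12:  # SYN=0x02, ACK=0x10
            ports.add(struct.unpack_from("!H", tcp, 0)[0])
    return sorted(ports)

def validation_key(ports):
    """Join service names in ascending port order, as the challenge asks."""
    return ":".join(SERVICES.get(p, str(p)) for p in sorted(ports))

def make_frame(sport, dport, flags):
    """Build a minimal Ethernet/IPv4/TCP frame (sample construction only)."""
    eth = bytes(12) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1]))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 1024, 0, 0)
    return eth + ip + tcp

def make_pcap(frames):
    """Wrap frames in a classic pcap file (sample construction only)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

# Constructed scan: SYN probes, SYN/ACK (0x12) from open ports, RST/ACK (0x14) otherwise.
FRAMES = []
for port in (443, 25, 22, 8080, 80, 21, 23):
    FRAMES.append(make_frame(40000, port, 0x02))
    FRAMES.append(make_frame(port, 40000, 0x12 if port in SERVICES else 0x14))
SAMPLE_PCAP = make_pcap(FRAMES)

if __name__ == "__main__":
    print(validation_key(open_ports(SAMPLE_PCAP)))
```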

Network 3

The following pcap file contains a network capture of a transfer over the SMB2 protocol. The goal is to find a zipped file that passed over the network and to extract the key it contains.

For the third network challenge we need to find a zip file in the middle of a pcap file with 97,138 packets.
Let's use some Wireshark filters again: we only want to see transfers of files larger than 200 bytes.

smb2.write_data && smb2.write_length > 200

We now have 208 displayed packets. After a quick overview we can see that packet number 13895 seems to be what we are looking for, because it contains a zip header.
We copy the "Write Data" from the SMB packet and save it to a zip file. The zip file contains a file named flag.txt, but it is password protected (it would have been too easy).
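How the zip header and the password protection show up in the copied bytes, as an added example that is not part of the original write-up: it walks the ZIP local file headers in a payload and reports each entry name with its encryption bit. The sample payload, its second file name and all function names are constructed for the illustration.

```python
# Added example, not from the original write-up: inspect a carved payload for
# ZIP local file headers. The sample payload below is constructed.
import struct

LOCAL_HDR = struct.Struct("<4sHHHHHIIIHH")    # 30-byte ZIP local file header
SIG = b"PK\x03\x04"

def zip_entries(payload):
    """Return [(filename, encrypted)] for local file headers found in payload."""
    entries = []
    pos = payload.find(SIG)                    # tolerate leading non-ZIP bytes
    while pos != -1 and pos + LOCAL_HDR.size <= len(payload):
        (_, _, flags, _, _, _, _, csize, _, nlen, xlen) = \
            LOCAL_HDR.unpack_from(payload, pos)
        start = pos + LOCAL_HDR.size
        name = payload[start:start + nlen].decode("cp437")
        entries.append((name, bool(flags & 0x0001)))   # bit 0 = encrypted
        if flags & 0x0008:                     # sizes are in a trailing descriptor
            break
        nxt = start + nlen + xlen + csize
        pos = nxt if payload[nxt:nxt + 4] == SIG else -1
    return entries

def make_entry(name, stored, encrypted):
    """Build one stored (uncompressed) entry; used only to construct the sample."""
    flags = 0x0001 if encrypted else 0
    # Traditional ZIP encryption prepends a 12-byte header to the data.
    usize = len(stored) - 12 if encrypted else len(stored)
    hdr = LOCAL_HDR.pack(SIG, 20, flags, 0, 0, 0, 0,
                         len(stored), usize, len(name), 0)
    return hdr + name + stored

# Constructed payload: one plain entry and one encrypted entry named flag.txt.
SAMPLE_WRITE_DATA = (make_entry(b"readme.txt", b"hello", False)
                     + make_entry(b"flag.txt", bytes(12) + b"\x8a\x11\x5c\x07", True))

if __name__ == "__main__":
    for name, encrypted in zip_entries(SAMPLE_WRITE_DATA):
        print(name, "encrypted" if encrypted else "plain")
```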

The last step is to find the password used to protect the zip. We are going to use John the Ripper.

$ zip2john net3.zip | tee net3.txt
net3.zip:$zip$*0*1*a2b728db72200be0*a089

$ john net3.txt

After a few seconds the password is cracked and appears to be "dawn".

Network 4

We are given a file (pcapssl-capture.pcap), the public key of the web server (PublicKey.pem), and the result of a Heartbleed attack on the server while the exchange was taking place (heartbleed_attack.log).

With these three elements, you must manage to decrypt the exchange that took place. The validation key for the challenge is the password of the user who logs in during this encrypted exchange.

For this fourth and last network challenge we had to extract the private key from a log file after a Heartbleed attack.
This challenge was rather simple: all you had to do was convert all the hex values from "heartbleed_attack.log" back to binary and then use a tool such as keyscan.py to recover the two distinct prime numbers p and q.

Find p and q

$ keyscan.py PublicKey.pem heartbleed_attack.log

Generate a new PEM

The next step was to generate the PEM from e, p and q. You can download rsatool on GitHub.

$ rsatool.py -f PEM -o net4.pem -p 154505360461616922248064634925887787698458246382581570008454841098205176362058153054716586584864800572253287936092439749949400519549787548103712618564774866592690729105816373428201915463608923143735621932793997654468908714003299258111612018699395021710536083706990861285242484886738208843067246867876336512717 -q 138852093008898850686012456373768327478455353038157410858057164373875677340426807024748710986463974023721177557819726767426790025368866252626983875396610359520369182162294762648394554627219869605698331975009788541386106645697563287735732352178202095503974633116258015336431940916628771494999735090165023984599 -n 21453392681189875951298501360475937910331099904642103712139850912587601072539013884446576637048682790378384414405647284552787785744821723288139857992564721276307295828675846453183302641291421949808644672921028570522645830518653678392315849744535854226548223374738128381748147180975701307187591766830556689067960208767002461073883802714221404861267486185903944574825561447846526644728233714429328538195888279960378012470136107349531560867617249371649297675371225958097871635686534640509783438670920385294202304339136723400423006466759263057614217093217884345171221152234249347612857704091560436655171684041151575645483 -e 65537
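The two steps above, as an added example that is not keyscan.py, rsatool or code from the original write-up: it turns a hexdump-style log back into bytes, tests every half-modulus-sized window as a divisor of n, and derives the private exponent d from the recovered primes. The log layout, the toy primes and all function names are assumptions made for the illustration, and the prime is assumed to sit in memory as a little-endian integer.

```python
# Added example (not keyscan.py or rsatool): find an RSA prime in leaked memory
# and rebuild the private exponent. Log layout and toy key are constructed.

def parse_hexdump(log_text):
    """Turn 'offset: aa bb cc ...' lines back into raw bytes (assumed log layout)."""
    out = bytearray()
    for line in log_text.splitlines():
        _, sep, hexpart = line.partition(":")
        if not sep:
            continue
        try:
            out += bytes.fromhex(hexpart.strip())
        except ValueError:
            continue  # banner or status line, not hex data
    return bytes(out)

def find_factor(n, memory):
    """Test every half-modulus-sized window of memory as a divisor of n.

    Assumes the prime is stored as a little-endian integer (x86 layout).
    Returns (offset, prime), or None if no window divides n.
    """
    size = (n.bit_length() + 7) // 8 // 2
    for off in range(len(memory) - size + 1):
        cand = int.from_bytes(memory[off:off + size], "little")
        if 1 < cand < n and n % cand == 0:
            return off, cand
    return None

def private_exponent(p, q, e=65537):
    """d is the inverse of e modulo (p-1)(q-1); pow(e, -1, m) needs Python 3.8+."""
    return pow(e, -1, (p - 1) * (q - 1))

# Constructed toy key: two known primes, far too small for real use.
P, Q = 2**61 - 1, 2**64 - 59
N = P * Q
# Constructed "leak": request bytes, padding, then P as it would sit in memory.
LEAK = b"GET / HTTP/1.1\r\n" + bytes(5) + P.to_bytes(8, "little") + b"\x00session"
SAMPLE_LOG = "heartbeat response: 37 bytes\n" + "\n".join(
    "%04x: %s" % (i, " ".join("%02x" % b for b in LEAK[i:i + 16]))
    for i in range(0, len(LEAK), 16))

if __name__ == "__main__":
    offset, p = find_factor(N, parse_hexdump(SAMPLE_LOG))
    q = N // p
    d = private_exponent(p, q)
    print("prime found at offset", offset)
    print("round trip ok:", pow(pow(42, 65537, N), d, N) == 42)
```

Run against a memory dump from your own server and its public modulus, the same scan shows whether a disclosure exposed key material and the key therefore has to be replaced.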

Decrypt the HTTPS traffic

The last step was to load the pcap in Wireshark and add the PEM to the SSL RSA keys list to display the decrypted traffic.