Deadface CTF 2023 — Traffic Analysis
Write-ups for Deadface 2023 CTF Traffic Analysis challenges
Deadface 2023 CTF Write-ups
Sometimes IT Lets You Down
Task
Lytton Labs has been having a slew of weird activity in the network lately. This recent PCAP capture we know contains a user account who compromised our domain controller. Can you figure out what user account was compromised?
Submit the flag as:
flag{username}
Solution
I have downloaded the ITletsyoudown.pcapng network capture and opened it with Wireshark for analysis.
My first go-to is always “Statistics”. My favourite statistic to start any analysis with is “Protocol Hierarchy”. It gives you a high-level overview of the protocols contained in the capture and may give you a first glimpse of interesting types of data.
Statistics > Protocol Hierarchy
Since we are looking for domain users, Server Message Block (SMB) traffic is of great importance to us. Most modern servers support SMBv2 and SMBv3, although some still support the old SMBv1 protocol, which is highly vulnerable (do you really WannaCry?).
Let’s start with SMBv2 and filter for that traffic:
smb2
Bingo! That was easy, wasn’t it? We have the user “mmeyers” trying to authenticate to spooky.domain.
flag{mmeyers}
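The username Wireshark prints in an SMB2 Session Setup Request comes from the NTLMSSP AUTHENTICATE message carried inside it, and that field is never encrypted, which is why a capture alone identifies the account even though the password is not on the wire. Here is an added example (not part of the write-up, and not Wireshark’s code) that builds and parses such a message; the domain, user and workstation values are constructed from the names above, and it assumes the session used NTLM rather than Kerberos.

```python
import struct

NTLM_NEGOTIATE_UNICODE = 0x00000001   # strings are UTF-16LE when set
NTLM_NEGOTIATE_NTLM = 0x00000200

def build_ntlm_authenticate(domain: str, user: str, workstation: str,
                            nt_response: bytes = b"\x00" * 24) -> bytes:
    """Constructed NTLMSSP AUTHENTICATE_MESSAGE (type 3) in the MS-NLMP layout:
    signature, type, six security-buffer descriptors, flags, then the payload."""
    fields = [b"",                              # LmChallengeResponse (empty)
              nt_response,                      # NtChallengeResponse (dummy bytes here)
              domain.encode("utf-16-le"),       # DomainName
              user.encode("utf-16-le"),         # UserName
              workstation.encode("utf-16-le"),  # Workstation
              b""]                              # EncryptedRandomSessionKey
    header = b"NTLMSSP\x00" + struct.pack("<I", 3)
    payload = b""
    for f in fields:
        # each descriptor: Len, MaxLen, Offset measured from the start of the message
        header += struct.pack("<HHI", len(f), len(f), 64 + len(payload))
        payload += f
    header += struct.pack("<I", NTLM_NEGOTIATE_UNICODE | NTLM_NEGOTIATE_NTLM)
    return header + payload

def parse_ntlm_authenticate(msg: bytes) -> dict:
    """Pull domain, user and workstation out of a type-3 NTLM message.
    Only the challenge response is derived from the password; these are cleartext."""
    if msg[:8] != b"NTLMSSP\x00" or struct.unpack("<I", msg[8:12])[0] != 3:
        raise ValueError("not an NTLM AUTHENTICATE message")
    flags = struct.unpack("<I", msg[60:64])[0]
    codec = "utf-16-le" if flags & NTLM_NEGOTIATE_UNICODE else "ascii"  # OEM charset simplified
    def field(index: int) -> bytes:
        length, _max, offset = struct.unpack("<HHI", msg[12 + 8 * index:20 + 8 * index])
        if offset + length > len(msg):
            raise ValueError("security buffer points outside the message")
        return msg[offset:offset + length]
    return {"domain": field(2).decode(codec, "replace"),
            "user": field(3).decode(codec, "replace"),
            "workstation": field(4).decode(codec, "replace")}

def authenticating_users(messages) -> set:
    """Summarise which DOMAIN\\user accounts attempted NTLM auth in a set of type-3 blobs."""
    users = set()
    for blob in messages:
        info = parse_ntlm_authenticate(blob)
        users.add(f"{info['domain']}\\{info['user']}")
    return users

# constructed sample, mirroring the account seen in the capture
SAMPLE_AUTH = build_ntlm_authenticate("spooky.domain", "mmeyers", "WORKSTATION01")
```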
Git Rekt
Task
One of our teammates at Turbo Tactical ran a phishing campaign on spookyboi and thinks spookyboi may have submitted credentials. We need you to take a look at the PCAP and see if you can find the credentials.
Submit the password as the flag:
flag{password}
Solution
I have downloaded the pcap-20231010.pcap network capture and opened it with Wireshark for analysis.
As usual, we examine the “Statistics” and “Protocol Hierarchy” as a first port of call to get a high-level overview.
Statistics > Protocol Hierarchy
Traffic of interest here could be SSH or HTTP. Most of the time I would inspect the web traffic first.
This time we most likely have to look at the HTTP traffic first, as the attack was a phishing campaign intended to harvest web credentials.
From experience we can zoom straight in on the “HTML Form URL Encoded” line to see if there are any interesting interactions, such as web logins submitted through an HTML form.
You can right click that line and select it as a filter.
Alternatively, you can use the following Wireshark filter:
urlencoded-form
Below is the HTTP request that shows the password. Be aware that the password may be URL-encoded, so make sure you decode it:
POST /session HTTP/1.1
Host: 147.182.253.207
Connection: keep-alive
Content-Length: 520
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://147.182.253.207
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Sec-GPC: 1
Accept-Language: en-US,en
Referer: http://147.182.253.207/
Accept-Encoding: gzip, deflate
Cookie: preferred_color_mode=dark; tz=America%2FChicago
commit=Sign+in&authenticity_token=itYs%2BHLxxadKOu%2FLcUSIlVEkCT0DBQ6EwYw2TO0D28Za9lQoiAGqbgjQ0p2IewNCvvtRkN0XcJrK5Me1ndYRvw%3D%3D&login=spookyboi%40deadface.io&password=SpectralSecrets%232023&webauthn-conditional=undefined&javascript-support=true&webauthn-support=unsupported&webauthn-iuvpaa-support=unsupported&return_to=https%3A%2F%2Fgithub.com%2Flogin&allow_signup=&client_id=&integration=&required_field_826d=&timestamp=1696980020598&timestamp_secret=701122f4b577941e1c787414ea0775e8cd9e974f8c5b46eceff028a721e9d713
“password” = “SpectralSecrets#2023”
The flag is the password. Simple as that.
Another way of going about it is to follow the HTTP streams and cycle through them until you see the logon details being submitted. Just make sure you decode the URL encoding (%23 represents the # symbol).
Analyze > Follow > HTTP Stream
An alternative and quicker method of finding the password is to … (drum roll) … simply grep for it! You should always learn how to analyse things properly in Wireshark, but when you are pressed for time in a CTF, you are excused for looking for the quickest method to solve a challenge so you can move on to the more complex ones.
flag{SpectralSecrets#2023}
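An added example, not from the write-up, that does the urlencoded-form check and the %23 decoding programmatically: it keeps only POSTs whose Content-Type is a form submission and returns the credential-like fields, decoded. The request is a constructed, cut-down copy of the POST above with the same login and password fields.

```python
from urllib.parse import parse_qs

# form field names that usually carry credentials (substring match)
CREDENTIAL_KEYS = ("login", "user", "email", "pass", "pwd")

def split_request(raw: str):
    """Split a raw HTTP/1.1 request into (request line, header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def extract_form_credentials(raw: str):
    """Return {field: decoded value} for credential-like fields of a
    urlencoded POST, or None when the request is not a form submission."""
    request_line, headers, body = split_request(raw)
    method = request_line.split(" ", 1)[0]
    content_type = headers.get("content-type", "").split(";")[0].strip().lower()
    if method != "POST" or content_type != "application/x-www-form-urlencoded":
        return None
    # parse_qs undoes both '+' -> ' ' and %XX escapes, so %23 comes back as '#'
    fields = parse_qs(body, keep_blank_values=True)
    return {name: values[0] for name, values in fields.items()
            if any(key in name.lower() for key in CREDENTIAL_KEYS)}

# Constructed request: a cut-down version of the POST shown above.
SAMPLE_POST = (
    "POST /session HTTP/1.1\r\n"
    "Host: 147.182.253.207\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "commit=Sign+in&login=spookyboi%40deadface.io&password=SpectralSecrets%232023"
    "&return_to=https%3A%2F%2Fgithub.com%2Flogin"
)
```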
Creepy Crawling
Task
One of our clients, TGRI, had an SSH server compromised at one of their smaller remote locations. Their only security analyst was fired and “accidentally” deleted information specific to the attack. Thankfully, TGRI still has the PCAP that captured the SSH brute force attack. What SSH protocol did TGRI run that was eventually compromised by DEADFACE?
Submit the SSH protocol as the flag:
flag{SSH-1.1.1: Simple SSH Server}
SHA1SUM: d402c9123b03cdcdf68fee34b2a5729bfb5f867c
Solution
I have downloaded the pcap-20231010.pcap network capture and opened it with Wireshark for analysis.
By now you know the drill: we examine “Statistics” and “Protocol Hierarchy” as a first port of call to get a high-level overview.
Let’s filter by entering “ssh” into the display filter bar. We notice around 991 packets exchanged between 10.10.10.80 and 10.10.10.50:
ssh
If you pay attention to the “Info” column you will quickly notice which host is the server (10.10.10.5) and which is the client (10.10.10.80).
Here we can also see the two different SSH implementations announced by the server and the client in their version strings.
To narrow the filter even further, let’s specify that we are only interested in packets originating from the server. Packets originating from the server are sent from TCP source port 22:
ssh && tcp.srcport == 22
We can click on any packet displaying the server’s protocol string and copy it:
Protocol: SSH-2.0-9.29 FlowSsh: Bitvise SSH Server (WinSSHD) 9.29
For the flag we only need to follow the format flag{SSH-1.1.1: Simple SSH Server}, therefore we can truncate the answer and copy only the exact string we need, which is SSH-2.0-9.29 FlowSsh: Bitvise SSH Server.
flag{SSH-2.0-9.29 FlowSsh: Bitvise SSH Server}
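An added example, not part of the write-up: it parses identification strings the way RFC 4253 defines them (SSH-protoversion-softwareversion, optional comments after a space) and uses the port-22 direction to tell server banners from client banners, counting client banners per client/server pair as a brute-force indicator, since every new TCP session sends exactly one. The packet tuples and the client software string are constructed; the addresses follow the write-up.

```python
import re
from collections import Counter

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF"
BANNER_RE = re.compile(r"^SSH-(?P<proto>[^-\s]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")

def parse_ssh_banner(line: str) -> dict:
    """Split one identification string into its protocol, software and comment parts."""
    line = line.rstrip("\r\n")
    m = BANNER_RE.match(line)
    if m is None:
        raise ValueError(f"not an SSH identification string: {line!r}")
    return {"protocol": m["proto"], "software": m["software"],
            "comments": m["comments"] or "", "banner": line}

def ssh_summary(packets):
    """packets: iterable of (src_ip, src_port, dst_ip, dst_port, payload) tuples,
    constructed here in place of a real capture. Returns the banner per server IP
    and the number of client banners per (client, server) pair; each client banner
    marks a fresh TCP session, so a high count points at a brute-force attempt."""
    servers, sessions = {}, Counter()
    for src, sport, dst, dport, payload in packets:
        if not payload.startswith(b"SSH-"):
            continue   # key exchange and encrypted records carry no banner
        info = parse_ssh_banner(payload.decode("ascii", "replace"))
        if sport == 22:
            servers.setdefault(src, info)     # server identifies itself from port 22
        elif dport == 22:
            sessions[(src, dst)] += 1         # one client banner per new session
    return servers, sessions

# constructed sample: five sessions from the client to the server seen in the capture
SAMPLE_PACKETS = [
    ("10.10.10.80", 51000 + i, "10.10.10.50", 22, b"SSH-2.0-libssh_0.10.0\r\n")
    for i in range(5)
] + [
    ("10.10.10.50", 22, "10.10.10.80", 51000 + i,
     b"SSH-2.0-9.29 FlowSsh: Bitvise SSH Server (WinSSHD) 9.29\r\n")
    for i in range(5)
]
```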
UVB-76 (Hello, are you there?)
Task
Lytton Labs system administrators are talking through network traffic, probably complaining about the Turbo Tactical assessment. I have looked and looked but I can’t figure it out. Can you find the secret message?
Solution
I have downloaded the PCAP06.pcapng network capture and opened it with Wireshark for analysis.
As always, I start with the “Statistics” and “Protocol Hierarchy” analysis to get a high-level overview of what protocols are contained in this capture.
Statistics > Protocol Hierarchy
We can see that there is heavy TCP activity but also ICMP, which in many CTFs is the “traffic of interest”. Also, whenever you see “Data”, it is definitely worth having a look at.
Let’s filter for “data” and see what traffic or protocols contain data.
data
Immediately we see that ICMP carries some data. ICMP echo requests normally contain a fixed filler payload, but malicious actors (and CTF authors) occasionally use them to send custom strings of data rather than the default pattern, such as “abcdefg…” or “!#$%&’()*+,-./0123456789…”, that ping implementations use.
We see our first hint that we are on the right track.
The payload contains “Keep Looking”. That is very promising.
We keep scrolling down until we see something very interesting that looks like a potential flag. This time we will also filter our results to only show ping requests, not the replies, by specifying the sender 10.10.10.3 in our filter:
data && ip.src==10.10.10.3
Let’s zoom in on that Data field in the Packet Details pane on the left.
Notice the flag in the Packet Bytes pane on the right?
If we copy the packets with the flag (there should be a few echo requests with the flag data), we get the following:
<Ether dst=00:15:5d:01:8c:22 src=00:15:5d:01:8c:1e type=IPv4 |<IP version=4 ihl=5 tos=0x0 len=47 id=64922 flags= frag=0 ttl=64 proto=icmp chksum=0x551b src=10.10.10.3 dst=10.10.10.2 |<ICMP type=echo-request code=0 chksum=0xa7a7 id=0x2bd seq=0x2 unused='' |<Raw load='Flag{is_this_thing_' |<Padding load='on?}' |>>>>>,
The interesting thing about this ICMP packet is that the flag string is spread over the “load” and the “padding”. Don’t worry about the technicality of this if you just want the flag and are not a network geek like me who likes to understand protocols a bit more deeply :)
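For the network geeks: the IP header above says len=47, which is 20 bytes of IPv4 header, 8 bytes of ICMP header and exactly the 19 bytes of ‘Flag{is_this_thing_’, so the four bytes ‘on?}’ sit beyond the declared datagram length and the dissector files them as padding. Here is an added example, not from the write-up, that rebuilds such a frame (constructed, using the addresses above) and extracts both parts the way a dissector sees them.

```python
import struct

def _checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071) used by both the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo_frame(data: bytes, trailer: bytes = b"") -> bytes:
    """Constructed Ethernet/IPv4/ICMP echo request mirroring the capture above:
    the IP total length covers only `data`; `trailer` is appended after the
    datagram, which is exactly what a dissector then labels as padding."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x2BD, 2) + data      # type 8, id, seq
    icmp = icmp[:2] + struct.pack("!H", _checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 64922, 0, 64, 1, 0,
                     bytes([10, 10, 10, 3]), bytes([10, 10, 10, 2]))
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    eth = bytes.fromhex("00155d018c22") + bytes.fromhex("00155d018c1e") + b"\x08\x00"
    return eth + ip + icmp + trailer

def split_icmp_payload(frame: bytes):
    """Return (icmp_data, trailer): the echo data inside the IP total length and
    any bytes the frame carries beyond it."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 1:
        raise ValueError("not ICMP")
    icmp = ip[ihl:total_len]
    if len(icmp) < 8:
        raise ValueError("truncated ICMP header")
    return icmp[8:], ip[total_len:]

def recover_echo_text(frame: bytes) -> str:
    """Join data and trailer, which is how the split flag reads as one string."""
    data, trailer = split_icmp_payload(frame)
    return (data + trailer).decode("ascii", "replace")
```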
Now that we have done it the long way, here is a shorter method to solve it. Credit for this quick solution goes to Michael Holsbach; please check out his other Deadface write-ups as well.
Perform a simple strings and grep search over the capture. This saves time during CTFs for those who already know Wireshark well, but I still urge you to learn how to do traffic analysis in Wireshark or Tshark, as you will need that knowledge in real-life situations.
Flag: flag{is_this_thing_on?}
Conclusion
I hope you enjoyed the write-up and that it has helped you in some way or shape.
Wireshark is a great investigative tool to learn for defenders, CTF players and penetration testers alike. It is a must-learn skill in cyber security.
Spend some time playing with it, as well as with the command-line versions Tshark and tcpdump, which come in handy when you only have access to a headless server (no GUI) and need to either capture some traffic or analyse existing captures.
There are a few more challenges I solved after the CTF ended, so to be honest I did not include them here. I have only shared the challenges I solved during the competition.
Many thanks and see you soon on the next CTF!