Sharif CTF 2016: Network Forensics (Forensics 200)

Category: Forensics
Points: 200
Solves: 65

Description

You are given a cap file that contains wireless traffic captured at a location. Find the flag! :-)

Write-Up

We are given a pcap to start our journey. Here's a screenshot of what it generally looks like:

[screenshot: capture]

It's a bunch of WiFi traffic. At first glance we only see a few beacon frames, some null frames, some acknowledgement frames, and of course data frames.

However, if we look at the data frames, we find something that slows us down a bit:

[screenshot: flags]

Notice that the "Protected" flag is set. This means the payload of these data frames is encrypted. Wireshark can decrypt it for us, but only if we supply the key.

Let's look a bit further. I'm going to filter the traffic by TCP.

[screenshot: rom-0-http]

Interesting! A file named rom-0 is being downloaded over unencrypted HTTP. We can extract the file with Wireshark (File -> Export Objects -> HTTP) and start analysing it.

When I have an unknown file, I like to run a tool called binwalk on it to scan for known signatures.

[screenshot: binwalk]

Well, there's definitely something there. After some googling, it turns out that the rom-0 file can be pulled from certain routers and that a password can be recovered from it. That might be what we need to decrypt the traffic.

Countless tools exist to decompress this type of file. Using this website, I was able to extract a few strings. The string I got out of it was Rome4040. That's interesting, since an SSID beacon at the start of the capture was for an AP named Rome. Let's try decrypting the traffic now.

In Wireshark, go to Preferences -> Protocols -> IEEE 802.11 and make sure the "Enable decryption" checkbox is checked. Next, add the decryption key together with the SSID like this:

[screenshot: key thing]

Note that after doing this you may need to go to View -> Reload to make sure the packets are actually decrypted.
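As an added example (not part of the original write-up), here is what the key entry above turns into under the hood. Wireshark derives the 256-bit WPA/WPA2-Personal PSK (the PMK) from a "wpa-pwd" entry with PBKDF2-HMAC-SHA1, using the SSID as the salt and 4096 iterations, which is exactly why the SSID has to be entered next to Rome4040. The function names are mine; the passphrase and SSID are the ones recovered above.

```python
import hashlib


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Return the 32-byte WPA/WPA2-Personal PSK (the PMK) for a passphrase and
    SSID: PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations (IEEE 802.11i).
    This is the computation Wireshark performs for a 'wpa-pwd' key entry."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    if not 0 < len(ssid.encode()) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def wireshark_key_entries(passphrase: str, ssid: str) -> dict:
    """The two equivalent ways to hand Wireshark the key: the 'wpa-pwd' form
    used in the write-up, and the precomputed 'wpa-psk' form as 64 hex digits."""
    return {
        "wpa-pwd": f"{passphrase}:{ssid}",
        "wpa-psk": wpa_psk(passphrase, ssid).hex(),
    }


if __name__ == "__main__":
    # Values from the write-up: passphrase from rom-0, SSID from the beacon frame.
    for kind, value in wireshark_key_entries("Rome4040", "Rome").items():
        print(f"{kind:8} {value}")
    # Same passphrase, different SSID: a different PMK. The SSID must match the beacon.
    print(wpa_psk("Rome4040", "Rome") != wpa_psk("Rome4040", "Rome2"))
```

Two things worth keeping in mind when this does not work. The PMK only gets Wireshark as far as the EAPOL 4-way handshake; the per-session keys come from that handshake, so the capture must contain it for the station whose traffic you want to read, otherwise the frames stay "Protected" even with the right key. And from the defender's side, this is the whole risk of the rom-0 download seen earlier: once the passphrase leaks, anyone holding a capture with a handshake can decrypt every session on that SSID, with nothing further to break.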

Filtering by TCP again, we can start going through the traffic. There are a few points where it hits Google, but there is also an interesting POST request:

[screenshot: post]

Aha! A pastebin submission. Let's take a look at the POST data:

[screenshot: paste]

This looks like hex-encoded ASCII! The value that was posted is:

53:68:61:72:69:66:43:54:46:7b:62:65:30:32:64:32:61:33:39:36:34:38:32:39:36:39:65:33:39:64:39:32:62:36:65:34:34:30:66:35:65:33:7d

Decoding it to ASCII we get:

SharifCTF{be02d2a396482969e39d92b6e440f5e3}
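As an added example (not code from the original post), here is a small decoder that does the last step the way you would want it in a forensics toolbox: it takes the captured form body, pulls out every field value, tries to read each as the colon-separated hex Wireshark displays (space- and dash-separated or plain hex runs are accepted too), and looks for anything matching this CTF's flag format. The hex value is the one from the capture above; the field name api_paste_code and the rest of the form body are constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Flag format used by this CTF: SharifCTF{32 lowercase hex digits}.
FLAG_RE = re.compile(r"SharifCTF\{[0-9a-f]{32}\}")


def hex_to_bytes(s: str) -> bytes:
    """Decode hex as Wireshark shows it: colon-, space- or dash-separated,
    or a plain run of digits. Every non-hex character is treated as a separator."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", s)
    if not digits or len(digits) % 2:
        raise ValueError("not an even run of hex digits")
    return bytes.fromhex(digits)


def flags_in_form_body(body: str) -> list:
    """Parse an application/x-www-form-urlencoded POST body and return every
    flag found in a field whose value decodes to printable ASCII."""
    found = []
    for values in parse_qs(body, keep_blank_values=True).values():
        for value in values:
            try:
                text = hex_to_bytes(value).decode("ascii")
            except (ValueError, UnicodeDecodeError):
                continue  # not hex, or hex that is not ASCII text
            if text.isprintable():
                found.extend(FLAG_RE.findall(text))
    return found


# The posted value from the capture, split over two lines for readability.
POSTED_HEX = ("53:68:61:72:69:66:43:54:46:7b:62:65:30:32:64:32:61:33:39:36:34:38:"
              "32:39:36:39:65:33:39:64:39:32:62:36:65:34:34:30:66:35:65:33:7d")

# Constructed POST body: the field names are hypothetical, only the value is from the capture.
POST_BODY = "api_option=paste&api_paste_code=" + POSTED_HEX

if __name__ == "__main__":
    print(hex_to_bytes(POSTED_HEX).decode("ascii"))
    print(flags_in_form_body(POST_BODY))
```

Scanning every field rather than one named field means the script keeps working when the form layout differs from what was assumed here; fields that are not hex, or whose bytes are not ASCII, are simply skipped.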

Nice!! Submit the flag :)