Friday, December 29, 2017

Network Forensic CTF - TufMups Undercover Operation


Disclaimer: This CTF scenario is satirical and doesn't represent anyone's opinion, about anything.


This is a network forensics CTF I set up recently for a team training event. It was well received and I think it is a bit of a laugh and challenge for a range of experience levels. I hope you enjoy it!


Background: You're an agent with a government law enforcement agency. You've been tracking a group of criminal hackers known as "TufMups". This group either keeps a low profile, your agency's capacity to run investigations on the internet is very poor, or some combination of those two factors. Up until two days ago you had an active relationship with an informant who went by the handle "K3anu". As you walked into your office you received a package containing a flash drive, a printed screenshot (at the top of this blog post) and a very short note. 

"Review this PCAP. It will all make sense. Woaaahhhh. - K3anu"

That package was the last you heard from K3anu.

DOWNLOAD EVIDENCE LINK  <-- Everything you need to answer the questions is in the PCAP. There is a server I left up which you can use to get a couple of flags, but it's not intended to be hackable. It may be more fun to get the flag(s) directly from the web server, so I'll leave it up!


If you're new to either CTFs or analyzing PCAPs, I have a few tips:

  1. Use CyberChef and love it. I have a blog post about it here.
  2. Know and love Wireshark. There are other ways to approach a PCAP challenge, such as replaying the capture through Bro/Suricata/VortexIDS (thanks to D.K. for this tip) or summarizing it with a command-line tool like TShark, but that isn't strictly necessary.
  3. Find a tool to help crack zip files; think about both brute-force and dictionary attacks as viable strategies. Kali Linux ships several, and on other Linux distributions one may be just an "apt install" away :D.
  4. Metadata is always useful; make sure you have a tool to check for it.
  5. Read ahead through the questions if you're getting stuck. Use the screenshot at the top of the post as a starting point. Hit me up on Twitter for hints @securitymustard or to berate me.
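As an added worked example (not part of the original post or its evidence pack), here is the dictionary attack from tip 3 done with only the Python standard library. Everything in it is made up for illustration: the file name, the CSV contents, the password tufmups123 and the wordlist are assumptions, not the CTF's answers. The archive is built in memory with the legacy ZipCrypto cipher, which is what most password-protected zips still use, so the example runs offline and also shows why a wrong guess is usually rejected after a single byte.

```python
"""Dictionary attack on a ZipCrypto-protected archive using only the
Python standard library. The archive is built in memory so the example
runs offline. File name, contents, password and wordlist are all made up
for this example and have nothing to do with the CTF's real answers."""
import io
import os
import struct
import zipfile
import zlib

# Reflected CRC-32 table; ZipCrypto reuses it inside its key schedule.
CRC_TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
    CRC_TABLE.append(c)


class ZipCrypto:
    """Legacy PKWARE 'traditional' stream cipher, encrypt side only (the
    decrypt side is what zipfile already implements for us)."""

    def __init__(self, password):
        self.keys = [0x12345678, 0x23456789, 0x34567890]
        for b in password:
            self._update(b)

    def _update(self, b):
        k = self.keys
        k[0] = CRC_TABLE[(k[0] ^ b) & 0xFF] ^ (k[0] >> 8)
        k[1] = (k[1] + (k[0] & 0xFF)) & 0xFFFFFFFF
        k[1] = (k[1] * 134775813 + 1) & 0xFFFFFFFF
        k[2] = CRC_TABLE[(k[2] ^ (k[1] >> 24)) & 0xFF] ^ (k[2] >> 8)

    def encrypt(self, plaintext):
        out = bytearray()
        for p in plaintext:
            t = (self.keys[2] | 2) & 0xFFFF
            out.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(p)  # the key schedule advances on the plaintext byte
        return bytes(out)


def make_encrypted_zip(name, data, password):
    """Write one stored (uncompressed) entry with ZipCrypto encryption.
    Flag bit 0 = encrypted. The 12-byte random prefix ends with the top byte
    of the CRC, which is the only password check the format offers."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    body = ZipCrypto(password).encrypt(os.urandom(11) + bytes([crc >> 24]) + data)
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, 1, 0, 0, 0x21,
                        crc, len(body), len(data), len(name), 0) + name
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, 1, 0, 0, 0x21,
                          crc, len(body), len(data), len(name), 0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1,
                       len(central), len(local) + len(body), 0)
    return local + body + central + eocd


def mangle(words):
    """Cheap brute-force flavour on top of a dictionary: capitalisation and
    common suffixes. john/hashcat have far richer rule engines."""
    for w in words:
        for base in (w, w.capitalize()):
            for suffix in (b"", b"1", b"123", b"!", b"2017"):
                yield base + suffix


def read_entry(archive, pwd):
    """Decrypt and return the first entry's contents with a known password."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return zf.read(zf.namelist()[0], pwd=pwd)


def crack_zip(archive, candidates):
    """Try each candidate; return the first password that yields valid data.
    A wrong password usually fails the 1-byte check (RuntimeError); about
    1 in 256 slip past it and are then caught by the CRC-32 check (BadZipFile)."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        target = zf.namelist()[0]
        for pwd in candidates:
            try:
                zf.read(target, pwd=pwd)
                return pwd
            except (RuntimeError, zipfile.BadZipFile):
                continue
    return None


# Constructed sample: a tiny "fullz" CSV locked with a weak, made-up password.
SAMPLE_DATA = b"name,card,os\nJoshua Example,MasterCard,OS X\n"
SAMPLE_ARCHIVE = make_encrypted_zip(b"fullz.csv", SAMPLE_DATA, b"tufmups123")
WORDS = [b"password", b"k3anu", b"tufmups", b"letmein"]

if __name__ == "__main__":
    print("plain dictionary:", crack_zip(SAMPLE_ARCHIVE, WORDS))
    print("with mangling:   ", crack_zip(SAMPLE_ARCHIVE, mangle(WORDS)))
```

A few practical caveats. Python's zipfile decrypts in pure Python, so this is only fast enough for short wordlists; for real jobs use fcrackzip, or zip2john followed by John the Ripper, or hashcat's PKZIP modes. ZipCrypto is also vulnerable to a known-plaintext attack (Biham and Kocher; implemented in pkcrack and bkcrack) that recovers the internal keys regardless of password strength once you know a dozen or so bytes of any file in the archive, which a CSV with a predictable header often gives you for free. Finally, archives that use WinZip AES encryption cannot be opened by zipfile at all, so check the compression method and flags before choosing a tool.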

Questions:

What is the start time of the PCAP ("Date and Time of Day" setting in Wireshark, rounded to the nearest second)?
What is the end time of the PCAP ("Date and Time of Day" setting in Wireshark, rounded to the nearest second)?
How many total packets were sent between the host and the hacker website IP?
What is the hostname of the system the PCAP was recovered from? (all caps)
What exact version of browser did K3anu use? (exact number only)
What operating system did K3anu use? (Name and number only)
How many DNS queries in the PCAP received NXDOMAIN responses?
What is the hidden message in the TufMups website? (decoded)
What is the key to decode the secret message in the TufMups website?
How did K3anu get access to the file? (lowercase, just protocol)
What's the nickname of the operator on the IRC channel?
What is the 1st operation needed to decode the IRC users' "secure" comms? (just the format name)
What is the 2nd operation needed to decode the IRC users' "secure" comms? (just the format name)
What is the 3rd operation needed to decode the IRC users' "secure" comms? (just the format name)
What is the 4th and final operation needed to decode the IRC users' "secure" comms? (2 words lowercase)
What is the password to decrypt the zip file that was downloaded by K3anu?
How many total rows of "fullz" are represented in the file?
How many people in the fullz are named Joshua, have a MasterCard, and use an OS X system?
From the previous question (the filtered list of people named Joshua), which car in that list is the most expensive when bought new?
What IP and port does the executable connect to? ip:port
What is the MD5 of the executable?
What was used to compile the malicious executable?
What executable did K3anu likely use to download files from the remote server? (exactly as written in source material)
What is the host system's exact BIOS version?
What is the filename of the first file taken from K3anu's computer?
What is the filename of the second file taken from K3anu's computer?
What utility was used to steal the files from K3anu's computer?
What destination port was used to steal the files from K3anu's computer?
What is the password to decrypt the file stolen from K3anu's computer? (it's lowercase)
What is K3anu's real identity?
What city is K3anu likely to be in?
What is K3anu's likely status? (lowercase)
What is the address of the restaurant closest to where K3anu is likely to be? (exactly as reported by Google maps)
The hacker left a message for law enforcement on K3anu's system, what was it? (message only)
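As an added example, not part of the original post and using a capture constructed here rather than the CTF's PCAP, this is a minimal libpcap reader that answers the kind of questions the list opens with: start and end time, packets exchanged between two IPs, NXDOMAIN responses and the browser's User-Agent. All addresses, names and the browser string are made up; the real answers come from K3anu's PCAP, not from this code. It is what Wireshark and tshark do underneath, reduced to the parts those first questions need.

```python
"""Minimal libpcap reader (standard library only) for the opening questions
of a network forensics CTF: capture start/end time, packets between two
hosts, DNS NXDOMAIN responses and HTTP User-Agent strings. The capture is
constructed inline; addresses, names and the browser string are made up."""
import struct
from collections import Counter
from datetime import datetime, timezone
from ipaddress import ip_address

MAGIC_LE, MAGIC_LE_NS = 0xA1B2C3D4, 0xA1B23C4D


def pcap_bytes(packets):
    """Build a little-endian, microsecond libpcap file from (sec, usec, frame)."""
    out = struct.pack("<IHHiIII", MAGIC_LE, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for sec, usec, frame in packets:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def ipv4_frame(src, dst, proto, l4):
    """Ethernet II + IPv4 header (checksum left zero; the reader never validates it)."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ip_address(src).packed, ip_address(dst).packed)
    return eth + ip + l4


def dns_frame(src, dst, sport, dport, flags, name):
    """UDP DNS message with one A question; flags 0x8183 = response, RCODE 3 (NXDOMAIN)."""
    qname = b"".join(bytes([len(p)]) + p for p in name.encode().split(b".")) + b"\x00"
    dns = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0) + qname + b"\x00\x01\x00\x01"
    udp = struct.pack("!HHHH", sport, dport, 8 + len(dns), 0) + dns
    return ipv4_frame(src, dst, 17, udp)


def tcp_frame(src, dst, sport, dport, payload):
    """TCP segment with a plain 20-byte header (data offset 5) carrying payload."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    return ipv4_frame(src, dst, 6, tcp)


def analyze(pcap):
    """Walk every record and collect the statistics the first questions ask for."""
    magic, = struct.unpack("<I", pcap[:4])
    end = "<" if magic in (MAGIC_LE, MAGIC_LE_NS) else ">"
    frac = 1e9 if magic in (MAGIC_LE_NS, 0x4D3CB2A1) else 1e6  # ns or us timestamps
    stats = {"pairs": Counter(), "nxdomain": 0, "user_agents": set(), "timestamps": []}
    off = 24
    while off + 16 <= len(pcap):
        sec, sub, incl, _orig = struct.unpack(end + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        stats["timestamps"].append(sec + sub / frac)
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4 over Ethernet
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        src, dst = str(ip_address(frame[26:30])), str(ip_address(frame[30:34]))
        stats["pairs"][tuple(sorted((src, dst)))] += 1  # both directions count
        l4 = 14 + ihl
        if proto == 17 and len(frame) >= l4 + 12:
            sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
            if 53 in (sport, dport):
                flags, = struct.unpack("!H", frame[l4 + 10:l4 + 12])
                if (flags & 0x8000) and (flags & 0x000F) == 3:  # QR=1, RCODE=3
                    stats["nxdomain"] += 1
        elif proto == 6 and len(frame) >= l4 + 20:
            data = frame[l4 + (frame[l4 + 12] >> 4) * 4:]
            for line in data.split(b"\r\n")[1:]:  # skip request/status line
                if line.lower().startswith(b"user-agent:"):
                    stats["user_agents"].add(line.split(b":", 1)[1].strip().decode("latin-1"))
    ts = stats.pop("timestamps")
    # Wireshark's "Date and Time of Day" column shows local time; UTC is used here.
    stats["start"] = datetime.fromtimestamp(round(min(ts)), timezone.utc).isoformat()
    stats["end"] = datetime.fromtimestamp(round(max(ts)), timezone.utc).isoformat()
    return stats


# Constructed capture: a failed lookup, a successful one, then an HTTP exchange.
HOST, RESOLVER, SITE = "10.0.0.5", "10.0.0.1", "203.0.113.10"
UA = b"Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0"
SAMPLE_PCAP = pcap_bytes([
    (1514500000, 200000, dns_frame(HOST, RESOLVER, 50000, 53, 0x0100, "tufmups.exmaple")),
    (1514500000, 700000, dns_frame(RESOLVER, HOST, 53, 50000, 0x8183, "tufmups.exmaple")),
    (1514500001, 100000, dns_frame(HOST, RESOLVER, 50001, 53, 0x0100, "tufmups.example")),
    (1514500001, 300000, dns_frame(RESOLVER, HOST, 53, 50001, 0x8180, "tufmups.example")),
    (1514500001, 400000, tcp_frame(HOST, SITE, 50002, 80,
        b"GET / HTTP/1.1\r\nHost: tufmups.example\r\nUser-Agent: " + UA + b"\r\n\r\n")),
    (1514500002, 0, tcp_frame(SITE, HOST, 80, 50002, b"HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n")),
])

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_PCAP).items():
        print(f"{key}: {value}")
```

Two checks worth keeping in mind when you compare this against Wireshark. The "Date and Time of Day" column displays timestamps in your local time zone, so either switch to View > Time Display Format > UTC Date and Time of Day or remember the offset when you submit an answer. A count of "total packets between the host and the hacker website IP" includes both directions, which is what the sorted address pair does above and what the display filter `ip.addr == A && ip.addr == B` gives you in Wireshark; likewise `dns.flags.rcode == 3` isolates the NXDOMAIN responses.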


DOWNLOAD ANSWERS LINK: Don't get too hasty looking up the answers! You can always ping me on Twitter @securitymustard for hints :D.