Thursday, January 10, 2019

Walkthrough: Network Forensics CTF - TufMups Undercover Operation

I published the “TufMups” CTF scenario over a year ago, and in that time a few people have asked for a walkthrough. I think we can file this blog post solidly in the “better late than never” category. Enough time has passed that I didn’t remember exactly how to do these challenges and had a bit of fun with it. As always please reach me on Twitter with any questions or comments.

If you don't have it, here is the evidence download. I’ll be working through this using Kali Linux running on VMware Workstation, but you only need a few tools (Wireshark, fcrackzip, strings, grep, etc.), so feel free to use what you like.

1. What is the start time of the PCAP ("Date and Time of Day" setting in Wireshark round to nearest second)? 2017-12-10 17:43:18
2. What is the end time of the PCAP ("Date and Time of Day" setting in Wireshark round to nearest second)? 2017-12-10 18:25:20

The first two questions are simply the time and date of the beginning and end of the PCAP. First open the PCAP in Wireshark, set the “Time Display Format” (View menu) to “Date and Time of Day”, then simply scroll to the first and last packet to mark the time and date.

3. How many total packets were sent between the host and the hacker website IP? 15128

The next question is regarding how many packets were sent between the victim and the “hacker website IP”. The IP address is provided in a screenshot from the setup of the CTF:

There are a couple of ways we can come to this answer. First we could use a display filter and view the number of displayed packets at the bottom of the Wireshark window.

Alternately we could view this information from the “Conversations” menu in the “Statistics” menu in Wireshark.

4. What is the hostname of the system the PCAP was recovered from? (all caps) MSEDGEWIN10

This one may be slightly more tricky, as there’s no guarantee a PCAP will contain the hostnames of any systems related to the network traffic.

One way to find the hostname in this case is in the NBNS (NetBIOS Name Service) packets. This is a common broadcast protocol that should be turned off in your environment because it enables trivially executed poisoning attacks (see details here: ).

This traffic can be filtered with a display filter of “nbns”.

The hostname is also in DHCP. You can find this with either a display filter of “bootp” or “udp.port == 68”.

This information can also be found in the DHCPv6 packets using “dhcpv6” as a display filter.

If you used a display filter like the below to filter out all of the known protocols where we found this hostname, then searched the packet bytes for the hostname, this could have interesting results! I’m not going to do that here because it would lead to answers out of order, but perhaps a valid future CTF or investigation strategy. If you get a piece of information, pivot, and extract as much value from it as you can.

5. What exact version of browser did K3anu use? (exact number only) 63.0.3239.84

To determine the browser that the user was utilizing, HTTP traffic is the best place to start. A “GET” request from the user’s browser will almost certainly have a user agent string unless it has been specifically configured not to, or is a strange browser of the user’s own creation :D.

Below we search for the user’s IP address AND destination port of 80, then find the first GET request and view the HTTP header via the right-click “Follow TCP Stream” option.

6. What operating system did K3anu use? (Name and number only) Windows 10

This question can be answered with the same user-agent string data used in question 5. The “Windows NT 10.0” designation in the UA string is exactly what it sounds like, Windows 10.
The site can break down some of the more confusing/obscure UA strings.

7. How many DNS queries in the PCAP received NXdomain responses? 5

Full transparency - I just had to Google how to do this one. I think that’s part of the fun of CTF, doing some things you don’t use every day but enhance understanding.

This question is specifically about how many requests actually received the “no such name” / “nxdomain” response. We can find this answer by filtering for “dns.flags.rcode == 3”.
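To show exactly what that display filter tests, here is an added example (my own code, not part of the original post) that parses raw DNS messages and counts the responses whose RCODE is 3, i.e. NXDOMAIN. The filter matches on the low four bits of the DNS flags word together with the QR (response) bit, and the example applies the same check; every message in it is constructed inline, and the hostnames are made up for the example.

```python
import struct

# Added example, not from the original post: a minimal DNS parser that applies the
# same test as the Wireshark filter "dns.flags.rcode == 3" (QR bit set, RCODE == 3)
# to raw DNS messages. Every message below is constructed; no real traffic is used.

def encode_qname(name):
    """Encode a dotted hostname as length-prefixed DNS labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_message(txid, name, response, rcode=0):
    """Build a bare DNS query or response with one A/IN question and no answer records."""
    flags = 0x0100                  # RD: recursion desired, as a stub resolver sets it
    if response:
        flags |= 0x8000             # QR: this message is a response, not a query
    flags |= rcode & 0x000F         # RCODE occupies the low four bits of the flags word
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)   # QDCOUNT=1, others 0
    return header + encode_qname(name) + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_qname(msg, offset=12):
    """Read the first question name (header is 12 bytes); our messages use no compression pointers."""
    labels = []
    while msg[offset] != 0:
        length = msg[offset]
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels)

def nxdomain_names(messages):
    """Return the queried name of every response whose RCODE is 3 (NXDOMAIN)."""
    hits = []
    for msg in messages:
        _txid, flags = struct.unpack(">HH", msg[:4])
        if flags & 0x8000 and (flags & 0x000F) == 3:
            hits.append(parse_qname(msg))
    return hits

# Constructed traffic: three NXDOMAIN answers, one NOERROR, one SERVFAIL (rcode 2),
# plus matching queries, which must not be counted even though the names match.
SAMPLE_MESSAGES = [
    build_message(0x1001, "wpad.localdomain", response=False),
    build_message(0x1001, "wpad.localdomain", response=True, rcode=3),
    build_message(0x1002, "ctf-website.example", response=False),
    build_message(0x1002, "ctf-website.example", response=True, rcode=0),
    build_message(0x1003, "isatap.localdomain", response=False),
    build_message(0x1003, "isatap.localdomain", response=True, rcode=3),
    build_message(0x1004, "proxy.localdomain", response=True, rcode=3),
    build_message(0x1005, "update.example", response=True, rcode=2),
]

def count_nxdomain(messages=SAMPLE_MESSAGES):
    return len(nxdomain_names(messages))

if __name__ == "__main__":
    print(count_nxdomain(), nxdomain_names(SAMPLE_MESSAGES))
```

Counting only responses matters: the queries carry RCODE 0, so a filter on the name alone would double count, and a SERVFAIL (RCODE 2) is a different failure that the question does not ask about. In the CTF the names that fail to resolve are themselves worth a look, since a host repeatedly asking for names like these is a classic sign of something probing for internal infrastructure.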

8. What is the hidden message in the TufMups website? (decoded) ftp creds are p1ggy / ripgonzo

Ok now we have a cooler puzzle. We know the IP address of the website from the first question ( so presumably this is the website where we’re looking for the hidden message.

This could be found by running the display filter for ip.addr == or a myriad of other ways, but thinking about what we’ve already been provided why not search for a unique word from the web page we saw in the screenshot? In this case I searched the “packet details” for “mercifully”.

That surely looks like a secret code of some kind. bH56Kml4b255Kmt4byp6O21tcyolKnhjem1lZHBl
This is the first time we’re going to use Cyber Chef.

Right off the bat, what do we know about this string? It’s upper and lowercase alphanumeric only, so it looks like a likely base64 string.

This output doesn’t necessarily tell us it was base64, but there are some interesting aspects of the output. For instance, the asterisks almost look like they are separating words?

At this point I would try all the simple encryption/encoding methods I could think of (rotation, XOR, etc) because this is a CTF after all and it’s unlikely this string is so well encrypted it will be extremely difficult to crack.

Rotation is a bust in this case. On to XOR. Cyberchef has some very useful key bruteforcing functionality. In this case we’ll use the “XOR Brute Force” which by default tries all possible keys with a keylength of 1.

After reviewing the first several lines of the brute force, it’s clear “0a” is the key, and the secret message contains FTP credentials.
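The same brute force can be scripted, which is handy when you have more than one blob to check. Below is an added example (my own code, not from the post or CyberChef) that base64-decodes the string from the page, XORs it with every single-byte key, and ranks the candidates by how much they look like English text (letters and spaces score well, unprintable bytes score badly). The scoring weights are my own choice.

```python
import base64

# Added example, not from the original post: single-byte XOR brute force with a
# simple English-likeness score, run against the base64 string found on the page.
CIPHERTEXT_B64 = "bH56Kml4b255Kmt4byp6O21tcyolKnhjem1lZHBl"

def xor_single_byte(data, key):
    """XOR every byte of data with one key byte."""
    return bytes(b ^ key for b in data)

def english_score(data):
    """Heuristic score: higher means more like plain English text (weights are our own)."""
    score = 0
    for b in data:
        if b < 0x20 or b >= 0x7F:       # control bytes, DEL and non-ASCII: almost never plaintext
            score -= 10
        elif chr(b).isalpha() or b == 0x20:
            score += 2
        elif chr(b).isdigit():
            score += 1
        else:                           # other printable punctuation
            score -= 1
    return score

def brute_force_xor(data, top=5):
    """Try all 256 keys and return the best (key, plaintext) pairs, best first."""
    ranked = sorted(((english_score(xor_single_byte(data, k)), k) for k in range(256)),
                    reverse=True)
    return [(k, xor_single_byte(data, k)) for _, k in ranked[:top]]

def recover_hidden_message(b64=CIPHERTEXT_B64):
    """Base64-decode, then pick the top-scoring XOR key; returns (key, message)."""
    raw = base64.b64decode(b64)
    key, plaintext = brute_force_xor(raw, top=1)[0]
    return key, plaintext.decode("ascii")

if __name__ == "__main__":
    for key, candidate in brute_force_xor(base64.b64decode(CIPHERTEXT_B64)):
        print(f"key 0x{key:02x}: {candidate!r}")
```

Note that the raw base64 output is itself entirely printable ASCII (that is why it looked like it might already be words), so a score based only on printability would not separate key 0x00 from key 0x0a. Rewarding spaces and letters over punctuation is what makes 0x0a come out on top.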

9. What is the key to decode the secret message? 0a

Explained in previous answer.

10. How did K3anu get access to the file? (lowercase, just protocol) ftp

They can’t all be hard questions :P. This one is pretty much answered by the previous answer.

11. What's the nickname of the operator on the IRC channel? K3rm1t

Searching with a display filter of “irc” or “tcp.port == 6667” will both lead us to tcp stream 2930 which is the IRC network traffic in this PCAP. By following this TCP stream we can get the answer to this question and the follow on questions.

When the users of the channel are listed, a “@” symbol before the name indicates that user is an operator.

12. What is the 1st operation needed to decode the IRC users "secure" comms? (just the format name) base64
13. What is the 2nd operation needed to decode the IRC users "secure" comms? (just the format name) rot13
14. What is the 3rd operation needed to decode the IRC users "secure" comms? (just the format name) hex
15. What is the 4th and final operation needed to decode the IRC users "secure" comms? (2 words lowercase) morse code

Fair warning - I received feedback that this was a “Guess what I’m thinking” CTF question and have taken that into account on future scenarios. That said - it is doable and several analysts got it quickly. Can you tell I had Cyberchef and simple encoding/decryption challenges on my mind when I made this?

When Keanu enters the IRC channel he’s asking to collaborate with the Tufmups on some epic hacks. Shortly thereafter the members switch to “secure comms” which are relayed right in front of Keanu in the IRC channel, but are obfuscated. Based upon the series of questions you can tell there are 4 operations that will have to be run against the messages to reveal the plaintext.

First step is to grab all of the “secure comms” and get them into Cyberchef. The compliant character set and trailing padding (=) are a dead giveaway that the first step is Base64.

Ok - the output from the Base64 decode almost looks like space delimited hex, but the characters aren’t compliant (see that there are letters beyond F). At this point I think we know what the THIRD step is (hex) but the second step isn’t clear. I’d run through the usual offenders (rot, xor) at this point. Rot13 gives us a hex compliant character set.

After adding hex to ASCII to our recipe we get the following mumbo-jumbo:

At this point I admit it’s a bit cryptic, but some of you might instantly recognize this as morse code, which is indeed an option within CyberChef.

It seems like the Tufmups were onto Keanu and his informant ways.
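The four-step recipe from questions 12 to 15 is easy to reproduce in code, and doing so also shows why each step gives itself away. The following added example (mine, not from the post) builds a constructed “secure comms” message by applying the steps in reverse and then decodes it forward, keeping every intermediate stage so you can see the letters beyond F that betray the rot13 layer. The morse separators (one space between letters, “ / ” between words) are my own assumption for the sample; the real messages are not reproduced here.

```python
import base64
import codecs

# Added example, not from the original post: the base64 -> rot13 -> hex -> morse
# recipe, with an encoder so a constructed message can be round-tripped offline.
MORSE = {
    "A": ".-", "B": "-...", "C": "-.-.", "D": "-..", "E": ".", "F": "..-.",
    "G": "--.", "H": "....", "I": "..", "J": ".---", "K": "-.-", "L": ".-..",
    "M": "--", "N": "-.", "O": "---", "P": ".--.", "Q": "--.-", "R": ".-.",
    "S": "...", "T": "-", "U": "..-", "V": "...-", "W": ".--", "X": "-..-",
    "Y": "-.--", "Z": "--..", "0": "-----", "1": ".----", "2": "..---",
    "3": "...--", "4": "....-", "5": ".....", "6": "-....", "7": "--...",
    "8": "---..", "9": "----.",
}
FROM_MORSE = {code: char for char, code in MORSE.items()}

def to_morse(text):
    """Letters separated by one space, words by ' / ' (our assumed convention)."""
    return " / ".join(" ".join(MORSE[c] for c in word) for word in text.upper().split())

def from_morse(code):
    return " ".join("".join(FROM_MORSE[sym] for sym in word.split())
                    for word in code.split(" / "))

def obfuscate(plaintext):
    """Apply the four steps in reverse to produce a constructed 'secure comms' blob."""
    morse = to_morse(plaintext)
    hexed = morse.encode("ascii").hex()          # lowercase hex: only 0-9 and a-f
    rotated = codecs.encode(hexed, "rot_13")     # a-f become n-s, digits are untouched
    return base64.b64encode(rotated.encode("ascii")).decode("ascii")

def decode_stages(blob):
    """Run the recipe forward, keeping each intermediate so every step can be inspected."""
    after_b64 = base64.b64decode(blob).decode("ascii")
    after_rot13 = codecs.decode(after_b64, "rot_13")   # rot13 is its own inverse
    after_hex = bytes.fromhex(after_rot13).decode("ascii")
    return {"base64": after_b64, "rot13": after_rot13,
            "hex": after_hex, "morse": from_morse(after_hex)}

def deobfuscate(blob):
    return decode_stages(blob)["morse"]

def has_non_hex_letters(s):
    """True when letters outside a-f are present: the clue that rot13 is still in the way."""
    return any(c.isalpha() and c.lower() not in "abcdef" for c in s)

if __name__ == "__main__":
    blob = obfuscate("THE FTP PORT IS 21")      # constructed sample message
    for stage, value in decode_stages(blob).items():
        print(f"{stage:>7}: {value}")
```

Because hex encoding only ever produces the letters a to f, rot13 turns them into n to s, which is exactly the “letters beyond F” observation from the walkthrough; once rot13 is undone the character set is clean hex again, and the dots, dashes and spaces that come out of the hex step are unmistakably morse.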

16. What is the password to decrypt the zip file that was downloaded by K3anu? fozzie

This question is going to demand a couple of things - extracting the file K3anu downloaded via FTP, and decrypting it.

First we can view the FTP commands run by using a display filter of “ftp” and following TCP stream (stream 4075).

We see in the FTP traffic that two files were downloaded by K3anu, “decrypttool.exe” and “”. Based upon the conversation we saw earlier in the IRC channel, it sounds like the mups were planning to “pwn” K3anu so I’d be skeptical of the contents of these files.

Pivoting to a display filter of “ftp-data” we can follow the two TCP streams to extract the files themselves. Simply select the server side of the conversation (drop down menu at the bottom of the follow TCP stream window), select “show and save data as RAW” and save the file to disk for each of the TCP streams.

We only need the zip file “” for this question, but it’s best to extract both files at this point as they will be needed for future questions.

Google searches for “how to crack zip password Kali Linux” will quickly lead you to fcrackzip, which is likely the most popular tool for this task. Fcrackzip syntax is a little finicky in my experience and it typically takes me 2 tries and a Google search to get it right (good article here). It also sometimes doesn’t like to be stopped with ctrl+c. That said it works!

By executing fcrackzip with a Dictionary attack (-D for dictionary, -p to specify the wordlist location, -u to unzip ensuring true positives, and -v for verbose) using the popular “rockyou.txt” wordlist we can identify the password “fozzie” within seconds.

17. How many total rows of “fullz” are represented in the file? 13377

This one is simple - the decrypted file “tufmups_fullz_dec17.csv” has 13378 total rows, one of which is a header row, hence 13377 total rows of “fullz”.

18. How many people in the “fullz” are named Joshua, have a Mastercard, and use an OS X system? 12

This question is a simple series of grep commands to obtain the answer. Something to consider is capitalization; using the “-i” switch to make your query case-insensitive is wise.

19. From the previous question (people named Joshua) - what is the most expensive car new in this filtered list? 2006 Pagani Zonda

One of the last columns in the CSV is the car the person owns. Cut or awk can be used to extract these values; they sit after the 37th comma from the beginning of each line.

Ultimately there are two cars here that are quite exotic and expensive, the Koenigsegg CC8S and the Pagani Zonda. At this point you can research which car cost more new - at the time I found that the Zonda was more. They are both too rich for my blood.
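For questions 17 to 19 the grep/cut approach works, but it has two traps worth seeing: grep matches the term anywhere in the line (a last name of “Joshua” counts too), and cut splits on every comma, including commas inside a quoted field. The added example below (my own code, not from the post) does the same filtering with Python’s csv module on a constructed stand-in for the fullz file; the column names and rows are invented, and the sample keeps only the columns the questions touch, so the car is not after the 37th comma as in the real file.

```python
import csv
import io

# Added example, not from the original post. Constructed stand-in for
# tufmups_fullz_dec17.csv: invented rows, and only the columns the questions use.
SAMPLE_CSV = """first_name,last_name,card_type,os,car
Joshua,Reyes,Mastercard,OS X,2006 Pagani Zonda
joshua,Kim,MasterCard,os x,Koenigsegg CC8S
Joshua,Park,Visa,OS X,Honda Civic
Sarah,Joshua,Mastercard,OS X,Ford Focus
Joshua,Lee,Mastercard,Windows 10,"Toyota Camry, 2014"
"""

def read_rows(text=SAMPLE_CSV):
    """Parse with the csv module so a quoted comma inside a field does not shift columns."""
    return list(csv.DictReader(io.StringIO(text)))

def count_fullz(text=SAMPLE_CSV):
    """Question 17 style count: data rows only, i.e. total lines minus the header."""
    return len(read_rows(text))

def grep_i_count(needle, text=SAMPLE_CSV):
    """What `grep -ic` reports: lines containing the term anywhere, in any case."""
    return sum(1 for line in text.splitlines() if needle.lower() in line.lower())

def filter_fullz(text=SAMPLE_CSV, first="joshua", card="mastercard", os_name="os x"):
    """Question 18 style filter done field-aware, comparing each column case-insensitively."""
    return [r for r in read_rows(text)
            if r["first_name"].lower() == first
            and r["card_type"].lower() == card
            and r["os"].lower() == os_name]

def cars(rows):
    """Question 19 style extraction: the car column of the filtered rows, ready for a price lookup."""
    return [r["car"] for r in rows]

def field_after_comma(line, n):
    """What `cut -d, -f` does to one raw line: a naive split that ignores CSV quoting."""
    return line.split(",")[n]

if __name__ == "__main__":
    print("rows:", count_fullz())
    print("grep -ic joshua:", grep_i_count("joshua"))
    print("field-aware matches:", cars(filter_fullz()))
```

On the sample, `grep -ic joshua` reports five lines while the field-aware filter on first name, card type and OS finds two, and the naive comma split returns a truncated car name for the quoted row. On a 13,000-row file those differences are exactly the kind of thing that turns a right answer into an off-by-a-few wrong one, so it pays to check the first few matches by eye.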

20. What IP and port does the executable connect to? Ip:port

Perhaps the best way to get this answer is to simply run the executable in a sandbox or local VM. It should also be possible to decompile the executable (as we’ll find in question 22). It’s also possible that by this point you’ve found this highly suspicious traffic containing standard out from a Windows command line session on port 1234 as other questions led you to it.

21. What is the MD5 hash of the malicious executable? 20422a060c5f8ee5e2c3ba3329de514f I can’t recreate this answer now!  

At the time of the initial event for this CTF this was the answer I and others consistently got from the executable extracted via Wireshark. When extracting the file with a current version of Wireshark I am getting a different hash now. Apologies for this issue if anyone has had difficulty recreating this answer.

22. What was used to compile the malicious executable? Pyinstaller

The malicious executable contains a number of strings that are unique to the Pyinstaller compiler.

23. What executable did K3anu likely use to download files from the remote server? (exactly as written in source material) WinSCP.exe

This is a tricky one. K3anu only downloaded files via FTP from the remote server. This is a matter of reviewing the output the attacker received over port 1234 in TCP stream #4082.
In the tasklist output we see “WinSCP.exe” which is the only FTP capable software running on the system.

24. What is the host system's exact BIOS version? innotek GmbH VirtualBox, 12/1/2006

This is another question directly answerable from the attacker’s C2 traffic in stream #4082. As part of the attacker’s “systeminfo” command output the BIOS version is revealed.

25. What is the filename of the first file taken from K3anu's computer?

This answer is also in the C2 traffic in stream #4082. Below we see a netcat command sending the “” file to the malicious server on tcp/1235.

26. What is the filename of the second file taken from K3anu's computer?

Directly below the exfiltration we see the same activity for “”.

27. What utility was used to steal the files from K3anu's computer? Ncat

Answered in 25/26.

28. What destination port was used to steal the files from K3anu's computer? 1235

Answered in 25/26.

29. What is the password to decrypt the file stolen from K3anu's computer? (it's lowercase) molder

To get this answer first you need to extract the ZIP file from the PCAP using the same process used to extract the mupsfullz ZIP. You can also use the exact same fcrackzip command and dictionary against this encrypted zip and get the password “molder” within seconds.

30. What is K3anu's real identity? Constantine

Unzipping the “” file reveals a series of pictures named “Constantine”.

Each of these images has a “Comment” section in the exif metadata that is a message from K3anu. Exiftool is the tool of choice for viewing this meta.

31. What city is K3anu likely to be in? Pontevedra

This is entirely based upon the coordinates in the previous question. Plug them into Google maps.

32. What is K3anu's likely status? (lowercase) dead

Unfortunately it looks like our informant was murdered by puppets.

33. What is the address of the restaurant closest to where K3anu is likely to be? (exactly as reported by Google maps) Camino C5 Illas Cies, 8, Vigo, Pontevedra, Spain

When you viewed the coordinates in Google maps this restaurant is essentially at the end of the dock where the coordinates land.

34. The hacker left a message for law enforcement on K3anu's system, what was it? (message only) yeah good luck finding this guy cops, great job picking an informant.. real winner with his grilled cheese

This answer is the last command issued by the attacker in the C2 network traffic (stream 4082).
