Monday, 26 October 2020




Download file here

After downloading, we receive a .pcapng file named extract-me.

Analyze it with Wireshark

HTTP Export:

Nothing interesting ...

Let's look through it by following the TCP stream.

We have a compressed file here; let's extract it.

Opening the rar file requires a password. It seems like we are on the right way to the flag.

After analyzing and searching for information, I realize some connections use the TLSv1 protocol. I try to find the SSL certificate in order to extract it, following this WU.

Finally I found it

This is a WhiteHat certificate from Ha Noi.

Following the WU above, we go on step by step:

openssl x509 -inform DER -in puclic.der -text

We have RSA with a 696-bit key. We have the modulus (n); let's try factordb on it.

p = 435958568325940791799951965387214406385470910265220196318705482144524085345275999740244625255428455944579

q = 562545761726884103756277007304447481743876944007510545104946851094548396577479473472146228550799322939273

Use rsatool to create a private key from p and q, which can then be used to decrypt the TLSv1 traffic.

We now have p.pem as the private key file.

Let's import it into Wireshark in order to decrypt the TLS traffic.

Check Export HTTP Objects again.

Save the file pass.txt to your machine and open it.

This is the rar file's password. Enter it and open flag.png.

2. For 100 SVATTT17 

This file, named "sniff.pcap", is 27 MB in size. Let's analyze it!

As usual, I try to export HTTP objects and find that this pcap file contains a lot of data.

After all, I found this file:

Really? :D

The code is here

The algorithm is simple, I think. First, they added 0xCA to each byte of the flag, then XORed it with 0xFE.
So all we need to do is reverse these steps: XOR again with 0xFE and then subtract 0xCA. Let's do this with another script.

3. Forensics MMA CTF

Download file: here

Open the pcap and analyze it.

HTTP export object

Download all files and check them out:

I'm a little confused here. I think those files should be merged, but I have no idea which file comes first. The files must be correctly and sequentially arranged! So let's go back to the .pcap file and look through it.

After all, I figure out this interesting thing: the Content-Range header, which tells you the position of each piece in the file! As you can see in the image above, this file is the first file of the series.
Following the clues, we will get a .psd file once we completely decompress those .zip files.

Finally, I get all the zip files in exactly the positions they are supposed to be in.
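Putting the pieces back together by Content-Range can be scripted instead of done by hand. The following is an added example, not code from the original writeup: it parses the "bytes start-end/total" form of the header, sorts the exported bodies by offset, and refuses to produce a file when a piece is missing, overlaps, or has the wrong length, since a silently skipped chunk would yield a corrupt zip. The sample responses are constructed stand-ins for the real captured pieces.

```python
import re
from typing import List, Optional, Tuple

# Matches the "bytes <start>-<end>/<total>" form of the Content-Range header.
CONTENT_RANGE_RE = re.compile(r"^bytes (\d+)-(\d+)/(\d+|\*)$")


def parse_content_range(value: str) -> Tuple[int, int, Optional[int]]:
    """Return (first_byte, last_byte, total) from a Content-Range value."""
    m = CONTENT_RANGE_RE.match(value.strip())
    if not m:
        raise ValueError(f"unsupported Content-Range: {value!r}")
    first, last = int(m.group(1)), int(m.group(2))
    total = None if m.group(3) == "*" else int(m.group(3))
    if last < first or (total is not None and last >= total):
        raise ValueError(f"inconsistent Content-Range: {value!r}")
    return first, last, total


def reassemble(chunks: List[Tuple[str, bytes]]) -> bytes:
    """Order (Content-Range, body) pairs by offset and join them into one file."""
    parsed = []
    for header, body in chunks:
        first, last, total = parse_content_range(header)
        if len(body) != last - first + 1:
            raise ValueError(f"body length {len(body)} != range {header!r}")
        parsed.append((first, last, total, body))
    parsed.sort(key=lambda c: c[0])
    out = bytearray()
    expected = 0  # offset the next chunk must start at
    for first, last, total, body in parsed:
        if first != expected:
            raise ValueError(f"gap or overlap at byte {expected}: chunk starts at {first}")
        out += body
        expected = last + 1
    # Every chunk that declares a total must agree with the reassembled size.
    totals = {c[2] for c in parsed if c[2] is not None}
    if totals and totals != {expected}:
        raise ValueError(f"declared total {totals} != reassembled size {expected}")
    return bytes(out)


# Constructed sample: three partial HTTP responses exported out of order,
# standing in for the zip pieces from the pcap (not real capture data).
SAMPLE_CHUNKS = [
    ("bytes 8-11/12", b"\x00\x00\x00\x00"),
    ("bytes 0-3/12", b"PK\x03\x04"),
    ("bytes 4-7/12", b"\x14\x00\x00\x00"),
]
```

Feed it the (Content-Range, body) pairs pulled from each exported response and write the returned bytes to a single file before unzipping.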


Simply unzip it and open the .psd file.

Hmmm, let's analyze its header...
But nothing strange. I open it with GIMP to see whether it contains one more layer.

And I get it!


Happy Hacking!
