Sunday, August 28, 2011

Defcon 19 Packet Challenge - Level 4


Inter0ptic arrived at Factory-Made-Winning, and casually made his way past the front security desk. He then slipped into a secure access area by tailgating behind an employee. On the way in he found a sticky note with a password on it "useonce@". The password might come in handy later! With a grin and a chuckle, Inter0ptic found an empty cubicle and plugged in his laptop.
Use the packet capture in this folder to learn more about Inter0ptic's adventure at the pharmaceutical company and answer the question below:

1. What is the 16th name inside the mysterious file transferred?


Very early in the pcap you will notice some SMB traffic, so I started there. First I created a new pcap containing only the port 445 traffic. Then I ran it through tshark to decode it and see what we could find. I found a file named CCfiles.7z.

carl@bluestem:~/DRILL/04$ tcpdump -s0 -r Evidence04.pcap -w SMB.cap port 445
reading from file Evidence04.pcap, link-type EN10MB (Ethernet)
chester@bluestem:~/DRILL/04$ tshark -r SMB.cap
48   6.157845 172.30.1.214 -> 172.30.1.90  SMB NT Create AndX Response, FID: 0x8003
 49   6.158411  172.30.1.90 -> 172.30.1.214 SMB Close Request, FID: 0x8003
 50   6.158476 172.30.1.214 -> 172.30.1.90  SMB Close Response, FID: 0x8003
 51   6.163547  172.30.1.90 -> 172.30.1.214 SMB NT Create AndX Request, Path: \CCfiles.7z
 52   6.163652 172.30.1.214 -> 172.30.1.90  SMB NT Create AndX Response, FID: 0x8004
 53   6.163945  172.30.1.90 -> 172.30.1.214 SMB Trans2 Request, QUERY_FILE_INFO, FID: 0x8004, Query File Internal Info

To carve the archive out of the SMB stream, this time we'll use tcpxtract by Nick Harbour. It matches the 7z magic bytes (37 7a bc af 27 1c) and exports up to 5,000,000 bytes from that point.

chester@bluestem:~/DRILL/04$ cat /etc/tcpxtract.conf
p7z(5000000, \x37\x7a\xbc\xaf\x27\x1c);
chester@bluestem:~/DRILL/04$ tcpxtract -c /etc/tcpxtract.conf -f SMB.cap
Found file of type "p7z" in session [172.30.1.214:48385 -> 172.30.1.90:4032], exporting to 00000000.p7z
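As an added example that is not part of the original write-up or of tcpxtract, the Python carver below does what the p7z signature line above does, but it also reads the archive's own 32-byte signature header to recover the exact archive length (instead of a fixed 5,000,000-byte cut) and verifies the start-header CRC so that a chance match on the six magic bytes is not exported. It assumes the port-445 session has already been reassembled into one byte string (as a raw "Follow TCP Stream" export would give); the sample stream is constructed.

```python
import struct
import zlib

# The same 7z signature used in the tcpxtract.conf line: 37 7A BC AF 27 1C
SEVENZ_MAGIC = b"\x37\x7a\xbc\xaf\x27\x1c"
# After the magic: version(2) startHeaderCRC(4), then the 20-byte start header
# nextHeaderOffset(8) nextHeaderSize(8) nextHeaderCRC(4); 32 bytes in total.
SIG_HDR = struct.Struct("<BBIQQI")
SIG_HDR_LEN = 6 + SIG_HDR.size


def carve_7z(stream: bytes) -> list:
    """Return every 7z archive embedded in a reassembled TCP byte stream.

    Archive length = 32 + nextHeaderOffset + nextHeaderSize, taken from the
    archive itself; a magic hit whose start-header CRC does not verify is
    skipped as a false positive instead of being exported.
    """
    archives = []
    pos = stream.find(SEVENZ_MAGIC)
    while pos != -1:
        hdr = stream[pos + 6 : pos + SIG_HDR_LEN]
        if len(hdr) == SIG_HDR.size:
            major, _minor, start_crc, nh_off, nh_size, _nh_crc = SIG_HDR.unpack(hdr)
            # StartHeaderCRC is CRC32 over the 20 bytes that follow it
            if major == 0 and start_crc == zlib.crc32(hdr[6:]) & 0xFFFFFFFF:
                end = pos + SIG_HDR_LEN + nh_off + nh_size
                if end <= len(stream):
                    archives.append(stream[pos:end])
                    pos = stream.find(SEVENZ_MAGIC, end)
                    continue
        pos = stream.find(SEVENZ_MAGIC, pos + 1)
    return archives


def build_7z(packed: bytes, next_header: bytes) -> bytes:
    """Constructed sample: a syntactically valid 7z signature header wrapped
    around arbitrary packed bytes and a stand-in 'next header' (enough
    structure for the carver, not a decompressible archive)."""
    start = struct.pack("<QQI", len(packed), len(next_header),
                        zlib.crc32(next_header) & 0xFFFFFFFF)
    start_crc = struct.pack("<I", zlib.crc32(start) & 0xFFFFFFFF)
    return SEVENZ_MAGIC + bytes([0, 4]) + start_crc + start + packed + next_header


# Constructed stand-in for the SMB session: SMB-looking bytes around the archive
SAMPLE_STREAM = b"\xffSMB" * 4 + build_7z(b"A" * 100, b"\x01\x04\x06") + b"\xffSMB" * 3

if __name__ == "__main__":
    for i, blob in enumerate(carve_7z(SAMPLE_STREAM)):
        print(f"archive {i}: {len(blob)} bytes")  # prints: archive 0: 135 bytes
```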

I tried to decompress the 7z archive with p7zip, but I got an "Unsupported Method" error. It appears to be due to the password protection on the file. I copied the file over to Windows and used 7-Zip there to decompress it. It opened fine there and prompted me for a password. I first tried useonce@ but that failed. Then I tried the Romulus password from challenge 3, and it was correct. Inside is an xls file.

chester@bluestem:~/DRILL/04$ p7zip -d 00000000.p7z

7-Zip (A) 9.04 beta  Copyright (c) 1999-2009 Igor Pavlov  2009-05-30
p7zip Version 9.04 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,1 CPU)
Processing archive: 00000000.p7z
Extracting  CCfiles.xlsx     Unsupported Method
Sub items Errors: 1

Scrolling down to the 16th line inside the XLS file, you get the answer: Jason Wilson
