
Malicious Traffic

This is a writeup of the network challenge Malicious traffic from the Security Valley CTF

Level: 2, Score: 20

Premise

Strange things are happening here, help! Someone stole my flag. I only remember that I clicked on a file called “ICQ_PASSWORD_CRACKER.EXE”, after that everything was gone… I only know that my key was “bad”. Can you repeat my flag for me?

Link: https://github.com/SecurityValley/PublicCTFChallenges/tree/master/network/malicious_traffic

Challenge files:

traffic.pcapng

Observations

Looking at the traffic in the file, we can immediately narrow things down by applying the filter !arp, since the ARP traffic is uninteresting for now. Looking at the DNS traffic, we can see a repeating pattern: every queried name ends in 4530234dsf3.cdn.aws.com.

[Image: traffic.pcapng traffic without arp]

Solution

If we look at the queries that carry an extra label in front of the previously mentioned 4530234dsf3.cdn.aws.com string, we get the following labels, in order:

0xAABgQXCRULEkwW
EA8KFgsOPgANAQUB
FGxu0xFF

Then there is a break with a few plain calls to 4530234dsf3.cdn.aws.com (no label in front), followed by a second group:

0xAAMQQHNAAIGSwr
ISotLCY7ICg2Jhxp
aA==0xFF

If we connect these strings together, we get the two strings:

0xAABgQXCRULEkwWEA8KFgsOPgANAQUBFGxu0xFF
0xAAMQQHNAAIGSwrISotLCY7ICg2JhxpaA==0xFF

Looking at the second string, we see what is likely a base64 string (the trailing == is ordinary base64 padding), wrapped in a start marker 0xAA and an end marker 0xFF that are not part of the encoding. If we remove these markers from both of our strings, we get the following:

BgQXCRULEkwWEA8KFgsOPgANAQUBFGxu
MQQHNAAIGSwrISotLCY7ICg2JhxpaA==

If we now decode them from base64 in a tool like CyberChef, we don't get anything legible at first. But if we remember what the challenge description said, we have the key bad that we can use to decode the output, so we add a XOR operation after the base64 decode. Since CyberChef can interpret bad as either a HEX or a UTF-8 key, we try HEX first (it is the default setting), but this doesn't give a usable result. If we change the key type to UTF-8, we get legible output, including our flag.

[Image: CyberChef result]
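As an added example (not part of the original writeup or the challenge repository), here is the same recovery pipeline scripted in Python so it can be rerun against any list of query names: reassemble the chunked subdomain labels, strip the 0xAA/0xFF markers, base64-decode, and XOR with the UTF-8 bytes of the key bad. The list of query names below is constructed from the values quoted above rather than read from the pcap, and the function names are my own.

```python
import base64
from itertools import cycle

BEACON_DOMAIN = "4530234dsf3.cdn.aws.com"   # every query in the capture ends in this
START_MARK, END_MARK = "0xAA", "0xFF"       # framing around each base64 message

# Constructed sample: the DNS query names from the capture, in the order they
# appear (two data chunks separated by bare beacon lookups that carry no data).
SAMPLE_QUERIES = [
    "0xAABgQXCRULEkwW.4530234dsf3.cdn.aws.com",
    "EA8KFgsOPgANAQUB.4530234dsf3.cdn.aws.com",
    "FGxu0xFF.4530234dsf3.cdn.aws.com",
    "4530234dsf3.cdn.aws.com",
    "4530234dsf3.cdn.aws.com",
    "0xAAMQQHNAAIGSwr.4530234dsf3.cdn.aws.com",
    "ISotLCY7ICg2Jhxp.4530234dsf3.cdn.aws.com",
    "aA==0xFF.4530234dsf3.cdn.aws.com",
]


def extract_messages(query_names, beacon=BEACON_DOMAIN):
    """Join the leading labels of consecutive queries into whole messages.

    A message starts at a label beginning with 0xAA and is complete once a
    label ending in 0xFF has been seen; bare beacon lookups are skipped.
    """
    messages, current = [], []
    for name in query_names:
        if not name.endswith(beacon):
            continue                       # unrelated domain, ignore
        prefix = name[: -len(beacon)].rstrip(".")
        if not prefix:
            continue                       # heartbeat only, no payload
        current.append(prefix)
        if prefix.endswith(END_MARK):
            messages.append("".join(current))
            current = []
    return messages


def strip_framing(message):
    """Remove the 0xAA start and 0xFF end markers, leaving the base64 body."""
    if not (message.startswith(START_MARK) and message.endswith(END_MARK)):
        raise ValueError("message is not 0xAA/0xFF framed: %r" % message)
    return message[len(START_MARK):-len(END_MARK)]


def xor_decrypt(data, key):
    """XOR data with a repeating key (both bytes)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def decode_exfil(query_names, key="bad"):
    """Full pipeline: reassemble, unframe, base64-decode, XOR with the UTF-8 key."""
    key_bytes = key.encode("utf-8")        # the UTF-8 key, not a hex key, is what works
    plaintexts = []
    for message in extract_messages(query_names):
        raw = base64.b64decode(strip_framing(message))
        plaintexts.append(xor_decrypt(raw, key_bytes).decode("utf-8", errors="replace"))
    return plaintexts


if __name__ == "__main__":
    for text in decode_exfil(SAMPLE_QUERIES):
        print(repr(text))
```

To run this against the real capture instead of the constructed list, export the query names with tshark (for example `tshark -r traffic.pcapng -Y dns -T fields -e dns.qry.name`) and feed the lines to decode_exfil. The second decoded message is the flag; the first is the victim's machine and user name, which is the kind of host fingerprint this sort of DNS-based exfiltration typically sends first.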

Tools used:

  • wireshark
  • CyberChef

This post is licensed under CC BY 4.0 by the author.