BloomCON 0x05 Networks CTF - Exfiltration Investigation (Challenge 2)


Part 1 covered general host and IP information about the network; part 2 dives more deeply into the content of the packets.

Challenge 2 - Exfiltration Investigation

After your previous success getting familiar with your subnet, you've been promoted to network admin for the Linux department.  After a few months, your boss has suspicion that Tim Wallowitz is exfiltrating data.  Look into this matter by answering these questions.

Question 1

What is the IP address of the computer that sent the data out?

Since the evidence provided was a .pcapng and I don't own NetworkMiner Pro, I had to convert the file to a .pcap using Wireshark. All you have to do is open it and then save it in the older .pcap format.

Opening the .pcap in NetworkMiner and switching over to the Sessions tab, we can see that every entry shows the client host as "192.168.56.6".


Figure 1: Client host from Sessions

Question 2

What IP Address was the file placed on?

As seen in Figure 1, the data was being placed on the server host, "192.168.56.1".

Question 3

What type of server was the data sent to? (Not just the name of the protocol)

The question gives a hint of what we are looking for. Opening the Hosts tab and expanding the Linux server from Question 2, we can drill down to the Host Details and see that this is an FTP server running vsFTPd 3.0.3, which is the answer they were looking for.


Figure 2: FTP server host info

Question 4

What is the trade secret for? (to produce)

Looking at the Files tab in NetworkMiner we can see two files:

  • BigConsultRecipe_CAUTION.txt
  • hotpix.zip
Opening the first reveals the answer: the trade secret was how to make "glue".


Figure 3: recipe secrets

Question 5

What was the file name of the trade secret document?

We already found this answer in Question 4, it was titled "BigConsultRecipe_CAUTION.txt"

Question 6

What is the file name of the 2nd file that was exfiltrated?

We already found this one as well from Question 4, the second file was called "hotpix.zip", more on this coming right up.
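Everything in Questions 1 through 6 comes from the FTP control channel: the client and server addresses, the server banner that identifies vsFTPd 3.0.3, and the STOR commands naming the two uploaded files. As an added example (not part of the original write-up, and not NetworkMiner's code), the pure-Python reader below walks a classic libpcap file and recovers exactly those facts, and refuses a .pcapng so the conversion step above is not forgotten. Because the challenge capture is not included here, the script builds its own sample capture in-code; the IP addresses, banner and file names are the ones from the write-up, while the username `twallowitz`, the client port 40001 and the packet contents are constructed assumptions.

```python
"""Reconstruct FTP control-channel facts (client, server, banner, uploads) from a .pcap."""
import socket
import struct

# Magic read as little-endian "<I"; value tells us how the file itself was written.
PCAP_MAGICS = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">", 0xA1B23C4D: "<", 0x4D3CB2A1: ">"}
PCAPNG_MAGIC = 0x0A0D0D0A  # Section Header Block type of the newer pcapng format


def parse_pcap(data):
    """Yield each captured frame from a classic libpcap file with Ethernet link type."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAPNG_MAGIC:
        raise ValueError("this is a .pcapng; save it as classic .pcap in Wireshark first")
    if magic not in PCAP_MAGICS:
        raise ValueError("not a libpcap file")
    endian = PCAP_MAGICS[magic]
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled here")
    off = 24  # global header is 24 bytes
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def decode_tcp(frame):
    """Return (src_ip, dst_ip, sport, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # EtherType 0x0800 = IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 6:  # IP protocol 6 = TCP
        return None
    src = socket.inet_ntoa(frame[26:30])
    dst = socket.inet_ntoa(frame[30:34])
    tcp = 14 + ihl
    sport, dport = struct.unpack_from("!HH", frame, tcp)
    data_off = (frame[tcp + 12] >> 4) * 4
    return src, dst, sport, dport, frame[tcp + data_off:]


def ftp_summary(pcap_bytes):
    """Answer the write-up's questions 1-3, 5 and 6 from the FTP control channel (port 21)."""
    summary = {"client": None, "server": None, "banner": None, "user": None, "uploads": []}
    for frame in parse_pcap(pcap_bytes):
        tcp = decode_tcp(frame)
        if tcp is None:
            continue
        src, dst, sport, dport, payload = tcp
        if 21 not in (sport, dport) or not payload:
            continue
        text = payload.decode("ascii", "replace").strip()
        if dport == 21:  # client -> server command
            summary["client"], summary["server"] = src, dst
            verb, _, arg = text.partition(" ")
            if verb.upper() == "USER":
                summary["user"] = arg
            elif verb.upper() == "STOR":  # upload: the exfiltrated file names
                summary["uploads"].append(arg)
        elif sport == 21 and text.startswith("220") and summary["banner"] is None:
            summary["banner"] = text  # greeting identifies the server software
    return summary


# --- constructed sample capture (stands in for the challenge .pcap) -------------------
def tcp_frame(src_ip, dst_ip, sport, dport, payload):
    """Build a minimal Ethernet/IPv4/TCP frame; checksums are left zero (not verified here)."""
    eth = b"\x00" * 6 + b"\x00" * 6 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in a little-endian libpcap file (linktype 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


CLIENT, SERVER = "192.168.56.6", "192.168.56.1"  # from the write-up; username/port assumed
SAMPLE_PCAP = build_pcap([
    tcp_frame(SERVER, CLIENT, 21, 40001, b"220 (vsFTPd 3.0.3)\r\n"),
    tcp_frame(CLIENT, SERVER, 40001, 21, b"USER twallowitz\r\n"),
    tcp_frame(SERVER, CLIENT, 21, 40001, b"331 Please specify the password.\r\n"),
    tcp_frame(CLIENT, SERVER, 40001, 21, b"STOR BigConsultRecipe_CAUTION.txt\r\n"),
    tcp_frame(SERVER, CLIENT, 21, 40001, b"150 Ok to send data.\r\n"),
    tcp_frame(CLIENT, SERVER, 40001, 21, b"STOR hotpix.zip\r\n"),
])

if __name__ == "__main__":
    print(ftp_summary(SAMPLE_PCAP))
```

The reader only looks at port 21; the file bodies travel on separate data connections (PASV/PORT), which is why NetworkMiner's Files tab, rather than the control channel, is where the uploaded content itself is recovered. A real capture from the challenge would be read with `ftp_summary(open("capture.pcap", "rb").read())`.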

Questions 7-10 relate to the contents of the hotpix.zip file. It was password protected, so I scoured the .pcap for any messages or references to the password, which ultimately ended in failure. So I decided on another measure: brute-force it open. Luckily Passware made quick work of it. Other similar tools such as John the Ripper or Hashcat may have had just as quick success for free.


Figure 4: Passware cracking hotpix.zip

As we can see the password was simply "soccer1".

Question 7

What city was here?

Opening city.png shows a screenshot / meme from Call of Duty 4. The ferris wheel and the font of the building text reveal that this is where the Chernobyl plant meltdown occurred, the city of "Pripyat".

Figure 5: Chernobyl site of Pripyat

Question 8

What is the person exfiltrating data an expert in?

The image ghidra.png reveals the person was an expert in "Ghidra", the reverse engineering tool.


Figure 6: The ghidra expert

Question 9

What can't chickens handle?

The image chicken.jpg shows that chickens can't handle "bandwidth".

Figure 7: Howdy, Colonel Sanders here!

Question 10

Whose credit card was sent?

The image card.png shows two Chase Freedom credit cards belonging to "D. Barrett".


Figure 8: D. Barrett's credit cards

Conclusion

Challenge 2 was much more difficult than part 1, but with the proper tools unlocking the answers was just another walk in the park.

Tool Listing

NetworkMiner v2.6.0 - https://www.netresec.com/?page=Networkminer