CCT2019 CTF full WriteUp

Emanuele Ciccolunghi
6 min readSep 7, 2023

--

This is my CTF write-up for the CCT2019 TryHackMe room. I had a lot of fun completing it, and I am thrilled to share with you the process involved in reversing all the different kinds of data found in this room.

Passwords will be partially masked with “*”, just in case ;)

Now on to the write-up, have fun ^^
By Emanuele Ciccolunghi

TASK1:

1) file “pcap2.pcapng”

File analysis:

An initial analysis shows that the capture contains only a few USB packets:

Running binwalk to check its contents shows that it contains a second compressed file named “pcap_chal.pcapng”:

A first attempt was to extract the contents directly, but this caused several problems, so after some research it was possible to extract the data exchanged over USB with “tshark” from the command line:

- tshark -r pcap2.pcapng -T fields -e usb.capdata > out

The command extracts the hexadecimal data carried in the transfer, but in this form the contents cannot be read correctly.

Finally, using CyberChef, it was possible to convert the file into a usable form with the “From Hex” function:

Unzipping the resulting file then yields “pcap_chal.pcapng”, on which further traffic analysis needs to be performed.

2) Analysis of the traffic contained in the file pcap_chal.pcapng

This file contains a lot of different traffic; in situations like this I like to start from HTTP/HTTPS, as it can give a lot of useful information about what is going on.
The first thing that jumped out at me was the following GET request:

- fotoforensics.com/analysis.php?id=e7e47ecfd72c324519c9a72239cd2b399aaafc4b.9686&fmt=card

By removing the last parameter (&fmt=card) we can get back to the original analysis of the image and then download it:

Once the image is downloaded, binwalk shows that it contains a RAR archive.
The analysis conducted on the image unfortunately was a washout, as it turned out to be a rabbit hole.

Digging deeper into the traffic, IRC connections could be identified, from which it was possible to extract the following credentials:

USERNAME: binaryphalanx (nick: zoobah)

PASSWORD: Red********Rover$$

Uniq ID: 108AAAAAC

Still having no useful leads to work on, I went through the rest of the traffic, particularly ICMP, since it showed anomalous packets.
Looking into the unanswered ICMP traffic, it is possible to find a conversation between two attackers embedded in the network: they exchange a chat in which they discuss which password to use. From the messages, the following can be identified:

1) Hackers passed around a file on port 4444

2) The file was encrypted using cryptcat

3) The password is the one used by Angela Bennett in the movie “The Net” (BER5348833)

From the pcap file we then extract the traffic on port 4444 by following the stream, showing the data as raw, and saving it.

Now we have to decrypt it!

To do this, we use cryptcat to listen and decrypt the file, and netcat to relay it:

  • Server: cryptcat -vv -k BER5348833 -l -p 4444 > decrypt
  • Client: cat file_crypted | nc 127.0.0.1 4444

Now the file can be analyzed. Some reverse engineering shows that it tries to connect to a server, as it performs a DNS resolution for the domain “irc.cct”.

By adding the entry “127.0.0.1 irc.cct” to the “/etc/hosts” file and running nc listening on port 6667 (the default IRC port) with the following command:

  • CMD: nc -lvnp 6667

it is possible to receive the connections made by the binary and analyze the requests/traffic it generates.

Running the file now generates traffic:

And finally, we manage to get the FLAG!

TASK2:

Analyzing the .NET code reveals an IF statement whose satisfaction allows the flag to be extracted: the check requires that the sum of four numbers be equal to 711 and their product be 7110000.

The problem was solved mathematically: two equations (one sum and one product) in four unknowns, using the common factors of the product to narrow down the range of values that could be used.
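Added example (my own Python, not the room's .NET code): a solver for the Task 2 constraint that only tries divisors of the product, which is the "common factors" shortcut described above. It uses the numbers quoted above (711 and 7110000) and is parameterised, so the classic "7.11" variant with product 711000000 can be solved the same way.

```python
"""Find four positive integers with a given sum and product.
Added example for the Task 2 check (sum 711, product 7110000)."""


def divisors(n):
    """All positive divisors of n, in ascending order."""
    small, large = [], []
    i = 1
    while i * i <= n:
        if n % i == 0:
            small.append(i)
            if i != n // i:
                large.append(n // i)
        i += 1
    return small + large[::-1]


def find_quadruples(total, product):
    """Return sorted tuples (a, b, c, d) with a <= b <= c <= d,
    a + b + c + d == total and a * b * c * d == product.
    Only divisors of the product are candidates, so the search
    space is tiny compared with a blind 711^3 loop."""
    divs = divisors(product)
    found = set()
    for i, a in enumerate(divs):
        if 4 * a > total:          # a is the smallest, so 4a <= total
            break
        for b in divs[i:]:
            if a + 3 * b > total or product % (a * b):
                continue
            rest = product // (a * b)   # what c * d must equal
            for c in divs:
                if c < b:
                    continue
                if a + b + 2 * c > total:
                    break
                if rest % c:
                    continue
                d = total - a - b - c    # the sum fixes d
                if d >= c and c * d == rest:
                    found.add((a, b, c, d))
    return sorted(found)


if __name__ == "__main__":
    for quad in find_quadruples(711, 7110000):
        print(quad)
```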

TASK3:

Starting point:

Binwalk:

Analyzing the photo with exiftool, we find Morse code in the description field:

which decodes to the string: “jus********right?”

I tried to use it as a password for the previous ZIP found with binwalk and it worked!

From the extraction I got the file “fakeflag.txt”, which contains the following text:

  • I didn’t say it would be easy, Neo. Peer into the Matrix. See what others cannot and witness the truth. Though I caution that it may be more than what you expect.
  • Morpheus
  • PW: Z10N****

Now we have a new password!

In addition, with the tool “steghide” I was able to extract an archive, “archive.zipper”, which contains two files (cipher.txt and config.txt) and flag.zipper.

To extract it, use the password just found in “fakeflag.txt” via the command “steghide extract -sf file_original_CTF”

Going deeper into the image analysis, thanks to the luminance gradient we obtain:

And from the image we can derive a plausible password:

  • 0ni********fu5c@ti0n

We can use this password to extract the zipper file found earlier (“archive.zipper”), which gives us three files:

  • Cipher.txt
  • Config.txt
  • Flag.zipper

Below are the contents of the two txt files:

The former contains the text to be deciphered and the latter the configuration for the “Enigma” machine.

By going to the site recommended by the CTF (https://cryptii.com/) and doing some troubleshooting (based on the data I had and the different options on the site), I was eventually able to find an Enigma model (Enigma M4 “Shark”) that allowed me to enter all the data from config.txt:

I then finally got the password for the flag.zipper file.

TASK4:

The last task is divided into three consecutive parts; in each of these there is a first file containing a clue and a second with text to be deciphered:

1) The first step requires conversion between keyboard layouts (keyboard layout substitution)

2) For this file you need to do some “OSINT” on YouTube, looking for a specific video from which you can identify the password used to decrypt the file’s contents (encrypted with a rail fence cipher)

3) For this last section we need to write some Python code: every character in the encoded file is a digit between 0 and 6, and by using the “%” operator to compute the remainder the digit sequence can be transformed into binary. Once converted to ASCII we get the final text and thus the FLAG.
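Added example (my own Python, not the script written during the room): a decoder for the step-3 format described above. It assumes the remainder is taken modulo 2 and that the bits are packed MSB-first into 8-bit ASCII; the sample digit string is produced by the included encoder and is constructed, not taken from the CTF file.

```python
"""Decode a file of digits 0-6 where each digit's remainder is one bit
and eight bits form one ASCII character (Task 4, step 3).
Added example; the modulus is an assumption, the write-up does not state it."""

MODULUS = 2  # assumption: parity of each digit gives the bit


def digits_to_text(digits):
    """Map each digit to digit % MODULUS, group the bits in eights
    (most significant bit first) and decode them as ASCII."""
    bits = [int(ch) % MODULUS for ch in digits if ch.isdigit()]
    if any(b not in (0, 1) for b in bits):
        raise ValueError("remainder must be 0 or 1 to form bits")
    if len(bits) % 8:
        raise ValueError("bit count is not a multiple of 8")
    out = []
    for i in range(0, len(bits), 8):
        byte = 0
        for b in bits[i:i + 8]:
            byte = (byte << 1) | b
        out.append(chr(byte))
    return "".join(out)


def text_to_digits(text):
    """Constructed encoder used only to build sample input: each bit
    becomes a digit 0-6 of matching parity, cycling through the
    candidates so the output uses the whole 0-6 alphabet."""
    evens, odds = "0246", "135"
    digits, pos = [], 0
    for ch in text:
        for shift in range(7, -1, -1):
            bit = (ord(ch) >> shift) & 1
            pool = odds if bit else evens
            digits.append(pool[pos % len(pool)])
            pos += 1
    return "".join(digits)


if __name__ == "__main__":
    sample = text_to_digits("flag{example}")  # constructed, not the CTF data
    print(sample)
    print(digits_to_text(sample))
```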


Emanuele Ciccolunghi

Malware analyst and threat hunter, working as a SOC specialist