OPERATION: WIRETAP WRITEUP
PROLOGUE
“Welcome to my humble abode, Mr Kotova”
Hendrik opens the door to his house in the tiny German hamlet. It is the place he has called home for many years now, the very place from which he joined the Ahemait online and does most of his work for the organization.
“Very nice, but please call me Maksim. In Russia, we become friends after we get drunk together”
“Of course, Maksim. Speaking of drinks, let me get us some schnapps and explain our plans in more detail”
Hendrik opens a large wooden cabinet in the corner of the room. It is filled with bottles of all kinds. He reaches for a fancy-looking bottle of schnapps and gets two glasses to go with it, filling both to the brim as he sits down in a leather chair and invites Maksim to take a seat as well. Both raise their glasses.
“To our future collaboration, prost!”
“Yes, to many years of good business and health. Na Zdorovie!”
The men both chug their glasses in one go, feeling the liquid courage glide down their throats as they exhale heavily. Hendrik wastes no time filling up again as Maksim begins to speak.
“So, besides saving me from the hand of the Tiberian Order, what am I doing here?”
“Yes, you see the annual Ahemait meeting is just around the corner. My superiors are planning to unveil all operations for the next year. However, the largest of these will require a substantial amount of small arms and various gasses. The small arms do not pose such a problem. However, we require some biological weapons as well. There are certain groups of people we want to eradicate a bit more efficiently.”
“I see, and these gasses. Do they have to kill nicely? And do they only need to affect airways?”
“Not at all, the more suffering and pain is inflicted on the sinners, the cleaner their souls arrive in the afterlife. For some of them, the agony might be enough to redeem themselves.”
Maksim smiles as he downs another glass of schnapps.
“This should not be a problem. A train full of great materials can be moved next week already if needed. The stuff made in the Soviet Union never had to cater to those humane and sad Western standards.”
“Excellent. So, let's talk logistics and pricing...”
MISSION BRIEFING
Greetings, Special Agent K.
Excellent work on locating the residence of Hendrik Schneider. We’ve been in contact with local authorities and acquired permission to wiretap the residence. Over the past several days we’ve had agents stationed around the area to observe all movements.
Several methods of intercepting communication were installed around the residence as well, including a tap on the internet connection. Given the vast amounts of data we’ve recovered, all of this will need to be distributed among several teams for further analysis.
It has come to our attention that the Ahemait have a yearly conference. This event is always covered by some form of shell company or organization. Nothing is known of the location or time this event takes place. We hope though, that some of the intercepted data will give us more information about this event.
We’ve taken a part of the internet wiretap and assigned it to you. Please find out if it contains anything useful for finding the time and place for this conference.
As always, Special Agent K. Best of luck on this operation.
MATERIALS AND ANSWER INSTRUCTION
Steps to complete:
1 — Figure out the answer to the Operation
2 — Construct the password using the instructions below to unlock the “flagfile”
3 — Use the “answer code” from the “answerfile” inside the “flagfile” to submit your score via the form below
Password format:
hotelname-city-dd-mm-yyyy-hhmm
Password sample:
avari-hotel-karachi-15-03-2023-0900
METHODOLOGY
TOPICS
- Wireshark
WIRESHARK
The operation begins with downloading eight large .pcap files. The .pcap extension stands for packet capture, a file format that stores captured network traffic.
Wireshark is an excellent tool for analyzing PCAPs because it offers powerful protocol analysis, an intuitive GUI, and extensibility. Its display filters narrow the packets shown in the packet list to those matching specific criteria or patterns (they do not affect what was captured; that is the job of capture filters). Here are some examples of display filters I used to begin my investigation.
- Port display filter: “tcp.port == <PORT>”, e.g. “tcp.port == 80”, which shows only packets on TCP port 80, the port commonly used for HTTP traffic.
- IP display filter: “ip.src == <IP>”, e.g. “ip.src == 192.168.1.1”, which shows only packets with that source IP address.
- DNS display filter: “dns.qry.name == <Domain name>”, e.g. “dns.qry.name == example.com”, which shows only DNS packets carrying a query for that domain name.
However, none of these turned up anything in my search, so I switched to a different display filter: “frame contains "<string>"”, which shows every frame whose raw bytes contain the given byte sequence or pattern.
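To make concrete what “frame contains” actually tests, here is an added example of my own (not code from the write-up and not part of Wireshark): a minimal libpcap reader in Python that walks every record in a capture file and reports the frame numbers whose raw bytes include a pattern. The three frames and their Ethernet header bytes are constructed inside the script; they are not taken from the operation's captures.

```python
import struct

# libpcap global-header magic values: microsecond and nanosecond timestamp variants
MAGIC_USEC = 0xA1B2C3D4
MAGIC_NSEC = 0xA1B23C4D
LINKTYPE_ETHERNET = 1


def build_pcap(frames, snaplen=65535, endian="<"):
    """Assemble a minimal libpcap file: a 24-byte global header, then for each frame a
    16-byte record header (ts_sec, ts_usec, incl_len, orig_len) followed by the raw bytes."""
    header = struct.pack(endian + "IHHiIII", MAGIC_USEC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    body = b""
    for i, frame in enumerate(frames):
        body += struct.pack(endian + "IIII", 1_680_000_000 + i, 0, len(frame), len(frame)) + frame
    return header + body


def iter_frames(pcap):
    """Yield (frame_number, timestamp, raw_bytes) for every record in a libpcap file.
    Byte order and timestamp resolution are detected from the magic, as Wireshark does."""
    (magic,) = struct.unpack("<I", pcap[:4])
    if magic == MAGIC_USEC:
        endian, divisor = "<", 1e6
    elif magic == MAGIC_NSEC:
        endian, divisor = "<", 1e9
    elif magic == 0xD4C3B2A1:  # MAGIC_USEC byte-swapped: written by a big-endian host
        endian, divisor = ">", 1e6
    elif magic == 0x4D3CB2A1:  # MAGIC_NSEC byte-swapped
        endian, divisor = ">", 1e9
    else:
        raise ValueError("not a libpcap file: bad magic 0x%08x" % magic)
    offset, number = 24, 0
    while offset + 16 <= len(pcap):
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(endian + "IIII", pcap[offset:offset + 16])
        offset += 16
        raw = pcap[offset:offset + incl_len]
        if len(raw) != incl_len:
            raise ValueError(f"truncated record at frame {number + 1}")
        offset += incl_len
        number += 1
        yield number, ts_sec + ts_frac / divisor, raw


def frame_contains(pcap, needle):
    """Python equivalent of Wireshark's `frame contains "<needle>"`: the numbers of the frames
    whose raw bytes (headers and payload alike) include the pattern. Like the Wireshark
    operator, this is an exact, case-sensitive byte match."""
    if isinstance(needle, str):
        needle = needle.encode()
    return [num for num, _ts, raw in iter_frames(pcap) if needle in raw]


# Constructed sample frames (not real traffic): a made-up 14-byte Ethernet header in front
# of a text payload is all a byte-pattern search needs.
ETH = bytes.fromhex("001122334455" "66778899aabb" "0800")
SAMPLE_FRAMES = [
    ETH + b"GET /invitation.txt HTTP/1.1\r\nHost: files.example\r\n\r\n",
    ETH + b"\x12\x34\x01\x00\x00\x01\x05files\x07example\x00\x00\x01\x00\x01",  # DNS-shaped bytes
    ETH + b"HTTP/1.1 200 OK\r\n\r\nDear Members of the Ahemait Organization,",
]
SAMPLE_PCAP = build_pcap(SAMPLE_FRAMES)

if __name__ == "__main__":
    for needle in ("HTTP/1.1", "Ahemait", "ahemait"):
        print(f'frame contains "{needle}" -> frames {frame_contains(SAMPLE_PCAP, needle)}')
```

The lowercase search returns nothing, which is the caveat to remember when a manual keyword hunt comes up empty: “contains” compares bytes exactly, so for case-insensitive or regular-expression searches use “frame matches "<regex>"” instead. On the command line the same filter runs as `tshark -r capture.pcap -Y 'frame contains "Ahemait"'`.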
DROPBOX CONTENTS
The invitation — ROT13 Encoding
#i'94:d}+(`:+)lXkiu>kj#@+$dd2i'R*(=_kguW+nhS2)N95i=T3:Ume=5=kj5T5(V<kiVN2n&85it82(qn2)#=kj=T5$d_3WdT5)k85)d;3n`N3>48*nuS+>'W+(q;+$d95ed_2i&8&n9=4>h_3np8$iu_+(U82(p8(>h?4>':kiuSkg+W2(#96$U8%(hW*n88|XgQkfkU|;|Qkih_kfgX~;cU{:d&2i&8*nuS+>'W+(q;+$d;+(q_+)k8*)"85i9=kh}@+)l95iuSkg9T5i'Qkiu>+>'W4WdX5ih_+$`T+:`_2i&R*)l_ki+9*n=Q2)#N+)|QkihS+edo+$d:+(VN+)+=ki=_kj5N3iU8*>&85i9=kjd=4>+=*o"84n'_5i=S+Wd>3ok83o'Wki'n+(q_{8@m'i9=ki}T3>+=4>'S*n&85n=Q3edU4>un2(#=kihSkiuU4iuW5j'S2)#qkj#Tki'p*n993>5=ki=<+(hXkihS+edX2ihW+$d:+)}_kjdW*(}_2(}=4Wd93(uS+WdT5)k83('R*>'W4Wp8'n&82ihn+$dQ2(q=+ed`4ed9kj+94>==5j<83n*82n'q3>u_+$dX4i'92n'W4Wd93>"84ihS+(U8+i=X*o'X4n=T3?|85it8+(qX5)l=kj#@*)"85i9=ki}T3>+=4>'S*n&82)|8*>u_2edN3>+T4>`95i=n+$d93>"8+(q?*(5N3>4Se8Nd4WdR+(`:+)lXkiu>kgh@+(`92)"Qkj5=ki9T4i&85i995edq3o&8*nhSkiNT2(p85)|8+>uWkj#@2)|8+)9;2)#N3>48+)+=3?"SkhdQ+(hX+$dR*)lPkj=T5)k8*nhQ+(q<*)lXkihS+edR*(R=kihW4>hS+n'R+(q_4Wd_3Wd95j#=3>"Skh5=kiVT3nQ8+>uW5nhW+ed_3WdX+('N3>486(u`ki=SkhN9+ol=*:gme<=>kj=T5$d@*)+=kihS6$dV5('X5i=T3?|83ok8*nuS*n'W3?|QkjdQ+(hX+$d<3WdS3o"82i'X2)#95i&85it8*nuS5ih;5ed`4Wpme<l=4o"84>'?*)l<4WUme=#@+$df3o'S*n=Q{c@m%np8*>'@*(V>kiu>kj#@+$dd2i'R*(=_kguW+nhS2)N95i=T38yy
ROT13 decoded; the result is ROT47-encoded
#v'94:q}+(`:+)yKxvh>xw#@+$qq2v'E*(=_xthJ+auF2)A95v=G3:Hzr=5=xw5G5(I<xvIA2a&85vg82(da2)#=xw=G5$q_3JqG5)x85)q;3a`A3>48*ahF+>'J+(d;+$q95rq_2v&8&a9=4>u_3ac8$vh_+(H82(c8(>u?4>':xvhFxt+J2(#96$H8%(uJ*a88|KtDxsxH|;|Dxvu_xstK~;pH{:q&2v&8*ahF+>'J+(d;+$q;+(d_+)x8*)"85v9=xu}@+)y95vhFxt9G5v'Dxvh>+>'J4JqK5vu_+$`G+:`_2v&E*)y_xv+9*a=D2)#A+)|DxvuF+rqb+$q:+(IA+)+=xv=_xw5A3vH8*>&85v9=xwq=4>+=*b"84a'_5v=F+Jq>3bx83b'Jxv'a+(d_{8@z'v9=xv}G3>+=4>'F*a&85a=D3rqH4>ha2(#=xvuFxvhH4vhJ5w'F2)#dxw#Gxv'c*a993>5=xv=<+(uKxvuF+rqK2vuJ+$q:+)}_xwqJ*(}_2(}=4Jq93(hF+JqG5)x83('E*>'J4Jc8'a&82vua+$qD2(d=+rq`4rq9xw+94>==5w<83a*82a'd3>h_+$qK4v'92a'J4Jq93>"84vuF+(H8+v=K*b'K4a=G3?|85vg8+(dK5)y=xw#@*)"85v9=xv}G3>+=4>'F*a&82)|8*>h_2rqA3>+G4>`95v=a+$q93>"8+(d?*(5A3>4Fr8Aq4JqE+(`:+)yKxvh>xtu@+(`92)"Dxw5=xv9G4v&85v995rqd3b&8*auFxvAG2(c85)|8+>hJxw#@2)|8+)9;2)#A3>48+)+=3?"FxuqD+(uK+$qE*)yCxw=G5)x8*auD+(d<*)yKxvuF+rqE*(E=xvuJ4>uF+a'E+(d_4Jq_3Jq95w#=3>"Fxu5=xvIG3aD8+>hJ5auJ+rq_3JqK+('A3>486(h`xv=FxuA9+by=*:tzr<=>xw=G5$q@*)+=xvuF6$qI5('K5v=G3?|83bx8*ahF*a'J3?|DxwqD+(uK+$q<3JqF3b"82v'K2)#95v&85vg8*ahF5vu;5rq`4Jczr<y=4b"84>'?*)y<4JHzr=#@+$qs3b'F*a=D{p@z%ac8*>'@*(I>xvh>xw#@+$qq2v'E*(=_xthJ+auF2)A95v=G38ll
ROT47 decoded to Base64
Base64 decoded to human-readable text
Dear Members of the Ahemait Organization,
We would like to invite you to our upcoming conference at the Sheraton Hotel in Zagreb on Friday, March 31, 2023, at 13:00. The conference center at the Sheraton Hotel offers state-of-the-art facilities, and we believe it will be the perfect setting for our event.
The conference will provide an opportunity to exchange ideas and share best practices among our members. We have lined up a variety of keynote speakers and panel discussions to ensure that the conference is both informative and engaging.
As members of Ahemait, we hope that you can join us for this exciting event. Please mark your calendars and make arrangements to attend. We look forward to seeing you in Zagreb!
If you have any questions or concerns, please do not hesitate to contact us.
Best regards,
The Council,
On behalf of the Ahemait Organization
ANSWER: sheraton-hotel-zagreb-31-03-2023-1300
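The three manual decoding steps above (ROT13, then ROT47, then Base64) and the password construction can be scripted so the same chain is repeatable on the other captures. The following is an added example written for this write-up, not code from the original page: the ciphertext constant is the ROT13 string shown under “The invitation”, copied verbatim; the `peel` search (which tries the rotations in every order until valid Base64 decodes to readable text, generalising the one order used above), the venue regex and the function names are my own.

```python
import base64
import binascii
import codecs
import re
from datetime import datetime

# ROT13-encoded invitation exactly as recovered from the Dropbox contents above (one long line).
INVITATION_ROT13 = """#i'94:d}+(`:+)lXkiu>kj#@+$dd2i'R*(=_kguW+nhS2)N95i=T3:Ume=5=kj5T5(V<kiVN2n&85it82(qn2)#=kj=T5$d_3WdT5)k85)d;3n`N3>48*nuS+>'W+(q;+$d95ed_2i&8&n9=4>h_3np8$iu_+(U82(p8(>h?4>':kiuSkg+W2(#96$U8%(hW*n88|XgQkfkU|;|Qkih_kfgX~;cU{:d&2i&8*nuS+>'W+(q;+$d;+(q_+)k8*)"85i9=kh}@+)l95iuSkg9T5i'Qkiu>+>'W4WdX5ih_+$`T+:`_2i&R*)l_ki+9*n=Q2)#N+)|QkihS+edo+$d:+(VN+)+=ki=_kj5N3iU8*>&85i9=kjd=4>+=*o"84n'_5i=S+Wd>3ok83o'Wki'n+(q_{8@m'i9=ki}T3>+=4>'S*n&85n=Q3edU4>un2(#=kihSkiuU4iuW5j'S2)#qkj#Tki'p*n993>5=ki=<+(hXkihS+edX2ihW+$d:+)}_kjdW*(}_2(}=4Wd93(uS+WdT5)k83('R*>'W4Wp8'n&82ihn+$dQ2(q=+ed`4ed9kj+94>==5j<83n*82n'q3>u_+$dX4i'92n'W4Wd93>"84ihS+(U8+i=X*o'X4n=T3?|85it8+(qX5)l=kj#@*)"85i9=ki}T3>+=4>'S*n&82)|8*>u_2edN3>+T4>`95i=n+$d93>"8+(q?*(5N3>4Se8Nd4WdR+(`:+)lXkiu>kgh@+(`92)"Qkj5=ki9T4i&85i995edq3o&8*nhSkiNT2(p85)|8+>uWkj#@2)|8+)9;2)#N3>48+)+=3?"SkhdQ+(hX+$dR*)lPkj=T5)k8*nhQ+(q<*)lXkihS+edR*(R=kihW4>hS+n'R+(q_4Wd_3Wd95j#=3>"Skh5=kiVT3nQ8+>uW5nhW+ed_3WdX+('N3>486(u`ki=SkhN9+ol=*:gme<=>kj=T5$d@*)+=kihS6$dV5('X5i=T3?|83ok8*nuS*n'W3?|QkjdQ+(hX+$d<3WdS3o"82i'X2)#95i&85it8*nuS5ih;5ed`4Wpme<l=4o"84>'?*)l<4WUme=#@+$df3o'S*n=Q{c@m%np8*>'@*(V>kiu>kj#@+$dd2i'R*(=_kguW+nhS2)N95i=T38yy"""


def rot13(text):
    return codecs.encode(text, "rot_13")


def rot47(text):
    """ROT47 rotates every printable ASCII character (0x21..0x7E) by 47 positions; it is its own inverse."""
    return "".join(chr(33 + (ord(c) - 33 + 47) % 94) if 33 <= ord(c) <= 126 else c for c in text)


_B64_RE = re.compile(r"^[A-Za-z0-9+/]*={0,2}$")


def looks_like_base64(text):
    return len(text) % 4 == 0 and bool(_B64_RE.match(text))


def is_text(raw):
    """True if the bytes are UTF-8 consisting of printable characters and ordinary whitespace."""
    try:
        s = raw.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return all(ch.isprintable() or ch in "\r\n\t" for ch in s)


LAYERS = {"rot13": rot13, "rot47": rot47}


def peel(data, max_depth=3, path=()):
    """Depth-first search over the rotations until the data is valid Base64 that decodes to
    readable text. Returns (tuple_of_layer_names, plaintext) or None if nothing works."""
    if looks_like_base64(data):
        try:
            raw = base64.b64decode(data, validate=True)
        except (binascii.Error, ValueError):
            raw = None
        if raw is not None and is_text(raw):
            return path + ("base64",), raw.decode("utf-8")
    if max_depth == 0:
        return None
    for name, transform in LAYERS.items():
        if path and path[-1] == name:
            continue  # applying the same rotation twice only undoes it
        found = peel(transform(data), max_depth - 1, path + (name,))
        if found is not None:
            return found
    return None


def decode_invitation(cipher):
    """The fixed chain used in the write-up: ROT13 -> ROT47 -> Base64 -> UTF-8 text."""
    return base64.b64decode(rot47(rot13(cipher)), validate=True).decode("utf-8")


# Matches "at the <hotel> Hotel in <city> on <weekday>, <Month> <day>, <year>, at <hh>:<mm>"
EVENT_RE = re.compile(
    r"at the (?P<hotel>[\w ]+?) Hotel in (?P<city>\w+) on \w+, "
    r"(?P<month>[A-Za-z]+) (?P<day>\d{1,2}), (?P<year>\d{4}), at (?P<hh>\d{2}):(?P<mm>\d{2})"
)


def build_password(plaintext):
    """Turn the decoded invitation into the flagfile password format hotelname-city-dd-mm-yyyy-hhmm."""
    m = EVENT_RE.search(plaintext)
    if m is None:
        raise ValueError("invitation does not contain a recognisable venue/date sentence")
    when = datetime.strptime(f"{m['month']} {m['day']} {m['year']} {m['hh']}:{m['mm']}", "%B %d %Y %H:%M")
    hotel = re.sub(r"\s+", "-", m["hotel"].strip().lower())
    return f"{hotel}-hotel-{m['city'].lower()}-{when:%d-%m-%Y-%H%M}"


if __name__ == "__main__":
    layers, text = peel(INVITATION_ROT13)
    print("layers:", " -> ".join(layers))
    print(text)
    print("password:", build_password(text))
```

The `validate=True` flag matters: without it `b64decode` silently drops any character outside the Base64 alphabet, so a wrong guess about the rotation order would produce garbage instead of an error, which is exactly the failure the `peel` search relies on detecting.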