OPERATION: WIRETAP WRITEUP

By VEEXH, published in The Sleuth Sheet
Apr 1, 2023 (5 min read)
Support Your Local Law Enforcement

PROLOGUE

“Welcome to my humble abode, Mr Kotova”

Hendrik opens the door to his house in the tiny German hamlet, the place he has called home for many years now, and the very place from which he joined the Ahemait online and does most of his work for the organization.

“Very nice, but please call me Maksim. In Russia, we become friends after we get drunk together”

“Of course, Maksim. Speaking of drinks, let me get us some schnapps and explain our plans in more detail”

Hendrik opens a large wooden cabinet in the corner of the room. It is filled with bottles of all kinds. He reaches for a fancy-looking bottle of schnapps and two glasses to go with it, fills both to the brim, sits down in a leather chair and invites Maksim to take a seat as well. Both raise their glasses.

“To our future collaboration, prost!”

“Yes, to many years of good business and health. Na Zdorovie!”

The men both down their glasses in one go, feeling the liquid courage glide down their throats as they exhale heavily. Hendrik wastes no time filling up again as Maksim begins to speak.

“So, besides saving me from the hand of the Tiberian Order, what am I doing here?”

“Yes, you see, the annual Ahemait meeting is just around the corner. My superiors are planning to unveil all operations for the next year. However, the largest of these will require a substantial amount of small arms and various gases. The small arms do not pose such a problem. However, we require some biological weapons as well. There are certain groups of people we want to eradicate a bit more efficiently.”

“I see, and these gases. Do they have to kill nicely? And do they only need to affect airways?”

“Not at all, the more suffering and pain is induced on the sinners, the more clean their souls arrive in the afterlife. For some of them, the agony might be enough to redeem themselves.”

Maksim smiles as he downs another glass of schnapps.

“This should not be a problem. A train full of great materials can be moved next week already if needed. The stuff made in the Soviet Union never had to cater to those humane and sad Western standards.”

“Excellent. So, let's talk logistics and pricing…”

MISSION BRIEFING

Greetings, Special Agent K.

Excellent work on locating the residence of Hendrik Schneider. We have been in contact with local authorities and acquired permission to wiretap the residence. Over the past several days we have had agents stationed around the area to observe all movements.

Several methods of intercepting communications were installed around the residence as well, including a tap on the internet connection. Given the vast amount of data we have recovered, all of it will need to be distributed among several teams for further analysis.

It has come to our attention that the Ahemait hold a yearly conference. This event is always covered by some form of shell company or organization. Nothing is known of the location or time at which it takes place. We hope, though, that some of the intercepted data will give us more information about this event.

We’ve taken a part of the internet wiretap and assigned it to you. Please find out if it contains anything useful for finding the time and place for this conference.

As always, Special Agent K. Best of luck on this operation.

MATERIALS AND ANSWER INSTRUCTIONS

Steps to complete:

1 — Figure out the answer to the Operation

2 — Construct the password using instruction below to unlock the “flagfile”

3 — Use the “answer code” from the “answerfile” inside the “flagfile” to submit your score via the form below

Password format:

hotelname-city-dd-mm-yyyy-hhmm

Password sample:

avari-hotel-karachi-15-03-2023-0900

Download the starting materials

Download the flagfile

METHODOLOGY

TOPICS

  • Wireshark

WIRESHARK

The operation begins with downloading eight large .pcap files. The .pcap extension stands for packet capture: the classic libpcap file format used to store captured network traffic (Wireshark also reads the newer pcapng format, which it uses by default when saving).

(Screenshot: Wireshark packet capture)

Wireshark is an excellent tool for analyzing PCAPs: it dissects hundreds of protocols, has an intuitive GUI, and can be extended with Lua scripts. Its display filters narrow the packet list to the packets that match a given criterion or pattern. They are applied to packets that have already been captured and are distinct from the BPF capture filters used while capturing. Here are some examples of display filters I used to begin my investigation.

  • Port display filter: tcp.port == 80 shows only packets whose source or destination TCP port is 80, the port commonly used for plaintext HTTP.
  • IP display filter: ip.src == 192.168.1.1 shows only packets with the source IP address 192.168.1.1 (ip.addr matches either direction).
  • DNS display filter: dns.qry.name == "example.com" shows only DNS packets whose query name is exactly example.com (dns.qry.name contains "example" matches substrings).

However, none of these turned up anything useful, so I switched to a different kind of display filter. The 'frame contains' operator does a raw byte search over the whole frame, headers and payload alike, with no protocol parsing, so it catches a hostname in a DNS query, an HTTP Host header or a TLS SNI all the same. Two caveats: the match is case-sensitive (frame matches "(?i)dropbox" gives a case-insensitive regular-expression search), and it cannot see inside encrypted payloads.

frame contains “dropbox”
(Screenshot: the external Dropbox location found in the capture)
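To make clear what `frame contains` actually does, here is an added example (not part of the original writeup) that reimplements the search outside Wireshark: a minimal parser for the classic pcap record format followed by a byte search over each frame. The capture it scans is constructed inline from made-up frames, not taken from the operation's wiretap files, and the helper names are my own.

```python
import struct
from typing import Iterator, List, Tuple

# Classic libpcap magic numbers, as seen when the first four bytes are read as a
# little-endian uint32. pcapng (Wireshark's default save format) has a block-based
# layout and is deliberately rejected rather than misparsed.
_MAGICS = {
    0xA1B2C3D4: ("<", 1_000_000),      # little-endian file, microsecond timestamps
    0xA1B23C4D: ("<", 1_000_000_000),  # little-endian file, nanosecond timestamps
    0xD4C3B2A1: (">", 1_000_000),      # big-endian file, microsecond timestamps
    0x4D3CB2A1: (">", 1_000_000_000),  # big-endian file, nanosecond timestamps
}


def iter_frames(pcap: bytes) -> Iterator[Tuple[int, float, bytes]]:
    """Yield (frame_number, timestamp, raw_frame_bytes) for each record in a classic pcap."""
    if len(pcap) < 24:
        raise ValueError("truncated pcap global header")
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic not in _MAGICS:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    endian, ticks_per_second = _MAGICS[magic]
    offset, number = 24, 1
    while offset < len(pcap):
        if offset + 16 > len(pcap):
            raise ValueError(f"truncated record header before frame {number}")
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(
            endian + "IIII", pcap[offset:offset + 16])
        offset += 16
        frame = pcap[offset:offset + incl_len]
        if len(frame) != incl_len:
            raise ValueError(f"frame {number} truncated: want {incl_len} bytes, have {len(frame)}")
        offset += incl_len
        yield number, ts_sec + ts_frac / ticks_per_second, frame
        number += 1


def frames_containing(pcap: bytes, needle: bytes, ignore_case: bool = False) -> List[int]:
    """Equivalent of Wireshark's  frame contains "<needle>" : a raw byte search over the
    whole frame, headers and payload alike, with no protocol parsing at all.
    Wireshark's `contains` is case-sensitive; ignore_case=True mimics
    frame matches "(?i)<needle>"  instead."""
    if ignore_case:
        needle = needle.lower()
    hits = []
    for number, _ts, frame in iter_frames(pcap):
        haystack = frame.lower() if ignore_case else frame
        if needle in haystack:
            hits.append(number)
    return hits


def is_well_formed(pcap: bytes) -> bool:
    """True when every record parses. A capture cut off mid-frame fails here instead
    of silently losing its last packet."""
    try:
        for _ in iter_frames(pcap):
            pass
        return True
    except ValueError:
        return False


def build_pcap(frames: List[bytes], linktype: int = 1) -> bytes:
    """Write a minimal little-endian, microsecond-resolution pcap. Used only to
    construct the offline sample below; a real capture would come from the wiretap."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    records = b"".join(
        struct.pack("<IIII", 1_680_000_000 + i, 0, len(f), len(f)) + f
        for i, f in enumerate(frames))
    return header + records


# Constructed sample frames (not packets from the operation's capture): zero bytes
# stand in for the link/IP/transport headers, followed by the kind of cleartext a
# DNS query, an HTTP request or a TLS ClientHello SNI would carry.
SAMPLE_FRAMES = [
    b"\x00" * 42 + b"\x03www\x07dropbox\x03com\x00",                         # DNS-style labels
    b"\x00" * 54 + b"GET /index.html HTTP/1.1\r\nHost: example.org\r\n\r\n",  # unrelated
    b"\x00" * 54 + b"GET /s/abc HTTP/1.1\r\nHost: DROPBOX.COM\r\n\r\n",      # upper case only
    b"\x00" * 54 + b"\x16\x03\x01" + b"\x00" * 14 + b"dl.dropboxusercontent.com",
]
SAMPLE_PCAP = build_pcap(SAMPLE_FRAMES)

if __name__ == "__main__":
    print("frame contains 'dropbox'       ->", frames_containing(SAMPLE_PCAP, b"dropbox"))
    print("frame matches '(?i)dropbox'    ->", frames_containing(SAMPLE_PCAP, b"dropbox", True))
    print("truncated capture well-formed? ->", is_well_formed(SAMPLE_PCAP[:-3]))
```

Run against the sample, the case-sensitive search reports frames 1 and 4 and misses the upper-case Host header in frame 3, which is exactly the difference between `contains` and `matches "(?i)..."` in Wireshark. The point of the format check is that a wiretap split into several files may well end mid-record; failing loudly on a truncated frame is preferable to quietly dropping it.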

DROPBOX CONTENTS

(Screenshot: the contents of the Dropbox share)

The invitation as found in the Dropbox share (ROT13-encoded: only the letters have been shifted, the punctuation has not)

#i'94:d}+(`:+)lXkiu>kj#@+$dd2i'R*(=_kguW+nhS2)N95i=T3:Ume=5=kj5T5(V<kiVN2n&85it82(qn2)#=kj=T5$d_3WdT5)k85)d;3n`N3>48*nuS+>'W+(q;+$d95ed_2i&8&n9=4>h_3np8$iu_+(U82(p8(>h?4>':kiuSkg+W2(#96$U8%(hW*n88|XgQkfkU|;|Qkih_kfgX~;cU{:d&2i&8*nuS+>'W+(q;+$d;+(q_+)k8*)"85i9=kh}@+)l95iuSkg9T5i'Qkiu>+>'W4WdX5ih_+$`T+:`_2i&R*)l_ki+9*n=Q2)#N+)|QkihS+edo+$d:+(VN+)+=ki=_kj5N3iU8*>&85i9=kjd=4>+=*o"84n'_5i=S+Wd>3ok83o'Wki'n+(q_{8@m'i9=ki}T3>+=4>'S*n&85n=Q3edU4>un2(#=kihSkiuU4iuW5j'S2)#qkj#Tki'p*n993>5=ki=<+(hXkihS+edX2ihW+$d:+)}_kjdW*(}_2(}=4Wd93(uS+WdT5)k83('R*>'W4Wp8'n&82ihn+$dQ2(q=+ed`4ed9kj+94>==5j<83n*82n'q3>u_+$dX4i'92n'W4Wd93>"84ihS+(U8+i=X*o'X4n=T3?|85it8+(qX5)l=kj#@*)"85i9=ki}T3>+=4>'S*n&82)|8*>u_2edN3>+T4>`95i=n+$d93>"8+(q?*(5N3>4Se8Nd4WdR+(`:+)lXkiu>kgh@+(`92)"Qkj5=ki9T4i&85i995edq3o&8*nhSkiNT2(p85)|8+>uWkj#@2)|8+)9;2)#N3>48+)+=3?"SkhdQ+(hX+$dR*)lPkj=T5)k8*nhQ+(q<*)lXkihS+edR*(R=kihW4>hS+n'R+(q_4Wd_3Wd95j#=3>"Skh5=kiVT3nQ8+>uW5nhW+ed_3WdX+('N3>486(u`ki=SkhN9+ol=*:gme<=>kj=T5$d@*)+=kihS6$dV5('X5i=T3?|83ok8*nuS*n'W3?|QkjdQ+(hX+$d<3WdS3o"82i'X2)#95i&85it8*nuS5ih;5ed`4Wpme<l=4o"84>'?*)l<4WUme=#@+$df3o'S*n=Q{c@m%np8*>'@*(V>kiu>kj#@+$dd2i'R*(=_kguW+nhS2)N95i=T38yy

After ROT13 decoding (the result is still full of punctuation, so it is clearly not yet Base64; a second layer over the whole printable ASCII range, i.e. ROT47, is the obvious next suspect)

#v'94:q}+(`:+)yKxvh>xw#@+$qq2v'E*(=_xthJ+auF2)A95v=G3:Hzr=5=xw5G5(I<xvIA2a&85vg82(da2)#=xw=G5$q_3JqG5)x85)q;3a`A3>48*ahF+>'J+(d;+$q95rq_2v&8&a9=4>u_3ac8$vh_+(H82(c8(>u?4>':xvhFxt+J2(#96$H8%(uJ*a88|KtDxsxH|;|Dxvu_xstK~;pH{:q&2v&8*ahF+>'J+(d;+$q;+(d_+)x8*)"85v9=xu}@+)y95vhFxt9G5v'Dxvh>+>'J4JqK5vu_+$`G+:`_2v&E*)y_xv+9*a=D2)#A+)|DxvuF+rqb+$q:+(IA+)+=xv=_xw5A3vH8*>&85v9=xwq=4>+=*b"84a'_5v=F+Jq>3bx83b'Jxv'a+(d_{8@z'v9=xv}G3>+=4>'F*a&85a=D3rqH4>ha2(#=xvuFxvhH4vhJ5w'F2)#dxw#Gxv'c*a993>5=xv=<+(uKxvuF+rqK2vuJ+$q:+)}_xwqJ*(}_2(}=4Jq93(hF+JqG5)x83('E*>'J4Jc8'a&82vua+$qD2(d=+rq`4rq9xw+94>==5w<83a*82a'd3>h_+$qK4v'92a'J4Jq93>"84vuF+(H8+v=K*b'K4a=G3?|85vg8+(dK5)y=xw#@*)"85v9=xv}G3>+=4>'F*a&82)|8*>h_2rqA3>+G4>`95v=a+$q93>"8+(d?*(5A3>4Fr8Aq4JqE+(`:+)yKxvh>xtu@+(`92)"Dxw5=xv9G4v&85v995rqd3b&8*auFxvAG2(c85)|8+>hJxw#@2)|8+)9;2)#A3>48+)+=3?"FxuqD+(uK+$qE*)yCxw=G5)x8*auD+(d<*)yKxvuF+rqE*(E=xvuJ4>uF+a'E+(d_4Jq_3Jq95w#=3>"Fxu5=xvIG3aD8+>hJ5auJ+rq_3JqK+('A3>486(h`xv=FxuA9+by=*:tzr<=>xw=G5$q@*)+=xvuF6$qI5('K5v=G3?|83bx8*ahF*a'J3?|DxwqD+(uK+$q<3JqF3b"82v'K2)#95v&85vg8*ahF5vu;5rq`4Jczr<y=4b"84>'?*)y<4JHzr=#@+$qs3b'F*a=D{p@z%ac8*>'@*(I>xvh>xw#@+$qq2v'E*(=_xthJ+auF2)A95v=G38ll

After ROT47 decoding: Base64


Base64 decoded to human-readable text

Dear Members of the Ahemait Organization,

We would like to invite you to our upcoming conference at the Sheraton Hotel in Zagreb on Friday, March 31, 2023, at 13:00. The conference center at the Sheraton Hotel offers state-of-the-art facilities, and we believe it will be the perfect setting for our event.

The conference will provide an opportunity to exchange ideas and share best practices among our members. We have lined up a variety of keynote speakers and panel discussions to ensure that the conference is both informative and engaging.

As members of Ahemait, we hope that you can join us for this exciting event. Please mark your calendars and make arrangements to attend. We look forward to seeing you in Zagreb!

If you have any questions or concerns, please do not hesitate to contact us.

Best regards,

The Council,

On behalf of the Ahemait Organization

ANSWER: sheraton-hotel-zagreb-31-03-2023-1300
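The three decoding steps above can be scripted so the whole blob is unwrapped in one go and the layer order is checked along the way. The following is an added example and not code from the original writeup; it embeds only the first eight characters of the ROT13 blob shown above as a known-answer check, and the encoder, the Base64 sanity check and all helper names are my own additions.

```python
import base64
import binascii
import codecs
import re

# First 8 characters of the ROT13-encoded blob from the Dropbox share above
# (the full string is not repeated here).
INVITATION_PREFIX = "#i'94:d}"

# The operation's answer, used below only as sample plaintext for a round trip.
ANSWER = "sheraton-hotel-zagreb-31-03-2023-1300"

_B64_ALPHABET = re.compile(r"^[A-Za-z0-9+/]*={0,2}$")


def rot13(text: str) -> str:
    """Shift ASCII letters by 13 places; every other character is left alone."""
    return codecs.decode(text, "rot_13")


def rot47(text: str) -> str:
    """Shift every printable ASCII character (0x21..0x7e) by 47 within that range."""
    out = []
    for ch in text:
        code = ord(ch)
        if 33 <= code <= 126:
            out.append(chr(33 + (code - 33 + 47) % 94))
        else:
            out.append(ch)
    return "".join(out)


def looks_like_base64(text: str) -> bool:
    """Cheap check on the intermediate result: Base64 uses only A-Z a-z 0-9 + /,
    at most two '=' of padding, and a length that is a multiple of 4."""
    return len(text) % 4 == 0 and bool(_B64_ALPHABET.match(text))


def decode_invitation(blob: str) -> str:
    """Undo the layers in the order the writeup used: ROT13, then ROT47, then Base64.

    ROT13 and ROT47 are their own inverses, so the same functions encode and decode.
    The order matters: ROT13 touches only letters while ROT47 touches all printable
    ASCII, so applying ROT47 first would not give back the Base64 text.
    """
    after_rot13 = rot13(blob)
    after_rot47 = rot47(after_rot13)
    if not looks_like_base64(after_rot47):
        raise ValueError("ROT47 output is not Base64: wrong layer order or wrong cipher")
    try:
        return base64.b64decode(after_rot47, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError(f"Base64 layer did not decode cleanly: {exc}") from exc


def encode_invitation(plaintext: str) -> str:
    """Forward direction (Base64, then ROT47, then ROT13), used to build test data."""
    b64 = base64.b64encode(plaintext.encode("utf-8")).decode("ascii")
    return rot13(rot47(b64))


if __name__ == "__main__":
    print(decode_invitation(INVITATION_PREFIX))   # Dear M
    wrapped = encode_invitation(ANSWER)
    print(wrapped)
    print(decode_invitation(wrapped))             # sheraton-hotel-zagreb-31-03-2023-1300
```

The `looks_like_base64` check is what tells you the layers were peeled in the right order: after ROT13 the text still contains `#`, `'`, `:` and `}`, which no Base64 string has, and after ROT47 it is pure Base64 alphabet. Feeding the whole blob from the share to `decode_invitation` yields the invitation letter reproduced above.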
