BSides 2015 SF and Asheville PCAP Writeup
As promised, the writeup for the 3 pcap challenges used during both BSides SF 2015 and BSides Asheville 2015.
The challenge started with a single pcap, albeit a large one at roughly 300MB. The pcap was full of general networking traffic and, specifically, lots of odd web traffic. Ultimately, the challenge consisted of 3 questions.
1) What was the malware operator's password?
This is where the challenge starts, and it is also the easiest question to solve. Simply open the capture file in Wireshark and use ctrl+f to search for the string 'Password=' until you find the C2 login prompt. It takes a few searches, but this will also quickly reveal the attacker's hostname as 'emergencyreset.com' and IP address as '104.130.131.113'. These indicators will be helpful in identifying the rest of the attacker traffic.
2) What was the contents of the flag.txt, a file which the malware operator stole from the victim?
After originally locating the attacker's C2 traffic, this challenge becomes much easier. We can filter the traffic down to the attacker's host and then begin to see how the RAT operates. There are a lot of calls to ajax.asp and a few to show.asp. Investigating any of these streams shows the attacker's server returning chunked, gzip-encoded data for the client to render. Wireshark uncompresses this for us in the bottom field. Further, it becomes apparent that the ajax.asp pages gather current victim information and the show.asp pages contain data pulled from the victim. Searching our show.asp pages quickly reveals a flag in the last one.
3) What was the image on the victim's desktop?
Finally, we must locate a screenshot of the victim's desktop that the attacker took. Searching for the word 'Desktop' reveals a screenshot being pulled in the 'show.asp?b_id=76' stream, but this stream is missing some key packets.
Lucky for us, the missing data is part of a gzip-encoded blob, so we can extract the corrupt gzip we do have and recover as much of it as possible. Doing this leaves us with an HTML page that has a partial image. Google Chrome will render the partial image, which is just enough to give us the flag.
There you have it, the solution to the unsolved pcap challenge of BSides 2015 SF and BSides 2015 Asheville. Until next time, keep your nose on the wire!
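The recovery step above (de-chunk the HTTP body, then inflate whatever part of the gzip stream survived) can be scripted rather than done by hand. This is an added example, not code from the original writeup; the show.asp-style page and its "missing packets" are constructed inline, and it recovers the decoded prefix of the page instead of giving up when the stream is cut short.

```python
import base64
import gzip
import hashlib
import zlib

# Constructed show.asp-style body (HTML with an embedded image); not data from the challenge capture.
_IMG = base64.b64encode(b"".join(hashlib.sha256(bytes([i])).digest() for i in range(20)))
PAGE = b"<html><body><h1>Desktop</h1><img src='data:image/png;base64," + _IMG + b"'></body></html>"

def chunk_encode(body: bytes, size: int = 100) -> bytes:
    """HTTP/1.1 chunked transfer encoding, used only to build the sample."""
    chunks = [body[i:i + size] for i in range(0, len(body), size)]
    return b"".join(b"%x\r\n%s\r\n" % (len(c), c) for c in chunks) + b"0\r\n\r\n"

def dechunk(raw: bytes) -> bytes:
    """Reassemble a chunked body, keeping what exists if the stream is cut short."""
    out, pos = b"", 0
    while True:
        end = raw.find(b"\r\n", pos)
        if end < 0:
            break                       # chunk-size line missing: stream truncated
        try:
            length = int(raw[pos:end].split(b";")[0], 16)
        except ValueError:
            break                       # garbage where a chunk size should be
        if length == 0:
            break                       # terminating zero-length chunk
        out += raw[end + 2:end + 2 + length]   # a short final chunk is fine
        pos = end + 2 + length + 2
    return out

def partial_gunzip(data: bytes, step: int = 16) -> bytes:
    """Inflate a gzip stream, keeping every byte decoded before it runs out or breaks."""
    inflater = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)   # expect a gzip header
    out = b""
    for i in range(0, len(data), step):      # feed small pieces so a mid-stream error
        try:                                 # does not discard the good output before it
            out += inflater.decompress(data[i:i + step])
        except zlib.error:
            break                       # corrupt region reached; keep what we have
    return out

def recover_page(http_body: bytes) -> bytes:
    """Chunked + gzip response body (possibly missing packets) -> recoverable HTML."""
    return partial_gunzip(dechunk(http_body))

def build_damaged_sample() -> bytes:
    """Constructed capture: the server's body with its second half never captured."""
    full = chunk_encode(gzip.compress(PAGE))
    return full[: len(full) // 2]
```

Write the bytes returned by recover_page to a .html file and open it in a browser to see the partial image, exactly as described above.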