FCSC 2022 - À l'ancienne

Category: Forensics

Difficulty: ⭐


À l’ancienne

Statement

You must recover and analyze the data exchanged in this capture. We would rather warn you before you panic: you will need to relax and decompress to do this calmly.

SHA256(cap) = 27117fc9487e8ca1a54f7d6a55f39b3223153451a8df41bb02488c2a99dbf059.


Solve

└─$ file cap
cap: Sniffer capture file - version 4.0 (Ethernet)

We open the file in Wireshark and quickly browse through it.

There are practically only DNS requests, so the objective is to recover the data carried in those requests.

FYI:

DNS query format: data.data.domain

Here the data is base64-encoded, and some characters have been substituted.

For base64: * = +

For parsing: -. = . (the label separator)

With a Python script we can concatenate all the base64 strings, decode them and write the result to a file.

First draft of the script:

import pyshark

last_qry = ""
data = ""

with pyshark.FileCapture('./cap', display_filter='dns') as packets:
    packets.load_packets()

    for pkt in packets:
        # parsing: undo the '*' -> '+' substitution and drop the '-.' separators
        qry = pkt.dns.qry_name
        qry = qry.replace("*", "+").strip().split("-.")
        qry = ''.join(qry)

        # each query is seen twice (question and answer): keep it once
        if last_qry != qry:
            data += qry

        last_qry = qry

print(data)

We feed the base64 to CyberChef and recover a file.

$ file passwd
passwd: gzip compressed data, was "passwd", last modified: Thu Mar 17 12:45:11 2022, from Unix, original size modulo 2^32 3365188005

$ mv passwd passwd.gz

$ gunzip -d passwd.gz

gzip: passwd.gz: invalid compressed data--crc error

gzip: passwd.gz: invalid compressed data--length error

I first check whether the header is slightly damaged.

Normal gzip header: 1f 8b 08 08

xxd -l 18 files/passwd.gz
00000000: 1f8b 0808 572d 3362 0003 7061 7373 7764  ....W-3b..passwd
00000010: 0095                                     ..

No anomaly. Taking a closer look at the base64 and the requests, we see that several files are exchanged.

Second draft of the script:

import os
import pyshark
from base64 import b64decode

last_qry = ""
data = {}

with pyshark.FileCapture('./cap', display_filter='dns') as packets:
    packets.load_packets()

    for pkt in packets:
        # parsing: undo the '*' -> '+' substitution, split on the '-.' separators
        qry = pkt.dns.qry_name
        qry = qry.replace("*", "+").strip().split("-.")

        # the last label is the base64-encoded file name, the other labels are file data
        filename = qry[-1]
        qry = ''.join(qry[:-1]).strip()

        # each query is seen twice (question and answer): keep it once
        if last_qry != qry:
            if filename not in data:
                data[filename] = qry
            else:
                data[filename] += qry

        last_qry = qry

# one output file per exchanged file name
os.makedirs('files', exist_ok=True)
for key, value in data.items():
    with open(f'files/{b64decode(key).decode()}.gz', 'wb') as f:
        f.write(b64decode(value))

Turn the recovered file into a .doc by renaming it.
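As an added example (not the author's script, and without pyshark), the same parsing and reassembly logic run over constructed query names: the label length, the dropped '=' padding, the file names and their contents are all assumptions made for the sample, and the flag value is a placeholder.

```python
import base64
import gzip

LABEL_LEN = 30  # chunk size per DNS label; an assumption for the constructed sample

def decode_b64(s):
    """Decode base64 whose '=' padding was dropped to fit in DNS labels (assumed)."""
    return base64.b64decode(s + '=' * (-len(s) % 4))

def split_query(qname):
    """Apply the format above: '*' -> '+', labels joined by '-.', last label = file name."""
    labels = qname.strip().rstrip('.').replace('*', '+').split('-.')
    return ''.join(labels[:-1]), labels[-1]

def reassemble(qnames):
    """Group chunks per file name, skipping a query repeated back-to-back
    (the DNS answer echoes the question), and return {name: raw bytes}."""
    chunks, last = {}, None
    for q in qnames:
        parsed = split_query(q)
        if parsed == last:
            continue
        last = parsed
        chunk, fname_b64 = parsed
        chunks.setdefault(fname_b64, []).append(chunk)
    return {decode_b64(k).decode(): decode_b64(''.join(v)) for k, v in chunks.items()}

def encode_file(name, content):
    """Constructed sample only: the query names a sender would emit for one file."""
    b64 = base64.b64encode(gzip.compress(content, mtime=0)).decode()
    b64 = b64.replace('+', '*').rstrip('=')
    fname = base64.b64encode(name.encode()).decode().replace('+', '*').rstrip('=')
    return [b64[i:i + LABEL_LEN] + '-.' + fname for i in range(0, len(b64), LABEL_LEN)]

def sample_queries():
    """Interleave two files' chunks and repeat each query (question + answer)."""
    a = encode_file('passwd', b'root:x:0:0:root:/root:/bin/bash\n')
    b = encode_file('secret.doc', b'FCSC{constructed-placeholder-flag}\n')
    mixed = [q for pair in zip(a, b) for q in pair] + a[len(b):] + b[len(a):]
    return [q for q in mixed for _ in range(2)]

def recover():
    """Reassemble the sample stream and gunzip each recovered file."""
    return {n: gzip.decompress(raw) for n, raw in reassemble(sample_queries()).items()}
```

Because chunks are keyed by the file-name label rather than appended to one stream, the interleaved files come out intact, which is exactly what the first draft missed.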

Flag : FCSC{18e955473d2e12feea922df7e1f578d27ffe977e7fa5b6f066f7f145e2543a92}