HacktivityCon CTF

CTF Writeup - https://ctftime.org/event/1101

2 August 2020

Incredibly Covert Malware Procedures

by vishalananth

We got hacked! Can you see what they took?

Solution

We open the given pcap in Wireshark and see a long run of ICMP echo requests and replies. The payloads of the first packets contain 89 50 4e 47 0d 0a 1a 0a, the PNG file signature, so an image is being carried out of the network inside ping packets (a classic ICMP exfiltration channel). File -> Export Objects finds nothing, because Wireshark only carves files out of protocols it understands as file transfers (HTTP, SMB, TFTP and so on), not out of raw ICMP data, so we have to pull the bytes out of the dump ourselves.

The packet bytes can be exported with File -> Export Packet Dissections -> As Plain Text (with "Packet Bytes" enabled in the export dialog). After stripping everything but the hex dump lines with a regex, we are left with this:

0000  95 14 00 00 00 00 00 00 89 50 4e 47 0d 0a 1a 0a   .........PNG....
0010  00 00 00 0d 49 48 44 52 89 50 4e 47 0d 0a 1a 0a   ....IHDR.PNG....
0020  00 00 00 0d 49 48 44 52 89 50 4e 47 0d 0a 1a 0a   ....IHDR.PNG....
0000  95 14 00 00 00 00 00 00 89 50 4e 47 0d 0a 1a 0a   .........PNG....
0010  00 00 00 0d 49 48 44 52 89 50 4e 47 0d 0a 1a 0a   ....IHDR.PNG....
0020  00 00 00 0d 49 48 44 52 89 50 4e 47 0d 0a 1a 0a   ....IHDR.PNG....
0000  82 a8 01 00 00 00 00 00 00 00 03 6c 00 00 00 5d   ...........l...]
0010  08 06 00 00 00 d9 a2 e5 00 00 03 6c 00 00 00 5d   ...........l...]
0020  08 06 00 00 00 d9 a2 e5 00 00 03 6c 00 00 00 5d   ...........l...]
0000  82 a8 01 00 00 00 00 00 00 00 03 6c 00 00 00 5d   ...........l...]
0010  08 06 00 00 00 d9 a2 e5 00 00 03 6c 00 00 00 5d   ...........l...]
0020  08 06 00 00 00 d9 a2 e5 00 00 03 6c 00 00 00 5d   ...........l...]
0000  e6 c5 01 00 00 00 00 00 c4 00 00 01 85 69 43 43   .............iCC
0010  50 49 43 43 20 70 72 6f c4 00 00 01 85 69 43 43   PICC pro.....iCC
0020  50 49 43 43 20 70 72 6f c4 00 00 01 85 69 43 43   PICC pro.....iCC
0000  e6 c5 01 00 00 00 00 00 c4 00 00 01 85 69 43 43   .............iCC
0010  50 49 43 43 20 70 72 6f c4 00 00 01 85 69 43 43   PICC pro.....iCC
0020  50 49 43 43 20 70 72 6f c4 00 00 01 85 69 43 43   PICC pro.....iCC
.....
......

Two kinds of repetition are visible. First, every 48-byte payload is printed twice, because each echo request is immediately followed by the echo reply that sends the same payload back. Second, within a payload only 16 bytes are new: the first 8 bytes are a per-packet header that increases from packet to packet (95 14 00 00 ..., 82 a8 01 00 ..., e6 c5 01 00 ..., most likely a counter or timestamp), and the 16 data bytes that follow are simply repeated to fill the rest of the payload. So from each request we need bytes 8-15 of the first line and bytes 0-7 of the second line, and we skip the reply entirely. The following Python script does exactly that:

import binascii

# hexdump.txt is the cleaned Export Packet Dissections output. Every packet
# occupies three lines (offsets 0000, 0010, 0020), and every echo request is
# immediately followed by its echo reply with the same payload, so each unique
# payload spans six lines. Of the 48 payload bytes only 16 are new data: bytes
# 8-15 of the first line (after the 8-byte header) and bytes 0-7 of the second;
# the rest of the payload repeats them.
with open('hexdump.txt', 'r') as f, open('flag.png', 'wb') as out:
    lines = f.readlines()
    for i in range(0, len(lines) - 1, 6):   # one request+reply pair per step
        first = lines[i].split()            # ['0000', 16 hex bytes..., ASCII column...]
        second = lines[i + 1].split()       # ['0010', 16 hex bytes..., ASCII column...]
        chunk = ''.join(first[9:17] + second[1:9])
        out.write(binascii.unhexlify(chunk))

Running it produces a valid PNG. The output now starts with the signature followed by the IHDR chunk, whose fields decode to an 876 x 93 pixel (0x36c x 0x5d) image with bit depth 8 and colour type 6 (RGBA):

python3 solve.py
xxd flag.png
00000000: 8950 4e47 0d0a 1a0a 0000 000d 4948 4452  .PNG........IHDR
00000010: 0000 036c 0000 005d 0806 0000 00d9 a2e5  ...l...]........
00000020: c400 0001 8569 4343 5049 4343 2070 726f  .....iCCPICC pro
00000030: 6669 6c65 0000 2891 7d91 3d48 c340 1cc5  file..(.}.=H.@..
00000040: 5f5b b522 9582 7690 e290 a13a 5914 1571  _[."..v....:Y..q
00000050: d42a 14a1 42a8 155a 7530 b9f4 4368 d290  .*..B..Zu0..Ch..
.......
.......
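The same reconstruction can be done straight from the capture, with no Wireshark export or regex cleanup, and with a check that the result is actually intact. The following is an added example written for this writeup, not the author's solve script: it parses a classic pcap with the standard library only (the iter_pcap_records, icmp_echo_payloads, reassemble and trim_png names are my own), keeps only echo requests so that replies are not counted twice, skips the 8-byte header and takes 16 data bytes per packet (HEADER_LEN and CHUNK_LEN, values inferred from the dump above and assumed here), and then walks the PNG chunk list verifying each CRC until IEND, which both strips the padding of the final packet and proves that no packet was lost or reordered. The capture it runs on is constructed inline from a 1x1 PNG to mimic the challenge traffic; it is not the challenge pcap.

```python
import struct
import zlib

PNG_SIG = b'\x89PNG\r\n\x1a\n'
HEADER_LEN = 8   # per-packet counter/timestamp in front of the file data (assumed from the dump)
CHUNK_LEN = 16   # new file bytes per packet; the rest of the 48-byte payload just repeats them


def iter_pcap_records(data):
    """Yield link-layer frames from a classic libpcap (not pcapng) capture held in memory."""
    endian = {0xa1b2c3d4: '<', 0xd4c3b2a1: '>'}.get(struct.unpack_from('<I', data, 0)[0])
    if endian is None:
        raise ValueError('not a classic pcap file')
    if struct.unpack_from(endian + 'I', data, 20)[0] != 1:
        raise ValueError('only LINKTYPE_ETHERNET captures are handled here')
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(endian + 'IIII', data, off)[2]   # ts_sec, ts_usec, incl_len, orig_len
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len


def icmp_echo_payloads(data):
    """Yield (type, ident, seq, payload) for every ICMPv4 echo request (8) or reply (0)."""
    for frame in iter_pcap_records(data):
        if len(frame) < 34 or frame[12:14] != b'\x08\x00':   # EtherType IPv4 only
            continue
        ip = frame[14:]
        if ip[9] != 1:                                        # IP protocol 1 = ICMP
            continue
        icmp = ip[(ip[0] & 0x0f) * 4:struct.unpack_from('!H', ip, 2)[0]]   # IHL .. total length
        if len(icmp) >= 8 and icmp[0] in (0, 8):
            ident, seq = struct.unpack_from('!HH', icmp, 4)
            yield icmp[0], ident, seq, icmp[8:]


def reassemble(data, header_len=HEADER_LEN, chunk_len=CHUNK_LEN):
    """Concatenate the fresh bytes of each echo request in capture order. Replies are
    dropped (they only echo the request) and a retransmitted (ident, seq) is ignored."""
    chunks = {}
    for icmp_type, ident, seq, payload in icmp_echo_payloads(data):
        if icmp_type == 8 and (ident, seq) not in chunks:
            chunks[(ident, seq)] = payload[header_len:header_len + chunk_len]
    return b''.join(chunks.values())


def trim_png(blob):
    """Walk the chunk list, verify every CRC and return the bytes up to and including IEND.
    This strips the padding of the last packet and proves no chunk was lost or reordered."""
    if not blob.startswith(PNG_SIG):
        raise ValueError('missing PNG signature')
    off = len(PNG_SIG)
    while True:
        if off + 8 > len(blob):
            raise ValueError('truncated chunk header (missing packets?)')
        length, ctype = struct.unpack_from('!I4s', blob, off)
        end = off + 8 + length + 4                            # length, type, data, CRC
        if end > len(blob):
            raise ValueError('truncated %r chunk' % ctype)
        if zlib.crc32(blob[off + 4:end - 4]) & 0xffffffff != struct.unpack_from('!I', blob, end - 4)[0]:
            raise ValueError('CRC mismatch in %r chunk' % ctype)
        off = end
        if ctype == b'IEND':
            return blob[:off]


# Constructed sample data below: a tiny PNG and a capture that carries it the way the challenge did.
def png_chunk(ctype, body):
    return struct.pack('!I', len(body)) + ctype + body + struct.pack('!I', zlib.crc32(ctype + body) & 0xffffffff)


def make_sample_png():
    """A valid 1x1 8-bit RGBA PNG: signature, IHDR, one IDAT, IEND."""
    ihdr = struct.pack('!IIBBBBB', 1, 1, 8, 6, 0, 0, 0)
    idat = zlib.compress(b'\x00\xff\x00\x00\xff')            # filter byte 0 + one opaque red pixel
    return PNG_SIG + png_chunk(b'IHDR', ihdr) + png_chunk(b'IDAT', idat) + png_chunk(b'IEND', b'')


def build_sample_pcap(png):
    """Each 16-byte slice of the file goes out in an echo request whose 48-byte payload is
    <8-byte counter><slice repeated to 40 bytes>, and the peer echoes it back in a reply.
    IP/ICMP checksums are left 0; the parser above does not verify them."""
    eth = b'\x02' * 6 + b'\x04' * 6 + b'\x08\x00'              # dst MAC, src MAC, EtherType IPv4
    records = []
    for n, i in enumerate(range(0, len(png), CHUNK_LEN)):
        piece = png[i:i + CHUNK_LEN].ljust(CHUNK_LEN, b'\x00')
        body = struct.pack('<Q', 1000 + 40 * n) + (piece * 3)[:40]
        for icmp_type in (8, 0):                                # request, then its reply
            icmp = struct.pack('!BBHHH', icmp_type, 0, 0, 0x1234, n) + body
            ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                             bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + icmp
            frame = eth + ip
            records.append(struct.pack('<IIII', 0, 0, len(frame), len(frame)) + frame)
    return struct.pack('<IHHiIII', 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1) + b''.join(records)


if __name__ == '__main__':
    png = make_sample_png()
    recovered = trim_png(reassemble(build_sample_pcap(png)))
    print('recovered %d bytes, identical to the original: %s' % (len(recovered), recovered == png))
```

For a real capture, pass `open('capture.pcap', 'rb').read()` to `reassemble` instead of the constructed sample (convert pcapng to classic pcap first, since only that container is parsed), and adjust HEADER_LEN and CHUNK_LEN if the exfil tool uses a different layout; `trim_png` raising on a CRC or truncation error is the signal that one of those assumptions is wrong rather than a reason to keep the partial file. If you only want the extraction half, Wireshark's own tooling can replace the regex cleanup: `tshark -r capture.pcap -Y 'icmp.type == 8' -T fields -e data.data` prints whatever part of each request payload Wireshark dissects as Data, one hex string per line (check whether the 8-byte header is included, since Wireshark may dissect it separately).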

Opening the file gives us the flag:

[image: the reconstructed flag.png, showing the flag]

Flag

flag{not_so_stealthy_exfil}
tags: Forensics