USCG IV: Forensics
Open, (room, author) : Forensics (category) : Certified (title) :
"One of our machines was recently hit with malware and appears to have opened a backdoor. We were able to get this PCAP from around the time when it was accessed but aren't sure what was exfiltrated from the network. Take a look and see if you can make sense of it! File: certified.pcapng (11.9kb)"
Solution: The RSA private key is needed to decrypt the TLS traffic. Lucky for us, that key was sent over HTTP by an exploit the attacker used. So copy the key, hyphens included, and save it as a text file with a ".pem" extension. Then apply it to the pcap by going to Edit > Preferences > TLS > RSA keys list > Edit > . When you follow the TLS stream again, the data will be decrypted.
Flag: SIVUSCG{c3rtif1abl3_h4ck3rs}
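Copying the leaked key out of the stream by hand is where most people lose a line or a hyphen, so here is an added helper (not part of the writeup) that scans the text of a followed HTTP stream, or the raw capture bytes if the key fit in one segment, for PEM private-key blocks, normalises CRLF, checks that the body is well-formed base64 whose DER starts with an ASN.1 SEQUENCE, and returns only the blocks Wireshark can actually load. The sample stream is constructed and its key body is a 12-byte dummy DER value, not a real key. One caveat the challenge glosses over: a server's RSA private key only decrypts sessions that used RSA key exchange; (EC)DHE ciphersuites and TLS 1.3 need the session secrets (for example an SSLKEYLOGFILE) instead.

```python
"""Find and sanity-check a leaked PEM private key in captured traffic.

Added example, not the writeup's own code. Input is the text of a followed
TCP/HTTP stream (or raw capture bytes when the key fit in one packet).
"""
import base64
import binascii
import re
from typing import List, Optional

# Constructed stand-in for the followed HTTP stream that carried the key.
# First block: a dummy 12-byte DER SEQUENCE (not a real key). Second block:
# a truncated copy, the kind of paste error this check is meant to catch.
SAMPLE_STREAM = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
    b"-----BEGIN RSA PRIVATE KEY-----\r\n"
    b"MAoCCAECAwQFBgcI\r\n"
    b"-----END RSA PRIVATE KEY-----\r\n"
    b"\r\n"
    b"-----BEGIN PRIVATE KEY-----\r\n"
    b"MAoCCAECAwQFBgc\r\n"
    b"-----END PRIVATE KEY-----\r\n"
)

# Whole block, hyphens included, for PKCS#1 (RSA/EC) and PKCS#8 labels.
PEM_RE = re.compile(
    rb"-----BEGIN (?P<label>(?:RSA |EC )?PRIVATE KEY)-----\r?\n"
    rb"(?P<body>(?:[A-Za-z0-9+/=]+\r?\n)+?)"
    rb"-----END (?P=label)-----"
)


def extract_pem_blocks(data: bytes) -> List[bytes]:
    """Every PEM private-key block in `data`, CRLF normalised to LF."""
    return [m.group(0).replace(b"\r\n", b"\n") + b"\n" for m in PEM_RE.finditer(data)]


def der_payload(pem: bytes) -> Optional[bytes]:
    """Decode the base64 body; None if the copy is truncated or corrupted."""
    body = b"".join(l for l in pem.splitlines() if not l.startswith(b"-----"))
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error:
        return None
    # PKCS#1 and PKCS#8 keys are DER SEQUENCEs, so the first byte is 0x30.
    return der if der[:1] == b"\x30" else None


def usable_keys(data: bytes) -> List[bytes]:
    """Only the blocks whose body decodes cleanly; save each as a .pem file."""
    return [pem for pem in extract_pem_blocks(data) if der_payload(pem) is not None]


def write_pem(pem: bytes, path: str) -> None:
    """Write one block to disk for the Edit > Preferences > TLS > RSA keys list."""
    with open(path, "wb") as fh:
        fh.write(pem)


if __name__ == "__main__":
    for i, pem in enumerate(usable_keys(SAMPLE_STREAM)):
        print(f"key {i}: {len(der_payload(pem))} DER bytes")
```

A key that passes `der_payload` is well-formed, not necessarily the right one; if the decrypted stream stays opaque after loading it, check which key exchange the ClientHello/ServerHello negotiated before assuming the copy is wrong.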
===
Open, r0m (room, author) : Web (category) : Timing is Everything (title) :
"Timing is everything.... File: timingiseverything.pcap (1.7kb)"
Solution: Find the relevant data hiding in the network traffic, extract it, clean it up, and decode it for the flag. As for the encoding, since the data is all numbers, it was likely to be .
Amid 30 rows of ICMP echo requests, the only column that changes is "Time". But what matters here is the time between requests, which is kept in the Wireshark field called "Time delta from previous captured frame", aka "frame.time_delta".
tshark -r timingiseverything.pcap -T fields -e frame.time_delta | awk -F. '{print $2}' | grep -o '^...' | tr "\n" " "
To export those 30 fields, I use , awk (treats strings as fields separated by spaces; set period as a delimiter and print the 2nd column), (match only the first 3 characters in a string), and tr (replace all new lines with one space).
How to get the "Field Name", you ask? Go to the bottom pane of Wireshark, where the packet summary is, right-click the field you want, choose "Copy", then "Field Name". Finally, put the numbers in CyberChef using the "Decimal" recipe for the flag.
NOTE: CyberChef couldn't automatically detect the encoding when all the numbers are 3-digit. But other decoders can.
Flag: SIVUSCG{T1m1n9_15_3v3ryth1n9}
===
Beginner's, N/A (room, author) : Forensics (category) : The Email Where It Happens (title) :
"Howdy Truth Seekers! It seems that some malware that was strategically shared has begun to phone back home! We believe that this might have some very important information that could help lead us to finally getting to the bottom of this conspiracy regarding extraterrestrial life. Unfortunately the original developer of this tool was recently promoted to customer status and is no longer on good terms with the organization. This means that we don't have any information on how to decode this traffic. Unfortunately all I have is a PCAP. Can you help us out here? File: intercepted_communication.pcap (3.8kb)"
Solution: Twenty-seven lines of encoded text are hidden in network traffic across multiple packets. Put 'em together and decode for the flag.
Much of the work here is cleaning up the text first, before submitting it to a decoder.
tshark -r intercepted_communication.pcap -T fields -e dns.qry.name | awk -F\. '{print $1}' | tr -d "\n" | base32 -d
I used , awk (treats strings as fields separated by spaces; set period as a delimiter and print the first column), and tr (delete new lines) commands.
Alternative: .
Flag: SIVBGR{wh0_n33ds_32_b4s3s}
===
Beginner's, N/A (room, author) : Forensics (category) : I Want to Believe (title) :
"We've received a GIFt from what appears to be a signal coming from extraterrestrial life! Although, it appears they've used steganography to hide it inside of this .gif file. All we know is that it's in the form of a text file named 'iwanttobelieve.txt'. Can you recover it? File: gift.gif (3.2MB)"
Solution: The last frame of a 10-frame gif is half-covered by a black background, but this anomaly is a red herring. There's no real way to solve this without the that created it: "gifT" aka "GIF Analysis Steganography Library/Tool" by dtmsecurity. After days of research, I found it thanks to this Sept 2023 , which is also by dtmsecurity.
python3 gift-cli.py --source ~/Downloads/beginners/gift.gif recover iwanttobelieve.txt
Flag: SIVBGR{y0ur_g1ft_1s_h3r3}
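The Timing is Everything pipeline above (fractional part of frame.time_delta, first three digits, read as decimal ASCII) is easy to reproduce in a few lines, and the same view of the data gives a defender a detector: a burst of pings whose inter-packet gaps all decode to printable characters does not happen by accident. The code below is an added example, not the writeup's own; both tshark outputs it parses are constructed, and the message they carry is invented.

```python
"""Decode and detect an ICMP inter-packet timing covert channel.

Added example, not from the writeup. Mirrors the awk -F. / grep -o '^...'
pipeline over `tshark -T fields -e frame.time_delta` output.
"""
from typing import List

# Constructed tshark output for a covert burst: each delta's first three
# fractional digits are a decimal ASCII code. Frame 1 has no predecessor,
# so its delta is always 0 and carries nothing.
SAMPLE_COVERT = """0.000000000
0.084213007
0.073998120
0.077104552
0.073320901
0.078017738
0.071560094
0.045880261
0.067402113
0.072091877
0.065730506
0.078112390
0.078651048
0.069007215
0.076349680
"""

# Constructed output for an ordinary once-per-second ping, for comparison.
SAMPLE_BENIGN = """0.000000000
1.000123456
1.000987654
0.999876543
1.001234567
1.000345678
0.999654321
1.000112233
1.000998877
"""


def time_delta_codes(tshark_output: str) -> List[int]:
    """The 3-digit code in each delta: the first three fractional digits."""
    codes = []
    for line in tshark_output.splitlines():
        line = line.strip()
        if not line:
            continue
        _secs, _, frac = line.partition(".")
        # Pad short fractions such as "0.07" so they still yield three digits.
        codes.append(int((frac + "000")[:3]))
    return codes


def decode_timing_channel(tshark_output: str) -> str:
    """Codes to text, skipping frame 1's meaningless zero delta."""
    return "".join(chr(c) for c in time_delta_codes(tshark_output)[1:])


def printable_ratio(codes: List[int]) -> float:
    """Fraction of codes inside printable ASCII (32..126)."""
    if not codes:
        return 0.0
    return sum(32 <= c <= 126 for c in codes) / len(codes)


def looks_like_timing_channel(tshark_output: str, min_frames: int = 8,
                              threshold: float = 0.9) -> bool:
    """Flag a burst when nearly every gap decodes to printable text.

    Genuine jitter spreads the digit triples over 000..999, so a ratio this
    high across many frames is unlikely by chance. Tune for your network.
    """
    codes = time_delta_codes(tshark_output)[1:]
    return len(codes) >= min_frames and printable_ratio(codes) >= threshold


if __name__ == "__main__":
    print(decode_timing_channel(SAMPLE_COVERT))
    print(looks_like_timing_channel(SAMPLE_COVERT), looks_like_timing_channel(SAMPLE_BENIGN))
```

Feeding `tshark -r timingiseverything.pcap -T fields -e frame.time_delta` into `decode_timing_channel` reproduces the CyberChef step; the padding in `time_delta_codes` is the one place this differs from `grep -o '^...'`, which would silently drop a line with fewer than three fractional digits.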
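For The Email Where It Happens, the dns.qry.name one-liner works on a clean challenge pcap but needs three adjustments on real traffic: tshark prints the same dns.qry.name for a query and its response, unrelated lookups are mixed in, and the '=' padding of base32 cannot travel inside a hostname, so it usually has to be restored before decoding. The added example below (not the writeup's code) does all three and adds a simple detector for parent domains that receive many base32-looking labels. The query list and the domain beacon.example are constructed; the message in the labels is invented.

```python
"""Reassemble and detect base32 DNS exfiltration from dns.qry.name output.

Added example, not from the writeup. Replaces `awk -F\\. '{print $1}' |
tr -d "\\n" | base32 -d` with a version that copes with real captures.
"""
import base64
import re
from collections import defaultdict
from typing import Dict, List

# Constructed `tshark -T fields -e dns.qry.name` output: each exfil query
# appears twice (query, then response) and normal lookups are interleaved.
SAMPLE_QUERIES = """www.example.com
obug63tf.beacon.example
obug63tf.beacon.example
mail.example.com
ebug63lf.beacon.example
ebug63lf.beacon.example
api.example.com
eeqg62y.beacon.example
eeqg62y.beacon.example
cdn.images.example.net
"""

BASE32_LABEL = re.compile(r"^[a-z2-7]+$")


def reassemble_labels(names: List[str], parent: str) -> str:
    """Join the first labels of queries under `parent`, in capture order."""
    chunks = []
    prev = None
    for name in names:
        name = name.strip().lower()
        if not name.endswith("." + parent):
            continue
        if name == prev:  # the response repeats the query's dns.qry.name
            continue
        prev = name
        chunks.append(name.split(".")[0])
    return "".join(chunks)


def b32decode_lenient(text: str) -> bytes:
    """base32-decode data whose '=' padding was stripped for DNS transport."""
    text = text.upper().rstrip("=")
    return base64.b32decode(text + "=" * (-len(text) % 8))


def decode_dns_exfil(tshark_output: str, parent: str) -> bytes:
    """The writeup's pipeline, restricted to one parent domain."""
    return b32decode_lenient(reassemble_labels(tshark_output.splitlines(), parent))


def suspicious_parents(tshark_output: str, min_len: int = 7,
                       min_labels: int = 3) -> Dict[str, int]:
    """Parent domains that received `min_labels` or more distinct first
    labels made only of base32 characters and at least `min_len` long."""
    seen = defaultdict(set)
    for name in tshark_output.splitlines():
        label, _, parent = name.strip().lower().partition(".")
        if parent and len(label) >= min_len and BASE32_LABEL.match(label):
            seen[parent].add(label)
    return {p: len(ls) for p, ls in seen.items() if len(ls) >= min_labels}


if __name__ == "__main__":
    print(suspicious_parents(SAMPLE_QUERIES))
    print(decode_dns_exfil(SAMPLE_QUERIES, "beacon.example"))
```

The consecutive-duplicate rule would also merge two identical data chunks sent back to back; when that matters, drop responses at the source instead with the display filter `-Y "dns.flags.response == 0"` and remove the `prev` check. The detector thresholds are deliberately low for the short sample and should be raised for production DNS logs, where seven-character lowercase hostnames are common.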