[Trend Micro 2016] [Misc 100 – PCAP] Write Up

Description

Category: Misc(iot and network)
Points: 100

Please analyze this pcap.
Download the file

Decrypt the downloaded file with the following commands (the archive contains an AES-256-CBC encrypted zip; the password is given with the challenge):

> unzip files21.zip
> openssl enc -d -aes-256-cbc -k gcCbBJN5pIHiL8JiJ8Xj -in files21.enc -out files21_ok.zip
> unzip files21_ok.zip

Resolution

The pcap contains a telnet session. Telnet carries everything in clear text, so we can follow the TCP stream and read a system administrator configuring a remote machine, including the credentials typed at the login prompt.

The administrator's login and password, recovered from the telnet stream, are:

Login : reds
Password : ynwa

We then see the admin installing IPsec ESP security associations on the remote machine. The text echoed in the session is in Linux `ip xfrm state` format: one block per SA, each with its SPI, the HMAC-SHA1 authentication key and the AES-CBC encryption key. There are four SAs, two per direction between 1.1.1.10 and 1.1.1.11:

src 1.1.1.11 dst 1.1.1.10
	proto esp spi 0xfab21777 reqid 16389 mode tunnel
	replay-window 32 flag 20
	auth hmac(sha1) 0x11cf27c5b3357a5fd5d26d253fffd5339a99b4d1
	enc cbc(aes) 0xfa19ff5565b1666d3dd16fcfda62820da44b2b51672a85fed155521bedb243ee
src 1.1.1.10 dst 1.1.1.11
	proto esp spi 0xbfd6dc1c reqid 16389 mode tunnel
	replay-window 32 flag 20
	auth hmac(sha1) 0x829b457814bd8856e51cce1d745619507ca1b257
	enc cbc(aes) 0x2a340c090abec9186c841017714a233fba6144b3cb20c898db4a30f02b0a003d
src 1.1.1.10 dst 1.1.1.11
	proto esp spi 0xeea1503c reqid 16389 mode tunnel
	replay-window 32 flag 20
	auth hmac(sha1) 0x951d2d93498d2e7479c28c1bcc203ace34d7fcde
	enc cbc(aes) 0x6ec6072dd25a6bcb7b9b3b516529acb641a1b356999f791eb971e57cc934a5eb
src 1.1.1.11 dst 1.1.1.10
	proto esp spi 0xd4d2074d reqid 16389 mode tunnel
	replay-window 32 flag 20
	auth hmac(sha1) 0x100a0b23fc006c867455506843cc96ad26026ec0
	enc cbc(aes) 0xdcfbc7d33d3c606de488c6efac4624ed50b550c88be0d62befb049992972cca6

This is good news, because the pcap also contains ESP packets between 1.1.1.10 and 1.1.1.11, and the keys leaked over telnet are everything needed to decrypt them.

So we decrypt the ESP packets in Wireshark: Edit > Preferences > Protocols > ESP, tick "Attempt to detect/decode encrypted ESP payloads", then add one entry per SA to the ESP SAs table: Protocol IPv4, the src and dst addresses, the SPI (as 0x-prefixed hex), encryption "AES-CBC [RFC3602]" with the enc key, authentication "HMAC-SHA-1-96 [RFC2404]" with the auth key. Wireshark picks AES-128/192/256 from the key length, so the 64-hex-digit keys here are used as AES-256. All four SAs must be entered, otherwise only one direction (or one of the two tunnels) is decrypted:
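Typing four SAs into the GUI dialog by hand is error-prone. The following shell script is an added example, not part of the original write-up: it turns the `ip xfrm state` text copied from the telnet session into Wireshark esp_sa records that can be appended to the esp_sa file of the active profile or passed to tshark with `-o uat:esp_sa:...`. It assumes the eight-field esp_sa record layout of Wireshark 2.x (newer releases may append sequence-number fields, so compare with a record saved from the GUI before relying on it) and that, as iproute2 prints it, the auth line precedes the enc line within each SA. The capture filename used in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example (not from the write-up): convert Linux `ip xfrm state` output,
# as copied from the telnet session, into Wireshark esp_sa UAT records.
# Assumptions: the 8-field esp_sa record layout of Wireshark 2.x, and that
# within each SA the "auth" line precedes the "enc" line (iproute2 order).

# The four SAs the admin configured, pasted from the telnet session.
XFRM_STATE='src 1.1.1.11 dst 1.1.1.10
    proto esp spi 0xfab21777 reqid 16389 mode tunnel
    replay-window 32 flag 20
    auth hmac(sha1) 0x11cf27c5b3357a5fd5d26d253fffd5339a99b4d1
    enc cbc(aes) 0xfa19ff5565b1666d3dd16fcfda62820da44b2b51672a85fed155521bedb243ee
src 1.1.1.10 dst 1.1.1.11
    proto esp spi 0xbfd6dc1c reqid 16389 mode tunnel
    replay-window 32 flag 20
    auth hmac(sha1) 0x829b457814bd8856e51cce1d745619507ca1b257
    enc cbc(aes) 0x2a340c090abec9186c841017714a233fba6144b3cb20c898db4a30f02b0a003d
src 1.1.1.10 dst 1.1.1.11
    proto esp spi 0xeea1503c reqid 16389 mode tunnel
    replay-window 32 flag 20
    auth hmac(sha1) 0x951d2d93498d2e7479c28c1bcc203ace34d7fcde
    enc cbc(aes) 0x6ec6072dd25a6bcb7b9b3b516529acb641a1b356999f791eb971e57cc934a5eb
src 1.1.1.11 dst 1.1.1.10
    proto esp spi 0xd4d2074d reqid 16389 mode tunnel
    replay-window 32 flag 20
    auth hmac(sha1) 0x100a0b23fc006c867455506843cc96ad26026ec0
    enc cbc(aes) 0xdcfbc7d33d3c606de488c6efac4624ed50b550c88be0d62befb049992972cca6'

# Read `ip xfrm state` text on stdin and print one esp_sa record per SA.
# Wireshark selects AES-128/192/256 from the key length, so the 64-hex-digit
# keys become AES-256-CBC. HMAC-SHA-1-96 is the 12-byte truncated ICV that
# Linux uses for hmac(sha1) by default.
xfrm_to_esp_sa() {
    awk '
    $1 == "src"                  { src = $2; dst = $4; spi = ""; akey = "" }
    $1 == "proto" && $2 == "esp" { spi = $4 }
    $1 == "auth"                 { akey = $3 }
    $1 == "enc" {
        ekey = $3
        # Sanity-check key lengths before handing them to Wireshark:
        # "0x" + 32/48/64 hex digits for AES, "0x" + 40 for HMAC-SHA1.
        elen = length(ekey) - 2; alen = length(akey) - 2
        if (elen != 32 && elen != 48 && elen != 64)
            printf "warning: spi %s: unexpected AES key length %d\n", spi, elen > "/dev/stderr"
        if (alen != 40)
            printf "warning: spi %s: unexpected HMAC-SHA1 key length %d\n", spi, alen > "/dev/stderr"
        printf "\"IPv4\",\"%s\",\"%s\",\"%s\",\"AES-CBC [RFC3602]\",\"%s\",\"HMAC-SHA-1-96 [RFC2404]\",\"%s\"\n",
               src, dst, spi, ekey, akey
    }'
}

# Usage: append the records to the esp_sa file of the active Wireshark profile
# (Help > About Wireshark > Folders shows the personal configuration path),
# or pass each record to tshark, e.g. (capture.pcap is a placeholder name):
#   tshark -r capture.pcap -o esp.enable_encryption_decode:TRUE \
#       -o 'uat:esp_sa:<record 1>' -o 'uat:esp_sa:<record 2>' ... -Y http
printf '%s\n' "$XFRM_STATE" | xfrm_to_esp_sa
```

The awk program keys each record on the `src` line and only emits it at the `enc` line, so an SA whose keys were truncated in the capture produces a warning on stderr rather than a silently wrong table entry.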

[screenshot: Trend-micro-2016-misc-100-esp]

Now the ESP payloads are shown in clear text in Wireshark: the tunnelled traffic is plain HTTP.

One of the HTTP requests fetches a file named "flag.png"; its response body is the flag. The image can be saved with File > Export Objects > HTTP.

[screenshot: Trend-micro-2016-misc-100-flag]

TMCTF{GO_FOR_THE_CL}
