[Defcamp Quals 2024] [FORENSiCS 50 – rerdp] Write Up

Description

Gr0uP has infiltrated your digital fortress and seized your deepest web secrets. Want proof? It’s right here.

Flag format: ctf{sha256sum}
Files: capture_output.pcap

Resolution

We open the capture file in Wireshark and see HTTP traffic.
Following the HTTP streams, we notice that 6 files are uploaded to a server with curl.
We extract them with Wireshark:
File > Export Objects > HTTP.

Looking at the filetypes for the 6 files, we have:

$ file *
%2f:                     pcap capture file, microsecond ts (little-endian) - version 2.4 (Ethernet, capture length 262144)
%2f(1):                  ASCII text
%2f(2):                  PDF document, version 1.3, 1 pages
%2f(3):                  PDF document, version 1.3, 1 pages
%2f(4):                  PDF document, version 1.3, 1 pages
%2f(5):                  PDF document, version 1.3, 1 pages

– The first file contains a pcap capture.
– The second contains 2 lines prefixed by `CLIENT_RANDOM`.
– The PDF files contain only sample text.

The `CLIENT_RANDOM` lines are an NSS key log: each one maps a TLS session's client random to its master secret, which is exactly what is needed to decrypt TLS (formerly SSL) traffic after the fact, without the server's private key.

We open the capture and decrypt the TLS traffic:

Edit > Preferences > Protocols > TLS
(Pre)-Master-Secret log filename: File containing the `CLIENT_RANDOM` lines.

The capture now displays RDP exchanges, which aligns with the challenge’s name.

We export the decrypted session into rerdp.pcap via File > Export PDUs to File…, choosing OSI Layer 7 as the export level.

To analyze the RDP session, we use pyrdp:

pipx install "pyrdp-mitm[full]"
pyrdp-convert -o output rerdp.pcap

We start by checking whether any keystrokes were recorded in the session:

$ pyrdp-player --headless output/20240920132022_192.168.109.42:45410-192.168.109.127:3389.pyrdp
[2024-09-29 15:33:45,619] - INFO - pyrdp - Starting PyRDP Player in headless mode.
== REPLAY FILE: output/20240920132022_192.168.109.42:45410-192.168.109.127:3389.pyrdp

--------------------
HOST: h

--------------------

--------------------
USERNAME: vboxuser
PASSWORD: changeme
DOMAIN: 

--------------------
<Resolution: 1920x1080>
[...]
<Click (Left) @ (570, 55)>shorturl.at/w
<Shift pressed>SH
<Shift released>kd
<Return pressed>
<Return released>
[...]
<Connection closed>
-- END --------------------------------

We reconstruct the URL https://shorturl.at/wSHkd and open it in a browser.

We are redirected to https://gist.githubusercontent.com/NitescuLucian/140502f727bc71ddcbdb80b256120a67/raw/b80528e970f4f2f62849f2f1c1705a7924fd41e8/flag.

This page then displays the flag.

The flag is ctf{1eaa9d65d69a92b75e6cbc68ea78e346ad0452b1a2931aba4a530ee1a3f04dad}.

2 thoughts on “[Defcamp Quals 2024] [FORENSiCS 50 – rerdp] Write Up”

  1. Thanks for your help. I have a question: after I put those lines into a file
    CLIENT_RANDOM 3a59c211663a5bffe1d7c216ec5fd10db830043423cc8384aa522baf55622c73 9bedb2b2685c2e6fb82a3e6a23fe7e9407d9a8bcf5417ee49b02b8cc6edb4316ec90fe37dcc0171378e8fd790ad9c307
    CLIENT_RANDOM e4dddc52093aaa44867506e88f778737dcae9da4e297093c678049ef80136b1f 2e080bdc8fdc85862b185b3ad0a24f050d6576a520eb154afa0dcaf286daa420230d4914d101916c3c44c33819cff420

    (the file name is keylog.log) and followed what you wrote:
    Edit > Preferences > Protocols > TLS
    (Pre)-Master-Secret log filename: File containing the `CLIENT_RANDOM` lines.
    there is no difference in the pcap file. I used rdp as a filter but there are no rdp packets at all.
    Can you help?

    1. Even when I tried this:
      We export the decoded Wireshark’s session into rerdp.pcap by selecting File > Export PDUs and selecting OSI Layer 7.
      I get an empty file.
