{"id":2669,"date":"2016-07-31T13:40:21","date_gmt":"2016-07-31T11:40:21","guid":{"rendered":"https:\/\/0x90r00t.com\/fr\/?p=2669"},"modified":"2016-07-31T13:41:29","modified_gmt":"2016-07-31T11:41:29","slug":"trend-micro-2016-misc-100-pcap-write-up","status":"publish","type":"post","link":"https:\/\/0x90r00t.com\/fr\/2016\/07\/31\/trend-micro-2016-misc-100-pcap-write-up\/","title":{"rendered":"[Trend Micro 2016] [Misc 100 – PCAP] Write Up"},"content":{"rendered":"

Description<\/h2>\n

Category: Misc(iot and network)
\nPoints: 100<\/p>\n

Please analyze this pcap.
\nDownload the file<\/a><\/p>\n

Decrypt the downloaded file by the following command.<\/p>\n

> unzip files21.zip
\n> openssl enc -d -aes-256-cbc -k gcCbBJN5pIHiL8JiJ8Xj -in files21.enc -out files21_ok.zip
\n> unzip files21_ok.zip<\/p><\/blockquote>\n

<\/p>\n

R\u00e9solution<\/h2>\n

La capture PCAP contient une session telnet.
\nEn observant cette session nous voyons qu’il s’agit d’un administrateur syst\u00e8me qui configure des services sur une machine distante.<\/p>\n

Les identifiants et mot de passes de l’administrateur sont :<\/p>\n

\r\nIdentifiant : reds\r\nMot de passe : ynwa\r\n<\/pre>\n
Nous remarquons \u00e9galement que l’administrateur syst\u00e8me configure le protocole ESP<\/a> de la machine :<\/p>\n
\r\nsrc 1.1.1.11 dst 1.1.1.10\r\n\tproto esp spi 0xfab21777 reqid 16389 mode tunnel\r\n\treplay-window 32 flag 20\r\n\tauth hmac(sha1) 0x11cf27c5b3357a5fd5d26d253fffd5339a99b4d1\r\n\tenc cbc(aes) 0xfa19ff5565b1666d3dd16fcfda62820da44b2b51672a85fed155521bedb243ee\r\nsrc 1.1.1.10 dst 1.1.1.11\r\n\tproto esp spi 0xbfd6dc1c reqid 16389 mode tunnel\r\n\treplay-window 32 flag 20\r\n\tauth hmac(sha1) 0x829b457814bd8856e51cce1d745619507ca1b257\r\n\tenc cbc(aes) 0x2a340c090abec9186c841017714a233fba6144b3cb20c898db4a30f02b0a003d\r\nsrc 1.1.1.10 dst 1.1.1.11\r\n\tproto esp spi 0xeea1503c reqid 16389 mode tunnel\r\n\treplay-window 32 flag 20\r\n\tauth hmac(sha1) 0x951d2d93498d2e7479c28c1bcc203ace34d7fcde\r\n\tenc cbc(aes) 0x6ec6072dd25a6bcb7b9b3b516529acb641a1b356999f791eb971e57cc934a5eb\r\nsrc 1.1.1.11 dst 1.1.1.10\r\n\tproto esp spi 0xd4d2074d reqid 16389 mode tunnel\r\n\treplay-window 32 flag 20\r\n\tauth hmac(sha1) 0x100a0b23fc006c867455506843cc96ad26026ec0\r\n\tenc cbc(aes) 0xdcfbc7d33d3c606de488c6efac4624ed50b550c88be0d62befb049992972cca6\r\n<\/pre>\n
Cela tombe bien puisque dans notre capture r\u00e9seau nous voyons des \u00e9changes ESP crypt\u00e9 !<\/p>\n
Nous allons donc d\u00e9crypter ces \u00e9changes via wireshark :<\/p>\n
\"Trend-micro-2016-misc-100-esp\"<\/a><\/p>\n
Nous avons maintenant les \u00e9changes en clair dans wireshark.<\/p>\n
Nous remarquons un \u00e9change HTTP avec un fichier \u00ab\u00a0flag.png\u00a0\u00bb, bingo nous avons le flag !<\/p>\n
\"Trend-micro-2016-misc-100-flag\"<\/a><\/p>\n
\r\nTMCTF{GO_FOR_THE_CL}\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"
Description Category: Misc(iot and network) Points: 100 Please analyze this pcap. Download the file Decrypt the downloaded file by the following command. > unzip files21.zip > openssl enc -d -aes-256-cbc -k gcCbBJN5pIHiL8JiJ8Xj -in files21.enc -out files21_ok.zip > unzip files21_ok.zip<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[130,35,191],"tags":[122,5,177,193],"class_list":["post-2669","post","type-post","status-publish","format-standard","hentry","category-2016-fr","category-ctf-fr","category-trend-micro-2016-fr","tag-122","tag-ctf","tag-write-up","tag-trend-micro"],"_links":{"self":[{"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/posts\/2669","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/comments?post=2669"}],"version-history":[{"count":7,"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/posts\/2669\/revisions"}],"predecessor-version":[{"id":2680,"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/posts\/2669\/revisions\/2680"}],"wp:attachment":[{"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/media?parent=2669"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/categories?post=2669"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/tags?post=2669"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}