Ghost In The Shellcode 2015 CTF: Write-up for cloudfs challenge

Posted by XoN on January 19th, 2015

Hello there, in this post I will describe how I solved the cloudfs challenge of Ghost In The Shellcode 2015. This challenge was in the Forensics category and was worth 200 points (middle ground!). It wasn’t so hard, and someone could argue that it shouldn’t be worth the same points as “the alpha molecular” or similar challenges from the crypto category, but it’s okay (arguing about points is actually very common in every CTF). The point of the challenge was that it used ICMP (so there is no TCP Follow Stream option…) and that the included file was scattered across multiple packets.

So the challenge file was an .xz file, meaning that we had to decompress it first.

xz file awaits

We open the pcap file with wireshark and we see all these ICMP ping requests/replies.

Lots of ICMP ping requests/replies

By running tshark -r pcapfile -T fields -e data -w outputfilee ; strings outputfilee we can dump all the data from the pcap and search it for ASCII strings. There are a bunch of delicious apples and ripe yellow bananas in there (at some point I thought the key was something related to that!).

Exporting all data

strings show bananas and apples

Since I was searching for the key, I initially used the filter icmp contains key and managed to find a packet that gave away the existence of a key.tbz file. So I knew that there was a tbz file somewhere around…

icmp contains key filter saved half a day

I created a .tbz file of my own to see what the header looks like, and right after that I updated my Wireshark filter to icmp contains 425a.
The data section of the first matching packet [No. 1041] ended with the bytes “da 61”. I saw that the replies were basically carrying the same data, so I filtered them out.

header of a random.tbz file

Updating filter for searching for the tbz file

Then the 2nd piece of the tbz file is in packet [No. 1051], ending with the bytes “30 98”. The 3rd piece was in the next packet [No. 1052]. Then there is a series of packet exchanges carrying these 3 pieces, and packet [No. 1075] holds the last part of the .tbz file, which ends with the bytes “f0 c0”. I exported the data sections of these 4 packets and then used the HxD editor to copy/paste the bytes together (I also had to remove some bytes from the first packet’s data section).

2nd part of the file

3rd part of the file

Top of the final assembled file

The end of the final file

Size of the file

I renamed the file so I could extract it, and that was it. The ping.py was also included in that tbz file!

Renaming and extracting. Boom ;)
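The same carve done programmatically instead of by hand in HxD, as an added example that is not part of the original write-up: a small Python script that walks a pcap, keeps only ICMP echo-request payloads, drops the bytes ahead of the first BZh header, skips replies and re-sent pieces, and lets the bzip2 end-of-stream marker decide where the archive ends. The capture it parses is constructed inline (sample_pcap), the key file contents are a placeholder, and it assumes the pieces arrive in order.

```python
import bz2, struct

BZ2_MAGIC = b"BZh"  # bzip2 stream header, the "42 5a" bytes the Wireshark filter looks for
SAMPLE_KEY = b"key file contents (constructed sample, not the real challenge key)\n" * 4

def icmp_frame(icmp_type, payload):
    # Ethernet + IPv4 + ICMP echo (type 8 request, type 0 reply) frame; checksums left zero
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return b"\x00" * 12 + b"\x08\x00" + ip + icmp

def build_pcap(frames):
    # Minimal little-endian pcap file, link type 1 (Ethernet)
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

def icmp_payloads(pcap):
    # Yield (icmp_type, data) for every IPv4/ICMP packet in the capture, no tshark needed
    endian, off = ("<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"), 24
    while off + 16 <= len(pcap):
        caplen = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame, off = pcap[off + 16:off + 16 + caplen], off + 16 + caplen
        if frame[12:14] == b"\x08\x00" and frame[23] == 1:    # IPv4 carrying ICMP
            icmp = frame[14 + (frame[14] & 0x0F) * 4:]
            yield icmp[0], icmp[8:]

def carve_bz2(pcap):
    # Feed echo-request payloads from the first "BZh" onward into a streaming decompressor
    # and return the decompressed archive, or None if no complete stream was found.
    dec, seen, out = bz2.BZ2Decompressor(), set(), None
    for icmp_type, data in icmp_payloads(pcap):
        if icmp_type != 8 or data in seen:   # replies mirror requests; repeats are resends
            continue
        seen.add(data)
        if out is None:
            if BZ2_MAGIC not in data:        # chatter before the archive begins
                continue
            data, out = data[data.index(BZ2_MAGIC):], b""   # drop bytes ahead of the header
        out += dec.decompress(data)
        if dec.eof:                          # the stream's own end marker says where it stops
            return out

def sample_pcap():
    # Constructed capture: chatter, archive split over 48-byte pings (junk before the header), replies, resends, chatter
    tbz = bz2.compress(SAMPLE_KEY)
    pieces = [b"junk" + tbz[:48]] + [tbz[i:i + 48] for i in range(48, len(tbz), 48)]
    frames = [icmp_frame(8, b"delicious apples"), icmp_frame(0, b"delicious apples")]
    frames += [f for p in pieces for f in (icmp_frame(8, p), icmp_frame(0, p), icmp_frame(8, p))]
    return build_pcap(frames + [icmp_frame(8, b"ripe yellow bananas")])
```

On a real capture, replace sample_pcap() with the bytes of the pcap file; the result is the .tbz contents, which tarfile can open directly from memory.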