Ghost In The Shellcode 2015 CTF: Write-up for cloudfs challenge

by | Jan 19, 2015 | CTFs

Hello there, in this post I will describe how I solved the cloudfs challenge of Ghost In The Shellcode 2015. This challenge was in the Forensics category and was worth 200 points (middle ground!). It wasn’t that hard, and someone could argue that it shouldn’t be awarded the same points as “the alpha molecular” or similar challenges from the crypto category, but that’s okay (arguing about points is very common in every CTF anyway). The point of the challenge was that the traffic used ICMP (so there is no TCP Follow Stream option…) and that the embedded file was scattered across multiple packets.

The challenge file itself was an .xz archive, so we had to decompress it first.

xz file awaits

Opening the pcap file in Wireshark, we see a long run of ICMP ping requests and replies.

Lots of ICMP ping requests/replies

By running tshark -r pcapfile -T fields -e data -w outputfilee ; strings outputfilee we can dump all the data from the pcap and search it for ASCII strings. There is a bunch of delicious apples and ripe yellow bananas in there (at some point I thought the key was related to them!).

Exporting all data

strings show bananas and apples

Since I was searching for the key, my initial filter was icmp contains key, and it turned up a packet that gave away the existence of a key.tbz file. So I knew there was a tbz file somewhere in there…

icmp contains key filter saved half a day

I created a random .tbz file to look at its header, and right after that I updated my Wireshark filter to icmp contains 425a (the 42 5a bytes are the “BZ” at the start of the bzip2 signature).
The data section of the first packet [No. 1041] ended with the bytes “da 61”. I saw that the replies basically carried the same data as the requests, so I filtered them out.

header of a random.tbz file

Updating filter for searching for the tbz file

The 2nd piece of the tbz file is in packet [No. 1051], ending with the bytes “30 98”. The 3rd piece was in the next packet [No. 1052]. Then there is a series of packet exchanges repeating these 3 pieces, and packet [No. 1075] carries the last part of the .tbz file, which ends with the bytes “f0 c0”. I exported the data sections of these 4 packets and then used the HxD editor to copy/paste the bytes together (I also had to remove some bytes from the first packet’s data section).

2nd part of the file

3rd part of the file

Top of the final assembled file

The end of the final file

Size of the file

I renamed the file so I could extract it, and that was it. The ping.py was also included in the tbz file!
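The manual carving above (drop the mirrored replies and retransmissions, find the bzip2 magic, trim the junk in front of it, keep appending pieces until the stream is complete) can be automated. The following is an added example written for this write-up, not the author's or the CTF's code; the ICMP payloads, the junk prefix and the key.tbz contents are constructed stand-ins, and the "last piece" test is simply whether the accumulated stream decompresses cleanly.

```python
import bz2
import io
import tarfile
BZ2_MAGIC = b"BZh"  # the 42 5a 68 header bytes the write-up filtered on

def make_sample_tbz() -> bytes:
    """Constructed .tbz standing in for the challenge's key.tbz."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:bz2") as tar:
        for name, body in (("key.txt", b"placeholder flag\n"), ("ping.py", b"# stand-in\n")):
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()

def build_capture(tbz: bytes, chunk: int = 48) -> list:
    """Constructed ICMP payloads: fruit filler, file pieces (junk before the magic),
    a retransmission of the earlier pieces, each packet echoed by an identical reply."""
    pieces = [tbz[i:i + chunk] for i in range(0, len(tbz), chunk)]
    pieces[0] = b"\x00\x13junk" + pieces[0]
    requests = [b"delicious apples", b"ripe yellow bananas"] + pieces[:-1] * 2 + pieces[-1:]
    return [p for req in requests for p in (req, req)]  # request, then its echo reply

def is_text_filler(payload: bytes) -> bool:
    """Printable-only payloads are the padding strings(1) turned up, not file data."""
    return all(32 <= b < 127 or b in b"\r\n\t" for b in payload)

def carve_bz2(payloads):
    """Reassemble a bzip2 stream scattered over ICMP payloads: echo replies and
    retransmissions drop out as exact duplicates (assumes genuine pieces differ)."""
    seen, stream = set(), bytearray()
    for p in payloads:
        if p in seen or is_text_filler(p):
            continue
        seen.add(p)
        if not stream:
            idx = p.find(BZ2_MAGIC)
            if idx < 0:
                continue
            p = p[idx:]  # trim the bytes in front of the magic, as done by hand above
        stream += p
        try:
            bz2.decompress(bytes(stream))
            return bytes(stream)
        except ValueError:  # end-of-stream marker not reached: keep collecting
            pass
    return None

def extract_names(tbz: bytes) -> list:
    with tarfile.open(fileobj=io.BytesIO(tbz), mode="r:bz2") as tar:
        return tar.getnames()
```

On a real capture the payload list would come from tshark's -e data output (hex-decoded) rather than from build_capture, and an unrelated binary payload landing between two pieces would still need the manual inspection the write-up describes.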

Renaming and extracting. Boom ;)

Disclaimer

The information provided on this website is to be used for educational purposes only. The author is in no way responsible for any misuse of the information provided. Any actions and or activities related to the material contained within this website is solely your responsibility.