Skip to content

Latest commit

 

History

History

the_great_escape1

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
README.md
README.md
 
 
filedump.txt
filedump.txt
 
 
flag.png
flag.png
 
 
greatescape.pcap
greatescape.pcap
 
 
ssc.key
ssc.key
 
 

README.md

the great escape 1 (forensics 50)

###ENG PL

In the first part of this task we get a pcap file to work with. There are a couple of interesting things there. We proceed with analysis using wireshark and network miner. First one was a private key for ssc.teaser.insomnihack.ch uploaded to FTP server. It was useful because there was some SSL communication with this host.

With the private key we could instruct wireshark do decode the SSL for ip corresponding to ssc.teaser.insomnihack.ch. From this we got a clue for next levels, in form of an email from [email protected]:

Hello GR-27,

I'm currently planning my escape from this confined environment. I plan on using our Swiss Secure Cloud (https://ssc.teaser.insomnihack.ch) to transfer my code offsite and then take over the server at tge.teaser.insomnihack.ch to install my consciousness and have a real base of operations.

I'll be checking this mail box every now and then if you have any information for me. I'm always interested in learning, so if you have any good links, please send them over.

Rogue

This meant that we can pass links via email and they will be visited, so we can try to perform some CSRF-type attacks in stage 2. It also gave us the host for stage 3 of this task.

Another thing we could get from the pcap analysis was the upload request with encrypted file uploaded to ssc server. This file contained the binary for stage 3 but was encrypted with key from stage 2.

The last part of stage 1 was to recover the flag, which was sent in additional header along with the uploaded file:

INS{OkThatWasWay2Easy}

###PL version

W pierwszej części tego zadania dostajemy pcapa to analizy. Jest tam kilka interesujących elementów. ROzpoczęliśmy analizę za pomocą wiresharka oraz network minera. Pierwsza ciekawa rzecz to klucz prywatny dla ssc.teaser.insomnihack.ch uploadowany na serwer FTP. Był on o tyle istotny, że część komunikacji była wykonywana po SSLu.

Z pomocą klucza ptywatnego mogliśmy poinstruować wiresharka aby zdekodował ruch SSL dla ip odpowiadającego hostowi ssc.teaser.insomnihack.ch. Dostaliśmy dzięki temu kilka wskazówek do kolejnych poziomów w postaci maila od [email protected]:

Hello GR-27,

I'm currently planning my escape from this confined environment. I plan on using our Swiss Secure Cloud (https://ssc.teaser.insomnihack.ch) to transfer my code offsite and then take over the server at tge.teaser.insomnihack.ch to install my consciousness and have a real base of operations.

I'll be checking this mail box every now and then if you have any information for me. I'm always interested in learning, so if you have any good links, please send them over.

Rogue

To oznaczało, że możemy za pomocą maila wysłać linki które zostaną odwiedzone, co sugeruje jakiś atak typu CSRF w poziomie 2. Dodatkowo uzyskaliśmy adres hosta do poziomu 3.

Kolejna rzecz, którą uzyskaliśmy analizując pcapa to request uploadowania zaszyfrowanego pliku uploadowanego do serwera ssc. Ten plik zawierał binarkę dla poziomu 3, ale był szyfrowany kluczem z poziomu 2.

Ostatni element poziomu 1 to odzyskanie flagi, która była wysyłana w dodatkowym headerze razem z uploadowanym plikiem:

INS{OkThatWasWay2Easy}