Description
It’s time for CERT-SE’s annual challenge (CTF) to coincide with the European cyber security month. This challenge is aimed at anyone with an interest in IT security. [1, 2]
<scenario>
CERT-SE has, yet again, come across network traffic from the fictional hacker group "Medelålders Sura Blackhats".
Can you find all the flags?
</scenario>
In the .zip file below there is a network dump (PCAP) that contains a total of six flags in the format “CTF[xxxxxxxxxx]“. The flag contents are words or names, not random letters.
Solution
Analysis
Opening the attached PCAP file and looking at the protocol hierarchy, we see the following.

Here we find some interesting unencrypted traffic: IRC, HTTP, FTP, FTP-DATA, and some generic Data (raw TCP payload that no dissector recognises). Everything we need is in the clear.
Extracting the IRC session, we get the following conversation.
Hejarn: Ok, less chit chat this time, let's try to have better op-sec this year!
Kammen: It wasn't only my fault last time... :'(
Hejarn: @Kammen, noone is blaming you. Let's just do it better this time...
Frallan: Sure...
Hejarn: Aaaanyway... Is everyone here?
Eran: Erm, I think Rosen, Anaforan and Pekarn is away. But I think their parts are done.
Kammen: Yeah, Rosen told me the data to the ROM is "eb a3 8a e8 ba e2 ea 3b b8 ee 8a 3a e8 bb ae 00".
Hejarn: @Kammen, thanks.
Hejarn: Ok, @Frallan, is the sequence ready?
Frallan: Sure it's here: "444 6 2 4 444 66 33 0 444 333 0 444 0 9 33 777 33 0 2 7777 0 4 666 666 3 0 2 8 0 7 777 666 4 777 2 6 6 444 66 4 0 2 7777 0 222 8 333 [ 2 3 2 0 555 666 888 33 555 2 222 33 ]".
Hejarn: Great! This should get the message out!
Kammen: I still don't get it...
Eran: @Kammen, well d......h! ;-)
Kammen: Ha ha, very funny...
Kammen: @Eran, did you find a solution for the missing characters?
Eran: Erm, no... The [ and ] doesn't exist... But everyone should understand that they're represented by .. and .. on the Swedish keyboard. Right?
Frallan: Maybe, let's hope so!
Kammen: I just don't get why we should use such old tech?!?
Eran: I did it as an homage to Faggin and Kildall for their contributions. And it serves our purpose extremely well!
Hejarn: Shut up!!! We need to keep quiet this time!
Eran: Right, sorry...
Kammen: @Eran, lol! What's next? You telling that the encrypted flag is "CTF[RRCJFW]" the code is "BBB" too? X-D
Frallan: ...
Eran: Shut up!
Kammen: Erm, oups.... :-/
Kammen: But I'm pretty sure no one listens to this...
Hejarn: Sigh...
Hejarn: Anyway... We only have one shot of this. @Eran, is the package ready?
Eran: Yes, sending it now...
Eran: Done.
Hejarn: Good!
Hejarn: @Kammen, is the website finished?
Kammen: Yes! :-D
Hejarn: Where is it?
Kammen: http://192.168.122.129/
Hejarn: Ok, let's see...
Hejarn: Still no https?!?
Kammen: There's really no need...
Hejarn: Yeah, we said that last year too... :-/
Eran: Is the link to Rosens part still there?
Hejarn: Yes, I checked it. The link is ok.
Hejarn: Anyway, it has to do...
Hejarn: Ok. We're done.
Hejarn: Now everyone logout and destroy your data.
Frallan: Ok, see you.
Kammen: k
Eran: See you at the meeting point.
From the conversation, we can pick out some interesting messages.
Kammen: Yeah, Rosen told me the data to the ROM is "eb a3 8a e8 ba e2 ea 3b b8 ee 8a 3a e8 bb ae 00".
Hejarn: Ok, @Frallan, is the sequence ready?
Frallan: Sure it's here: "444 6 2 4 444 66 33 0 444 333 0 444 0 9 33 777 33 0 2 7777 0 4 666 666 3 0 2 8 0 7 777 666 4 777 2 6 6 444 66 4 0 2 7777 0 222 8 333 [ 2 3 2 0 555 666 888 33 555 2 222 33 ]".
Kammen: @Eran, lol! What's next? You telling that the encrypted flag is "CTF[RRCJFW]" the code is "BBB" too? X-D
Kammen: http://192.168.122.129/
Flag 1
Let’s start with the sequence mentioned in the chat, “444 6 2 4 444 66 33 0 444 333 0 444 0 9 33 777 33 0 2 7777 0 4 666 666 3 0 2 8 0 7 777 666 4 777 2 6 6 444 66 4 0 2 7777 0 222 8 333 [ 2 3 2 0 555 666 888 33 555 2 222 33 ]“.
This looks like multi-tap text entry on a phone keypad: each group is one key pressed repeatedly (444 is the third letter on key 4, I; 0 is the space), and the groups are separated by spaces, so there is no timing ambiguity to resolve. The brackets have no key and are simply left in place. Entering the sequence into dCode’s SMS Phone Tap Code Cipher decoder we get the message IMAGINE IF I WERE AS GOOD AT PROGRAMMING AS CTF[ADA LOVELACE]
CTF[ADA LOVELACE]
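The same decoding done by hand, as an added example that is not part of the original write-up: a multi-tap decoder over the sequence quoted from the chat. The keypad layout is the standard ITU E.161 one; treating key 0 as the space and passing the brackets through unchanged are assumptions that match the message above.

```python
import re

# The key sequence quoted from the IRC log on the page.
SEQUENCE = ("444 6 2 4 444 66 33 0 444 333 0 444 0 9 33 777 33 0 2 7777 0 "
            "4 666 666 3 0 2 8 0 7 777 666 4 777 2 6 6 444 66 4 0 2 7777 0 "
            "222 8 333 [ 2 3 2 0 555 666 888 33 555 2 222 33 ]")

# Standard ITU E.161 keypad; key 1 carries no letters, and key 0 is assumed
# to be the space (it is the only way the groups "0" make sense here).
KEYPAD = {
    "2": "ABC", "3": "DEF", "4": "GHI", "5": "JKL",
    "6": "MNO", "7": "PQRS", "8": "TUV", "9": "WXYZ",
    "0": " ",
}

FLAG_RE = re.compile(r"CTF\[[^\]]*\]")


def decode_multitap(sequence: str) -> str:
    """Decode space-separated multi-tap groups.

    Each group is one key pressed n times and selects the n-th letter on
    that key, wrapping around if the key is pressed more times than it has
    letters (e.g. "22222" -> "B").  A phone keypad has no key for [ and ],
    so those tokens are passed through untouched (an assumption).
    """
    out = []
    for group in sequence.split():
        if group in ("[", "]"):
            out.append(group)
            continue
        key = group[0]
        if key not in KEYPAD or any(ch != key for ch in group):
            raise ValueError(f"not a multi-tap group: {group!r}")
        letters = KEYPAD[key]
        out.append(letters[(len(group) - 1) % len(letters)])
    return "".join(out)


def find_flags(text: str) -> list:
    """Pull every CTF[...] token out of decoded text."""
    return FLAG_RE.findall(text)


if __name__ == "__main__":
    message = decode_multitap(SEQUENCE)
    print(message)            # IMAGINE IF I WERE AS GOOD AT PROGRAMMING AS CTF[ADA LOVELACE]
    print(find_flags(message))
```

The decoder rejects any group that mixes digits, so a typo in a transcribed sequence fails loudly instead of silently producing a wrong letter.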
Flag 2
As mentioned in the chat, there is a web page at http://192.168.122.129/. Let’s look at the HTTP traffic and see if we can get anything interesting out of it. Listing the HTTP objects in the capture, we see the following.

Saving all objects transferred from 192.168.122.129, we end up with an HTML file and two PNG images.
Viewing the source of the HTML file, we find an HTML comment containing the next flag, <! CTF%5BROSPIGG%5D>, which URL-decodes (%5B is [, %5D is ]) to CTF[ROSPIGG]. A plain search for “CTF[” in the file would have missed it because of the percent-encoding.
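A small check for exactly that hiding place, added here as an example and not part of the original write-up: collect the HTML comments with the standard-library parser, percent-decode each one, and only then look for the flag pattern. The sample page below is constructed; the real index page from 192.168.122.129 is not reproduced.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

FLAG_RE = re.compile(r"CTF\[[^\]]+\]")

# Constructed sample page: only the shape of the hiding place is kept
# (a percent-encoded flag inside a comment), not the real site content.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<!-- CTF%5BROSPIGG%5D -->
<p>Nothing to see here.</p>
</body></html>"""


class CommentCollector(HTMLParser):
    """Record every <!-- ... --> comment the parser sees."""

    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append(data.strip())


def html_comments(html: str) -> list:
    parser = CommentCollector()
    parser.feed(html)
    parser.close()
    return parser.comments


def flags_in_html(html: str) -> list:
    """Flags hidden in comments, visible only after percent-decoding."""
    found = []
    for comment in html_comments(html):
        found.extend(FLAG_RE.findall(unquote(comment)))
    return found


if __name__ == "__main__":
    print(html_comments(SAMPLE_HTML))   # ['CTF%5BROSPIGG%5D']
    print(flags_in_html(SAMPLE_HTML))   # ['CTF[ROSPIGG]']
```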
Flag 3
Checking out the image brus.png, we see a QR code. Using zbarimg to read the code we get the following data.
zbarimg prints the decoded payload prefixed with QR-Code:; here the payload is a long string of hex values.
Converting the hex values to bytes and saving the result to a file, we get a Commodore BASIC program.
file download.dat
download.dat: CBM BASIC, SYS 2061
The file output tells us this is a C64 PRG: a 16-bit load address ($0801, the start of BASIC memory on the C64) followed by a one-line BASIC stub that jumps with SYS 2061 ($080D) to machine code placed right after the stub. The binary can be run in a C64 emulator, and when started we get a mini-demo containing the third flag.

CTF[retrolove]
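To see what `file` is keying on, here is a minimal PRG parser, added as an example and not part of the original write-up. The QR payload from the page is not reproduced, so the input is a constructed hex string with the same layout that `file` reported for download.dat: load address $0801, one BASIC line "10 SYS2061", and machine code (a single RTS) at $080D. The parser walks the BASIC line chain, checks that each next-line pointer really points at the following line, and reports where the machine code starts so it can be compared with the SYS target.

```python
import re

# Constructed sample PRG (hex, as zbarimg would hand it over): load address
# $0801, BASIC line 10 "SYS2061", end-of-program marker, then RTS at $080D.
SAMPLE_QR_HEX = "01 08 0b 08 0a 00 9e 32 30 36 31 00 00 00 60"

# Only the BASIC V2 tokens needed to recognise a SYS stub.
BASIC_TOKENS = {0x80: "END", 0x89: "GOTO", 0x99: "PRINT", 0x9E: "SYS"}


def parse_prg(data: bytes) -> dict:
    """Parse a CBM PRG: 16-bit little-endian load address, then BASIC lines.

    Each line is: next-line pointer (2 bytes), line number (2 bytes),
    tokenised text, NUL.  A zero pointer ends the program; whatever follows
    in the file is machine code.
    """
    if len(data) < 4:
        raise ValueError("too short for a PRG")
    load = int.from_bytes(data[0:2], "little")
    lines, pos = [], 2
    while True:
        if pos + 2 > len(data):
            raise ValueError("truncated BASIC program")
        nxt = int.from_bytes(data[pos:pos + 2], "little")
        if nxt == 0:
            pos += 2
            break
        number = int.from_bytes(data[pos + 2:pos + 4], "little")
        end = data.index(b"\x00", pos + 4)            # line is NUL-terminated
        text = "".join(BASIC_TOKENS.get(b, f"<{b:02x}>") if b >= 0x80 else chr(b)
                       for b in data[pos + 4:end])
        lines.append((number, text))
        if nxt != load + (end + 1 - 2):               # pointer must hit the next line
            raise ValueError(f"bad line pointer ${nxt:04x} in line {number}")
        pos = end + 1
    # File offset `pos` maps to memory address load + pos - 2.
    return {"load_address": load, "lines": lines, "code_address": load + pos - 2}


def sys_target(prg: dict):
    """Address named by the first SYS in the BASIC stub, or None."""
    for _, text in prg["lines"]:
        m = re.search(r"SYS\s*(\d+)", text)
        if m:
            return int(m.group(1))
    return None


def describe(data: bytes) -> str:
    """Mimic the one-line verdict `file` gives for a BASIC-stub PRG."""
    prg = parse_prg(data)
    target = sys_target(prg)
    if prg["load_address"] == 0x0801 and target is not None:
        return f"CBM BASIC, SYS {target}"
    return f"PRG, load address ${prg['load_address']:04x}"


if __name__ == "__main__":
    blob = bytes.fromhex(SAMPLE_QR_HEX)
    print(describe(blob))                  # CBM BASIC, SYS 2061
    print(parse_prg(blob))
```

A SYS target that does not equal the reported code address is worth a second look: the stub then jumps somewhere inside the BASIC text or past the end of the file, which is how some loaders and crackers hide a second entry point.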
Flag 4
The other PNG file, krets.png, is an image of a circuit diagram.

A search for “circuitverse” leads us to CircuitVerse, the online logic circuit simulator the image was created with.
After recreating the circuit in the tool, we need to fill the ROM with data. Among the interesting messages in the chat there is one about exactly that.
Kammen: Yeah, Rosen told me the data to the ROM is "eb a3 8a e8 ba e2 ea 3b b8 ee 8a 3a e8 bb ae 00".
After loading the ROM with these 16 bytes, we end up with the following circuit.

Simulating the circuit makes the LED blink with long and short pulses. Converting the blinks to Morse code and then to text gives us the flag.

CTF[LOGIC]
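The simulator step can be skipped once you know what the circuit does with the ROM. The block below is an added example, not part of the original write-up, and it rests on one assumption that the page does not state: the circuit shifts the ROM out MSB-first, one bit per clock tick, and the LED follows the bit. Under that assumption the bytes are a Morse timing stream (1 tick high = dot, 3 ticks high = dash, 1 tick low inside a letter, 3 ticks low between letters), and decoding them yields CTFÄLOGICÅ, which is the check that the assumption holds. The two Swedish letters framing LOGIC are the stand-ins for [ and ] that the chat hints at; the mapping Ä→[ and Å→] follows from their positions in the decoded text.

```python
from itertools import groupby

# ROM contents quoted from the IRC log on the page.
ROM_HEX = "eb a3 8a e8 ba e2 ea 3b b8 ee 8a 3a e8 bb ae 00"

# International Morse plus the Swedish letters.
MORSE = {
    "A": ".-",    "B": "-...",  "C": "-.-.",  "D": "-..",   "E": ".",
    "F": "..-.",  "G": "--.",   "H": "....",  "I": "..",    "J": ".---",
    "K": "-.-",   "L": ".-..",  "M": "--",    "N": "-.",    "O": "---",
    "P": ".--.",  "Q": "--.-",  "R": ".-.",   "S": "...",   "T": "-",
    "U": "..-",   "V": "...-",  "W": ".--",   "X": "-..-",  "Y": "-.--",
    "Z": "--..",  "Å": ".--.-", "Ä": ".-.-",  "Ö": "---.",
}
FROM_MORSE = {code: letter for letter, code in MORSE.items()}


def rom_to_bits(rom_hex: str) -> str:
    """Serialise the ROM MSB-first, one bit per clock tick (assumed circuit behaviour)."""
    return "".join(f"{b:08b}" for b in bytes.fromhex(rom_hex))


def bits_to_morse(bits: str) -> str:
    """Run-length decode LED levels into Morse.

    1-tick high: dot; 3-tick high: dash; 1-tick low: gap inside a letter;
    3-tick low: letter gap; 7 ticks or more low: word gap (or padding).
    """
    letters, current = [], []
    for level, run in groupby(bits):
        n = sum(1 for _ in run)
        if level == "1":
            if n == 1:
                current.append(".")
            elif n == 3:
                current.append("-")
            else:
                raise ValueError(f"high run of {n} ticks is neither dot nor dash")
        else:
            if n == 1:
                continue                      # gap between elements of one letter
            if current:
                letters.append("".join(current))
                current = []
            if n >= 7:
                letters.append("/")           # word gap, or trailing padding
    if current:
        letters.append("".join(current))
    while letters and letters[-1] == "/":     # the ROM's trailing zeros are not a word gap
        letters.pop()
    return " ".join(letters)


def morse_to_text(morse: str) -> str:
    return "".join(" " if sym == "/" else FROM_MORSE[sym] for sym in morse.split())


def decode_rom(rom_hex: str) -> str:
    return morse_to_text(bits_to_morse(rom_to_bits(rom_hex)))


def swedish_brackets(text: str) -> str:
    """Undo the chat's substitution: Ä opens and Å closes the flag."""
    return text.replace("Ä", "[").replace("Å", "]")


if __name__ == "__main__":
    print(bits_to_morse(rom_to_bits(ROM_HEX)))   # -.-. - ..-. .-.- .-.. --- --. .. -.-. .--.-
    print(swedish_brackets(decode_rom(ROM_HEX)))  # CTF[LOGIC]
```

The decoder deliberately refuses high runs other than 1 or 3 ticks; if the circuit were shifting LSB-first or at a different rate, the first malformed run would raise instead of producing plausible-looking garbage.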
Flag 5
For the next flag, we need to figure out the meaning of the following message.
Kammen: @Eran, lol! What's next? You telling that the encrypted flag is "CTF[RRCJFW]" the code is "BBB" too? X-D
A couple of messages later, there is talk about a package being sent somewhere.
Hejarn: Anyway... We only have one shot of this. @Eran, is the package ready?
Eran: Yes, sending it now...
Eran: Done.
Looking at the FTP traffic, we can see a file being uploaded (STOR), which is the package they are talking about. The control channel is plain text, so the credentials are visible as well.
220 (vsFTPd 3.0.3)
USER eran
331 Please specify the password.
PASS Sn0mosglass
230 Login successful.
SYST
215 UNIX Type: L8
TYPE I
200 Switching to Binary mode.
PORT 192,168,122,156,227,163
200 PORT command successful. Consider using PASV.
STOR FAGGIN.zip
150 Ok to send data.
226 Transfer complete.
QUIT
221 Goodbye.
The PORT command tells the server where the client is listening for the data connection (192,168,122,156,227,163 means 192.168.122.156, port 227*256+163 = 58275), so the FTP-DATA stream towards that address and port is the one carrying the upload. Dumping it, we get the file FAGGIN.zip, and extracting the zip file gives us FAGGIN.COM.
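Reading a control channel like this one by hand is fine for a single session, but it is the kind of thing worth automating over a whole capture. The block below is an added example, not part of the original write-up: it parses the FTP control transcript quoted above (credentials, uploads and downloads that completed with a 226, and the active-mode data endpoint announced by PORT). Only the transcript on the page is used as input.

```python
import re

# FTP control channel exactly as shown on the page.
FTP_CONTROL = """220 (vsFTPd 3.0.3)
USER eran
331 Please specify the password.
PASS Sn0mosglass
230 Login successful.
SYST
215 UNIX Type: L8
TYPE I
200 Switching to Binary mode.
PORT 192,168,122,156,227,163
200 PORT command successful. Consider using PASV.
STOR FAGGIN.zip
150 Ok to send data.
226 Transfer complete.
QUIT
221 Goodbye."""

REPLY_RE = re.compile(r"^(\d{3})[ -]")     # server replies start with a 3-digit code


def parse_port_arg(arg: str) -> tuple:
    """PORT h1,h2,h3,h4,p1,p2 -> (host, p1*256 + p2)."""
    fields = [int(x) for x in arg.split(",")]
    if len(fields) != 6 or any(not 0 <= x <= 255 for x in fields):
        raise ValueError(f"malformed PORT argument: {arg!r}")
    return ".".join(map(str, fields[:4])), fields[4] * 256 + fields[5]


def parse_ftp_control(text: str) -> dict:
    """Extract login, data endpoints and completed transfers from a control stream."""
    session = {"user": None, "password": None, "data_endpoints": [], "transfers": []}
    pending = None                          # (verb, filename) waiting for a 226
    for raw in text.splitlines():
        line = raw.rstrip("\r")
        if not line:
            continue
        m = REPLY_RE.match(line)
        if m:                               # server side
            code = int(m.group(1))
            if pending and code == 226:     # transfer finished cleanly
                session["transfers"].append(pending)
                pending = None
            elif pending and code >= 400:   # refused or aborted: no file moved
                pending = None
            continue
        verb, _, arg = line.partition(" ")  # client side
        verb = verb.upper()
        if verb == "USER":
            session["user"] = arg
        elif verb == "PASS":
            session["password"] = arg
        elif verb == "PORT":
            session["data_endpoints"].append(parse_port_arg(arg))
        elif verb in ("STOR", "RETR"):
            pending = (verb, arg)
    return session


if __name__ == "__main__":
    s = parse_ftp_control(FTP_CONTROL)
    print(s["user"], s["password"])         # eran Sn0mosglass
    print(s["data_endpoints"])              # [('192.168.122.156', 58275)]
    print(s["transfers"])                   # [('STOR', 'FAGGIN.zip')]
```

In active mode the server connects out to the endpoint in PORT, so the data stream to follow is the one to 192.168.122.156:58275; for a passive session the same idea applies to the 227 reply, which this parser does not handle.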
Some more clues about this file can be seen in the chat.
Kammen: I just don't get why we should use such old tech?!?
Eran: I did it as an homage to Faggin and Kildall for their contributions. And it serves our purpose extremely well!
Looking up the names tells us that Federico Faggin led the design of the Intel 4004 and Gary Kildall created CP/M, and .COM is the executable format of CP/M. So the file is most likely a CP/M program.
Executing the program using a CP/M emulator, we get the following output.
Rotor position: C C C
Input the message, one key at the time.
The program is a rotor cipher, and the chat gave us both the ciphertext and the key: to decrypt the flag we need to change the initial rotor positions from CCC to BBB. Opening FAGGIN.COM in a hex editor, we can find the following hints.

Here we find the start-setting data. Changing it from CCC to BBB and running the patched program, we can enter the encrypted flag RRCJFW and get the decrypted flag.
CTF[POLAND]
Flag 6
To find the last flag, we need to go back to the traffic in the PCAP and look at the generic Data stream. Following that stream, we see a lot of data sent to 192.168.122.129 on port 1337.
Opening a packet, we can see that only spaces and dots are being sent.

Following the whole data stream, we can find one row that stands out.

Resizing the window, which changes where the lines wrap, reveals rows of dots with a pattern in between: the payload is a bitmap drawn with dots and spaces.

By copying the data into a text editor and highlighting the dots, the last flag becomes readable.

CTF[RENARAMA]
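Resizing the window is just choosing a line width; the same can be done deterministically. The block below is an added example, not part of the original write-up: it lists the widths that divide an unbroken dot-and-space payload evenly, reflows the payload at one of them, and marks the dots so the pattern stands out. The payload is constructed (a small C drawn in dots); the real stream to port 1337 is not reproduced here.

```python
# Constructed payload: five rows of six characters in which the dots draw a
# letter, sent as one run without line breaks, which is why it looks like
# noise in a packet view until it is reflowed at the right width.
ROWS = [
    " .... ",
    ".     ",
    ".     ",
    ".     ",
    " .... ",
]
PAYLOAD = "".join(ROWS)


def candidate_widths(payload: str, lo: int = 2, hi: int = 200) -> list:
    """Line widths that divide the payload evenly; a bitmap stream usually has one."""
    return [w for w in range(lo, hi + 1) if len(payload) % w == 0]


def reflow(payload: str, width: int) -> list:
    """Cut the unbroken stream into rows of `width` characters."""
    return [payload[i:i + width] for i in range(0, len(payload), width)]


def render(rows: list, ink: str = ".", on: str = "#", off: str = " ") -> str:
    """Mark the dots, the same effect as highlighting them in an editor."""
    return "\n".join("".join(on if ch == ink else off for ch in row) for row in rows)


if __name__ == "__main__":
    print(candidate_widths(PAYLOAD))       # [2, 3, 5, 6, 10, 15, 30]
    for w in candidate_widths(PAYLOAD):    # eyeball each one; width 6 shows the letter
        print(f"--- width {w}")
        print(render(reflow(PAYLOAD, w)))
```

With a real capture the payload is the reassembled TCP stream, not a single packet; segment boundaries fall anywhere and would otherwise break rows in the middle.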
Thanks a lot for the write-ups! I only solved two out of six myself, but looking at your solutions it seems obvious I was over-thinking many of the other ones