Sogeti Qualif - misc - N3tC4p

N3tC4p [ 479 points ] (Author: Syngard)


We are given a file named USB.iso, which appears to be a disk image.

$ file USB.iso 
USB.iso: ISO 9660 CD-ROM filesystem data 'CDROM'

Step 1: Extrating the files

The first thing we have to do is to extract whatever file is in the image. There are several ways to do so via the command line and I chose to use 7zip as it’s pretty straightforward.

$ 7z x USB.iso     

7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,4 CPUs 
Intel(R) Core(TM) i7-6600U CPU @ 2.60GHz (406E3),ASM)

Scanning the drive for archives:
1 file, 391168 bytes (382 KiB)

Extracting archive: USB.iso
Path = USB.iso
Type = Iso
Physical Size = 391168
Comment = 
System: LINUX
Volume: CDROM
Created = 2019-01-20 13:49:22
Modified = 2019-01-20 13:49:22

$ ls

We then find a zip archive in the DOCUMENT folder. Inside are two files: challenge_network.keys and challenge_network.pcapng

Step 2: Exploiting the network capture

Let’s open the pcap file in WireShark. We can see that there are some TLS 1.2 packets, which means that the part of the traffic is encrypted. But we also found a .keys file, so that may be useful.

$ cat challenge_network.keys 
CLIENT_RANDOM 5c44694d7d7869bfe4b0717a11393859b46494580e7ca4326e3d2d80aadd158a 14e4

What kind of file is that ? A quick google search gives us all the answers we need. So now we now where to plug the key in WireShark and hopefully that will decrypt the network traffic.

Once we tell WireShark to use the key file, we can see the network traffic in clear.

The most apparent thing is the HTTP request/response that is now appearing. It seems like it was a request to download a file named secret.zip. To retrieve it, we ccan use File -> Export Object -> HTTP and save the only file detected.

Before moving on with the zip file, I’d like to mention that there is another interesting element in the .pcap file: some IRC packets excange. Choosing Follow -> TCP Stream on one of them gives us the following conversation :

USER pixis kali :*Unknown*
:work 432 * /SERVER :Erroneous nickname
NICK pixis
:work 001 pixis :Hi, welcome to IRC
:work 002 pixis :Your host is work, running version miniircd-1.2.1
:work 003 pixis :This server was created sometime
:work 004 pixis work miniircd-1.2.1 o o
:work 251 pixis :There are 2 users and 0 services on 1 server
:work 422 pixis :MOTD File is missing
JOIN #secret 
:pixis!pixis@ JOIN #secret
:work 331 pixis #secret :No topic is set
:work 353 pixis = #secret :J0hnD0e pixis
:work 366 pixis #secret :End of NAMES list
MODE #secret
:work 324 pixis #secret +
PRIVMSG #secret :Yo
:J0hnD0e!pixis@ PRIVMSG #secret :Yo man
PRIVMSG #secret :Il marche plus le mot de passe ?
:J0hnD0e!pixis@ PRIVMSG #secret :Nan il est updated
:J0hnD0e!pixis@ PRIVMSG #secret :
PRIVMSG #secret :Ah merci ! Mais c'est password protected :(
PRIVMSG #secret :Ah c'est bon, password found, easy to guess !
PRIVMSG #secret :++ (Au fait, t'as vu mon blog ? https://beta.hackndo.com)
:J0hnD0e!pixis@ PRIVMSG #secret :Nickel ! Ouais, of course
:J0hnD0e!pixis@ PRIVMSG #secret :++
:J0hnD0e!pixis@ PART #secret :J0hnD0e
PART #secret  
:pixis!pixis@ PART #secret :pixis
QUIT :Leaving

The interesting thing here is that they indicate that the zip file is password-protected but that the password is easy to guess.

Step 3: Cracking the zip file

Since the password is supposedly easy to guess, it’s pretty likely that it is in a classic password dictionnary. Obviously we won’t try to guess it by hand but there is a plethora of tools to do this kind of work. As for me, I tend to use this one. We upload the zip file and are almost immediately rewarded with: Success!! The password for secret.zip was found: thuglife

We then juste have to open the archive with this password.

$ unzip secret.zip  
Archive:  secret.zip
[secret.zip] newpassword.txt password: 
 extracting: newpassword.txt         
$ cat newpassword.txt