Tolkien Ring - Wireshark Practice walkthrough

-

By now we should be ready to start out first challenge as part of the Tolkien Ring, which is in relation to Wireshark

Difficulty Rating: 1/5


Hints

Just have to follow thorough the questions asked in terminal, by analysing the suspicious.pcap file in Wireshark

 

Solutions


1.What kinds of objects can be exported in the pcap file ?  HTTP

Open up suspicious.pcap file in Wireshark, using the export objects option available in Wireshark. Now we can export different types of objects depending on what’s been captured in this pcap. When you choose to export HTTP objects you get to see 3 files, while the export options will be empty. 



2. Name of the biggest file you can export ?  app.php (808kB)

Within Wireshark in the object export tab for HTTP, you get to see 3 files, among which the biggest file by size 808kb is app.php 

 

3. Packet number where app.php starts ?  687

In the object export tab within Wireshark, first column indicated the starting packet number of the conversation for that specific conversation highlighted. App.php conversation traffic starts at packet number 687


4. IP Address of the Apache Server ? 192.85.57.242

When we click on the app.php (808kB) file, the Wireshark window in highlights on the starting packet for this conversation at 687th packet, where the source address is the Apache server IP address.



5. What file is saved on the infected host?  Ref_Sept24-2020.zip

There are 2 options to look for this information. 

 

Option 1: Follow HTTP Stream

After step 4 which is selecting the 687th packet from Wireshark main window, right click and choose “Follow HTTP Stream”, which will open a new window that allows you to see the entire HTTP conversation. In the conversation you should be able to see a GET request for the file app.php and followed by a JavaScript payload blob1 being saved as a file named Ref_Sept24-2020.zip



Option 2: Export app.php and analyse 

Another way would be, in Export HTTP objects window, select app.php 808kB and click save. Which should export and save the app.php file to your local disk, after which you can inspect with any text editor/IDE to look at the php code, where after the initial blob of text near the end will be the JavaScript code where blob1 is being saved as Ref_Sept24-2020.zip file.



6. List the countries of the bad TLS certificates being used by the attackers in alphabetical order.Israel, South Sudan 

 

To Identify bad TLS certificates there are a few indicators that we can look at, first let’s filter the suspicious.pcap file in Wireshark to list all the TLS certificates captured by applying a display filter “ssl.handshake.type==11”. Now within the presented results, lets pick a random packet and look for certificate validity. drop down as per below screenshot on TLS layer until we see not After under validity field, which indicates the date of certificate expiry. Right click on that field and apply a column.


Now sort the utcTime column by clicking on the column name, you should see the last 5 packets from 2 sources 151.236.219.181 and 62.98.109.30 has certificates that have expired. Now to confirm if it’s a bad certificate, export the certificates to see if the root certificate is untrusted. As per below screenshot right click on the certificate field and choose to “export packet bytes” option and save as .Cer file.


Once exported open the .cer file as per the underlying OS you are using, and we see that both the certificates from sources 151.236.219.181 and 62.98.109.30 are untrusted. The other Name fields lists acronyms for two countries IL for Israel and SS for South Sudan


7. Is this host infected?  Yes

 

To answer this question, you can copy the whole blob of text from the app.php code starting from UEsDBBQ……and ending at DSJAAAA. Paste it into https://gchq.github.io/CyberChef/, choose from Base64 option and save the output file as .zip format matching the JavaScript. 


Now if you upload the file into Virus total, we can see that the file is being flagged as resemblance to Dridex malware family which is known to be banking related malware. From the screenshot below you can also see the past submission of a same file has been in the name download (2).dat which is the default name CyberChef provides when saving files. So, someone gone this extra mile before me ;)


Troubleshoots

  • If you are experiencing hiccups with menu bar navigation, for troubleshooting purposes am using Wireshark latest version 4.0.2 (for this exercise Wireshark does not need to run with sudo/super user privileges.)
  • Wireshark Download link: https://www.wireshark.org/#download

Comments

Post a Comment

Popular posts from this blog

SANS Kringlecon 2022 Introduction

-
Image
What Challenges Should You Expect?   This year, the infamously precious 5 Golden Rings have been stolen, and Santa needs your help to recover them. Each ring represents a different quest to defeat cybersecurity obstacles to change the course of the future and defeat holiday treachery:   1. Tolkien Ring (Network Security) - Analyse a PCAP to identify malware, and then analyse logs and create IDS rules to detect such attacks. 2. Elfen Ring (SecDevOps and Supply Chain Attacks) – Identify malicious packages and then attack CI/CD processes to escape a container. 3. Web Ring (Web Application Vulnerabilities and Exploitation) - Identify XML External Entity (XXE) attack and leverage such vulnerabilities to gain access. 4. Cloud Ring (Cloud Security) - Analyse cloud configurations via the command line, identifying possible vulnerabilities and information leakage. 5. Burning Ring of Fire (Cryptocurrency, NFT, and Smart Contract Attacks) - Acquire and spend cryptocurrency, then analyse a
Read more

Elfen Ring - Prison Escape Walkthrough

-
Image
Prison Escape Challenge Difficulty 3/5 Clone a code repository. Get hints for this challenge from Bow Ninecandle in the Elfen Ring. After completing the Clone with a difference challenge , Getting back on the boat and progressing further through the game, we meet Tinsel Upatree with a terminal named “Prison Escape”, once we click on the terminal we are presented with the following screen that details the challenge and Based on the question, we need to find a hex string that contains the flag that needs to be submitted Seems like we need to find a way to privilege escalate or escape from the limited sandbox to be able to complete the challenge. given we can get linpeas transferred to this system, we will have to manually perform initial enumeration. Based on the above screenshot, Seems like some sort of docker container and now ill have to narrow down the enumeration to docker container escape .  Using the following docker container escape reference cheatsheet, while attempting enumerat
Read more