Writeup – IOT100 (TMCTF)

This weekend, I participated in the Trend Micro CTF. This CTF was a nice experience, with solid hosting and a wide variety of challenges (though the binary challenges were overwhelmingly Windows). Unfortunately, a severe lack of focus (read: playing Call of Duty World at War) as well as a lack of Windows environments cost us dearly in terms of score.

At this point, I should note that this CTF also featured SCADA challenges. This was a nice change from the usual – well done Trend Micro (any chance for a live serial-over-TCP/IP target next year? :P)

During this CTF, I tackled the IOT100 challenge first, as I had been reverse engineering a firmware CGI binary (see last post) just before the CTF started. Without further ado, I’ll present the writeup below:

IOT100

IOT100 was presented as a PCAP file, which can be found here: pcap

This pcap has a few interesting streams in it: a plaintext Telnet stream seems to be a good place to start investigating:

[Screenshot: the followed Telnet stream, 2016-07-31]

To summarize, the session is an administrator running a series of commands.

Setting this aside, we continue our investigation of the PCAP file. Broadly speaking, we can categorise the data as follows:

  • General networking: ping, ARP, etc.
  • The telnet session above
  • Netbios (around packet 370+)
  • ISAKMP traffic
  • ESP traffic

From here, the flag is likely to be either part of the general network background noise (ping/ARP/Netbios), in which case this becomes a steganography quest, or in the ESP traffic: ISAKMP only negotiates the keys, whereas ESP carries the actual encrypted payload.

Decrypting ESP requires the security association parameters (cipher, keys and SPIs) from one of the endpoints on the connection; fortunately, the plaintext Telnet session from earlier hands us exactly that. Following this procedure, we’re able to quickly decrypt the traffic:

[Screenshot: the decrypted ESP traffic]

A quick export HTTP objects later, and we have the flag:

[Screenshot: the flag in the exported HTTP object]
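The three steps above (categorise the capture, decrypt the ESP stream once the SA parameters are known, pull the HTTP object out of the inner packet) as one stdlib-only Python script. This is an added example, not the author's code or anything from the challenge: the capture, the SPI 0xDEADBEEF, the addresses and the flag string are all constructed inline. The ESP frame is built with NULL encryption (RFC 2410) so the block runs offline; for a real capture the SA table would hold a callable that performs the negotiated cipher (e.g. AES-CBC with the key copied from the endpoint's configuration) and strips the ICV before handing back the padded plaintext.

```python
"""Triage a pcap, pull out ESP SPIs, and recover the inner packet from ESP."""
import struct
from collections import Counter

ETH_ARP, ETH_IP = 0x0806, 0x0800
PROTO_ICMP, PROTO_TCP, PROTO_UDP, PROTO_ESP = 1, 6, 17, 50


def read_pcap(data):
    """Yield raw frames from a classic libpcap capture held in memory."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    off = 24  # skip the global header
    while off + 16 <= len(data):
        incl = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        off += 16
        yield data[off:off + incl]
        off += incl


def classify(frame):
    """Bucket one Ethernet frame the way the writeup does; ESP also yields its SPI."""
    if len(frame) < 34:
        return "other", None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETH_ARP:
        return "arp", None
    if ethertype != ETH_IP:
        return "other", None
    ip = frame[14:]
    proto, body = ip[9], ip[(ip[0] & 0x0F) * 4:]
    if proto == PROTO_ICMP:
        return "icmp", None
    if proto == PROTO_ESP:
        return "esp", struct.unpack("!I", body[:4])[0]
    if proto in (PROTO_TCP, PROTO_UDP):
        ports = set(struct.unpack("!HH", body[:4]))
        if proto == PROTO_TCP and 23 in ports:
            return "telnet", None
        if ports & {137, 138, 139}:
            return "netbios", None
        if proto == PROTO_UDP and ports & {500, 4500}:
            return "isakmp", None
    return "other", None


def triage(pcap_bytes):
    """Return (category counts, set of ESP SPIs) for a capture."""
    counts, spis = Counter(), set()
    for frame in read_pcap(pcap_bytes):
        cat, spi = classify(frame)
        counts[cat] += 1
        if cat == "esp":
            spis.add(spi)
    return counts, spis


def decrypt_esp(frame, sa):
    """Strip the ESP header/trailer; `sa` maps SPI -> decrypt callable (ICV already removed)."""
    ip = frame[14:]
    esp = ip[(ip[0] & 0x0F) * 4:]
    spi = struct.unpack("!I", esp[:4])[0]
    if spi not in sa:
        raise KeyError(f"no SA for SPI {spi:#x}")
    plain = sa[spi](esp[8:])          # SPI(4) + sequence(4) precede the payload
    pad_len, next_header = plain[-2], plain[-1]
    return next_header, plain[:-2 - pad_len]


def http_body(inner_ip):
    """Walk inner IPv4 -> TCP and return the HTTP body (the 'export objects' step)."""
    tcp = inner_ip[(inner_ip[0] & 0x0F) * 4:]
    return tcp[(tcp[12] >> 4) * 4:].split(b"\r\n\r\n", 1)[1]


def recover_flag(pcap_bytes, sa):
    """Decrypt every tunnel-mode ESP frame and return the first HTTP body found."""
    for frame in read_pcap(pcap_bytes):
        if classify(frame)[0] == "esp":
            next_header, inner = decrypt_esp(frame, sa)
            if next_header == 4:      # IP-in-IP: tunnel mode
                return http_body(inner)
    return None


# --- constructed sample capture (no checksums; parsers above ignore them) ---
def _ipv4(proto, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02") + payload

def _tcp(sport, dport, payload):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload

def _udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def _eth(ethertype, payload):
    return b"\xaa" * 6 + b"\xbb" * 6 + struct.pack("!H", ethertype) + payload

def _esp_null(spi, seq, inner, next_header=4):
    pad_len = (-(len(inner) + 2)) % 4   # RFC 4303 trailer: pad, pad_len, next_header
    return (struct.pack("!II", spi, seq) + inner
            + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header]))

def build_sample_pcap():
    http = b"HTTP/1.1 200 OK\r\n\r\nFLAG{constructed-placeholder}"
    inner = _ipv4(PROTO_TCP, _tcp(80, 40000, http))
    frames = [_eth(ETH_ARP, b"\x00\x01\x08\x00\x06\x04\x00\x01" + b"\x00" * 20),
              _eth(ETH_IP, _ipv4(PROTO_TCP, _tcp(23, 40001, b"enable\r\n"))),
              _eth(ETH_IP, _ipv4(PROTO_UDP, _udp(500, 500, b"\x00" * 28))),
              _eth(ETH_IP, _ipv4(PROTO_ESP, _esp_null(0xDEADBEEF, 1, inner)))]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    pcap = build_sample_pcap()
    counts, spis = triage(pcap)
    print(dict(counts), [hex(s) for s in spis])
    # NULL-cipher SA for the constructed capture; a real SA would decrypt here.
    print(recover_flag(pcap, {0xDEADBEEF: lambda payload: payload}))
```

Run against a real capture by replacing `build_sample_pcap()` with the file's bytes; the triage output lists the SPIs you need to match against the endpoint's configuration before any decryption is possible, which is exactly why a plaintext management session alongside the tunnel is such a damaging leak.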

As always, thanks to Trend Micro for putting together this fantastic event. Better luck to team farmingsimulator2015 next year 🙂

About Norman

Sometimes, I write code. Occasionally, it even works.