This weekend, I participated in the Trend Micro CTF. This CTF was a nice experience, with solid hosting and a wide variety of challenges (though the binary challenges were overwhelmingly Windows). Unfortunately, a severe lack of focus (read: playing Call of Duty World at War) as well as a lack of Windows environments cost us dearly in terms of score.

At this point, I should note that this CTF also featured SCADA challenges. This was a nice change from the usual – well done Trend Micro (any chance for a live serial-over-TCP/IP target next year? :P)

During this CTF, I tackled the IOT100 challenge first, as I had just been reverse engineering a firmware CGI binary (see last post) just before this CTF started. Without further ado, I’ll present the writeup below:

IOT100

IOT100 was presented as a PCAP file, which can be found here: pcap

This pcap has a few interesting streams in it: a plaintext Telnet stream seems to be a good place to start investigating:

To summarize, the session is an administrator running a series of commands.

Setting this aside, we continue our investigation of the PCAP file. Broadly speaking, we can categorise the data as follows:

• General networking: ping, ARP, etc
• The telnet session above
• Netbios (around packet 370+)
• ISAKMP traffic
• ESP traffic

From here, the flag is likely to either be a part of the general network background noise (ping/ARP/Netbios), in which case this becomes steganography quest, or in the ESP traffic: ISAKMP is a key management protocol, but ESP is an actual encrypted stream.

Decrypting ESP requires some configuration options from an endpoint on the connection – fortunately, we have this via the Telnet session from earlier. Following this procedure, we’re able to quickly decrypt the traffic:

A quick export HTTP objects later, and we have the flag:

As always, thanks to Trend Micro for putting together this fantastic event. Better luck to team farmingsimulator2015 next year 🙂