Writeup – IOT100 (TMCTF)

This weekend, I participated in the Trend Micro CTF. This CTF was a nice experience, with solid hosting and a wide variety of challenges (though the binary challenges were overwhelmingly Windows). Unfortunately, a severe lack of focus (read: playing Call of Duty World at War) as well as a lack of Windows environments cost us dearly in terms of score.

At this point, I should note that this CTF also featured SCADA challenges. This was a nice change from the usual – well done Trend Micro (any chance for a live serial-over-TCP/IP target next year? :P)

During this CTF, I tackled the IOT100 challenge first, as I had been reverse engineering a firmware CGI binary (see last post) just before this CTF started. Without further ado, I’ll present the writeup below:


IOT100 was presented as a PCAP file, which can be found here: pcap

This pcap has a few interesting streams in it: a plaintext Telnet stream seems to be a good place to start investigating:


To summarize, the session is an administrator running a series of commands.

Setting this aside, we continue our investigation of the PCAP file. Broadly speaking, we can categorise the data as follows:

  • General networking: ping, ARP, etc
  • The telnet session above
  • NetBIOS (around packet 370+)
  • ISAKMP traffic
  • ESP traffic

From here, the flag is likely to be either part of the general network background noise (ping/ARP/NetBIOS), in which case this becomes a steganography quest, or in the ESP traffic: ISAKMP only negotiates the security associations (SPIs, algorithms and keys), while ESP is the stream that actually carries the encrypted payload.

Decrypting ESP requires the security-association parameters from an endpoint on the connection: for each direction, the SPI, the encryption algorithm and its key, and the integrity algorithm and its key. Fortunately, we have this via the Telnet session from earlier. Wireshark can decrypt ESP natively once these values are entered under Edit > Preferences > Protocols > ESP (tick "Attempt to detect/decode encrypted ESP payloads" and add one row per SA). Following this procedure, we’re able to quickly decrypt the traffic:
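To make it concrete what Wireshark is doing with those SA parameters, here is the same ESP decryption done by hand. This is an added example written for this writeup, not code from the challenge or from Wireshark; it assumes AES-128-CBC with HMAC-SHA1-96 (the post does not say which algorithms the challenge's tunnel used), and the SPI, keys, IV and HTTP payload are all constructed values. The packet builder exists only so the example can produce a packet to decrypt; in the real challenge the packets come from the pcap.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
)

// ESP (RFC 4303) on the wire with AES-CBC + HMAC-SHA1-96:
//   SPI(4) | Seq(4) | IV(16) | ciphertext | ICV(12)
// ciphertext = AES-CBC( payload | padding | PadLen(1) | NextHeader(1) )
const (
	espHeaderLen = 8
	ivLen        = aes.BlockSize
	icvLen       = 12 // HMAC-SHA1-96 keeps the first 12 of 20 tag bytes
)

// SA is one direction of a security association: exactly the values
// Wireshark's ESP preferences ask for (all constructed here).
type SA struct {
	SPI     uint32
	EncKey  []byte // 16 bytes for AES-128
	AuthKey []byte
}

// EncryptESP builds an ESP packet so the example has something to decrypt.
func EncryptESP(sa SA, seq uint32, nextHeader byte, payload, iv []byte) ([]byte, error) {
	block, err := aes.NewCipher(sa.EncKey)
	if err != nil {
		return nil, err
	}
	if len(iv) != ivLen {
		return nil, errors.New("iv must be one AES block")
	}
	// Pad so payload + pad + 2 trailer bytes fills whole blocks.
	padLen := (ivLen - (len(payload)+2)%ivLen) % ivLen
	plain := append([]byte{}, payload...)
	for i := 1; i <= padLen; i++ {
		plain = append(plain, byte(i)) // RFC 4303 default padding: 1,2,3,...
	}
	plain = append(plain, byte(padLen), nextHeader)
	ct := make([]byte, len(plain))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, plain)

	pkt := make([]byte, espHeaderLen, espHeaderLen+ivLen+len(ct)+icvLen)
	binary.BigEndian.PutUint32(pkt[0:4], sa.SPI)
	binary.BigEndian.PutUint32(pkt[4:8], seq)
	pkt = append(pkt, iv...)
	pkt = append(pkt, ct...)
	mac := hmac.New(sha1.New, sa.AuthKey)
	mac.Write(pkt) // ICV covers header, IV and ciphertext
	return append(pkt, mac.Sum(nil)[:icvLen]...), nil
}

// DecryptESP checks the ICV, decrypts, validates and strips the trailer, and
// returns the inner payload plus Next Header (4 = IPv4 in tunnel mode).
func DecryptESP(sa SA, pkt []byte) (payload []byte, nextHeader byte, err error) {
	if len(pkt) < espHeaderLen+ivLen+icvLen {
		return nil, 0, errors.New("packet too short for ESP")
	}
	if spi := binary.BigEndian.Uint32(pkt[0:4]); spi != sa.SPI {
		return nil, 0, fmt.Errorf("SPI 0x%08x does not match SA 0x%08x", spi, sa.SPI)
	}
	// Integrity first: a wrong auth key or a tampered packet stops here.
	body, icv := pkt[:len(pkt)-icvLen], pkt[len(pkt)-icvLen:]
	mac := hmac.New(sha1.New, sa.AuthKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil)[:icvLen], icv) {
		return nil, 0, errors.New("ICV mismatch (wrong auth key or tampered packet)")
	}
	iv, ct := body[espHeaderLen:espHeaderLen+ivLen], body[espHeaderLen+ivLen:]
	if len(ct) == 0 || len(ct)%ivLen != 0 {
		return nil, 0, errors.New("ciphertext is not a whole number of blocks")
	}
	block, err := aes.NewCipher(sa.EncKey)
	if err != nil {
		return nil, 0, err
	}
	plain := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, ct)

	padLen := int(plain[len(plain)-2])
	nextHeader = plain[len(plain)-1]
	if padLen > len(plain)-2 {
		return nil, 0, errors.New("pad length exceeds data (wrong encryption key?)")
	}
	for i := 1; i <= padLen; i++ { // a wrong cipher key almost always fails here
		if plain[len(plain)-2-padLen+i-1] != byte(i) {
			return nil, 0, errors.New("padding is not 1,2,3,... (wrong encryption key?)")
		}
	}
	return plain[:len(plain)-2-padLen], nextHeader, nil
}

func main() {
	sa := SA{SPI: 0xc0ffee01, EncKey: []byte("0123456789abcdef"), AuthKey: []byte("authkey-authkey-auth")}
	iv := bytes.Repeat([]byte{0x42}, ivLen)
	req := []byte("GET /flag HTTP/1.0\r\n\r\n") // constructed inner payload
	pkt, _ := EncryptESP(sa, 1, 4, req, iv)
	got, nh, err := DecryptESP(sa, pkt)
	fmt.Printf("next header %d, payload %q, err %v\n", nh, got, err)
	wrong := sa
	wrong.AuthKey = []byte("wrong-key-wrong-key-")
	_, _, err = DecryptESP(wrong, pkt)
	fmt.Println("wrong auth key:", err)
}
```

The order matters in practice: check the ICV before touching the ciphertext, and treat a bad pad length or pad pattern as "wrong encryption key or algorithm" rather than corrupt data, since that is the usual symptom when the SA table in Wireshark has the keys for the two directions swapped.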


A quick File > Export Objects > HTTP later, and we have the flag:


As always, thanks to Trend Micro for putting together this fantastic event. Better luck to team farmingsimulator2015 next year 🙂

About Norman

Sometimes, I write code. Occasionally, it even works.
This entry was posted in Bards, Computers, Jesting.