This weekend, I participated in the Trend Micro CTF. This CTF was a nice experience, with solid hosting and a wide variety of challenges (though the binary challenges were overwhelmingly Windows). Unfortunately, a severe lack of focus (read: playing Call of Duty World at War) as well as a lack of Windows environments cost us dearly in terms of score.
At this point, I should note that this CTF also featured SCADA challenges. This was a nice change from the usual – well done Trend Micro (any chance for a live serial-over-TCP/IP target next year? :P)
During this CTF, I tackled the IOT100 challenge first, as I had just been reverse engineering a firmware CGI binary (see last post) just before this CTF started. Without further ado, I’ll present the writeup below:
IOT100 was presented as a PCAP file, which can be found here: pcap
This pcap has a few interesting streams in it: a plaintext Telnet stream seems to be a good place to start investigating:
To summarize, the session is an administrator running a series of commands.
Setting this aside, we continue our investigation of the PCAP file. Broadly speaking, we can categorise the data as follows:
- General networking: ping, ARP, etc
- The telnet session above
- Netbios (around packet 370+)
- ISAKMP traffic
- ESP traffic
From here, the flag is likely to either be a part of the general network background noise (ping/ARP/Netbios), in which case this becomes steganography quest, or in the ESP traffic: ISAKMP is a key management protocol, but ESP is an actual encrypted stream.
Decrypting ESP requires some configuration options from an endpoint on the connection – fortunately, we have this via the Telnet session from earlier. Following this procedure, we’re able to quickly decrypt the traffic:
A quick export HTTP objects later, and we have the flag:
As always, thanks to Trend Micro for putting together this fantastic event. Better luck to team farmingsimulator2015 next year 🙂