Intercepted

Challenge:

We intercepted an attack against the host finance1. Please help us figure out what the attack was supposed to do. The flag will be in the format flag{here-is-the-answer}.

Solution:

The provided challenge file was a PCAP containing just nine packets. Aside from the standard TCP 3-way handshake and the connection teardown, there was a single packet carrying data: frame #4, with a 1,004-byte payload.

We used TShark to extract the raw payload of frame 4 (the data field) as a hex string:

$ tshark -r intercepted.pcap -Y frame.number==4 -T fields -e data
909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090baf3175626dacad97424f45d2bc9b126315512035512831eebb4d38a1f61851846f998ff0f1e8ad07c894b46ac2b25f83b48e7ec4d8f08ec82ed6182f39310296474feae54566956b5cd32b691d9acd9aa6d434420ebb2a687d39884917a4fa9331eea1890c2d407753835c3ed5b5b0b8bc0cb24735b2edc1f02495bd1b0b8d26b14add4a633422794e8cc748a622039621f5fc0defda41aba6da83f640b2dd70bf3831cf4958a40f40e1e0d157d20dc6fadbf

We immediately recognized this as likely shellcode: the payload opens with a long run of 0x90 bytes (the single-byte x86 NOP), commonly referred to as a NOP sled, followed by data that looks nothing like a protocol message. We dumped the payload a second time, this time piping it through sed to strip the leading NOPs and rewrite the remaining hex string as \x-escaped bytes for further analysis. The first sed expression is anchored with ^, so only the leading run is removed; a 0x90 that occurs inside the shellcode itself (there is one about 100 bytes in) is left intact:

$ tshark -r intercepted.pcap -Y frame.number==4 -T fields -e data | sed 's/^\(90\)*//' | sed 's/../\\x&/g'
\xba\xf3\x17\x56\x26\xda\xca\xd9\x74\x24\xf4\x5d\x2b\xc9\xb1\x26\x31\x55\x12\x03\x55\x12\x83\x1e\xeb\xb4\xd3\x8a\x1f\x61\x85\x18\x46\xf9\x98\xff\x0f\x1e\x8a\xd0\x7c\x89\x4b\x46\xac\x2b\x25\xf8\x3b\x48\xe7\xec\x4d\x8f\x08\xec\x82\xed\x61\x82\xf3\x93\x10\x29\x64\x74\xfe\xae\x54\x56\x69\x56\xb5\xcd\x32\xb6\x91\xd9\xac\xd9\xaa\x6d\x43\x44\x20\xeb\xb2\xa6\x87\xd3\x98\x84\x91\x7a\x4f\xa9\x33\x1e\xea\x18\x90\xc2\xd4\x07\x75\x38\x35\xc3\xed\x5b\x5b\x0b\x8b\xc0\xcb\x24\x73\x5b\x2e\xdc\x1f\x02\x49\x5b\xd1\xb0\xb8\xd2\x6b\x14\xad\xd4\xa6\x33\x42\x27\x94\xe8\xcc\x74\x8a\x62\x20\x39\x62\x1f\x5f\xc0\xde\xfd\xa4\x1a\xba\x6d\xa8\x3f\x64\x0b\x2d\xd7\x0b\xf3\x83\x1c\xf4\x95\x8a\x40\xf4\x0e\x1e\x0d\x15\x7d\x20\xdc\x6f\xad\xbf

The remaining 179 bytes contain no readable strings. They begin with mov edx, imm32; fcmovu; fnstenv [esp-0xc]; pop ebp (a GetPC sequence that leaves the address of the FPU instruction in ebp), then sub ecx, ecx; mov cl, 0x26 and a loop that XORs 38 dwords with edx and adds each decoded dword back into the key. That is the decoder stub Metasploit's shikata_ga_nai encoder emits, so the real payload only becomes visible once the loop has run. Rather than decode it by hand we fed it to sctest from the libemu2 package, an x86 shellcode detection and emulation library: -S reads the shellcode from stdin, -s 1000 caps the number of emulated instructions, and -v prints the hooked system calls with their arguments. The execve hook shows exactly what the shellcode was supposed to do, with the flag embedded in the command string:

$ echo -ne "\xba\xf3\x17\x56\x26\xda\xca\xd9\x74\x24\xf4\x5d\x2b\xc9\xb1\x26\x31\x55\x12\x03\x55\x12\x83\x1e\xeb\xb4\xd3\x8a\x1f\x61\x85\x18\x46\xf9\x98\xff\x0f\x1e\x8a\xd0\x7c\x89\x4b\x46\xac\x2b\x25\xf8\x3b\x48\xe7\xec\x4d\x8f\x08\xec\x82\xed\x61\x82\xf3\x93\x10\x29\x64\x74\xfe\xae\x54\x56\x69\x56\xb5\xcd\x32\xb6\x91\xd9\xac\xd9\xaa\x6d\x43\x44\x20\xeb\xb2\xa6\x87\xd3\x98\x84\x91\x7a\x4f\xa9\x33\x1e\xea\x18\x90\xc2\xd4\x07\x75\x38\x35\xc3\xed\x5b\x5b\x0b\x8b\xc0\xcb\x24\x73\x5b\x2e\xdc\x1f\x02\x49\x5b\xd1\xb0\xb8\xd2\x6b\x14\xad\xd4\xa6\x33\x42\x27\x94\xe8\xcc\x74\x8a\x62\x20\x39\x62\x1f\x5f\xc0\xde\xfd\xa4\x1a\xba\x6d\xa8\x3f\x64\x0b\x2d\xd7\x0b\xf3\x83\x1c\xf4\x95\x8a\x40\xf4\x0e\x1e\x0d\x15\x7d\x20\xdc\x6f\xad\xbf" | sctest -v -Ss 1000

verbose = 1
execve
int execve (const char *dateiname=00416fc4={/bin/sh}, const char * argv[], const char *envp[]);
cpu error error accessing 0x00000004 not mapped

stepcount 175
int execve (
     const char * dateiname = 0x00416fc4 => 
           = "/bin/sh";
     const char * argv[] = [
           = 0x00416fb4 => 
               = 0x00416fc4 => 
                   = "/bin/sh";
           = 0x00416fb8 => 
               = 0x00416fcc => 
                   = "-c";
           = 0x00416fbc => 
               = 0x00417038 => 
                   = "/bin/bash -c "if [[ $(hostname) = \"finance1\" ]]; then echo \"flag{1t-Iz-n0-Us3-Sh3ll-C0de}\"; else echo 2; fi"";
           = 0x00000000 => 
             none;
     ];
     const char * envp[] = 0x00000000 => 
         none;
) =  0;

So the shellcode calls execve("/bin/sh", ["/bin/sh", "-c", "/bin/bash -c ..."], NULL), and the embedded bash command prints the flag only when the hostname is finance1 (echoing 2 otherwise), which is why the challenge named the target host. The "cpu error" after the execve line is just libemu stopping once the hooked syscall has been reported.

The accepted flag was: flag{1t-Iz-n0-Us3-Sh3ll-C0de}
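The same result can be obtained without an emulator by replaying the decoder loop statically. The Python script below is an added example, not part of the original write-up and not libemu or sctest code: it embeds the 179 shellcode bytes shown above, reconstructs the NOP sled as 1004 - 179 = 825 bytes (an assumption derived from the stated payload length, since the capture itself is not reproduced here), strips the sled the way the anchored sed expression does, reads the key, dword count and displacement out of the decoder stub, runs the XOR-with-additive-feedback loop and lists the printable strings of the decoded buffer. The helper names (strip_nop_sled, parse_stub, decode, analyze) are the example's own.

```python
"""Static decode of the intercepted shellcode: strip the NOP sled, parse the
XOR-additive-feedback decoder stub, replay its loop and list the strings.
Added example; not the write-up's tooling and not part of libemu/sctest."""
import re
import struct

# The 179 shellcode bytes shown in the write-up (everything after the sled).
SHELLCODE_HEX = (
    "baf3175626dacad97424f45d2bc9b126" "315512035512831eebb4d38a1f618518"
    "46f998ff0f1e8ad07c894b46ac2b25f8" "3b48e7ec4d8f08ec82ed6182f3931029"
    "6474feae54566956b5cd32b691d9acd9" "aa6d434420ebb2a687d39884917a4fa9"
    "331eea1890c2d407753835c3ed5b5b0b" "8bc0cb24735b2edc1f02495bd1b0b8d2"
    "6b14add4a633422794e8cc748a622039" "621f5fc0defda41aba6da83f640b2dd7"
    "0bf3831cf4958a40f40e1e0d157d20dc" "6fadbf"
)
# Reconstructed 1,004-byte TCP payload. The capture is not included here, so the
# sled is assumed to be 1004 - 179 = 825 NOPs, derived from the stated length.
PAYLOAD = b"\x90" * (1004 - 179) + bytes.fromhex(SHELLCODE_HEX)


def strip_nop_sled(payload: bytes) -> tuple[int, bytes]:
    """Drop leading 0x90 bytes only; a 0x90 inside the shellcode must survive."""
    body = payload.lstrip(b"\x90")
    return len(payload) - len(body), body


def parse_stub(sc: bytes) -> tuple[int, int, int]:
    """Recognise the 27-byte decoder and return (key, dword_count, first_offset).

     0  ba imm32      mov edx, KEY
     5  da ca         fcmovu st0, st2   dummy FPU op; fnstenv records ITS address
     7  d9 74 24 f4   fnstenv [esp-0xc] GetPC: FPU instruction pointer lands on the stack
    11  5d            pop ebp           ebp = address of the fcmovu (stub+5)
    12  2b c9         sub ecx, ecx
    14  b1 imm8       mov cl, COUNT     dwords to decode
    16  31 55 d8      xor [ebp+d8], edx
    19  03 55 d8      add edx, [ebp+d8] key += decoded dword (additive feedback)
    22  83 ?? ??      add ebp, 4        the stub's last 4 bytes are themselves encoded
    25  e2 ??         loop              and only become plaintext after iteration 1
    """
    expected = {0: b"\xba", 5: b"\xda\xca\xd9\x74\x24\xf4\x5d\x2b\xc9\xb1",
                16: b"\x31\x55", 19: b"\x03\x55", 22: b"\x83"}
    for off, pattern in expected.items():
        if sc[off:off + len(pattern)] != pattern:
            raise ValueError(f"unexpected bytes at stub offset {off}")
    if sc[18] != sc[21]:
        raise ValueError("xor and add use different displacements")
    key = struct.unpack_from("<I", sc, 1)[0]
    count = sc[15]
    first = 5 + sc[18]  # ebp (stub+5) plus the 8-bit displacement
    return key, count, first


def decode(sc: bytes) -> bytes:
    """Replay the decoder loop in place: xor, then feed the plaintext into the key."""
    key, count, first = parse_stub(sc)
    if first + 4 * count > len(sc):
        raise ValueError("count runs past the end of the buffer")
    buf = bytearray(sc)
    for i in range(count):
        off = first + 4 * i
        plain = struct.unpack_from("<I", buf, off)[0] ^ key
        struct.pack_into("<I", buf, off, plain)
        key = (key + plain) & 0xFFFFFFFF
    return bytes(buf)


def printable_strings(data: bytes, min_len: int = 8) -> list[bytes]:
    """Runs of printable ASCII, like strings(1)."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)


def analyze(payload: bytes) -> dict:
    sled, sc = strip_nop_sled(payload)
    key, count, _first = parse_stub(sc)
    decoded = decode(sc)
    return {
        "sled_length": sled,
        "shellcode_length": len(sc),
        "key": key,
        "decoded_bytes": 4 * count,
        "decoded": decoded,
        "strings": printable_strings(decoded),
    }


if __name__ == "__main__":
    result = analyze(PAYLOAD)
    print(f"NOP sled: {result['sled_length']} bytes, "
          f"shellcode: {result['shellcode_length']} bytes")
    print(f"decoder key 0x{result['key']:08x}, {result['decoded_bytes']} bytes decoded")
    for s in result["strings"]:
        print("string:", s.decode())
```

The detail that makes or breaks a static decode is where ebp ends up: fnstenv stores the address of the last FPU instruction that executed, which is the fcmovu at stub offset 5, not the fnstenv itself, so the XOR starts at offset 5 + 0x12 = 23, on the last four bytes of the decoder. Those bytes decode to sub ebp, -4 / loop, which is why the stub looks truncated in a disassembler until the first iteration has run. The script prints the sled and shellcode lengths, the initial key 0x265617f3 taken from the mov edx, and the /bin/bash -c command string containing the flag, the same string sctest reported as the third execve argument.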
