Post

Smartexfil

Skyv3il 2

Points: 375 points Solves: 2 Difficulty: hard

Introduction

We are given a pcap and a elf executable binary logs.pcap and nothing_to_see_here

image

Opening logs.pcap in wireshark, we see a lot of traffic: dns, http, tcp, ping

image

So, we thought that maybe the exfiltration happend using the dns requests, there are multiple tehniques:

  • using subdomains to exfiltrate small ammount of data with each dns request
  • time based, ascii could be exfiltrated by noticing the time difference between the requests
  • using checksum (it will be shown as unverified)

but none of these gave us anything useful. Finally we notice a custom protocol, made for iot devices like light bulbs:

image

we can see that the requests info contain the commands sent to the light bulb

image

we used tshark to get the message informations from the packets, here the brightness field caught my eye because it was either 0 or 100, no other value in between

image

got all these values using tshark:

1

tshark -r logs.pcap -Y "tcp.dstport == 9999"  -T fields -e tplink_smarthome.msg | awk -F " " '{print $10}' | tr -d ","

1
2
3
4
5
6
7
8
9
10

-Y <display filter> : Apply a display filter.
-T <format>         : Set the format of the output when viewing decoded packet data. Common formats include `text`, `json`, `psml`, etc.
fields              : This option allows you to specify which fields of the packet you want to display. It's often used with `-e` to extract specific fields.
-e <field>          : Specify a field to print. Used with `-T fields` to extract specific fields from the packet data.


awk -F " "    -> we specify that space char is the delimiter, it will split the output into words
'{print $10}' -> we print the 10th element of the line, it means the 10th

tr -d ","     -> get rid of commas ','

after this , we got rid of the 00, replaced them with nothing, then made it into a binary string

1

00101101001011010111010101101110011000010110110101100101001011010010110101111000100111001111001111001001110011000010101110101101010100001100100001001101001011010100100101001100110010101010111101010000001100001101001100110011110100100011001111010000001101010011011011010010010011010100111111001101010010110010110111001010010011000101011001010000001101100011011010101010001100110000001010001010100110011110100000011001111010101000011000100110100101011110011010010101100101000010101000000100111110110000011000101000000001000000010010111001101110101111101000000110100001001100010010111011010001001111101000111001111110100111101000111010001010111011100000010101011001010010101000111000100101101010011000101011000110000101101000101000000110000001101001011000100110010001100001011000000110010001101000101011100001001000011000111000001010110001100000101001010101000101100010011000110001011001101110011001101000000101000111101110011111101010000111111010001111100010000010001011101110010000000000111101100100110010001110001111001011010010110101100101011011010111000001101100011011110111100101100101011001010101111101100101011110000111000001101111011100100111010000101110011000110111001101110110001011010010110101111000100111000101010110010001110011010110111011011011001100000001000010000100111011110111100100001010110000101001011101011110100101101000001001001000111111011001000010111100110110010111010101100011101000001010110111011101000000101000100110000001000101101011110100001000001010111001100110010101100110000101000010100100010000011100100101110000111011011010001011101111010111100100101010111001010001000011011100001110000001111101100001101111011101101001011010100111101010010010100000000101001111001111011000111101110000100000000111000011011010001001110010111110100000111000111000101010111010011101011110011101111111101000001111010110100011000011101000110001000111101000011010001011000110111011101001101000010011101001011001010100111010110001101101110110110111100010011110001101111011111000000100101001010010010110010101001110110010110010110000010111101100000110001000111100001000110000011100111100010110110100110110011110010001110010000011001111111001110110000001011100111110111101101101101000011110110000001011110010011110010100111101001010001011101101001001111100000001010000111101000101110010010101100101100100011011101000001001000001111110001111111011100001010010010001101101101011011011111000000001010001001001010111111011000001011111001111101100001010101100111001111111110011011101011101101110100011101100010011001100110011111001110010100100010101001001011000110101110011001000100101001110010101000110010111100111010010101001111010101111110111001001111011001001110111100100011000101010001110111011000000001010111010110001100000110010001101000001111011001011011101000100001001010110110011001101000101101111000001010000011000111110111000001111011110111011111110110101101100000110110100110111010101100011010101110101101011100011010111100110001010111110101010001011111011011010101110111010101010000010110001111010011111010011110000111011110100000110110000010000101110011000011100101111100110000011110011001110100111100000000111000111111000001110111111001110100111100001111001010100110100100110111101000010001111100001010010010011110110011010001011101111010000111011101111000110100010100100110010010001101010010110100010101100100010110000100100101011001010010011001000110010010000111110110100111011100011001010010010101011010000100101000000001111101010000110110101001110000000000000111001111111100010010010100010111000000010100110001011011101011100100001000010101100010100110011000010101101101011001101011110110000110010111111010011110001110110100100111101001110100110100000100110100111011101110000010111110000001110011001011110010011010011011100011010010001101101001100101100111010101100100010101000010100100011010000000110100011110111010101110000010101100010100001110010110100000111100011110010110101111011100110001110001000111111011001100111000001001011001011011011100100110010110000101011010100110001111001111001010010100010101011001001001110000011110010001110010111011010010001111100011010110010111100110111111011010100000001001111001000100111000100001011100110001001101110101101011010101011011010100100011111001011111110100000001011001010100110010000100101000000100110010001010001110101111010010001010010111011001011110101001110001000110001101000111001111010101101101111010111001101001111111001100000001010110110001110110011111010111101000100101010010110001001011110111100100011111101011101101010001100001001110010

After decoding, we see that there’s some text which are uname and employee_export.csv

image

At this step we were stuck at the ctf, didn’t figure out that those are the commands, and the stuff after them the zlib flated contents. We can save the output from binary as a file, and run binwalk on it:

image

Flag:

MetaCTF{bright_blinking_bulb_breaches}

Forensics