Saturday, 24 June 2017

TrendMicroCTF 2017 - Forensics100

After a long time away from playing CTFs, here is my solution for Forensics 100.

As I no longer have access to the challenge, I'll describe the question as well as I can from memory.

Question  : 
A pcap is given, with the hint that the attackers used an old technique to communicate from the victim machine to their server.

Link to file : Forensics100

Solution : 
Opening the pcap in our tool of the trade, Wireshark, shows that the capture is nothing but DNS queries and responses.

The only thing that changes from packet to packet is the leftmost label of the queried name, for example:

ASfsbGivEQsT2aQPHzaB.gzpgs.trendmicro.co.jp
5GBJZEAWX7WJASGCg5Br.gzpgs.trendmicro.co.jp
9TvJjPCj9kRW9fk5XU2b.gzpgs.trendmicro.co.jp
etc.

So I used tshark to pull out all 255 query names (the response filter keeps only the queries, otherwise each name would appear twice), strip the fixed gzpgs.trendmicro.co.jp suffix and join the remaining labels into one string in for100.txt. Note that tr -d deletes every occurrence of each character in its argument, not the substring, so it would also eat any g, z, p, s, t, r, e, n, d, m, i, c, o or j inside the data labels; the suffix has to be removed with sed, and tr is only used to drop the newlines:

tshark -r output.pcap -T fields -e dns.qry.name -Y "dns.flags.response eq 0" | sed 's/\.gzpgs\.trendmicro\.co\.jp$//' | tr -d '\n' > for100.txt

The interesting part is the alphabet. Listing the distinct characters in the file with awk, sort and uniq gives 58 symbols, not the 64 (plus the = padding) you would expect from Base64. The four missing characters are 0, O, I and l, exactly the visually ambiguous ones that Base58, the alphabet used for Bitcoin addresses, leaves out.

I used the command below to list the distinct characters (an empty FS makes GNU awk split each line into single characters):

awk 'BEGIN{FS=""} {for(i=1;i<=NF;i++) print $(i)}' for100.txt | sort | uniq | tr -d '\n'
output: 123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz

All that is left is a Base58 decoder. A quick search turned up an online one (base58-decode); any Bitcoin-style Base58 implementation works just as well.

Decoding the concatenated labels as a single Base58 string gives the flag: TMCTF{DNSTunnelExfil}
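The whole pipeline (strip the suffix, check the alphabet, decode) in one script, as an added example that is not the challenge's own tooling or data. The DNS query names it works on are constructed by Base58-encoding the flag and chopping the result into 20-character labels under gzpgs.trendmicro.co.jp, mimicking the shape of the captured traffic; the real pcap is not reproduced here, and the names make_queries, labels_from_queries, guess_alphabet and solve are my own.

```python
"""DNS-tunnel Base58 decoding, added example for the write-up above.
Not the challenge's tooling; the query names are CONSTRUCTED to look like
the captured ones (random-looking 20-char label + fixed exfil domain)."""

BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BASE64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
EXFIL_DOMAIN = "gzpgs.trendmicro.co.jp"   # domain seen in the write-up
LABEL_LEN = 20                            # length of the captured data labels


def b58encode(data: bytes) -> str:
    """Bitcoin-style Base58: treat the bytes as one big-endian integer,
    emit base-58 digits, and map each leading 0x00 byte to a leading '1'."""
    n = int.from_bytes(data, "big")
    digits = []
    while n:
        n, rem = divmod(n, 58)
        digits.append(BASE58_ALPHABET[rem])
    zeros = len(data) - len(data.lstrip(b"\x00"))
    return "1" * zeros + "".join(reversed(digits))


def b58decode(text: str) -> bytes:
    """Inverse of b58encode; raises ValueError on a character outside the alphabet."""
    n = 0
    for ch in text:
        n = n * 58 + BASE58_ALPHABET.index(ch)
    zeros = len(text) - len(text.lstrip("1"))
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return b"\x00" * zeros + body


def labels_from_queries(qnames, domain=EXFIL_DOMAIN):
    """Equivalent of the tshark | sed step: keep only names under the exfil
    domain and strip the suffix, leaving the data-carrying label."""
    suffix = "." + domain
    out = []
    for q in qnames:
        q = q.rstrip(".")                       # tolerate a trailing root dot
        if q.lower().endswith(suffix):
            out.append(q[:-len(suffix)])
    return out


def guess_alphabet(payload: str) -> str:
    """Same reasoning as the awk | sort | uniq step: which known alphabet covers
    every character actually seen? Base58 is a subset of Base64, so it is
    tested first; a long Base64 payload will almost surely contain one of
    0, O, I, l, + or /, which is what separates the two."""
    seen = set(payload)
    if seen <= set(BASE58_ALPHABET):
        return "base58"
    if seen <= set(BASE64_ALPHABET):
        return "base64"
    return "unknown"


def solve(qnames) -> bytes:
    """Concatenate the labels and decode them as one Base58 string, which is
    what pasting for100.txt into a web decoder does."""
    payload = "".join(labels_from_queries(qnames))
    kind = guess_alphabet(payload)
    if kind != "base58":
        raise ValueError("payload does not look like Base58 (%s): %r"
                         % (kind, "".join(sorted(set(payload)))))
    return b58decode(payload)


def make_queries(secret: bytes):
    """Constructed exfil side (hypothetical): encode the whole secret once,
    then chop it into fixed-width labels like the captured traffic."""
    enc = b58encode(secret)
    return ["%s.%s" % (enc[i:i + LABEL_LEN], EXFIL_DOMAIN)
            for i in range(0, len(enc), LABEL_LEN)]


# Constructed sample traffic, not the challenge's pcap.
SAMPLE_QUERIES = make_queries(b"TMCTF{DNSTunnelExfil}")

if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        print(q)
    print(solve(SAMPLE_QUERIES))
```

Two caveats worth keeping in mind on real traffic. First, the script decodes the concatenation as a single number, as the write-up did; a tunnel that encodes each label separately needs b58decode applied per label instead, and the wrong choice yields garbage rather than an error, so try both. Second, Base58 is case-sensitive while DNS names are compared case-insensitively; resolvers normally preserve the case they receive, but a path that folds case would silently corrupt the payload.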

w00t w00t!!