<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>CSAW CTF 2014 - Forensics 200: "why not sftp?"</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="description" content="">
<meta name="author" content="Marina von Steinkirch">
<!-- Le styles -->
<link rel="stylesheet" href="./theme/css/bootstrap.dark.css" type="text/css" />
<style type="text/css">
body {
padding-top: 60px;
padding-bottom: 40px;
}
.tag-1 {
font-size: 13pt;
}
.tag-2 {
font-size: 11pt;
}
.tag-3 {
font-size: 10pt;
}
.tag-4 {
font-size: 8pt;
}
</style>
<link href="./theme/css/bootstrap-responsive.dark.css" rel="stylesheet">
<link href="./theme/css/font-awesome.css" rel="stylesheet">
<link href="./theme/css/pygments.css" rel="stylesheet">
<!-- Le fav and touch icons -->
<link rel="shortcut icon" href="./theme/images/favicon.ico">
<link rel="apple-touch-icon" href="./theme/images/apple-touch-icon.png">
<link rel="apple-touch-icon" sizes="72x72" href="./theme/images/apple-touch-icon-72x72.png">
<link rel="apple-touch-icon" sizes="114x114" href="./theme/images/apple-touch-icon-114x114.png">
<link href="./feeds/all.atom.xml" type="application/atom+xml" rel="alternate" title="chmod +x singularity.sh ATOM Feed" />
</head>
<body>
<div class="navbar navbar-fixed-top">
<div class="navbar-inner">
<div class="container-fluid">
<a class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse">
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</a>
<a class="brand" href="./index.html">chmod +x singularity.sh </a>
<div class="nav-collapse">
<ul class="nav">
<li class="divider-vertical"></li>
<ul class="nav pull-right">
<li><a href="./authors.html">About</a></li>
<li><a href="./archives.html"><b>Archives</b></a></li>
<li>
<a href="https://github.com/bt3gl">github
<!--<i class="icon-github-sign icon-large" ></i>-->
</a></li>
<li>
<a href="https://twitter.com/1bt337">
<!--<i class="icon-twitter-sign icon-large"></i> -->
twitter
</a></li>
<li><a href="http://bt3gl.github.io/projects_page/index.html">Bygone Playful Times
</a></li>
</ul>
</ul>
<!--<p class="navbar-text pull-right">Logged in as <a href="#">username</a></p>-->
</div><!--/.nav-collapse -->
</div>
</div>
</div>
<div class="container-fluid">
<div class="row">
<div class="span9" id="content">
<section id="content">
<article>
<header>
<h1>
<a href=""
rel="bookmark"
title="Permalink to CSAW CTF 2014 - Forensics 200: &quot;why not sftp?&quot;">
CSAW CTF 2014 - Forensics 200: "why not sftp?"
</a>
</h1>
</header>
<div class="entry-content">
<div class="well">
<footer class="post-info">
<abbr class="published" title="2014-09-22T05:20:00">
Mon 22 September 2014 </abbr>
<span class="label"> Category</span>
<a href="./category/forensics.html"><i class="icon-folder-open"></i>Forensics</a>
<span class="label">Tags</span>
<a href="./tag/ctf.html"><i class="icon-tag"></i>CTF</a>
<a href="./tag/csaw.html"><i class="icon-tag"></i>CSAW</a>
<a href="./tag/wireshark.html"><i class="icon-tag"></i>Wireshark</a>
<a href="./tag/ftp.html"><i class="icon-tag"></i>FTP</a>
</footer><!-- /.post-info --> </div>
<p>The purpose of this problem is to teach the need to encrypt your data. The <a href="http://en.wikipedia.org/wiki/File_Transfer_Protocol">FTP</a> protocol sends clear text over the wire, <em>i.e.</em> the data is transmitted without any encryption.
<a href="http://en.wikipedia.org/wiki/SSH_File_Transfer_Protocol">SSH/Secure File Transfer Protocol</a> is a network protocol providing secure file transfer. Using SFTP instead of FTP would have prevented us from finding the flag in this problem the way we did.</p>
<p>This is the second forensics problem and it starts with the following text:</p>
<blockquote>
<p>well seriously, why not?</p>
<p>Written by marc</p>
<p><a href="https://ctf.isis.poly.edu/static/uploads/7831788f2ab94feddc72ce53e80fda5f/traffic-5.pcap">traffic-5.pcap</a></p>
</blockquote>
<hr />
<h2>Analyzing the PCAP File</h2>
<p>Now let's search for the flag! We open the <a href="http://en.wikipedia.org/wiki/Pcap">pcap</a> file in <a href="https://www.wireshark.org/">Wireshark</a> (an open-source packet analyzer). There are several things we could search for in this file: for instance, we could look for FTP transactions, or we could search for strings such as <em>password</em> or <em>flag</em>. We show both approaches.</p>
<h2>Solution 1: Searching for the string <em>flag</em></h2>
<h4>Going in the Wrong Way</h4>
<p>So the first thing I did was to search for the string <em>password</em>:</p>
<ol>
<li>Go to Edit</li>
<li>Go to Find Packet</li>
<li>Search for <em>password</em>, choosing the options <em>String</em> and <em>Packet bytes</em>.</li>
</ol>
<p>Clicking on <em>Follow TCP Stream</em> gives:
<img alt="" src="http://i.imgur.com/c61P5Aj.png" /></p>
<p>Nope. This is misleading information!</p>
<hr />
<h4>But We Were Almost There!</h4>
<p>Now, if we search for <em>flag</em> we actually find something:</p>
<p><img alt="" src="http://i.imgur.com/knuwJFq.png" /></p>
<p>We find the packet with a file named flag! Awesome.</p>
<hr />
<h2>Solution 2: Looking for the FTP Protocols</h2>
<p>All right, let's use another piece of information we have: it should be something related to the FTP protocol. In Wireshark, we can find a specific protocol with display filters. We want to filter for FTP traffic that carries some data. We start by trying the usual FTP-DATA port:</p>
<div class="highlight"><pre><span class="n">tcp</span><span class="p">.</span><span class="n">port</span><span class="o">==</span><span class="mi">21</span>
</pre></div>
<p>Nope. The data must be on another port. Let's search explicitly for:</p>
<div class="highlight"><pre><span class="n">ftp</span><span class="o">-</span><span class="n">data</span>
</pre></div>
<p>Cool, we found a few packets:
<img alt="" src="http://i.imgur.com/cWhiXZD.png" /></p>
<p>We don't need to scroll down much to find a packet with the string <em>flag</em> in it! Awesome.</p>
<hr />
<h2>Extracting the File</h2>
<p>Once we have found the packet with any of the methods above, we right-click it and select <em>Follow TCP Stream</em>. This leads to:</p>
<p><img alt="" src="http://i.imgur.com/LZTse2s.png" /></p>
<p>The file <em>flag.png</em> is our flag. To extract it we click the <em>Save as</em> button, then in the terminal we can use the command <a href="http://en.wikipedia.org/wiki/File_(command)">file</a>:</p>
<div class="highlight"><pre><span class="nv">$ </span>file s.whatever
s.whatever: Zip archive data, at least v2.0 to extract
</pre></div>
<p>Awesome, so all we need is to <em>unzip</em> this file and we get <em>flag.png</em>:</p>
<p><img alt="" src="http://i.imgur.com/WcxyITv.png" /></p>
<h4>Extra: Finding files with <em>File Signatures</em></h4>
<p>If we don't know the name of the file we are looking for, but we know its type, we can search for its <a href="http://en.wikipedia.org/wiki/File_signature">file signature</a> (a fixed sequence of bytes at the start of the file, usually written in hex), which can be found <a href="http://en.wikipedia.org/wiki/List_of_file_signatures">here</a>.</p>
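<p>The three things the write-up does by clicking around in Wireshark (Find Packet on a string, filtering by port, Follow TCP Stream and saving the payload) and the file-signature check from this section can all be done from a short script, which is useful when you have many captures to triage. The following is an added example, not code from the original post: it parses a classic pcap file by hand, reassembles each TCP direction by sequence number, and identifies the carried file by its magic bytes. The capture it works on is constructed inline (hosts 10.0.0.5 and 10.0.0.9, an active-mode data connection on port 20, a zip holding a fake <em>flag.png</em>); the <code>SIGNATURES</code> table is a small subset of the list linked above. Two caveats a practitioner should keep in mind: port 21 is the FTP control channel, so filtering on it shows commands and replies rather than file bytes, and in passive-mode sessions the data port is negotiated via <code>PASV</code>, which Wireshark's <code>ftp-data</code> dissector follows by reading the control channel but this script does not (you pass it the port yourself).</p>

```python
# Added example (not from the original post). Minimal pcap reader that mirrors the
# Wireshark steps in the write-up: string search, port filter, TCP stream
# reassembly, and file identification by signature. All addresses, ports and
# file contents below are constructed for the demonstration.
import io
import socket
import struct
import zipfile

# Subset of the file-signature (magic bytes) list linked from the post.
SIGNATURES = {
    b"PK\x03\x04": "zip",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"%PDF-": "pdf",
    b"\x1f\x8b": "gzip",
}

def identify(data):
    """What `file` does for common types: match leading bytes against signatures."""
    for magic, name in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return "unknown"

def build_frame(src, sport, dst, dport, seq, payload, flags=0x18):
    """Ethernet/IPv4/TCP frame with zeroed checksums (the parser ignores them)."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # EtherType 0x0800 = IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0,
                     64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + tcp + payload

def build_pcap(frames):
    """Classic little-endian pcap: global header, then (record header, frame) pairs."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]  # linktype 1 = Ethernet
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1411360800 + i, 0, len(f), len(f)) + f)
    return b"".join(out)

def iter_frames(buf):
    """Yield raw frames from a classic pcap file in either byte order."""
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack_from("<I", buf, 0)[0])
    if end is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack_from(end + "I", buf, 20)[0] != 1:
        raise ValueError("only the Ethernet link type is handled")
    off = 24
    while off + 16 <= len(buf):
        incl_len = struct.unpack_from(end + "IIII", buf, off)[2]
        off += 16
        yield buf[off:off + incl_len]
        off += incl_len

def parse_tcp(frame):
    """Return ((src, sport, dst, dport), seq, payload), or None if not IPv4/TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    if (ip[0] >> 4) != 4 or ip[9] != 6:                   # version 4, protocol 6 = TCP
        return None
    ihl = (ip[0] & 0x0F) * 4
    tcp = ip[ihl:struct.unpack_from("!H", ip, 2)[0]]      # bounded by IP total length
    if len(tcp) < 20:
        return None
    sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
    doff = (tcp[12] >> 4) * 4                             # TCP header length incl. options
    flow = (socket.inet_ntoa(ip[12:16]), sport, socket.inet_ntoa(ip[16:20]), dport)
    return flow, seq, tcp[doff:]

def reassemble(pcap_bytes, port=None):
    """Follow TCP Stream by hand: group segments per direction, order them by
    sequence number and drop duplicate retransmissions. `port` behaves like
    the display filter tcp.port==N. Sequence wraparound is ignored (small captures)."""
    segs = {}
    for frame in iter_frames(pcap_bytes):
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        flow, seq, payload = parsed
        if payload and (port is None or port in (flow[1], flow[3])):
            segs.setdefault(flow, {})[seq] = payload
    return {f: b"".join(s[k] for k in sorted(s)) for f, s in segs.items()}

def search_string(pcap_bytes, needle):
    """Find Packet (String, Packet bytes), reported once per flow that contains it."""
    return [f for f, data in reassemble(pcap_bytes).items() if needle in data]

def carve(pcap_bytes, port):
    """Identify the file carried on `port`; for a zip, list and type its members."""
    for flow, data in reassemble(pcap_bytes, port).items():
        kind = identify(data)
        if kind == "unknown":
            continue
        members = {}
        if kind == "zip":
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                members = {n: identify(z.read(n)) for n in z.namelist()}
        return {"flow": flow, "type": kind, "members": members}
    return None

def sample_capture():
    """Constructed FTP session: control channel on 21, active-mode data on 20,
    with the zip split in two segments that arrive out of order."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("flag.png", b"\x89PNG\r\n\x1a\n" + b"constructed-image-bytes")
    zdata = buf.getvalue()
    c, s = "10.0.0.5", "10.0.0.9"
    return build_pcap([
        build_frame(c, 50123, s, 21, 1000, b"USER anonymous\r\n"),
        build_frame(s, 21, c, 50123, 2000, b"331 Please specify the password.\r\n"),
        build_frame(c, 50123, s, 21, 1016, b"PASS guest@\r\n"),
        build_frame(c, 50123, s, 21, 1029, b"RETR flag.zip\r\n"),
        build_frame(s, 20, c, 50124, 3040, zdata[40:]),    # second half sent first
        build_frame(s, 20, c, 50124, 3000, zdata[:40]),
    ])

if __name__ == "__main__":
    pcap = sample_capture()
    print("flows mentioning 'password':", search_string(pcap, b"password"))
    print("flows mentioning 'flag':", search_string(pcap, b"flag"))
    print("port 21:", carve(pcap, 21))
    print("port 20:", carve(pcap, 20))
```

<p>Run stand-alone, the script reproduces the write-up's experience: the <em>password</em> hit lands on the server's <code>331</code> reply on the control channel (the misleading result), the <em>flag</em> search hits both the <code>RETR</code> command and the data stream, and carving port 21 yields nothing recognisable while port 20 yields a zip whose single member starts with the PNG signature. To use it on a real capture, read the file's bytes and pass them to <code>search_string</code> or <code>carve</code> with the data port you observed.</p>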
<p><strong>Hack all the Things!</strong></p>
</div><!-- /.entry-content -->
<div class="comments">
<h2>Comments !</h2>
<div id="disqus_thread"></div>
<script type="text/javascript">
var disqus_identifier = "csaw-ctf-2014-forensics-200-why-not-sftp.html";
(function() {
var dsq = document.createElement('script');
dsq.type = 'text/javascript'; dsq.async = true;
dsq.src = 'http://bt3gl.disqus.com/embed.js';
(document.getElementsByTagName('head')[0] ||
document.getElementsByTagName('body')[0]).appendChild(dsq);
})();
</script>
</div>
</article>
</section>
</div><!--/span-->
</div><!--/row-->
<footer>
<address id="about">
</address><!-- /#about -->
</footer>
</div><!--/.fluid-container-->
<script src="./theme/js/jquery-1.7.2.min.js"></script>
<script src="./theme/js/bootstrap.min.js"></script>
</body>
</html>