Jeppe Ernst

#NC3CTF2017[1]["writeup"]

The (Danish) National Police Cyber Crime Center (NC3) has created a four part advent CTF challenge this year. In a CTF you compete against the clock ⏱ to be the first to solve a series of challenges/riddles that involve different aspects of programming/forensics/<stuff> tasks.

This is a writeup explaining how I solved the second challenge in this years advent CTF & managed to get the best time in this round.

The challenge started with a file I had to download “2.pcapng”, the fileformat “pcap” is usually a packetcapture, opening the file in Wireshark I could see that it was a USB packet capture. Looking at the device info revealed that it was input from a keyboard. To the search engine! searching for “pcapng usb capture keyboard” I found a writeup from another CTF, with a script. Using this script (with some small modifications: changing from dvorak to qwerty) i got this:

root@kali:/mnt/hgfs/nc3-2# tshark -r 2.pcapng -T fields -e usb.capdata -Y usb.capdata 2>/dev/null | python usb_to_ascii.py 
Jeeg haarr liigge tteessteet miin toastteermallwwarre og iinnggeenn antiviiruus dettecteerrede dden! Fedt man. Den haar sha/2556 42c3d3ba5c099106fc21ab53908495d5ef2ff9fcaa890b1c7ef4386bc0893f2f???f2f

okay, so this contains a sha256 hash, and it mentions something about antivirus scanners not detecting the file… hmm… maybe I should search virustotal for the hash? SUCCESS!

In the comments someone mentions that the “virus” is trying to connect to 45.63.119.180 on port 9999 and sending the text “HELLO”. Maybe we should just try to do the same then?

root@kali:/mnt/hgfs/nc3-2# netcat -q2 45.63.119.180 9999 echo <<< "HELLO"
nc3ctffqqn5ozfjy.onion/2092c7a391323c18413e33f9840c47e6

okay so we get a new address! wonder what’s there… aaaand it’s another download link to a file named “g”? so what is this “g” file?

root@kali:/mnt/hgfs/nc3-2# file g
g: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=67f9fe06fd8f37032e969f3b49583140629810c4, not stripped

it’s a binary/executable, let’s try to run it! (This is pretty bad practice running unknown code… and as root to boot(pun intended) but whatever #YOLO)

root@kali:/mnt/hgfs/nc3-2# chmod +x g
root@kali:/mnt/hgfs/nc3-2# ./g
23/09/90 kl. 01:12:12 UTC er det helt rigtige unix-tidspunkt til at skabe en URL
nc3ctffqqn5ozfjy.onion/983572806

okay so apparently this program needs to be run at a specific time in the past, let’s try it out.

root@kali:/mnt/hgfs/nc3-2# date -s "09/23/90 01:12:12 UTC" && ./g
Sun Sep 23 03:12:12 CEST 1990
23/09/90 kl. 01:12:12 UTC er det helt rigtige unix-tidspunkt til at skabe en URL
nc3ctffqqn5ozfjy.onion/1228468024

and there you have it! the flag was behind the last address 😊

⏱ Total time: 19 minutes and 31 seconds

Looking forward to next sunday 🎅

Scoreboard

The first time I tried to submit a “ “ whitespace char snuck into the flag, so I had to write my “name” again, this resulted in me typing the wrong twitter handle and pressing submit ¯\_(ツ)_/¯ fortunately for me the NC3 admins were quick to change it.