CSCAMP 2014 - netcat, cryptcat Who cares? (STG100)

2 minute read

the solution is the md5 of the decrypted file

Hiromi’s Portion

Looking at the pcap file, we see quite a lot of requests to windows update 8.254.119.254.

GET /msdownload/update/software/svpk/2011/02/windows6.1-kb976933-x86-neutral_665ea0a805bd97f70045674fb4d5fd048fd81516.psf HTTP/1.1

I wasted a lot of time scrolling through all those packets…

Finally though we came across a convo between 192.168.1.20:49341 and 192.168.1.21:5050

Following the TCP Stream we see:

hey herp
hey derp
sup dude, u remember what we talked about earlier?
yeah the ctf keygen :D
hush dude, we don`t want them to log this
i`ll send u a chat that supports encryption
open port 6060 and listen for a file transfer
ok, gimme a sec
ok i sent it to u
fine i got it
switch to cryptcat with key Dagaga
and port 7070, ill connect
roger that

So based on that convo, we can limit our search to port 6060 and port 7070.

In Wireshark, set filter to “tcp.port eq 6060” to see what file was transferred.

[email protected]........!..L.!This program cannot be run in DOS mode.

Based on part of the stream we can see that its a windows cryptocat lol

From the convo, we know that they established a cryptcat connection at port 7070 with key “Dagaga”. Let’s set Wireshark’s filter to see port 7070.

Since this is Crypto, amon gets to come in!

Amon’s Portion

Now for my part of the challenge, it was pretty easy going from the pcap to extract the traffic on port 7070. Looking at the conversations, we can see there are three streams.

Stream 1 contains no data. Stream 2 contains a conversation. Stream 3 seems to be dump of a longer file.

We can extract the data by extracting from the ‘Follow Stream’:

Now, we have extracted our streams to the files part17070 and part27070. We can set up our cryptcat listener with the key Dagaga.

[email protected]$ cryptcat -k Dagaga -l -p 1337

Now we send our extracted streams to the cryptcat listener like so:

[email protected]$ cat part17070 | nc localhost 1337

The decrypted conversation:

[email protected]$ cryptcat -k Dagaga -l -p 1337
here
yeah
ok so its stable
now close and i`ll send the file we talked about
on port 7070 too
ok bye

Now we have to start cryptcat and listen for a file. That md5sum of that file will be our flag (as per the challenge description):

[email protected]$ cryptcat -k Dagaga -l -p 1337 > decryptedfile
[email protected]$ md5sum decryptedfile
32170cab0f59ce6e1fc8df51a757cc99  decryptedfile

Flag: 32170cab0f59ce6e1fc8df51a757cc99

Leave a Comment