Another problem from the 5th annual Army Cyber Skills Challenge. The problem is called slow_mover and can be found here.
Problem
Your boss just handed you this PCAP that one of your network sensors captured. He’s positive that there is something fishy going on here but has no clue what it is.
Solution
So if you go to the site above you’ll be able to download a copy of the PCAP file. Looking at the file, it’s pretty small with only a total of 196 packets. Looking at the Protocol Hierarchy Statistics, you can see that most of the traffic is TCP with a little bit of ICMP and IGMP. Just based on the number of packets for each and my knowledge of the flag format (acsc2017{<FLAG>}), I am pretty confident that the flag has to be within the TCP traffic, so I will filter for that using a simple display filter of “tcp”. When I dig further and look at a breakdown of conversations, I see that they are all going between two hosts (192.168.122.17 -> 192.168.122.1) and all with a destination port of 80. When I look closer though, I see something kind of odd. Looking at the number of packets for each source port, there are a lot of patterns. All of them come in multiples of 4, which is a little bit odd.
Looking at the traffic itself, it seems to follow a pattern. Starting with the 192.168.122.17 address, it performs a normal TCP handshake (SYN, SYN/ACK, ACK) and then does an immediate FIN/ACK and closes the connection. There doesn’t appear to be any data contained in any of the packets, but judging from the prompt, there has to be data in there somewhere. Changing the Source column to display the source ports, another pattern emerges. The source ports kind of appear to be in order, which by itself isn’t unusual, but then they go backwards several times, which is unusual. I go ahead and add an additional filter to the capture to show just the SYN packets without the ACK flag (to show the start of each connection only). I get the source ports in this order:
10097 10099 10115 10099 10050 10048 10049 10055 10123 10083 10110 10101 10097 10107 10121 10083 10110 10101 10097 10107 10121 10083 10110 10101 10097 10107 10121 10125
Looking at the port numbers, they range from 10048 – 10125. Just for shits and giggles, I try to subtract 10,000 from each of the port numbers and get a range of 48 – 125. A quick look at an ASCII conversion table shows that this lines up with characters ranging from 0 – }. Now we’re getting somewhere. Do some more converting and I get:
97 - a 99 - c 115 - s 99 - c 50 - 2 48 - 0 49 - 1 55 - 7 123 - { 83 - S 110 - n 101 - e 97 - a 107 - k 121 - y 83 - S 110 - n 101 - e 97 - a 107 - k 121 - y 83 - S 110 - n 101 - e 97 - a 107 - k 121 - y 125 - }
Which gives me acsc2017{SneakySneakySneak}
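The same decoding, done programmatically, as an added example that is not part of the original write-up. The script constructs a small libpcap file in memory that mimics the capture described above (for each of the 28 source ports listed: SYN, SYN/ACK, ACK, FIN/ACK with no payload), parses the Ethernet/IPv4/TCP headers with the standard library only, applies the write-up's filter (SYN set, ACK clear) and maps source port minus 10000 to ASCII. The 10000 offset and the per-connection packet layout are assumptions taken from the write-up; the checksums in the constructed packets are left at zero.

```python
"""Decode a covert channel carried in TCP source ports (added example)."""
import struct

PORT_OFFSET = 10000            # assumption from the write-up: port = 10000 + ASCII code
TCP_SYN, TCP_ACK, TCP_FIN = 0x02, 0x10, 0x01

# Source ports in the order the write-up lists them (SYN packets only).
OBSERVED_PORTS = [10097, 10099, 10115, 10099, 10050, 10048, 10049, 10055, 10123,
                  10083, 10110, 10101, 10097, 10107, 10121,
                  10083, 10110, 10101, 10097, 10107, 10121,
                  10083, 10110, 10101, 10097, 10107, 10121, 10125]


def build_tcp_frame(src_ip, dst_ip, sport, dport, flags):
    """Construct an Ethernet/IPv4/TCP frame with no payload (checksums left 0)."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in a classic libpcap file (magic 0xA1B2C3D4, LINKTYPE_ETHERNET)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    body = b"".join(struct.pack("<IIII", i, 0, len(f), len(f)) + f
                    for i, f in enumerate(frames))
    return header + body


def iter_tcp(pcap):
    """Yield (src_ip, dst_ip, sport, dport, flags) for every IPv4/TCP frame in the pcap."""
    off = 24                                               # skip the global header
    while off + 16 <= len(pcap):
        _, _, caplen, _ = struct.unpack_from("<IIII", pcap, off)
        off += 16
        frame = pcap[off:off + caplen]
        off += caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                       # not IPv4 over Ethernet, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        t = 14 + ihl                                       # start of the TCP header
        sport, dport = struct.unpack_from("!HH", frame, t)
        yield src, dst, sport, dport, frame[t + 13]        # byte 13 of TCP header = flags


def decode_port_channel(pcap):
    """Keep connection-opening packets (SYN set, ACK clear) and turn ports into text."""
    ports = [sp for _, _, sp, _, fl in iter_tcp(pcap)
             if fl & TCP_SYN and not fl & TCP_ACK]
    return "".join(chr(p - PORT_OFFSET) for p in ports if 0 <= p - PORT_OFFSET < 128)


def packets_per_source_port(pcap, client_ip):
    """Count packets per client-side port; the write-up's clue was that all are multiples of 4."""
    counts = {}
    for src, _, sp, dp, _ in iter_tcp(pcap):
        port = sp if src == client_ip else dp
        counts[port] = counts.get(port, 0) + 1
    return counts


def make_sample_capture():
    """Constructed capture: per port, a handshake followed by an immediate FIN/ACK and no data."""
    client, server = "192.168.122.17", "192.168.122.1"
    frames = []
    for sport in OBSERVED_PORTS:
        frames.append(build_tcp_frame(client, server, sport, 80, TCP_SYN))
        frames.append(build_tcp_frame(server, client, 80, sport, TCP_SYN | TCP_ACK))
        frames.append(build_tcp_frame(client, server, sport, 80, TCP_ACK))
        frames.append(build_tcp_frame(client, server, sport, 80, TCP_FIN | TCP_ACK))
    return build_pcap(frames)


if __name__ == "__main__":
    cap = make_sample_capture()
    print(decode_port_channel(cap))
    print(packets_per_source_port(cap, "192.168.122.17"))
```

The `packets_per_source_port` check reproduces the "multiples of 4" observation that first hinted at the channel: a large number of complete, payload-free connections from one client, each opened and closed within four packets, is the same signal a sensor rule could alert on even before anyone tries to decode the ports. Ports that repeat (for example 10099 and the six letters of "Sneaky") show up as 8 or 12 packets, still multiples of 4.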
Entertaining and educational….
Haven’t had a chance to read the article yet, but if my boss hands me a PCAP, I’d shit myself…lol.
Nice catch!