Tuesday, October 2, 2012

CSAW CTF Quals 2012 Networking 100 and Networking 200 Writeup

As mentioned in a previous post, the CSAW CTF Quals also had Networking challenges, in which contestants were given a packet capture file in which to find the key.

There were four networking challenges which ranged from 100 to 400 points each. Here are the writeups for the only two that I finished during the CTF.

Networking 100 - telnet.pcap

For this challenge, we were given a packet capture containing a telnet session. The first thing we want to do is to open up this file in Wireshark. Once this file is open, we can see that we indeed have a Telnet session, from which we need to extract the key. This should be trivial, since Telnet does not encrypt data (including authentication credentials). This means that if we intercept Telnet traffic, we can harvest credentials with ease.

To do this, we can right-click on a packet in the session, and select 'Follow TCP Stream.' This is a feature of Wireshark that allows us to easily see all of the data that corresponds to a particular session.

Once we choose to follow the TCP steam, we immediately see the flag, which is the password used to establish the Telnet session:

Piece of cake!

Key: welcome to 1969

Networking 200 - lemieux.pcap

For this challenge, we play the role of a friend of some person who wants to gain access to a party. Our friend says that he/she knows someone who created an invitation for a party, but is really strict about who gets in. Our challenge is to find the password used to be let in to the party from the given pcap file.

We start this challenge the same way we started Networking 100 - by opening up the provided pcap in Wireshark. We can see that this looks like a typical capture file of someone browsing the web, with multiple HTTP sessions listed. We can use the 'http' filter to help clean up the listed packets to only include those using the HTTP protocol.

From here we can start looking through the packet capture, and we start seeing requests to http://taproom307.com/. By visiting this site, we can see a link to 'Book a Party,' suggesting this may be the best way to proceed looking at the capture file. We can also guess that we are looking for a POST request, since the individual likely POSTed a form to book the party.

After some digging we finally come across this request which, after analyzing the data sent, shows us the password to attend the party.

Key: brooklyn beat box

That's all there is to it for these first two Networking challenges. Here are links to blog posts that write up the solutions to the other two challenges - Networking 300 and Networking 400:

Networking 300:

Networking 400:

Leave a comment below if you have any questions!


No comments:

Post a Comment