Wargames 2023 Writeup [SeeYou]

uwu

So another writeup for another Forensics challenge for Wargames 2023! I ended the year off with a PTSD challenge as usual with any CTF I had. This time it was a challenge I was very familiar with after seeing this type of challenge in PicoCTF but I was concentrating on the wrong things. With that said, let’s get into the writeup!


challenge

So, we can see here that a file is provided to us and that the description of the challenge mentioned that data has been exfiltrated through the network internally.


wireshark-wew

Extracting the zip file gives us a pcapng file which when opened, revealed a bunch of packets. However, sticking to the description of the challenge, I started looking for IP addresses.


sus-ports

I managed to stumbled on this, connections from a machine on the same port to different ports on a different machine were being performed.


sans-whitepaper

Immediately, I started Googling for TTPs about this kind of exfiltration and I came up with this whitepaper from SANS.

By the way, I was so deep into this whitepaper that I started reading the source code of the tool.


oh-no-data

Now, starting from here, my downfall begins…

From previous packet analysis challenge, and as a habit I check for data within streams and coincidentally there was data within the packets. I started writing scripts to extract all the data from the packets that were going to their respective ports, arranging them from 30000 to 30255 and decoding them using base64, base62 and base32.

When that didn’t work, I tried arranging them based on timestamps, which didn’t make sense because Wireshark does that by default. Basically, I was in a rabbit hole.


tshark-baby

tshark -r artifact.pcapng -Y "udp.srcport == 38884" -T fields -e udp.dstport > ports.txt

After the CTF ended, I discovered I was suppose to look at the ports! So, I made a tshark query to do just that and output it to a file.


#!/bin/bash

# Check if a file name is provided
if [ "$#" -ne 1 ]; then
    echo "Usage: $0 filename"
    exit 1
fi

# Process each line of the file
while IFS= read -r line; do
    echo "$((line - 30000))"
done < "$1"

Furthermore, since I was concentrating on the ports, I needed to minus the front part of the ports which was an offset of 30000. So, again… I wrote a bash script to do just that.


encoded-text-wew

And the result was this blob.


decoded-text-wew

As I did this kind of challenge before on PicoCTF, I knew the values were in decimal. So throwing it into CyberChef and placing the recipes From Decimal and Render Image gives us the flag!


flag

A place to scream: AHHHHHHHHHHHHHHHHHHHHHHHHH


Anyways… here’s the flag:

wgmy{c0e22d2434fa188003be61e9fe404ea6}

jigsaw's blog

i’m zach and I build labs and create ctf challenges

Write Up for a Digital Forensics challenge for Wargames 2023

By jigsaw, 2023-12-17