SHIELDS CTF Write ups

3 minute read

You will find on this page two challenge write ups that I did during SHIELDS CTF in June 2021. The CTF was quite short (less than 5 hours) and reserved for bachelor students. The CTF was very nice, thanks to the organizers!

  • Flag format: SHIELDS{flag}
  • Team: H4ck0liques

Surveillance (200 pts)

Vous êtes l’admin sys d’une entreprise. Vous êtes certains que Bernard passe son temps à regarder des images de Star Wars sur Internet. Trouvez le personnage qu’il admire !

First, let’s look at Surveillance.pcapng: it contains a big unencrypted TCP connection. If we look inside (right click on TCP frame > Follow… > TCP), it looks like SSH and we have commands (and their output) in clear:

TCP

One command is interesting: C:\SSL>type SSLKEY.log, there is a master-secret log inside SSLKEY.log, it is very useful to decrypt HTTPS connection:

# SSL/TLS secrets log file, generated by NSS
CLIENT_HANDSHAKE_TRAFFIC_SECRET d5cfcd503fa59c17decc87d4f2a1de8844c6503afa06ff33acc21691f42a55be 50e0b3eae2ea7ae37d412ce817e23c02616e836892e92f2c1ea34aef4b05871c
SERVER_HANDSHAKE_TRAFFIC_SECRET d5cfcd503fa59c17decc87d4f2a1de8844c6503afa06ff33acc21691f42a55be 566f013475518d3fbd2e553c1bac41df88070670b9a2270bcd2bbb3353bcdecb
    ...

Let’s reformat the file and add it to Wireshark (Edit > Preferences > Protocols > TLS > (Pre)-master-secret log filename).

Now, time to look at Bernard.pcapng. There is a lot of things here! Since we have SSL key, we can look inside HTTP requests. I apply a filter (filter: http) and I look for something interesting. There is countless requests to https://www.journaldemickey.com/ but it does not help us in our quest of Bernard’s idols. But if we look at the very end of the transmission, we have two interesting HTTP requests:

16618	185.490875	172.16.28.160	188.165.251.41	HTTP	601	GET /img/actualite/ill_m/1602648347/wicketewoksfils.jpg HTTP/1.1
16886	186.176518	172.16.28.160	185.129.44.48	HTTP	600	GET /r_640_360/newsv7/19/03/22/10/08/2612282.jpg HTTP/1.1

These are requests for pictures of Ewok! ewok

So we have our flag: SHIELDS{Ewok}

Faisons l’inventaire (200 pts)

L’outil de gestion du parc informatique de la base de Hoth est en panne. Le chef de la résistance vous demande de retrouver quelques infos sur un ancien serveur, malheureusement ce serveur n’existe plus. Il ne vous reste qu’une seule sauvegarde de celui-ci, et deux autres fichiers étranges.

Vous devez trouvez les informations suivantes : Le nom de la machine, le pseudo de l’unique utilisateur présent, la version kernel, le port d’écoute du service SSH, le PID du processus qui implémente IEEE 802.11 et le nom du fichier destination de la commande exécutée à 17:34.

  • File 1: sauvegarde.mem (memory dump, ~500 Mo)
  • File 2: volatility profile
  • Flag format: SHIELDS{machineName:username:kernelVersion:sshPort:pid:filename.xxx}

This challenge was very volatility-oriented, although some information could just be found with a basic strings -a. While the memory dump is downloading, I add the config file to the program and I check that it is correctly detected:

$ cp -v LinuxDebianSHIELDS.zip /.../volatility/volatility/plugins/overlays/linux/
$ volatility --info | grep -i shields
LinuxLinuxDebianSHIELDSx64                     - A Profile for Linux LinuxDebianSHIELDS x64

All good. Even if the profile volatility already gives us a lot of information, let’s take a look at the system version of the memory dump:

$ grep -i -o -a 'Linux version .\{1,75\}' sauvegarde.mem
Linux version 4.19.0-10-amd64 (debian-kernel@lists.debian.org) (gcc version 8.3.0 (Debian

So we have our kernel version: 4.19.0-10-amd64. Now, let’s use volatility to find more info:

$ volatility -f sauvegarde.mem --profile=LinuxLinuxDebianSHIELDSx64 linux_bash

There are loads of useful information in the bash history! First, we have our username lebigbossdufutur:

444 bash                 2020-09-03 17:28:22 UTC+0000   su lebigbossdufutur

We also have the command we are looking for:

444 bash                 2020-09-03 17:34:34 UTC+0000   insmod lime-4.19.0-10-amd64.ko "path=/home/bigbossdufutur/memory_dump.dmp format=lime

so our file is memory_dump.dmp. To find the hostname, there is an easy trick once you have found the username:

$ strings sauvegarde.mem | grep -i bigbossdufutur@
]0;bigbossdufutur@labobsi: /root

and we have our hostname: labobsi. Time to look for the IEEE 802.11 process, a pslist gives us:

$ volatility -f sauvegarde.mem --profile=LinuxLinuxDebianSHIELDSx64 linux_pslist
    ...
0xffff91ac9f050ec0 wpa_supplicant       390
    ...

Since wpa_supplicant is the only wifi-related process, we have our PID: 390. Eventually, we can look to the network to find the SSH port:

$ volatility -f sauvegarde.mem --profile=LinuxLinuxDebianSHIELDSx64 linux_netstat
    ...
    TCP      192.168.1.19    :20122 192.168.1.151   :28300 ESTABLISHED     sshd/426
    ...

So our port is 20122. Done!

Flag: SHIELDS{labobsi:bigbossdufutur:4.19.0-10-amd64:20122:390:memory_dump.dmp}