Deadface CTF 2021 — Traffic Analysis Writeup

Mutawkkel Abdulrhman
4 min read · Oct 19, 2021


1 - Monstrum ex Machina

Our person on the “inside” of Ghost Town was able to plant a packet sniffing device on Luciafer’s computer. Based on our initial analysis, we know that she was attempting to hack a computer in Lytton Labs, and we have some idea of what she was doing, but we need a more in-depth analysis. This is where YOU come in.

We need YOU to help us analyze the packet capture. Look for relevant data to the potential attempted hack.

To gather some information on the victim, investigate the victim’s computer activity. The “victim” was using a search engine to look up a name. Provide the name with standard capitalization: flag{Jerry Seinfeld}.

Filter for HTTP packets and you’ll find the name in packet number 151304.
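The same search can be done outside Wireshark. The following is an added example, not part of the original writeup: a minimal classic-pcap walker (Ethernet/IPv4/TCP only, no pcapng) that looks at every HTTP GET request line and pulls the search term out of the query string. The list of query keys (`q`, `query`, `p`, `search`) is an assumption about common search engines, and the sample capture is constructed in the script rather than taken from the challenge file.

```python
"""Walk a classic pcap and pull search terms out of HTTP GET request lines."""
import struct
from urllib.parse import parse_qs, urlsplit

# Query-string keys that search engines commonly use for the typed term.
# This is an assumed list; extend it for whatever engine the capture shows.
SEARCH_KEYS = ("q", "query", "p", "search")


def pcap_packets(data):
    """Yield (packet_number, frame) for each record of a classic pcap file."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        end = "<"          # little-endian pcap
    elif magic == b"\xa1\xb2\xc3\xd4":
        end = ">"          # big-endian pcap
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    link_type = struct.unpack(end + "I", data[20:24])[0]
    if link_type != 1:     # LINKTYPE_ETHERNET only
        raise ValueError("unsupported link type %d" % link_type)
    off, number = 24, 1    # Wireshark numbers packets from 1
    while off + 16 <= len(data):
        incl_len = struct.unpack(end + "IIII", data[off:off + 16])[2]
        off += 16
        yield number, data[off:off + incl_len]
        off += incl_len
        number += 1


def tcp_payload(frame):
    """Return the TCP payload of an Ethernet/IPv4/TCP frame, or None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    tcp = frame[14 + ihl:14 + total_len]
    if len(tcp) < 20:
        return None
    data_off = (tcp[12] >> 4) * 4
    return tcp[data_off:]


def find_search_terms(pcap_bytes):
    """Return [(packet_number, term)] for every GET whose URL carries a search key."""
    hits = []
    for number, frame in pcap_packets(pcap_bytes):
        payload = tcp_payload(frame)
        if not payload or not payload.startswith(b"GET "):
            continue
        request_line = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
        parts = request_line.split(" ")
        if len(parts) < 2:
            continue
        query = parse_qs(urlsplit(parts[1]).query)   # '+' and %XX are decoded here
        for key in SEARCH_KEYS:
            for term in query.get(key, []):
                hits.append((number, term))
    return hits


# --- constructed sample capture (not from the challenge pcap) -----------------
def _frame(payload):
    """Wrap a payload in minimal Ethernet/IPv4/TCP headers (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10])) + tcp
    return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip


def build_pcap(payloads):
    """Serialise payloads as a little-endian classic pcap with Ethernet link type."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for payload in payloads:
        frame = _frame(payload)
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out


SAMPLE_PCAP = build_pcap([
    b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"GET /search?q=Charles+Geschickter&source=hp HTTP/1.1\r\nHost: search.example.test\r\n\r\n",
])

if __name__ == "__main__":
    for number, term in find_search_terms(SAMPLE_PCAP):
        print("packet %d: %s" % (number, term))
```

On a real capture, replace `SAMPLE_PCAP` with `open("capture.pcap", "rb").read()`; the packet numbers it reports line up with Wireshark’s frame numbers as long as the file is a classic pcap and no display filter is active. Requests split across TCP segments or carried over HTTPS will not be seen, which is the same limitation the `http` display filter has.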

flag{Charles Geschickter}

2 - The SUM of All FEARS

After hacking a victim’s computer, Luciafer downloaded several files, including two binaries with identical names, but with the extensions .exe and .bin (a Windows binary and a Linux binary, respectively).

What are the MD5 hashes of the two tool programs? Submit both hashes as the flag, separated by a |: flag{ExeMD5|BinMD5}

Use the PCAP from LYTTON LABS 01 — Monstrum ex Machina.

We have to search for identical names with different extensions. I started by running strings on the pcap and found that the binary is called lytton-crypt.

Next we have to extract them from the pcap. The two binaries were transferred over FTP, so to dump them we filter for ftp-data and then save the raw content of each stream.

Note that we have to save the one with the bigger size.

After saving them, calculate the hash of each file; the flag is flag{9cb9b11484369b95ce35904c691a5b28|4da8e81ee5b08777871e347a6b296953}
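The “keep the bigger one” rule and the hashing step can be scripted once the ftp-data streams have been saved. The following is an added example, not the author’s code: it reads the RETR commands off the FTP control channel to learn which filename each data stream belongs to, keeps the largest copy of every name, sanity-checks the magic bytes (PE for the .exe, ELF for the .bin) and builds the flag string. The control-channel text and the three data streams are constructed here; the real streams would come from Wireshark’s “Follow TCP Stream > Save as raw” on each ftp-data conversation.

```python
"""Pair FTP RETR commands with ftp-data streams, keep the largest copy, hash it."""
import hashlib
import re

RETR_RE = re.compile(r"^RETR (\S+)\r?$", re.MULTILINE)


def retr_sequence(control_stream):
    """Filenames requested with RETR on the FTP control channel, in wire order."""
    return RETR_RE.findall(control_stream)


def file_kind(blob):
    """Cheap magic-number check: does the blob look like a PE or an ELF binary?"""
    if blob.startswith(b"MZ"):
        return "pe"
    if blob.startswith(b"\x7fELF"):
        return "elf"
    return "unknown"


def largest_per_file(filenames, data_streams):
    """Zip each RETR with the ftp-data stream that followed it and keep the
    biggest copy of each name (a cut-short transfer leaves a smaller stream)."""
    if len(filenames) != len(data_streams):
        raise ValueError("every RETR must have exactly one ftp-data stream")
    best = {}
    for name, blob in zip(filenames, data_streams):
        if name not in best or len(blob) > len(best[name]):
            best[name] = blob
    return best


def md5_hex(blob):
    """Hex MD5 of the saved stream, same as `md5sum` on the dumped file."""
    return hashlib.md5(blob).hexdigest()


def build_flag(files, basename):
    """flag{ExeMD5|BinMD5} for the .exe/.bin pair that shares basename."""
    exe, binary = files[basename + ".exe"], files[basename + ".bin"]
    if file_kind(exe) != "pe" or file_kind(binary) != "elf":
        raise ValueError("stream content does not match the extension; wrong stream?")
    return "flag{%s|%s}" % (md5_hex(exe), md5_hex(binary))


# --- constructed sample, not taken from the challenge pcap --------------------
CONTROL = (
    "USER anonymous\r\nPASS guest\r\n"
    "TYPE I\r\nPASV\r\nRETR lytton-crypt.exe\r\n"    # first attempt, cut short
    "PASV\r\nRETR lytton-crypt.exe\r\n"              # full copy
    "PASV\r\nRETR lytton-crypt.bin\r\n"
    "QUIT\r\n"
)
EXE_PARTIAL = b"MZ" + b"\x90" * 100
EXE_FULL = b"MZ" + b"\x90" * 100 + b"PE\x00\x00" + b"\xcc" * 300
BIN_FULL = b"\x7fELF" + b"\x02\x01\x01" + b"\x00" * 250
DATA_STREAMS = [EXE_PARTIAL, EXE_FULL, BIN_FULL]

if __name__ == "__main__":
    files = largest_per_file(retr_sequence(CONTROL), DATA_STREAMS)
    for name, blob in files.items():
        print(name, len(blob), file_kind(blob), md5_hex(blob))
    print(build_flag(files, "lytton-crypt"))
```

The magic-byte check is the cheap equivalent of running `file` on the dumped streams before hashing: if the stream you saved as the .exe does not start with `MZ`, you most likely saved the wrong conversation or the truncated copy.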

3 - Luciafer’s Fatal Error

Luciafer, consummate hacker, got cocky and careless. She made a fatal mistake, and in doing so, gave control of her computer to… someone. She ran a program on her computer that she shouldn’t have.

What is the md5sum of the program? Submit the flag as: flag{MD5}.

Use the PCAP from Monstrum ex Machina

When I was searching for the binaries for the previous challenge I saw another .bin file called secret-decoder, so I extracted it (File > Export Objects > HTTP) and indeed it was the correct program.

flag{42e419a6391ca79dc44d7dcef1efc83b}

4 - Persistence Pays Off

Luciafer might have just bit off more than she can chew! She has encountered an adversary that is counter-attacking her system!

Luciafer’s Lytton Labs adversary executed a command to attain persistence on her computer. This command will allow the adversary to regain a connection to her computer again later, even if she reboots it.

What is the packet number where this command is executed. For example: flag{93721}.

Use the PCAP file from Monstrum ex Machina.

The mission here is to find a persistence command. I started with strings and grep and tried the most common persistence techniques, but after a while I gave up on that and started to manually search through the packets until I found it at packet number 160468.
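The strings-and-grep approach can be made more systematic by scanning every reassembled payload for a small set of persistence indicators and reporting the packet number of each hit, so that manual review starts from a short list instead of the whole capture. This is an added example, not the author’s code; the indicator patterns are an illustrative set I chose (cron entries, init/service registration, shell profiles, SSH authorized keys, Windows autoruns), and the interactive-shell traffic below is constructed, not taken from the challenge pcap.

```python
"""Scan reassembled TCP payloads for common persistence indicators."""
import re

# Illustrative indicator set (assumed, not from the challenge); tune it for the
# host OS seen in the capture and expect benign hits (e.g. `crontab -l`) that
# still need a human look before the packet number is submitted.
PERSISTENCE_PATTERNS = {
    "cron": re.compile(r"crontab\s|@reboot|/etc/cron", re.I),
    "init-service": re.compile(r"/etc/rc\.local|/etc/init\.d/|systemctl\s+enable", re.I),
    "shell-profile": re.compile(r"\.bashrc|\.bash_profile|/etc/profile", re.I),
    "ssh-keys": re.compile(r"authorized_keys", re.I),
    "windows-autorun": re.compile(r"schtasks\s+/create|CurrentVersion\\Run|sc\s+create", re.I),
}


def scan_payloads(packets):
    """packets: iterable of (packet_number, payload_bytes).
    Return [(packet_number, category, line)] for every line that matches."""
    hits = []
    for number, payload in packets:
        text = payload.decode("utf-8", "replace")
        for line in text.splitlines():
            for category, pattern in PERSISTENCE_PATTERNS.items():
                if pattern.search(line):
                    hits.append((number, category, line.strip()))
                    break        # one category per line is enough for triage
    return hits


def first_hit_packet(packets):
    """Earliest packet number carrying any indicator, or None if nothing matched."""
    hits = scan_payloads(packets)
    return min(h[0] for h in hits) if hits else None


# --- constructed interactive-shell traffic, not from the challenge pcap ------
SAMPLE_PACKETS = [
    (101, b"uname -a\n"),
    (102, b"Linux luciafer-box 5.4.0 #1 SMP x86_64 GNU/Linux\n"),
    (117, b"crontab -l\n"),
    (118, b"@reboot /tmp/.cache/update\n"),
    (243, b"cat /etc/passwd\n"),
    (300, b"ls -la /home/luciafer/.ssh\n"),
]

if __name__ == "__main__":
    for number, category, line in scan_payloads(SAMPLE_PACKETS):
        print("packet %d [%s]: %s" % (number, category, line))
    print("earliest candidate:", first_hit_packet(SAMPLE_PACKETS))
```

To feed it a real capture, pair each packet number with its TCP payload (the `pcap_packets`/`tcp_payload` pair from the first example does that for a classic pcap) and then read the hits in order: the earliest one is only a candidate, and the surrounding packets still have to be checked to confirm it is the command that was actually executed rather than a listing or an echo of it.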

flag{160468}

5 - A Warning

Luciafer is being watched! Someone on the inside of Lytton Labs can see what she is doing and is sending her a message.

One of them says: “Stay away from Lytton Labs… you have been warned.”

To find the flag, find the message. You’ll know it when you see it. Submit the flag as flag{flag-goes-here}.

Use the PCAP from LYTTON LABS 01 — Monstrum ex Machina.

The first thing I did was grep for the message with strings and check whether there was a flag next to it.

At first I thought the flag was flag{Dark Angel}, but I was wrong, so I went back into the pcap and found a file retrieved over HTTP named da-warning-message.

I immediately thought that “da” was an abbreviation for Dark Angel. The next step is to dump the image: go to File > Export Objects > HTTP and extract it.
