DEF CON 29 Red Team Village Capture the Flag (CTF) - Part 1

With a long weekend ahead, I decided to gather a few friends and form a team to participate in the DEF CON 29 RTV CTF. We came in with one goal in mind: to have fun. This two-part post covers only the challenges I attempted myself.

These are the challenges covered in part 1 of 2:

  1. Ancient Crypto Corner - The name's Caesar
  2. Cracking - Easy Crack 1 to 5
  3. Network Forensics - Protected OSPF
  4. FLAGUSB - Look at what Wireshark can do!

Challenge Start

The challenges were released at 10 AM (UTC); these were the ones available at the start.

List of challenges

More challenges were added along the way, and my friends and I worked through whatever was available. Since all we wanted was to have fun, we simply picked what we found interesting.

The name's Caesar (Caesar Cipher)

I started with the Caesar cipher challenge (I like a salad before my entrée), named The name's Caesar, under the Ancient Crypto Corner category.

Ancient Crypto Corner challenges
Caesar Cipher challenge

The Caesar cipher is a shift cipher: sender and receiver agree on a key in advance (the number of positions each letter is shifted along the alphabet), so that either side can map each letter of the coded message back to the letter it actually represents. Read more here.

I used a public decoder and got the flag caesar_cipher_shift_of_three. The +3 shown by the decoder indicates a key shift of 3.

Decoder from https://www.dcode.fr/caesar-cipher

Easy Crack 1-5 (Hash cracking)

Next I picked the Easy Crack 1 to 5 challenges.

Cracking challenges

Easy Crack 1 and 5 were MD5 hashes, which were easily cracked by looking them up on CrackStation.

Easy Crack 1
Easy Crack 2

Easy Crack 2, 3 and 4 were luckily also found in the wordlist once I had identified the right hash type.

I identified the hash type by matching its pattern against hashcat's example hashes.

hashcat --example-hashes | grep "\$6\$*" -B 4

Mode 1800 (sha512crypt, the $6$ prefix) was what I was looking for.

Knowing which mode to select, I ran hashcat on the hashes (saved in a file called easycracks) against rockyou.txt:

hashcat -m 1800 -a 0 easycracks /usr/share/wordlists/rockyou.txt

After approximately 40-45 minutes, the hashes were cracked:

Christopher:$6$33VlMNJ9o4Xyi343$.1edgNlimWliqoXi2ETLEM4qQk7U.sYo2gCeqs9HlZMlvJGnibSP.BCw4cdpGUqE41Bxjp.fWI2iDKClGBxoR1 (2316AY)
Sean:$6$MPCZQ37FAGshRIep$W1lDSSonF8P080J/VmsS2QVsbkCGPVxcjomFiGTHsWrgS8wBOBWgYonUciXbpY/LmIxnKNX/j4lsuRFegZhFE0 (moe512)
Jessica:$6$qUX8cPJFtK0MIJqG$pFW1bnU4qaS8O9lv1gfsG3/CCa7F2SS12m5ivkrGVO7/Sqtd2/c.RR52d5WQ2461ZbTnOMh7zzGJoXZRO5/rP/ (shikari90)

For these challenges, the recovered passwords were the flags.
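The manual step above (spotting the $6$ prefix and mapping it to mode 1800) can be automated by parsing the modular crypt format. The following is an added example, not the author's tooling: it splits `$id$[rounds=N$]salt$digest`, checks the digest length that each scheme requires, falls back to a length-based guess for unsalted hex hashes, and verifies candidates for unsalted hashes with hashlib. The three sha512crypt lines are the hashes from the write-up (without the appended passwords); the `user:hash` file layout and the MD5 line are constructed for the example.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Modular-crypt-format identifiers -> (scheme, hashcat mode, digest length).
MCF_SCHEMES = {
    "1": ("md5crypt", 500, 22),
    "5": ("sha256crypt", 7400, 43),
    "6": ("sha512crypt", 1800, 86),
}

# Unsalted raw hashes are recognised by hex length alone; this is a best guess
# (e.g. NTLM is also 32 hex chars), so treat the mode as a starting point.
RAW_HEX_SCHEMES = {
    32: ("MD5", 0),
    40: ("SHA1", 100),
    64: ("SHA2-256", 1400),
}

MCF_RE = re.compile(
    r"^\$(?P<id>[156])\$(?:rounds=(?P<rounds>\d+)\$)?"
    r"(?P<salt>[^$]{1,16})\$(?P<digest>[./0-9A-Za-z]+)$"
)


@dataclass
class HashInfo:
    scheme: str
    hashcat_mode: int
    salt: Optional[str]
    digest: str
    rounds: Optional[int] = None


def identify_hash(value: str) -> HashInfo:
    """Parse a hash string, validate its structure and return the hashcat mode."""
    value = value.strip()
    m = MCF_RE.match(value)
    if m:
        scheme, mode, digest_len = MCF_SCHEMES[m["id"]]
        if len(m["digest"]) != digest_len:
            raise ValueError(f"{scheme}: digest should be {digest_len} chars, got {len(m['digest'])}")
        rounds = int(m["rounds"]) if m["rounds"] else None
        return HashInfo(scheme, mode, m["salt"], m["digest"], rounds)
    if re.fullmatch(r"[0-9a-fA-F]+", value) and len(value) in RAW_HEX_SCHEMES:
        scheme, mode = RAW_HEX_SCHEMES[len(value)]
        return HashInfo(scheme, mode, None, value.lower())
    raise ValueError(f"unrecognised hash format: {value!r}")


def parse_hash_file(lines: Iterable[str]) -> Dict[str, HashInfo]:
    """Parse `user:hash` lines (assumed layout of a file like easycracks)."""
    results = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, hash_value = line.partition(":")
        results[user] = identify_hash(hash_value)
    return results


def verify_raw(candidate: str, hash_value: str) -> bool:
    """Check a candidate password against an unsalted raw hash with hashlib."""
    info = identify_hash(hash_value)
    algo = {"MD5": "md5", "SHA1": "sha1", "SHA2-256": "sha256"}[info.scheme]
    return hashlib.new(algo, candidate.encode()).hexdigest() == info.digest


# Sample input: the three sha512crypt hashes from the write-up plus one
# constructed unsalted MD5 line (MD5 of the string "password").
SAMPLE_LINES = [
    "Christopher:$6$33VlMNJ9o4Xyi343$.1edgNlimWliqoXi2ETLEM4qQk7U.sYo2gCeqs9HlZMlvJGnibSP.BCw4cdpGUqE41Bxjp.fWI2iDKClGBxoR1",
    "Sean:$6$MPCZQ37FAGshRIep$W1lDSSonF8P080J/VmsS2QVsbkCGPVxcjomFiGTHsWrgS8wBOBWgYonUciXbpY/LmIxnKNX/j4lsuRFegZhFE0",
    "Jessica:$6$qUX8cPJFtK0MIJqG$pFW1bnU4qaS8O9lv1gfsG3/CCa7F2SS12m5ivkrGVO7/Sqtd2/c.RR52d5WQ2461ZbTnOMh7zzGJoXZRO5/rP/",
    "demo:5f4dcc3b5aa765d61d8327deb882cf99",  # constructed
]

if __name__ == "__main__":
    for user, info in parse_hash_file(SAMPLE_LINES).items():
        print(f"{user:12s} {info.scheme:12s} hashcat -m {info.hashcat_mode}  salt={info.salt}")
```

Salted, iterated schemes such as sha512crypt cannot be verified with plain hashlib, which is exactly why hashcat or JtR is needed there; the length check matters in practice because a truncated copy-paste of a $6$ hash still looks like one and would otherwise be fed to hashcat as-is.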

Cracking OSPF passphrase (Protected OSPF)

The next one, Protected OSPF, was in the Network Forensics category.

Protected OSPF challenge

The file for this challenge was a .pcap file whose OSPF packets carried an MD5 authentication digest, computed over each packet together with the passphrase used to secure the OSPF routing protocol.

MD5 sum passphrase value shown under the Auth Crypt Data field

During this CTF, I learnt that ettercap can extract the password hashes of certain network protocols (e.g. OSPF, RIPv2) and output them in a format John the Ripper (JtR) understands.

ettercap -Tqr ospf.pcap

-T: text-only interface
-q: quiet (do not print packet contents)
-r: read packets from a pcap file
Using ettercap to extract OSPF hashed passphrase

I then ran JtR with the extracted hashes against rockyou.txt and cracked the passphrase.

JtR successfully cracked the hashes
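Why a wordlist can recover the passphrase at all follows from how OSPFv2 cryptographic authentication (RFC 2328, Appendix D) is built: the value in Auth Crypt Data is MD5 over the whole OSPF packet with the shared key, zero-padded to 16 bytes, appended. Anyone holding the packet can therefore recompute the digest for each candidate passphrase, which is what ettercap and JtR do. The code below is an added example, not part of the write-up or of either tool: it constructs a minimal OSPF Hello with a constructed passphrase, derives its digest, parses the authentication fields back out of the header, and verifies candidates against the digest. The router id, area, key id, sequence number and wordlist are all constructed sample values.

```python
import hashlib
import hmac
import struct
from typing import Iterable, Optional, Tuple

OSPF_AUTH_CRYPTOGRAPHIC = 2  # AuType for MD5 authentication (RFC 2328)
OSPF_HEADER_LEN = 24
MD5_KEY_LEN = 16


def pad_key(passphrase: bytes) -> bytes:
    """OSPF treats the key as exactly 16 bytes: zero-padded, or truncated if longer."""
    return passphrase[:MD5_KEY_LEN].ljust(MD5_KEY_LEN, b"\x00")


def ospf_md5_digest(packet: bytes, passphrase: bytes) -> bytes:
    """Digest appended after the packet (Wireshark's 'Auth Crypt Data'):
    MD5 over the complete OSPF packet followed by the padded key."""
    return hashlib.md5(packet + pad_key(passphrase)).digest()


def build_hello(router_id: bytes, area_id: bytes, key_id: int, seq: int,
                passphrase: bytes) -> Tuple[bytes, bytes]:
    """Construct a minimal OSPFv2 Hello using cryptographic authentication and
    return (packet, digest). The checksum field is left zero: with AuType 2 the
    digest, not the checksum, protects the packet."""
    # Hello body: netmask, hello interval, options, router priority,
    # router dead interval, designated router, backup designated router.
    body = struct.pack("!4sHBBI4s4s", bytes([255, 255, 255, 0]), 10, 0x02, 1, 40,
                       b"\x00" * 4, b"\x00" * 4)
    length = OSPF_HEADER_LEN + len(body)
    # 64-bit authentication field for AuType 2: zero, key id, auth data length, crypto sequence number
    auth = struct.pack("!HBBI", 0, key_id, MD5_KEY_LEN, seq)
    header = struct.pack("!BBH4s4sHH", 2, 1, length, router_id, area_id, 0,
                         OSPF_AUTH_CRYPTOGRAPHIC) + auth
    packet = header + body
    return packet, ospf_md5_digest(packet, passphrase)


def parse_auth_header(packet: bytes) -> dict:
    """Pull version, type, length and the authentication fields from the 24-byte header."""
    version, ptype, length, router_id, area_id, checksum, autype = struct.unpack("!BBH4s4sHH", packet[:16])
    _zero, key_id, auth_len, seq = struct.unpack("!HBBI", packet[16:24])
    return {"version": version, "type": ptype, "length": length, "autype": autype,
            "key_id": key_id, "auth_len": auth_len, "seq": seq}


def verify_digest(packet: bytes, digest: bytes, passphrase: bytes) -> bool:
    """Does `passphrase` reproduce the captured digest for this packet?"""
    return hmac.compare_digest(ospf_md5_digest(packet, passphrase), digest)


def dictionary_check(packet: bytes, digest: bytes, wordlist: Iterable[str]) -> Optional[str]:
    """Offline check of each candidate against one captured packet and digest."""
    for word in wordlist:
        if verify_digest(packet, digest, word.encode()):
            return word
    return None


# Constructed sample: a short, guessable passphrase and a tiny wordlist.
SAMPLE_PASSPHRASE = b"weak-ospf-key"
SAMPLE_WORDLIST = ["password", "cisco", "ospf123", "weak-ospf-key", "letmein"]

if __name__ == "__main__":
    pkt, dig = build_hello(bytes([10, 0, 0, 1]), bytes(4), 1, 0x1000, SAMPLE_PASSPHRASE)
    print(parse_auth_header(pkt))
    print("Auth Crypt Data:", dig.hex())
    print("recovered:", dictionary_check(pkt, dig, SAMPLE_WORDLIST))
```

The construction has no per-packet secret salt and no work factor, so the cost of a guess is one MD5 of a small packet; the defences are a long random key (the full 16 bytes), periodic key rotation via the key id, or moving to HMAC-SHA authentication (RFC 5709), none of which change the fact that the key must not appear in a wordlist.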

Recovering raw USB data from a packet capture (FLAGUSB)

The task was to extract raw USB data from a Wireshark capture.

FLAGUSB challenge

The downloaded file was a .pcap file containing captured USB transfers. I was interested in the packets that actually carried data, which this display filter selects:

(usb.data_flag == "present (0)")

The Info field showing USB_INTERRUPT in also caught my attention, since interrupt transfers are typically keystrokes or some other form of I/O.

Filtered packets with data

I added the Leftover Capture Data field as a column, because its value holds the raw USB data. I still needed a way to extract the values efficiently, and found that tshark could do this:

tshark -r file.pcap -T fields -e usb.capdata
Extracting USB captured data from file.pcap

Searching online, I came across a write-up of a similar scenario in which the author was extracting raw USB data.

It also confirmed my suspicion that the USB_INTERRUPT in packets were indeed keystrokes.

I extracted the message using the script from that blog post (credits to its author), which converts the HID Usage IDs into ASCII keystrokes.

Python script to map Usage IDs to keystroke
Flag found
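The conversion the borrowed script performs works on the 8-byte boot-protocol keyboard report that each USB_INTERRUPT in packet carries: byte 0 is the modifier bitmap (shift is bit 1 or bit 5), byte 1 is reserved, and bytes 2 to 7 hold up to six Usage IDs of the keys currently down, so a press shows up as a report with the key followed by an all-zero release report. The decoder below is an added example written for this post, not the script the author used: it reads `tshark -T fields -e usb.capdata` output in both the colon-separated and plain-hex forms, skips packets without data, applies shift, emits a character only on a new press (not while a key is held), and replays Backspace against the buffer. The capdata lines are constructed to spell a sample string, including a typo that is backspaced away.

```python
from typing import Optional

# Keyboard/keypad page Usage IDs -> (unshifted, shifted) characters, for the
# subset a CTF keystroke capture normally contains (letters, digits, US-layout
# punctuation, Enter, Tab, Space). Unknown IDs (arrows, F-keys) are ignored.
USAGE_TO_CHAR = {}
for i, ch in enumerate("abcdefghijklmnopqrstuvwxyz"):
    USAGE_TO_CHAR[0x04 + i] = (ch, ch.upper())
for i, (digit, sym) in enumerate(zip("1234567890", "!@#$%^&*()")):
    USAGE_TO_CHAR[0x1E + i] = (digit, sym)
USAGE_TO_CHAR.update({
    0x28: ("\n", "\n"), 0x2B: ("\t", "\t"), 0x2C: (" ", " "),
    0x2D: ("-", "_"), 0x2E: ("=", "+"), 0x2F: ("[", "{"), 0x30: ("]", "}"),
    0x31: ("\\", "|"), 0x33: (";", ":"), 0x34: ("'", '"'), 0x35: ("`", "~"),
    0x36: (",", "<"), 0x37: (".", ">"), 0x38: ("/", "?"),
})
KEY_BACKSPACE = 0x2A
SHIFT_MASK = 0x22  # left shift (bit 1) or right shift (bit 5) in the modifier byte


def parse_report(line: str) -> Optional[bytes]:
    """Turn one tshark usb.capdata value into an 8-byte report. Accepts
    'aa:bb:...' and 'aabb...' forms; returns None for blank lines (packets
    without data) and for payloads that are not boot-protocol keyboard reports."""
    hexstr = line.strip().replace(":", "")
    if not hexstr:
        return None
    data = bytes.fromhex(hexstr)
    return data if len(data) == 8 else None


def decode_keystrokes(capdata: str) -> str:
    """Reconstruct typed text from a sequence of keyboard reports."""
    typed = []
    previously_down = set()
    for line in capdata.splitlines():
        report = parse_report(line)
        if report is None:
            continue
        modifiers, keys = report[0], [k for k in report[2:8] if k]
        shifted = bool(modifiers & SHIFT_MASK)
        for key in keys:
            if key in previously_down:
                continue  # still held from the previous report, not a new press
            if key == KEY_BACKSPACE:
                if typed:
                    typed.pop()
            elif key in USAGE_TO_CHAR:
                typed.append(USAGE_TO_CHAR[key][1 if shifted else 0])
        previously_down = set(keys)
    return "".join(typed)


# Constructed tshark-style output, one usb.capdata value per packet, mixing the
# colon-separated and plain-hex forms and including an empty line. It types
# "Flag{hidx", backspaces the "x", types "}" and presses Enter.
SAMPLE_CAPDATA = """\
02:00:09:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:0f:00:00:00:00:00
00:00:00:00:00:00:00:00
0000040000000000
0000000000000000
00:00:0a:00:00:00:00:00
00:00:00:00:00:00:00:00
02:00:2f:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:0b:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:0c:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:07:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:1b:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:2a:00:00:00:00:00
00:00:00:00:00:00:00:00
02:00:30:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:28:00:00:00:00:00
00:00:00:00:00:00:00:00

"""

if __name__ == "__main__":
    print(repr(decode_keystrokes(SAMPLE_CAPDATA)))
```

In practice, pipe the tshark command from the write-up into this decoder; if the field comes back empty on a recent Wireshark build, the HID dissector may have claimed the payload, in which case `-e usbhid.data` returns the same bytes.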

Read on to part 2.