DEF CON 29 Red Team Village Capture the Flag (CTF) - Part 1
With a long weekend ahead, I decided to gather a few friends and formed a team to participate in the DEFCON 29 RTV CTF. We came in with one goal in mind, to have fun. What I've covered in this 2-part post are only challenges that I attempted.
These are the challenges recorded in this part 1 of 2 post:
- Ancient Crypto Corner - The name's Caesar
- Cracking - Easy Crack 1 to 5
- Network Forensics - Protected OSPF
- FLAGUSB - Look at what Wireshark can do!
Challenge Start
The event challenge was released at 10AM (UTC) and these were the challenges.
More challenges were added along the way, and my friends and I went ahead to do what was available. Because all we wanted to do was have fun, so we just did what we found interesting.
The name's Caesar (Caesar Cipher)
I first started with the Caesar Cipher
(I like a salad before my entrée) challenge named The name's Caesar
, under the Ancient Crypto Corner
category.
Caesar Cipher
is a form of shift cipher
where a key would be pre-determined between senders/receivers so that either would know what each letter in the coded message actually represents. Read more here.
I used a public decoder and got the flag caesar_cipher_shift_of_three
. The +3
indicated the key shift was at 3
.
Easy Crack 1-5 (Hash cracking)
The next challenge I picked were challenges easy crack 1 to 5
.
Easy Crack 1 and 5
were MD5 hashes which could was easily cracked when I looked up crackstation
.
Easy Crack 2,3 and 4
were luckily also found in wordlist after identifying the right type of hash.
I used hashcat
to identify the hash by recognising the pattern against hashcat example hashes
.
hashcat --example-hashes | grep "\$6\$*" -B 4
Knowing the mode to select, I ran hashcat
on the hashes (I saved all the hashes in a file called easycracks
) against rockyou.txt
to crack the hashes.
hashcat -m 1800 -a 0 easycracks /usr/share/wordlists/rockyou.txt
and after approximately 40-45 minutes, the hashes were cracked.
Christopher:$6$33VlMNJ9o4Xyi343$.1edgNlimWliqoXi2ETLEM4qQk7U.sYo2gCeqs9HlZMlvJGnibSP.BCw4cdpGUqE41Bxjp.fWI2iDKClGBxoR1 (2316AY)
Sean:$6$MPCZQ37FAGshRIep$W1lDSSonF8P080J/VmsS2QVsbkCGPVxcjomFiGTHsWrgS8wBOBWgYonUciXbpY/LmIxnKNX/j4lsuRFegZhFE0 (moe512)
Jessica:$6$qUX8cPJFtK0MIJqG$pFW1bnU4qaS8O9lv1gfsG3/CCa7F2SS12m5ivkrGVO7/Sqtd2/c.RR52d5WQ2461ZbTnOMh7zzGJoXZRO5/rP/ (shikari90)
For these challenges, the cracked hashes were the flag.
Cracking OSPF passphrase (Protected OSPF)
The next one was in the network forensics
category named Protected OSPF
.
The file for this challenge was a .pcap
file, which contained a MD5 sum of the passphrase
used to secure the OSPF
routing protocol.
During this CTF, I learnt that ettercap is able to extract certain network protocol (e.g. OSPF, RIPv2) password hashes and convert the format for JohnTheRipper (JtR)
.
ettercap -Tqr ospf.pcap
T: Text-only
q: quiet
r: read file
With the extracted hashes, I ran JtR
with the hashes against rockyou.txt
and cracked the hash.
Recovering USB Raw Data from packet capture (.pcap) file.
The task was to extract raw USB data
from wireshark.
The downloaded file was a .pcap
file that captured usb transfer data. What I was interested in were packets that contained data.
(usb.data_flag == "present (0)")
Also, the Info
field indicating USB_INTERRUPT in
intrigued me as it was likely a keystroke
or some form of I/O
.
I enabled the Leftover Capture Data
field as a column, because the value contains the raw USB data
. However, I had to find a way to extract the values efficiently. And I found that tshark
could do this.
tshark -r file.pcap -T fields -e usb.capdata
I looked up online and came across a similar scenario where the individual was trying to extract raw USB data
.
Also it confirmed my suspicions that the USB_INTERRUPT in
was indeed for keystrokes
.
I successfully extracted the message using the script in the blogpost (credits to the author), which converts the Usage IDs
into ASCII keystrokes
.