DNS codified (50pts)

Una captura un tanto sospechosa ... translates to a suspicious capture:

Download pcap

Analyzing the file with wireshark i found this line:

63	96.986931	104.131.38.172	91.200.40.69	HTTP	163	GET /secure-atom128c-online HTTP/1.1 

something or somebody used the site http://crypo.bz.ms/secure-atom128c-online to encrypt something.

for example the subdomain name of

A5r1AJ6fDGhiAguUAGufHJX1HGkGfJ6eAqCC.exfil.identificar.me

decrypting it using the same page we get:

FLAGISHAVENODNSWHATMDOING = A5r1AJ6fDGhiAguUAGufHJX1HGkGfJ6eAqCC

This is Scada (100pts)

Operators of a water treatment plant have detected malfunctions in several PLCs and HMIs. Because of previous security incidents a monitoring equipment has been attached to a switch, which has been configured to receive all traffic inside the treatment plant in the aim to analyze it.

A pcap file is facilitated to the investigators, so is a map with PLCs variables and a screenshot from the HMI to visualize the industrial control process.

Download pcap: euskalhack_industrial_forensics_challenge.rar

  • Find the IP of the HMI
  • Find the IP of the PLC
  • Which protocol do they use to communicate with eachother?

HMI 172.16.136.134 and PLC 172.16.136.133in Network Miner:

Example Modbus/TCP Traffic in Wireshark:

Don’t stop me now (300pts)

Find the secrets of user alpacino. Download Virtualbox VM.

First look at the VM presents us with a logged in user (alpacino) executing two tasks:

Trying default password reveal nothing, neither does a scan with nmap, but there are snapshots in the VM folder. Which gives me the idea to extract the VM’s memory:

VBoxManage.exe debugvm "WinXP" dumpvmcore --filename=memory.raw

We now have a memory dump and can proceed to inspect it usingn the volatility framework. First of all we need to determine the profile:

$ volatility imageinfo -f memory.raw`

The suggested VM profile is WinXPSP2x86 which we can use to get a list of all running processes:

$ volatility --profile=WinXPSP2x86 -f memory.raw pslist

So alpacino is running TrueCrypt and the KeePass Password Manager. It comes to my mind, that using the password manager there may be some password in the clipboard. And indeed there is something…

…but trying las rosas son Rojas y el mar es Violeta 123.. as a password doesn’t get me any further. So TrueCrypt is next and fortunally volatility comes with a module called truecryptsummary:

$ volatility --profile=WinXPSP2x86 -f memory.raw truecryptsummary

Now you can go either way:

I’ll go the the fastest way which is bypassing the admin login:

Further reading:

Memory Extraction of Truecrypt keys is a known flaw and has been discussed in detail:

TrueCrypt Master Key Extraction And Volume Identification

Tags:
  • ctf
  • euskalhack