No more kid's play
Description
150pts
You are called into a school board meeting; some police cyber unit officers are present. Everybody is dead serious.
It appears it was NOT a kid hacking the school systems, but an actual hacker who used the school's infrastructure to plan and carry out attacks against other targets.
School IT gave you the packet capture from the computer that the attacker was using to hack the SQL server.
IT analysed the file and identified that some traffic was tunneled out of the school network. They could not identify what it was.
Can you help the authorities track the mysterious attacker?
Question
Can you identify the tunneling protocol and decode the data?
http://shared.target05/school-noc-dump.pcapng
Solution
I opened the pcap file in Wireshark and poked around. I checked which protocols were in use but didn't find anything interesting there. Then I started following TCP streams and found an interesting message in TCP stream 5. That message even contained instructions for extracting the flag. I followed those instructions and found the flag.
Stream ID 5
GET /decapsulate-decode-instructions HTTP/1.1
Host: 10.100.10.2
User-Agent: curl/7.58.0
Accept: */*
HTTP/1.0 200 OK
Server: SimpleHTTP/0.6 Python/2.7.18
Date: Sat, 24 Oct 2020 13:54:57 GMT
Content-type: application/octet-stream
Content-Length: 469
Last-Modified: Fri, 23 Oct 2020 13:37:04 GMT
At agreed time, start the packet capture on 198.51.100.222
Capture it in some file eg. capture.pcapng
then filter out the traffic, remove unnecessary characters from the dump,
create ascii from hex and base64 decode it.
We shouldn't be detected by using this method. ICMP is often allowed on firewalls and
intrusion detection systems should not alert.
tshark -r capture.pcapng -Y "icmp.type == 8" -T fields -e data | sed -n 's/^.*0000000//p' | xxd -r -p | base64 -d
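The captured instructions describe the whole decoding chain in one shell pipeline: select ICMP echo requests, hex-dump their data field, strip everything up to the padding, convert hex back to bytes and base64-decode. The Python below is an added example (not part of this writeup, the capture or the challenge tooling) that reimplements that pipeline step by step so each stage can be inspected, and adds two things the pipeline does not do: it verifies the ICMP checksum and reorders packets by identifier and sequence number, which matters when the capture is out of order or contains retransmissions. The packets, identifiers and payload layout are constructed for the example; in particular it assumes the sender pads each payload with NUL bytes before the base64 text, which is what the captured sed expression (`s/^.*0000000//`) relies on.

```python
"""Decode a covert channel carried in ICMP echo-request payloads.

Reimplements the captured tshark | sed | xxd -r -p | base64 -d pipeline
step by step, plus two things the shell pipeline does not do: verify the
ICMP checksum and reorder packets by identifier and sequence number.

Assumptions (constructed for this example, not taken from the CTF capture):
- packets are raw ICMP messages with the IP header already stripped
- the sender pads each payload with NUL bytes before the base64 text, which
  is why the captured sed expression strips everything up to the last run of
  seven '0' characters in the hex dump
"""
import base64
import re
import struct

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
PAD_MARKER = "0000000"              # the marker the captured sed expression keys on
ICMP_HDR = struct.Struct("!BBHHH")  # type, code, checksum, identifier, sequence
B64_TEXT = re.compile(r"[A-Za-z0-9+/=]+")


def icmp_checksum(msg: bytes) -> int:
    """RFC 1071 one's-complement checksum. For a message whose checksum field
    is already correct the result is 0, which parse_icmp() relies on."""
    if len(msg) % 2:
        msg += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(msg) // 2), msg))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build a raw ICMP echo message with a valid checksum (used for sample data)."""
    draft = ICMP_HDR.pack(icmp_type, 0, 0, ident, seq) + payload
    return ICMP_HDR.pack(icmp_type, 0, icmp_checksum(draft), ident, seq) + payload


def parse_icmp(packet: bytes):
    """Return (type, ident, seq, data) for a well-formed ICMP message, else None."""
    if len(packet) < ICMP_HDR.size or icmp_checksum(packet) != 0:
        return None
    icmp_type, _code, _csum, ident, seq = ICMP_HDR.unpack(packet[:ICMP_HDR.size])
    return icmp_type, ident, seq, packet[ICMP_HDR.size:]


def extract_chunk(data: bytes) -> str:
    """One packet's share of the pipeline: hex-dump the payload (tshark -e data),
    drop everything through the last PAD_MARKER (sed 's/^.*0000000//'), turn the
    remaining hex back into bytes (xxd -r -p) and keep it only if it looks like
    base64 text. Returns "" for payloads that are not part of the channel."""
    hexdump = data.hex()
    idx = hexdump.rfind(PAD_MARKER)
    if idx == -1:
        return ""
    try:
        text = bytes.fromhex(hexdump[idx + len(PAD_MARKER):]).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return ""  # odd-length remainder or non-text bytes: an ordinary ping
    return text if B64_TEXT.fullmatch(text) else ""


def decode_tunnel(packets) -> dict:
    """Group echo-request chunks by ICMP identifier, order each stream by
    sequence number (dropping retransmitted duplicates) and base64-decode it
    (base64 -d). Replies and packets with bad checksums are ignored."""
    streams = {}  # identifier -> {sequence: base64 chunk}
    for pkt in packets:
        parsed = parse_icmp(pkt)
        if parsed is None or parsed[0] != ICMP_ECHO_REQUEST:
            continue
        _type, ident, seq, data = parsed
        chunk = extract_chunk(data)
        if chunk:
            streams.setdefault(ident, {}).setdefault(seq, chunk)
    return {ident: base64.b64decode("".join(parts[s] for s in sorted(parts)))
            for ident, parts in streams.items()}


# --- constructed sample capture (not the challenge data) -------------------
SECRET = b"constructed sample text, not the challenge flag"
_B64 = base64.b64encode(SECRET).decode("ascii")
_PAD = b"\x5f\x8a\x1b\x2c\x00\x01\x02\x03" + b"\x00" * 8  # fake timestamp + NUL pad
_TUNNEL_ID, _PING_ID = 0x1234, 0x4321

SAMPLE_PACKETS = [
    build_echo(ICMP_ECHO_REQUEST, _TUNNEL_ID, seq, _PAD + _B64[i:i + 12].encode())
    for seq, i in enumerate(range(0, len(_B64), 12), start=1)
]
SAMPLE_PACKETS.reverse()                                   # out-of-order capture
SAMPLE_PACKETS.append(SAMPLE_PACKETS[0])                   # retransmitted duplicate
SAMPLE_PACKETS.append(build_echo(ICMP_ECHO_REPLY, _TUNNEL_ID, 1, _PAD + b"ignored"))
SAMPLE_PACKETS.append(build_echo(ICMP_ECHO_REQUEST, _PING_ID, 1,
                                 _PAD[:8] + bytes(range(0x10, 0x38))))  # ordinary ping
_corrupt = bytearray(SAMPLE_PACKETS[1])
_corrupt[-1] ^= 0xFF                                       # bit-flipped in transit
SAMPLE_PACKETS.append(bytes(_corrupt))

if __name__ == "__main__":
    for ident, plaintext in decode_tunnel(SAMPLE_PACKETS).items():
        print("identifier 0x%04x: %r" % (ident, plaintext))
```

Keying the reassembly on the ICMP identifier and sequence number is the design point: the shell pipeline simply concatenates payloads in capture order, so a retransmitted or reordered echo request would corrupt the base64 stream, while the grouped version decodes each identifier separately and an ordinary ping from another process contributes nothing. The same grouping is a usable detection signal: a single identifier whose echo requests carry base64-looking text after the padding instead of the fixed ping pattern is the behaviour the captured instructions count on going unnoticed.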
Tools
- Wireshark
Flag
c95412dc-1fce-4a69-c420