heikki.juva.lu

Display case for my projects and writeups. I mostly work on InfoSec, hardware hacking and electronics.


Project maintained by Zokol

CERT-SE Challenge 2020 Writeup

Unzip and identify

root@kali:# unzip CERT-SE_challenge2020.zip
Archive:  CERT-SE_challenge2020.zip
  inflating: CERT-SE challenge2020.pcapng
  
root@kali:# ls
'CERT-SE challenge2020.pcapng'   CERT-SE_challenge2020.zip

root@kali:# file 'CERT-SE challenge2020.pcapng'
CERT-SE challenge2020.pcapng: pcapng capture file - version 1.0

Okay, this is a pcap!

Before diving into Wireshark, let’s dump strings from it.

root@kali:# strings 'CERT-SE challenge2020.pcapng'


From the strings dump, I collected the following interesting segments:

POST /gts1o1core HTTP/1.1
Host: ocsp.pki.goog
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/ocsp-request
Content-Length: 83
Connection: keep-alive
0Q0O0M0K0I0
YHTTP/1.1 200 OK
Content-Type: application/ocsp-response
Date: Thu, 20 Aug 2020 10:38:04 GMT
Cache-Control: public, max-age=86400
Server: ocsp_responder
Content-Length: 471
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
20200819134230Z0s0q0I0
20200819134228Z
20200826134228Z0
----
:Sp3ccyF4n!user@192.168.122.177 JOIN :#RetroForum
PING LAG1597869899977
U:retro.1337forum.fanboy PONG retro.1337forum.fanboy :LAG1597869899977
----
GET /success.txt HTTP/1.1
Host: detectportal.firefox.com
----
VUSER sidden
n331 Please specify the password.
QPASS k3b4bt411rik
----
7WHO #RetroForum %chtsunfra,152
:retro.1337forum.fanboy 354 SID-v1si0uS 152 #RetroForum user 192.168.122.177 retro.1337forum.fanboy Sp3ccyF4n H 0 :realname
:retro.1337forum.fanboy 354 SID-v1si0uS 152 #RetroForum user 192.168.122.156 retro.1337forum.fanboy SID-v1si0uS H@ 0 :realname
:retro.1337forum.fanboy 315 SID-v1si0uS #RetroForum :End of /WHO list.
hPING LAG1597869929978
:retro.1337forum.fanboy PONG retro.1337forum.fanboy :LAG1597869929978
XTYPE I
200 Switching to Binary mode.
PORT 192,168,122,156,146,217
g= @
200 PORT command successful. Consider using PASV.
STOR demo.tar.xz
----
:Sp3ccyF4n!user@192.168.122.177 PRIVMSG #RetroForum :Yo!
dssB
cZPRIVMSG #RetroForum :Yo!/Sup?
----
x)PING LAG1597869959978
:retro.1337forum.fanboy PONG retro.1337forum.fanboy :LAG1597869959978
----
:Sp3ccyF4n!user@192.168.122.177 PRIVMSG #RetroForum :Sup?
----
PRIVMSG #RetroForum :I was thinking about what you said earlier. I still can't accept that you perfer the Z80?
4K9@
PP_A
hZZJ
:Sp3ccyF4n!user@192.168.122.177 PRIVMSG #RetroForum :What now??? The Spectrum is waaaaay faster than the C64!!!
4K:@
PP_A
'ho4
,WHO #RetroForum %chtsunfra,152
PING LAG1597869989977
:retro.1337forum.fanboy 354 SID-v1si0uS 152 #RetroForum user 192.168.122.177 retro.1337forum.fanboy Sp3ccyF4n H 0 :realname
:retro.1337forum.fanboy 354 SID-v1si0uS 152 #RetroForum user 192.168.122.156 retro.1337forum.fanboy SID-v1si0uS H@ 0 :realname
:retro.1337forum.fanboy 315 SID-v1si0uS #RetroForum :End of /WHO list.
:retro.1337forum.fanboy PONG retro.1337forum.fanboy :LAG1597869989977
----
PING LAG1597870019977
:retro.1337forum.fanboy PONG retro.1337forum.fanboy :LAG1597870019977
----
PRIVMSG #RetroForum :Sure the CPU, yes. But hardware sprites, a soundship that doesn't sound like a cat beeing strangled, and the possibility for for paralax scrolling?
:Sp3ccyF4n!user@192.168.122.177 PRIVMSG #RetroForum :You're just talking about superficial "flair". It's like putting makeup on a pig, it's still slow...
_ipps
_tcp
local
_ipp
_ipps
_tcp
local
_ipp
!PRIVMSG #RetroForum :Dude you're soooooo wrong!!! Just have a look at the demo I uploaded to the FTP earlier, I'll PM you the password with our usual "encryption".
!Z/H
WHO #RetroForum %chtsunfra,152
!z/H
$PING LAG1597870049977
D:retro.1337forum.fanboy 354 SID-v1si0uS 152 #RetroForum user 192.168.122.177 retro.1337forum.fanboy Sp3ccyF4n H 0 :realname
:retro.1337forum.fanboy 354 SID-v1si0uS 152 #RetroForum user 192.168.122.156 retro.1337forum.fanboy SID-v1si0uS H@ 0 :realname
:retro.1337forum.fanboy 315 SID-v1si0uS #RetroForum :End of /WHO list.
E:retro.1337forum.fanboy PONG retro.1337forum.fanboy :LAG1597870049977
----
%PRIVMSG Sp3ccyF4n :The code is: "OC1iaXQtQzBtcHV0M2VyLXcwbmQzciE/".
p{yv4
G<PING LAG1597870079977
iu:retro.1337forum.fanboy PONG retro.1337forum.fanboy :LAG1597870079977
iv:Sp3ccyF4n!user@192.168.122.177 PRIVMSG #RetroForum :Thanks... But I don't think it's relevant. You wont convince me! CPU-power is EVERYTHING. My Z80 is kicking your lazy 6502!!!
\s&04
PRIVMSG #RetroForum :Whatever... All I have to say is SID6581, nuff said!
----
C:Sp3ccyF4n!user@192.168.122.177 PRIVMSG #RetroForum :Like you said... Whatever...
"8/H
"8/H
KICK #RetroForum Sp3ccyF4n
:SID-v1si0uS!user@192.168.122.156 KICK #RetroForum Sp3ccyF4n :SID-v1si0uS
"T/H
"T/H
WHO #RetroForum %chtsunfra,152
"t/H
PING LAG1597870109978
:retro.1337forum.fanboy 354 SID-v1si0uS 152 #RetroForum user 192.168.122.156 retro.1337forum.fanboy SID-v1si0uS H@ 0 :realname
:retro.1337forum.fanboy 315 SID-v1si0uS #RetroForum :End of /WHO list.
:retro.1337forum.fanboy PONG retro.1337forum.fanboy :LAG1597870109978

Collected intel

Credentials:

sidden: k3b4bt411rik

Discussion:

Sp3ccyF4n   Yo!
SID-v1si0uS Yo!/Sup?
Sp3ccyF4n   Sup?
SID-v1si0uS I was thinking about what you said earlier. I still can't accept that you perfer the Z80?
Sp3ccyF4n   What now??? The Spectrum is waaaaay faster than the C64!!!
SID-v1si0uS Sure the CPU, yes. But hardware sprites, a soundship that doesn't sound like a cat beeing strangled, and the possibility for for paralax scrolling?
Sp3ccyF4n   You're just talking about superficial "flair". It's like putting makeup on a pig, it's still slow...
SID-v1si0uS Dude you're soooooo wrong!!! Just have a look at the demo I uploaded to the FTP earlier, I'll PM you the password with our usual "encryption".
SID-v1si0uS Sp3ccyF4n: The code is: "OC1iaXQtQzBtcHV0M2VyLXcwbmQzciE/".
Sp3ccyF4n   Thanks... But I don't think it's relevant. You wont convince me! CPU-power is EVERYTHING. My Z80 is kicking your lazy 6502!!!
SID-v1si0uS Whatever... All I have to say is SID6581, nuff said!
Sp3ccyF4n   Like you said... Whatever...
Sp3ccyF4n   KICKED OUT by SID-v1si0uS
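The credential and chat extraction above was done by eye. The following Python script is an added example (mine, not part of the original writeup) that automates it over a few lines constructed from the strings dump: it pairs the cleartext FTP USER/PASS commands, lists STOR uploads and rebuilds the IRC conversation. The regexes skip the junk byte that strings prints in front of each verb. Attributing prefix-less PRIVMSG lines to SID-v1si0uS is an assumption taken from the WHO output, which lists that nick at 192.168.122.156, the captured client.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample: lines copied from the strings dump above. `strings`
# prints raw TCP payloads, so a length byte or other junk often precedes the
# protocol verb ("VUSER", "QPASS", "cZPRIVMSG"); the parsers tolerate that.
SAMPLE_LINES = [
    "VUSER sidden",
    "n331 Please specify the password.",
    "QPASS k3b4bt411rik",
    "U230 Login successful.",
    "STOR demo.tar.xz",
    ":Sp3ccyF4n!user@192.168.122.177 PRIVMSG #RetroForum :Yo!",
    "cZPRIVMSG #RetroForum :Yo!/Sup?",
    '%PRIVMSG Sp3ccyF4n :The code is: "OC1iaXQtQzBtcHV0M2VyLXcwbmQzciE/".',
    ":SID-v1si0uS!user@192.168.122.156 KICK #RetroForum Sp3ccyF4n :SID-v1si0uS",
]

# re.search (not re.match) so junk before the verb is skipped. FTP verbs are
# matched case-sensitively so "User-Agent" and "PASV" do not trigger them.
FTP_USER = re.compile(r"USER\s+(\S+)")
FTP_PASS = re.compile(r"PASS\s+(\S+)")
FTP_STOR = re.compile(r"STOR\s+(\S+)")
# IRC: optional ":nick!user@host " prefix (present only on messages the
# server relays to the client), then PRIVMSG <target> :<text>.
IRC_PRIVMSG = re.compile(r"(?::([^!\s]+)!\S+\s+)?PRIVMSG\s+(\S+)\s+:(.*)")
IRC_KICK = re.compile(r":([^!\s]+)!\S+\s+KICK\s+(\S+)\s+(\S+)")


def extract_ftp_logins(lines: List[str]) -> List[Tuple[str, str]]:
    """Pair each cleartext USER with the PASS that follows it."""
    logins: List[Tuple[str, str]] = []
    pending_user: Optional[str] = None
    for line in lines:
        m = FTP_USER.search(line)
        if m:
            pending_user = m.group(1)
            continue
        m = FTP_PASS.search(line)
        if m and pending_user is not None:
            logins.append((pending_user, m.group(1)))
            pending_user = None
    return logins


def extract_ftp_uploads(lines: List[str]) -> List[str]:
    """File names sent with STOR, i.e. uploads from the captured host."""
    uploads = []
    for line in lines:
        m = FTP_STOR.search(line)
        if m:
            uploads.append(m.group(1))
    return uploads


def reconstruct_chat(lines: List[str], local_nick: str) -> List[Tuple[str, str, str]]:
    """Return (sender, target, text) for every PRIVMSG, plus KICK events.

    Messages without a server prefix were typed by the captured client, so
    they are attributed to local_nick (an assumption: inferred from WHO).
    """
    chat: List[Tuple[str, str, str]] = []
    for line in lines:
        m = IRC_PRIVMSG.search(line)
        if m:
            sender = m.group(1) or local_nick
            chat.append((sender, m.group(2), m.group(3)))
            continue
        m = IRC_KICK.search(line)
        if m:
            chat.append((m.group(1), m.group(2), f"KICKED {m.group(3)}"))
    return chat


if __name__ == "__main__":
    for user, password in extract_ftp_logins(SAMPLE_LINES):
        print(f"cleartext FTP login: {user} / {password}")
    print("uploads:", extract_ftp_uploads(SAMPLE_LINES))
    for sender, target, text in reconstruct_chat(SAMPLE_LINES, "SID-v1si0uS"):
        print(f"{sender:12} -> {target:12} {text}")
```

Running it prints the same table as the Collected intel section. The USER/PASS pairing is exactly what a network IDS signature for cleartext FTP logins keys on; how little effort it takes to lift the credentials from a capture is the argument for SFTP or FTPS over plain FTP.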

Finding Demo

Sid said that the demo had been uploaded to an FTP server, and FTP packets were also visible in the packet stream.

To find this FTP traffic, and the demo within it, let’s open the pcap in Wireshark and locate the FTP-DATA packets.

FTP-DATA follow

Now we can see all of the data sent in this stream. By default it is displayed as ASCII, which won’t do much good with a binary file.

Switch the stream view to “Raw” mode.

raw mode

Now that we have the raw bytes, let’s verify that this is actually a valid tar.xz-file.

An easy method for file type validation is to check the magic bytes. These are the first bytes of a file and are used to identify the file type.

More about file signatures / magic bytes: https://en.wikipedia.org/wiki/List_of_file_signatures

For an .xz file the magic bytes are FD 37 7A 58 5A 00. We just need to check that the first six bytes of our .tar.xz file match these bytes.

magic bytes

Okay! It seems that we have a valid file, at least as far as the first bytes go.

Save the raw data in a file and check that you still have a valid file:

root@kali:# file demo.tar.xz
demo.tar.xz: XZ compressed data
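To put the magic-byte check into code, here is an added Python example (my own, not from the writeup) that classifies data by its signature and then peels nested containers layer by layer, reporting each one. build_nested_sample() constructs an in-memory stand-in for demo.tar.xz with the same xz → tar → zip nesting; its contents are made up, and the signature table only covers the handful of formats this challenge touches.

```python
import gzip
import io
import lzma
import tarfile
import zipfile
from typing import List, Optional

# Well-known signatures: (name, offset, magic). The .xz entry is the one the
# writeup checks by hand; tar is the odd one out with its magic at offset 257.
SIGNATURES = [
    ("xz", 0, bytes.fromhex("FD377A585A00")),
    ("gzip", 0, bytes.fromhex("1F8B")),
    ("zip", 0, b"PK\x03\x04"),
    ("pcapng", 0, bytes.fromhex("0A0D0D0A")),
    ("tar", 257, b"ustar"),
]
HEADER_BYTES = max(off + len(magic) for _, off, magic in SIGNATURES)


def identify(data: bytes) -> Optional[str]:
    """Name of the first signature that matches, or None for unknown data."""
    for name, offset, magic in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return name
    return None


def identify_file(path: str) -> Optional[str]:
    """Read only the header bytes needed and classify the file on disk."""
    with open(path, "rb") as fh:
        return identify(fh.read(HEADER_BYTES))


def peel(data: bytes, max_depth: int = 8) -> List[str]:
    """Unwrap nested containers and list each layer's type in order.

    Stops at a zip (it may be password protected, as in the challenge), at a
    pcapng, or at data with no known signature.
    """
    layers: List[str] = []
    for _ in range(max_depth):
        kind = identify(data)
        if kind is None:
            return layers
        layers.append(kind)
        if kind == "xz":
            data = lzma.decompress(data)
        elif kind == "gzip":
            data = gzip.decompress(data)
        elif kind == "tar":
            # Descend into the first regular file inside the archive.
            with tarfile.open(fileobj=io.BytesIO(data)) as tf:
                first = next(m for m in tf.getmembers() if m.isfile())
                data = tf.extractfile(first).read()
        else:
            return layers
    return layers


def build_nested_sample() -> bytes:
    """Constructed stand-in for demo.tar.xz: xz( tar( zip( tape stub ) ) )."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("cert-se ctf2020.tap", b"constructed tape stub, not the real file")
    tbuf = io.BytesIO()
    with tarfile.open(fileobj=tbuf, mode="w") as tf:
        info = tarfile.TarInfo("demo.zip")
        info.size = len(zbuf.getvalue())
        tf.addfile(info, io.BytesIO(zbuf.getvalue()))
    return lzma.compress(tbuf.getvalue())  # lzma defaults to the .xz format


if __name__ == "__main__":
    sample = build_nested_sample()
    print("outer container:", identify(sample))
    print("layers:", peel(sample))
```

Note that a .tar.xz identifies as xz, not tar: the tar magic only appears after decompression, which is why `file` above reports "XZ compressed data" and says nothing about the tar inside. Reading just HEADER_BYTES instead of the whole file keeps the check cheap for large captures.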

Unpacking Demo

root@kali:# tar -xvf demo.tar.xz
demo.zip
root@kali:# file demo.zip
demo.zip: Zip archive data, at least v2.0 to extract

So, we have a zip inside the tar.xz?

root@kali:# unzip demo.zip
Archive:  demo.zip
[demo.zip] cert-se ctf2020.tap password:

Ah, and now we need the password…

Let’s check whether Sid reused his FTP login password, k3b4bt411rik:

password incorrect--reenter:

So it’s not that one.

We have another password from the chat: OC1iaXQtQzBtcHV0M2VyLXcwbmQzciE/

The slash at the end looks familiar; could this be Base64?

root@kali:# echo 'OC1iaXQtQzBtcHV0M2VyLXcwbmQzciE/' | base64 --decode
8-bit-C0mput3er-w0nd3r!?

Score! Let’s try that unzip again.

root@kali:# unzip -P '8-bit-C0mput3er-w0nd3r!?' demo.zip
Archive:  demo.zip
  inflating: cert-se ctf2020.tap
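The Base64 hunch above rested on a trailing slash. The following added Python example (mine, not part of the writeup) makes the test explicit: a token is treated as Base64 only if its alphabet, length and padding fit and, just as importantly, the decoded bytes are printable text. The FTP password k3b4bt411rik happens to pass the structural test, so the content check is what separates a real hit from a false positive. SAMPLE_PM is the private message from the chat log; the helper names are my own.

```python
import base64
import binascii
import re
import string
from typing import List, Optional, Tuple

# Base64 alphabet, at least 8 characters, padding only at the end.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")
PRINTABLE = set(string.printable) - set("\x0b\x0c")


def looks_like_base64(token: str) -> bool:
    """Structural test only: alphabet, trailing padding, length % 4 == 0."""
    return len(token) % 4 == 0 and B64_TOKEN.fullmatch(token) is not None


def decode_if_text(token: str) -> Optional[str]:
    """Return the decoded string when it is printable ASCII, else None.

    Plenty of ordinary strings pass the structural test (a 12-character
    password does), so the decoded bytes are checked too: binary garbage
    means the token was not Base64-encoded text.
    """
    if not looks_like_base64(token):
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text and all(ch in PRINTABLE for ch in text) else None


def harvest(text: str) -> List[Tuple[str, str]]:
    """Find every token in a chat line that decodes to readable text."""
    found = []
    for token in B64_TOKEN.findall(text):
        decoded = decode_if_text(token)
        if decoded is not None:
            found.append((token, decoded))
    return found


# Constructed sample: the private message from the chat log above.
SAMPLE_PM = 'The code is: "OC1iaXQtQzBtcHV0M2VyLXcwbmQzciE/".'

if __name__ == "__main__":
    for token, decoded in harvest(SAMPLE_PM):
        print(f"{token} -> {decoded}")
    print("FTP password decodes as text?", decode_if_text("k3b4bt411rik"))
```

The same harvest() can be run over every PRIVMSG text pulled from a capture, which is a quick way to spot "encrypted" secrets that are really just encoded: Base64 hides nothing from anyone who can read the traffic.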

Reading Tape

Alright, so we have a .tap-file.

.tap?

What’s that??

root@kali:# file 'cert-se ctf2020.tap'
cert-se ctf2020.tap: C64 Raw Tape File (.tap), Version:1, Length:201962 cycles

Oh! C64 … like one of those c-tape data cassette thingies? Cool!

So, how to run C64 tape files?

Emulator?

That might work... Let’s try VICE.

sudo apt install vice

Okay, this should be easy, I just run it and …

x64_run

Failed??

WHY?

Well... you know how some things are under copyright?

Yeah, the C64 system ROMs are licensed software and can’t be legally distributed in the public repositories.

As it happens, these files can be found using common search engines, for example with the term “vice roms”.

The files you find should be placed under /usr/lib/vice, in the corresponding directory.

For this challenge we need C64 emulation:

root@kali:# ls -la /usr/lib/vice/C64
total 200
drwxr-xr-x  2 root root 4096 Oct  8 22:26 .
drwxr-xr-x 13 root root 4096 Oct  8 21:57 ..
-r--------  1 root root 8192 Oct  8 22:21 basic
-rw-r--r--  1 root root  409 Aug  9 22:54 c64hq.vpl
-rw-r--r--  1 root root 8817 Aug  9 22:54 c64mem.sym
-rw-r--r--  1 root root  409 Aug  9 22:54 c64s.vpl
-rw-r--r--  1 root root  409 Aug  9 22:54 ccs64.vpl
-rw-r--r--  1 root root 4096 Oct  8 22:26 chargen
-rw-r--r--  1 root root  462 Aug  9 22:54 cjam.vpl
-rw-r--r--  1 root root  485 Aug  9 22:54 colodore.vpl
-rw-r--r--  1 root root  350 Aug  9 22:54 community-colors.vpl
-rw-r--r--  1 root root  408 Aug  9 22:54 deekay.vpl
-rw-r--r--  1 root root  204 Aug  9 22:54 default.vrs
-rw-r--r--  1 root root  409 Aug  9 22:54 frodo.vpl
-rw-r--r--  1 root root  409 Aug  9 22:54 godot.vpl
-rw-r--r--  1 root root 6651 Aug  9 22:54 gtk3_keyrah_de.vkm
-rw-r--r--  1 root root 6647 Aug  9 22:54 gtk3_keyrah.vkm
-rw-r--r--  1 root root 8888 Aug  9 22:54 gtk3_pos_de.vkm
-rw-r--r--  1 root root 6465 Aug  9 22:54 gtk3_pos.vkm
-rw-r--r--  1 root root 6215 Aug  9 22:54 gtk3_sym_da.vkm
-rw-r--r--  1 root root 9175 Aug  9 22:54 gtk3_sym_de.vkm
-rw-r--r--  1 root root 7686 Aug  9 22:54 gtk3_sym_it.vkm
-rw-r--r--  1 root root 6585 Aug  9 22:54 gtk3_sym_nl.vkm
-rw-r--r--  1 root root 7148 Aug  9 22:54 gtk3_sym_se.vkm
-rw-r--r--  1 root root 6498 Aug  9 22:54 gtk3_sym.vkm
-rw-------  1 root root 8192 Oct  8 22:21 kernal
-rw-r--r--  1 root root  403 Aug  9 22:54 pc64.vpl
-rw-r--r--  1 root root  584 Aug  9 22:54 pepto-ntsc-sony.vpl
-rw-r--r--  1 root root  590 Aug  9 22:54 pepto-ntsc.vpl
-rw-r--r--  1 root root  526 Aug  9 22:54 pepto-palold.vpl
-rw-r--r--  1 root root  500 Aug  9 22:54 pepto-pal.vpl
-rw-r--r--  1 root root  408 Aug  9 22:54 ptoing.vpl
-rw-r--r--  1 root root  488 Aug  9 22:54 rgb.vpl
-rw-r--r--  1 root root  409 Aug  9 22:54 vice.vpl

And now, run the tape file again:

root@kali:# x64 'cert-se ctf2020.tap'

last_step

email

clue

Welcome to the last step in the cert-se 2020 ctf/challenge 
You will find the last clue above in yellow, What does it mean? 
Please email the flag/solution/sentence together with a description
on how it was solved to cert@cert.se (subject ctf2020)

Last Clue

HTTP 418

According to Mozilla documentation:

The HTTP 418 I'm a teapot client error response code indicates that the 
server refuses to brew coffee because it is, permanently, a teapot.
 
A combined coffee/tea pot that is temporarily out of coffee should 
instead return 503. 

This error is a reference to Hyper Text Coffee Pot Control Protocol 
defined in April Fools' jokes in 1998 and 2014.

So, I would expect the flag to be “I'm a teapot”.

Final Word

This was a nice and easy puzzle. Quite suitable to be solved in one evening, and well designed to ensure that one can focus on the challenge and not get stuck with boring issues like incompatible tools or hunting for that misplaced semicolon.

I had never played with a C64, so it was nice to get a glimpse of the tech, even if just in emulated form. I didn’t have experience in extracting an FTP transfer from a .pcap, so that’s also a nice thing to learn.

Thank you CERT-SE for a good challenge and nice job with the demo!

I hope you will continue on this track for next year :)

Sources