Exfiltration

Category: Forensic

Points: 257

Description: Our SOC detected that a confidential document was exfiltrated! The method used does not look advanced and, fortunately, a network capture could be taken at the right moment... Recover this document.

Files: Exfiltration.pcap

TL;DR

A document was exfiltrated in chunks through HTTP POST requests. Reassembling the chunks and XORing the recovered file with the right key gives a Word document containing the flag.

Methodology

When we open the file in Wireshark we see that there are 27242 packets to look at!

Crying

So... let's go!

Skimming through the packets, we notice that most of the traffic is TCP.

what_if_I_follow_the_TCP_stream_?

By following all the TCP streams we find several interesting exchanges of the same type:

TCP_exfiltration

What interests us is this message:

<h1>Welcome to my panel!</h1>
<p>If you see this page, the malware is successfully installed and
working. No further configuration is required.</p>

And the fact that the requests use the POST method, with the payload passed as form fields: data=35287067716378686d6389c7f82d736365637363656373636563786365632c11000f004c481116&uuid=80cx6rf7w55phwl87z3q

With each request the data parameter changes but the uuid does not. The uuid must be a unique session identifier that lets the remote server reconstitute the exfiltrated file from the successive data fields.

A small Python script to collect all these packets and reassemble the data fields:

>_ cat extract.py
#!/usr/bin/env python3

from scapy.all import IP, Raw, rdpcap
import binascii

packets = rdpcap('exfiltration.pcap')

data = ''
for packet in packets:
    # Only the client -> C2 direction carries the POST bodies; skip non-IP frames (ARP, ...)
    if IP not in packet:
        continue
    if packet[IP].dst == '198.18.0.10' and packet[IP].src == '192.168.1.26':
        if Raw in packet:
            p = packet[Raw].load.decode("UTF-8", errors="ignore")
            p = p.split("&uuid")[0]       # drop the session identifier
            p = p.split('data=')[1:]      # keep only the hex payload after "data="
            if p:
                data += p[0]

print(data)

# The data field is hex-encoded: decode it back to raw bytes
with open("out.txt", 'wb') as f:
    f.write(binascii.unhexlify(data))
>_ ./extract.py
>_ file out.txt
out.txt: data

Unfortunately the extracted file is unreadable.

Fortunately, when writing the script I initially forgot to filter on packets that actually carry raw data (the Raw layer). While testing it, it crashed as soon as a packet without a Raw layer came up. I noticed that the packet in question was an ICMP packet with interesting data: config : exfiltered_file_size=4193bytes

To learn more, we filter on ICMP packets in Wireshark:

wireshark_icmp_inspection

And we get four interesting facts:

config : exfiltered_file_size=4193bytes

config : file_type=DOCX

config : data_len_for_each_packet=random

config : encryption=XOR

The announced file size is 4193 bytes, which matches the size of our reassembled output, so all the data has been recovered from the packets.

>_ ls -l out.txt
-rw-r--r-- 1 lambdhack users 4193 May 22 20:06 out.txt

Now we know that the exfiltrated file is a Word document and that the encryption used is a XOR. To recover the key, we XOR the first bytes of the file with the magic number of Word documents (a known-plaintext attack). A quick look at the file signature table gives the magic number of a docx.

docx_magic_number

After XORing the first four bytes of the file with the docx magic number, we find the key, which is ecsc of course!
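The reassembly step described earlier and this key recovery, as an added example that is not part of the original write-up: it builds two POST bodies from the hex chunk quoted above (the split into two bodies is constructed), groups them by uuid, checks the reassembled size against the size announced in the ICMP config lines, derives the key from the docx magic number and decrypts. The function names and the decoy uuid "other-session-constructed" are mine.

```python
#!/usr/bin/env python3
"""Reassemble the exfiltrated chunks, recover the XOR key from the docx magic
number, and decrypt. Inputs below are constructed for this example from the
values quoted in the write-up; they are not read from the pcap."""
from urllib.parse import parse_qs

# Hex payload of the request shown above, split into two POST bodies here
# (constructed) so that ordered reassembly and per-session grouping are visible.
SAMPLE_HEX = ("35287067716378686d6389c7f82d736365637363656373636563786365632c11"
              "000f004c481116")
SESSION_UUID = "80cx6rf7w55phwl87z3q"

POST_BODIES = [
    f"data={SAMPLE_HEX[:40]}&uuid={SESSION_UUID}",
    "data=deadbeef&uuid=other-session-constructed",  # unrelated session, ignored
    f"data={SAMPLE_HEX[40:]}&uuid={SESSION_UUID}",
]

# The four "config" lines carried by the ICMP packets in the capture.
ICMP_CONFIG_LINES = [
    "config : exfiltered_file_size=4193bytes",
    "config : file_type=DOCX",
    "config : data_len_for_each_packet=random",
    "config : encryption=XOR",
]

DOCX_MAGIC = b"PK\x03\x04"  # zip local-file-header signature; first bytes of any .docx


def parse_config(lines):
    """Turn 'config : key=value' lines into a dict."""
    cfg = {}
    for line in lines:
        _, _, kv = line.partition(":")
        key, _, value = kv.strip().partition("=")
        cfg[key] = value
    return cfg


def reassemble(bodies, session_uuid):
    """Concatenate the hex 'data' field of every POST body that carries
    session_uuid, in capture order, and return the raw ciphertext."""
    out = bytearray()
    for body in bodies:
        fields = parse_qs(body)
        if fields.get("uuid", [None])[0] != session_uuid:
            continue
        out += bytes.fromhex(fields["data"][0])
    return bytes(out)


def is_complete(ciphertext, cfg):
    """Check the reassembled size against the size the malware announced over ICMP."""
    announced = int(cfg["exfiltered_file_size"].removesuffix("bytes"))
    return len(ciphertext) == announced


def recover_key(ciphertext, known_prefix=DOCX_MAGIC):
    """Known-plaintext attack on repeating-key XOR: ciphertext XOR plaintext
    is the key stream, so the bytes under the magic number are the key.
    Assumes, as the write-up does, that the key is no longer than the prefix."""
    return bytes(c ^ p for c, p in zip(ciphertext, known_prefix))


def xor_decrypt(data, key):
    """Apply the repeating key across the whole buffer (no key padding needed)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def main():
    cfg = parse_config(ICMP_CONFIG_LINES)
    blob = reassemble(POST_BODIES, SESSION_UUID)
    print(f"reassembled {len(blob)} bytes, announced {cfg['exfiltered_file_size']}"
          f" -> complete: {is_complete(blob, cfg)}")
    key = recover_key(blob)
    plain = xor_decrypt(blob, key)
    print("key:", key, "| header:", plain[:4], "| first zip entry name:", plain[30:36])


if __name__ == "__main__":
    main()
```

On the sample the size check reports 39 of 4193 bytes, which is exactly the signal you want when a chunk has been missed; on the full capture it should come out equal. The decrypted header also exposes the name of the first zip entry (`_rels/`), a second sanity check on the key beyond the four magic bytes.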

Now we XOR the whole file with this key to recover the original docx.

>_ cat xor.py
#!/usr/bin/env python3

def xor(file1_b, key):
    """XOR every byte of file1_b with the repeating key and write the result to data.docx."""
    key_size = len(key)
    xord_byte_array = bytearray(len(file1_b))

    # XOR between the file and the key, cycling through the key bytes
    for i, b in enumerate(file1_b):
        xord_byte_array[i] = b ^ key[i % key_size]

    with open('data.docx', 'wb') as out:
        out.write(xord_byte_array)

if __name__ == '__main__':
    key = 'ecsc'.encode()

    with open('out.txt', 'rb') as f:
        data = f.read()
    xor(data, key)
>_ file data.docx
data.docx: Microsoft Word 2007+

The file has been correctly decrypted.

docx_flag

FLAG_IS:

ECSC{v3ry_n015y_3xf1l7r4710n}