EXFILTRATION 1

Énoncé

Lors de l'intrusion, un hacker de l'ESNA a décidé d'exfiltrer de la data du serveur. Cette fois-ci, il a été plus ingénieux et a décidé de brouiller les pistes. A vous de jouer !

Créateur du challenge : Cabir

Analyse du trafic

En ouvrant la capture avec Wireshark, on remarque qu'il y a un fort trafic http :

En suivant le flux tcp 2, on observe la requête http suivante :

GET / HTTP/1.1
Host: 0.0.0.0:2000
User-Agent: python-requests/2.22.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Length: 1

EHTTP/1.0 200 OK
Server: SimpleHTTP/0.6 Python/3.6.9
Date: Thu, 23 Apr 2020 22:59:27 GMT
Content-type: text/html; charset=utf-8
Content-Length: 559

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Directory listing for /</title>
</head>
<body>
<h1>Directory listing for /</h1>
<hr>
<ul>
<li><a href="Bigtits-russia">Bigtits-russia</a></li>
<li><a href="comment_perdre_son_gland_de_lait">comment_perdre_son_gland_de_lait</a></li>
<li><a href="free_pornhub_account">free_pornhub_account</a></li>
<li><a href="How_to_hack_CIA">How_to_hack_CIA</a></li>
</ul>
<hr>
</body>
</html>

En analysant plus profondément la requête GET, on remarque un transfert de data :

Plus largement, les requêtes HTTP GET sont envoyés vers 4 ports principaux, 2000,3000,4000 et 5000 sans vraiment de distinctions possibles.

Récupération des données

Je décide donc de commencer par récupérer les données qui circulent sur les échanges à destination du port 2000.

onosh@kali:/mnt/v# tshark -r exfiltration1.pcapng -Y 'http.request.method == "GET" && tcp.port eq 2000' -T fields -e http.file_data |tr -d '\n'
ESNHACK{ixzc9GadiiTDzlZvPimzd9CBQDK9GToTDTnNJGErAIJ7lg6QgkLsSrkTmVgoGlU3xzXU2JYM8HewgagbVKMbdk2gRf0qI08p0JN3fvmb2LSarum7vD78plL81GJ9IZrDMUoeB9dKsB6xAblomhDbAzr0mR4QypRkSNKldaW3lebS4dHoCt2QAneGLWg5VycgZi7BRq3PpLW4mDWX4O0SgtjYsaOEUE7oosLbheYTdLjZ6sNaT2hwJ6JqHGruQmIlPB91QvF5spDD8ubRewCfUQqeaFAJWD0grj259ZvrRhw79HhTr1uzRjl5BWI3asbIF1rV1C3jVk1Q3xUBGSKDR3QXFzc5Gx5CjXFfd6qQD64HpiukmNwBDhIi6O96y8XZZvyV65NZhILLfkk1o5HojrCkmcOTO84VVORJaxKGITOWPokOxICzjgCTwxcsVTLkPL4tgV43wwLoUODHOD0dgRUysj9wzvkbTaYhFpZMDmFMN2q8cgvoS8R1MHNH4xMnUHgD0IqSauSaCKnsc8w5fsa5RdCUAmsSDeEQQdacQKpOixC03B8Oh9f0AElq0yikBOfu5wD4X705rLDgVPhAYfjOPOb53JmQGhTTenmFrSUrc68NhrvqCDZFHdLkXiFrJL54e0fj9bsdYfNz3qrZEXysWkIAAjrLBVqb90qvE7cuwAoEy7XSbEUszLKI8EhGGVhJ7hXO9ZyuHw6c5FgRalGTANObBKoDAlYlDH18LdbfnJ51T8IghoqSWuu38vElvzMA9DE0PHFueMY3YdbdKKcbrKI1kSUWTP37ezNpJfCKZ5KySf9hpkJ0MQApyoEXMYCx0w0vigN345BlNp3f5d7cSytDlZAX5MNHDmnK3locztIQj7mILBe37QVVHyKnxoWsHiun8dtCc2rVN3igLKccajzM811yeUGCrVzfYauhs0OHeh93uIm5E07WLn3WbctWqx5comdi4JqkeTRCmhyjLrsYAQh7fyQeGj2ZGbmcupqHv2BtuFvHon2DYNwjkNNLOPdw4PdfyOO06LCZaixMsruRNjavvmsqpiz9VFbvQ1CqPU9WspwZWHm4xkWiblnqdWadkQem2Rhx9G5nqKdytwXvb9ujh8KzGxAi6GDTgeEsAX4FeX0sQrYrqL5Eh4DVYmoU4NFqudS7MeKEwvV4keQnDxEm15MeLGJlkAxLDQvJq88WDdIKMSS7Z4dY15xBQ5QpjV2avKfY4kbZ0SXXox3JaS31ymSfpwWdVOxL6K4QJJiCHPUjmoaxiO5QtvSjqnyHOOWUeorOS8zqJEmcipK2zZRTFxUj6XTbOghrgWt9JEG9lQp6esK0TUl1pvZsHyyPqea70Ajvfy3z8M30gWpr8Pb8ZQPd5HRUsRM4js0sXuAhu81j1Y79WfTn7bDRatTut2H1Y9kIPCUWU7TxX1XI2V6C5d1ALTjzqsA1o5hQATCPot4zvJU4dPPnwJMbjE5eMMK4jXdjk6WqJL3tNIdSuDR4uS6RyaOVIwV4g77SEnY44Pkbe7W36QGG6BvQhcpsI3Uy85cslrwNdTDtKSO5zn1jVKU7DJFoyEaVFRgOGH9QZpO7hdEteMviPOjzRrxIbtGACOrcGXl1QZUnzzinjaKgAUASQKoUflPedoVzEp00uferQx8iPGdckRU2d4gVF5FLAO6amN0Ls82uDpOLOxTNhCHawoYd3I2qQkoEnYvvyX1qOr2UKbSdGlpckD3FfEg9oiYPo2H4ym2HwLsm1LE8lNL28UyNEKBMuEfRIJmQLAWawu5u1Jw6qvbUqKLSgXAHbsOrMQCMnzGoIcmi1qgMUUbQaFZ0LV582zZFWdBMkAntjnHk68ud5zDgSSOoFyFubsT0AhWCHNT0pfoZPGBJK1pO514VwgQNuIbIiA9odSNWsJBrSjD1NvtwUisMNAVhyJq09fWeATz9P3yfPqW18EFl7Mr1Si4y5uxliD7th9biu8I97GaoN6EuJyMt414HkQ9l}

Et bingo, je récupère le flag !

PrécédentESN'HACK SuivantEXFILTRATION 2

Dernière mise à jour il y a 3 ans

GET / HTTP/1.1 Host: 0.0.0.0:2000 User-Agent: python-requests/2.22.0 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive Content-Length: 1 EHTTP/1.0 200 OK Server: SimpleHTTP/0.6 Python/3.6.9 Date: Thu, 23 Apr 2020 22:59:27 GMT Content-type: text/html; charset=utf-8 Content-Length: 559 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title>Directory listing for /</title> </head> <body> <h1>Directory listing for /</h1> <hr> <ul> <li><a href="Bigtits-russia">Bigtits-russia</a></li> <li><a href="comment_perdre_son_gland_de_lait">comment_perdre_son_gland_de_lait</a></li> <li><a href="free_pornhub_account">free_pornhub_account</a></li> <li><a href="How_to_hack_CIA">How_to_hack_CIA</a></li> </ul> <hr> </body> </html>

onosh@kali:/mnt/v# tshark -r exfiltration1.pcapng -Y 'http.request.method == "GET" && tcp.port eq 2000' -T fields -e http.file_data |tr -d '\n' ESNHACK{ixzc9GadiiTDzlZvPimzd9CBQDK9GToTDTnNJGErAIJ7lg6QgkLsSrkTmVgoGlU3xzXU2JYM8HewgagbVKMbdk2gRf0qI08p0JN3fvmb2LSarum7vD78plL81GJ9IZrDMUoeB9dKsB6xAblomhDbAzr0mR4QypRkSNKldaW3lebS4dHoCt2QAneGLWg5VycgZi7BRq3PpLW4mDWX4O0SgtjYsaOEUE7oosLbheYTdLjZ6sNaT2hwJ6JqHGruQmIlPB91QvF5spDD8ubRewCfUQqeaFAJWD0grj259ZvrRhw79HhTr1uzRjl5BWI3asbIF1rV1C3jVk1Q3xUBGSKDR3QXFzc5Gx5CjXFfd6qQD64HpiukmNwBDhIi6O96y8XZZvyV65NZhILLfkk1o5HojrCkmcOTO84VVORJaxKGITOWPokOxICzjgCTwxcsVTLkPL4tgV43wwLoUODHOD0dgRUysj9wzvkbTaYhFpZMDmFMN2q8cgvoS8R1MHNH4xMnUHgD0IqSauSaCKnsc8w5fsa5RdCUAmsSDeEQQdacQKpOixC03B8Oh9f0AElq0yikBOfu5wD4X705rLDgVPhAYfjOPOb53JmQGhTTenmFrSUrc68NhrvqCDZFHdLkXiFrJL54e0fj9bsdYfNz3qrZEXysWkIAAjrLBVqb90qvE7cuwAoEy7XSbEUszLKI8EhGGVhJ7hXO9ZyuHw6c5FgRalGTANObBKoDAlYlDH18LdbfnJ51T8IghoqSWuu38vElvzMA9DE0PHFueMY3YdbdKKcbrKI1kSUWTP37ezNpJfCKZ5KySf9hpkJ0MQApyoEXMYCx0w0vigN345BlNp3f5d7cSytDlZAX5MNHDmnK3locztIQj7mILBe37QVVHyKnxoWsHiun8dtCc2rVN3igLKccajzM811yeUGCrVzfYauhs0OHeh93uIm5E07WLn3WbctWqx5comdi4JqkeTRCmhyjLrsYAQh7fyQeGj2ZGbmcupqHv2BtuFvHon2DYNwjkNNLOPdw4PdfyOO06LCZaixMsruRNjavvmsqpiz9VFbvQ1CqPU9WspwZWHm4xkWiblnqdWadkQem2Rhx9G5nqKdytwXvb9ujh8KzGxAi6GDTgeEsAX4FeX0sQrYrqL5Eh4DVYmoU4NFqudS7MeKEwvV4keQnDxEm15MeLGJlkAxLDQvJq88WDdIKMSS7Z4dY15xBQ5QpjV2avKfY4kbZ0SXXox3JaS31ymSfpwWdVOxL6K4QJJiCHPUjmoaxiO5QtvSjqnyHOOWUeorOS8zqJEmcipK2zZRTFxUj6XTbOghrgWt9JEG9lQp6esK0TUl1pvZsHyyPqea70Ajvfy3z8M30gWpr8Pb8ZQPd5HRUsRM4js0sXuAhu81j1Y79WfTn7bDRatTut2H1Y9kIPCUWU7TxX1XI2V6C5d1ALTjzqsA1o5hQATCPot4zvJU4dPPnwJMbjE5eMMK4jXdjk6WqJL3tNIdSuDR4uS6RyaOVIwV4g77SEnY44Pkbe7W36QGG6BvQhcpsI3Uy85cslrwNdTDtKSO5zn1jVKU7DJFoyEaVFRgOGH9QZpO7hdEteMviPOjzRrxIbtGACOrcGXl1QZUnzzinjaKgAUASQKoUflPedoVzEp00uferQx8iPGdckRU2d4gVF5FLAO6amN0Ls82uDpOLOxTNhCHawoYd3I2qQkoEnYvvyX1qOr2UKbSdGlpckD3FfEg9oiYPo2H4ym2HwLsm1LE8lNL28UyNEKBMuEfRIJmQLAWawu5u1Jw6qvbUqKLSgXAHbsOrMQCMnzGoIcmi1qgMUUbQaFZ0LV582zZFWdBMkAntjnHk68ud5zDgSSOoFyFubsT0AhWCHNT0pfoZPGBJK1pO514VwgQNuIbIiA9odSNWsJBrSjD1NvtwUisMNAVhyJq09fWeATz9P3yfPqW18EFl7Mr1Si4y5uxliD7th9biu8I97GaoN6EuJyMt414HkQ9l}