The NET300 challenge was actually a fun challenge which we solved pretty fast.
One day, attacker A hacked into B company's internal system and then stole backup data.
This backup data was made by attacker A himself.
Attacker A used his specifically configured network to detour B company's security system.
Now you (an employee of B company) detected it late.
You have to analyze the traffic by using WireShark and have to find which data was leaked from which internal system.
The data stolen by attacker A will be an important hint to find the answer.
Answer: strupr(md5(Hint in the leaked data | Hacked internal system address)) ('|' is just a character)
The url contained a pcap file with network traffic. Out of this file we need to filter a hint and the internal system address.
Opening the file in Wireshark we see a lot of UDP Lite traffic. Examining the data of a packet we see:
fe:80:00:00:00:00:00:00:00:00:00:00:c0:a8:88:02:fe:80:00:00:00:00:00:00:00:00:00:00:c0:a8:88:88:ca:78:23:31:89:66:24:71:50:ff:92:75:50:10:40:b0:61:50:00:00
Starting with fe:80 it looks like some sort of IPv6 data. We can easily decode that with Wireshark (Click stream -> Decode As -> Network -> IPv6). Now we have network traffic which looks like a stream of data. Following this TCP stream, we see that this data starts with ‘7z’, which means it is probably a 7-zip archive. We save the stream as net-300.7z and extract it with 7-zip. The archive contains one file named ‘test2.swf’. Running that in a browser shows a movie which displays the text ‘The answer is ipv6.dst !!’. So we found the hint part.
Now we only need the hacked internal system address. The hint tells us that we probably need the IPv6 destination address. The exact address format is debatable; we just picked what Wireshark showed us:
$ echo -n "ipv6.dst|fe80::c0a8:8888" | md5sum | tr 'a-f' 'A-F'
6642E5A831032D2CF852C66024D9C1F1  -
Final answer: 6642E5A831032D2CF852C66024D9C1F1
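The same work done without clicking through Wireshark, as an added example that is not part of the original writeup: the payload bytes quoted above are decoded, the two 16-byte IPv6 addresses at the start of the payload are pulled out in the compressed form Wireshark displays, and the challenge's strupr(md5(hint | address)) formula is applied. It goes slightly beyond the writeup by also reading the TCP header that follows the addresses (ports and flags), which is how one confirms the "stream of data" really is TCP. The payload constant is constructed from the hex shown in the writeup; all function names are this example's own.

```python
import hashlib
import ipaddress

# Constructed from the UDP-Lite payload quoted in the writeup, in Wireshark's
# colon-separated hex notation: 16 bytes IPv6 source, 16 bytes IPv6 destination,
# then a 20-byte TCP header.
PAYLOAD_HEX = (
    "fe:80:00:00:00:00:00:00:00:00:00:00:c0:a8:88:02:"
    "fe:80:00:00:00:00:00:00:00:00:00:00:c0:a8:88:88:"
    "ca:78:23:31:89:66:24:71:50:ff:92:75:50:10:40:b0:61:50:00:00"
)


def parse_hex_dump(dump: str) -> bytes:
    """Turn 'aa:bb:cc' style hex into raw bytes (empty tokens are ignored)."""
    return bytes(int(tok, 16) for tok in dump.split(":") if tok)


def extract_ipv6_pair(payload: bytes) -> tuple[str, str]:
    """Read two consecutive 16-byte IPv6 addresses (source, destination)
    from the start of the payload; str() gives the compressed form
    (fe80::c0a8:8888) that Wireshark shows in the ipv6.dst column."""
    if len(payload) < 32:
        raise ValueError("payload too short to hold two IPv6 addresses")
    src = ipaddress.IPv6Address(payload[0:16])
    dst = ipaddress.IPv6Address(payload[16:32])
    return str(src), str(dst)


def extract_tcp_summary(payload: bytes) -> tuple[int, int, bool]:
    """Decode source port, destination port and the ACK flag from the TCP
    header that follows the two addresses (offset 32)."""
    if len(payload) < 32 + 20:
        raise ValueError("payload too short to hold a TCP header")
    tcp = payload[32:52]
    sport = int.from_bytes(tcp[0:2], "big")
    dport = int.from_bytes(tcp[2:4], "big")
    flags = tcp[13]
    ack_set = bool(flags & 0x10)
    return sport, dport, ack_set


def challenge_answer(hint: str, address: str) -> str:
    """strupr(md5(hint | address)) exactly as the challenge text defines it."""
    digest = hashlib.md5(f"{hint}|{address}".encode("ascii")).hexdigest()
    return digest.upper()


def solve(dump: str = PAYLOAD_HEX, hint: str = "ipv6.dst") -> str:
    """Full pipeline: hex dump -> destination address -> final answer."""
    payload = parse_hex_dump(dump)
    _src, dst = extract_ipv6_pair(payload)
    return challenge_answer(hint, dst)


if __name__ == "__main__":
    payload = parse_hex_dump(PAYLOAD_HEX)
    src, dst = extract_ipv6_pair(payload)
    sport, dport, ack = extract_tcp_summary(payload)
    print(f"ipv6.src={src} ipv6.dst={dst} tcp {sport}->{dport} ack={ack}")
    print("answer:", solve())
```

Running it prints the destination fe80::c0a8:8888 that the writeup fed to md5sum, and the answer string is the uppercase 32-character hex digest the challenge asks for. The hint string "ipv6.dst" itself still comes from the Flash file in the extracted archive; nothing in the packet bytes tells you that part.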