OMG, Eindbazen got hacked. Can you figure out what this evil hacker did?
This was an easy challenge, and it was pretty straightforward what to do. It was meant to be solved by a lot of teams, and it was: 145 teams managed to solve it. There are a lot of write-ups for this challenge, so I will explain in short what the intended solution was.
Someone has leaked very important documents. We couldn’t find any proof except one PCAP file. But this file was damaged.
※ The password of the disclosure document is very weak and based on time, so it can be found easily.
The cryptographic algorithm is below.
Msg = “ThisIsNotARealEncryption!SeemToEncoding”
Key = 0x20120224 (if the date format is 2012/02/24 00:01:01)
Crypto = C(M) = Msg * Key = 0xa92fd3a82cb4eb2ad323d795322c34f2d809f78
This challenge consists of a PCAP file with the following assignment:
You spied to find the “Secret of Joseon, which is the previous dynasty of Korea”.
You got all the main pages’ information to manage the unrevealed secret of Joseon through network sniffing.
Open the file that contains the secret of Joseon.
The NET300 challenge was actually a fun challenge which we solved pretty fast.
One day, attacker A hacked into B company’s internal system and then stole backup data.
This backup data was made by attacker A himself.
Attacker A used his specifically configured network to detour B company’s security system.
Now you (an employee of B company) detected it late.
You have to analyze the traffic using Wireshark and find which data was leaked from which internal system.
The data stolen by attacker A will be an important hint to find the answer.
Answer : strupr(md5(Hint in the leaked data | Hacked internal system address)) (‘|’ is just a character)
To whom it may concern regarding the DoS attack.
What is the difference between attack and normal traffic?
The attached PCAP file is from a suspicious client PC which may be infected.
If you find the TOP 4 targeted addresses, let me know the exact information, such as below.
TOP1 184.108.40.206 __k___
TOP2 220.127.116.11 ____________i___
TOP3 18.104.22.168 _n___
TOP4 22.214.171.124 ____d____
This is part of C&C traffic without any certification.
It has been advanced using an auth process.
Find the C&C server address and make a bot command to meet the condition below.
We get a PCAP file with a bunch of UDP traffic. There’s also an HTTP GET for a picture showing some disassembly. We OCR’d the image, corrected some OCR mistakes and turned it into a binary. The binary basically iterates over the string “126.96.36.199:4444” and obfuscates it in a certain way.
We have a file and the assignment to “get the password”. Ok, let’s see what kind of file it is:
$ file 7139a4ea239dcac655f7c38ca6a77b61.bin
7139a4ea239dcac655f7c38ca6a77b61.bin: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 65535)
Looks like a packet forensics challenge!