Phreaky Writeup - Cyber Apocalypse 2024

Last update: March 17, 2024

1 Introduction
2 Key Techniques
3 Artifacts Summary
4 Packet analysis
- 4.1 HTTP traffic identified as benign
- 4.2 SMTP traffic identified as suspicious
5 Extracting the suspicious SMTP streams
6 Extracting the zip files from each TCP stream
7 Reassembling the PDF file
8 Obtaining the flag from the PDF
9 Conclusion

→ 1 Introduction

This writeup covers the Phreaky Forensics challenge from the Hack The Box Cyber Apocalypse 2024 CTF, which was rated as having a ‘medium’ difficulty. The challenge involved the forensic analysis of a PDF emailed in multiple, password protected parts.

The description of the challenge is shown below.

→ 2 Key Techniques

The key techniques employed in this writeup are:

Extracting SMTP emails from a packet capture
Writing a shell script to automate decoding of the emailed attachments
Reassembling the attachments into a single file

→ 3 Artifacts Summary

The downloaded artifact had the following hash:

$ shasum  -a256 forensics_phreaky.zip
973180a558e14a6ff779765bb34b0e8fb59019d80836a9f548b583237bc3c3a2  forensics_phreaky.zip

The zip file contained a single packet capture file:

$ unzip forensics_phreaky.zip
Archive:  forensics_phreaky.zip
  inflating: phreaky.pcap

$ shasum  -a256 phreaky.pcap
f29f0ad6482a1920c72314044b40fb916d2e5db6f1428cc835c12c36457c7c50  phreaky.pcap

→ 4 Packet analysis

phreaky.pcap was opened in Wireshark. The Statistics->Protocol Hierarchy menu indicated there were two main protocols in use:

HTTP
SMTP

The packet capture was summarized via the Wireshark protocol hierarchy tool, identifying HTTP and SMTP traffic

→ 4.1 HTTP traffic identified as benign

The HTTP traffic was identified as benign Ubuntu update requests and therefore irrelevant to the challenge:

HTTP traffic is legitimate Ubuntu update requests

→ 4.2 SMTP traffic identified as suspicious

The SMTP traffic involving 192.168.68.108 was identified as suspicious, with multiple emails being sent with a zip attachment and what appears to be a password for the attachment. The Wireshark “Follow TCP Stream” feature was used to easily view the communication for a given TCP stream.

Followed TCP stream 1 containing SMTP traffic with a suspicious attachment and password

→ 5 Extracting the suspicious SMTP streams

Each suspicious, plaintext SMTP TCP stream was followed in Wireshark as above¹ and saved to a file named with the stream number, resulting in the following files:

smtp-tcp-stream-01.txt
smtp-tcp-stream-03.txt
smtp-tcp-stream-05.txt
smtp-tcp-stream-07.txt
smtp-tcp-stream-09.txt
smtp-tcp-stream-11.txt
smtp-tcp-stream-13.txt
smtp-tcp-stream-15.txt
smtp-tcp-stream-17.txt
smtp-tcp-stream-19.txt
smtp-tcp-stream-21.txt
smtp-tcp-stream-23.txt
smtp-tcp-stream-25.txt
smtp-tcp-stream-27.txt
smtp-tcp-stream-30.txt

→ 6 Extracting the zip files from each TCP stream

An extract-all.sh bash script was written to unzip the files contained by the TCP streams.

#!/bin/bash

for stream in smtp-tcp-stream*.txt ; do
    password=$(sed -Ene '/^Content-ID/,/^--=/p' "$stream"|grep -Po 'Password: (.*)'|sed -Ee 's/Password: //')
    zip_filename=$(grep -Po 'filename.*\.zip' "$stream"|sed -Ee 's/.*"//')
    base64_file_data=$(sed -Ene '/^Content-ID/,/^--=/p' "$stream"|grep -Pv -e 'Content|--|Attached'|grep -P '\w+')

    echo "processing $stream"
    echo "password:$password"
    echo "zip_filename:$zip_filename"
    echo -n "$base64_file_data" | base64 -d > "$zip_filename"
    unzip -P "$password" "$zip_filename"
done

The noteworthy features of the script are:

Line 3 is a for loop that loops through every stream file
Line 4 extracts the password from the stream using sed and grep in multiple steps:
- Printing all lines between the regex ^Content-ID/ and ^--=
```
sed -Ene '/^Content-ID/,/^--=/p' "$stream"
```
- Grepping for the regex Password: (.*)' and only outputting the matched text (-o)
```
grep -Po 'Password: (.*)'
```
- Stripping ‘Password:’ from the result using sed
```
sed -Ee 's/Password: //
```
Line 5 extracts the zip file name from the stream using sed and grep in multiple steps
- Grepping the stream for the regex filename.*\.zip and only outputting the matched text (-o)
```
grep -Po 'filename.*\.zip' "$stream"
```
- Stripping everything up until the last double quote character using sed
```
sed -Ee 's/.*"//'
```
Line 6 extracts the base64 encoded zip file from the stream using sed and grep in multiple steps:
- Same as Line 4, printing all lines between the regex ^Content-ID/ and ^--=
```
sed -Ene '/^Content-ID/,/^--=/p' "$stream"
```
- Stripping out any lines matching the regex Content|--|Attached using an inverse grep match
```
grep -Pv -e 'Content|--|Attached'
```
- Grepping for one or more word characters
```
grep -P '\w+'
```
Line 11 base64 decodes the zip file
Line 12 unzips the zip file using the password obtained from line 4

The script was run, resulting in phreaks_plan.pdf.part* files being extracted.

$ ./extract-all.sh
processing smtp-tcp-stream-01.txt
password:S3W8yzixNoL8
zip_filename:efcfd.zip
Archive:  efcfd.zip
  inflating: phreaks_plan.pdf.part1
processing smtp-tcp-stream-03.txt
password:r5Q6YQEcGWEF
zip_filename:17dbf.zip
Archive:  17dbf.zip
 extracting: phreaks_plan.pdf.part2

<snip/>

In total, the resulting files were:

$ ls -1 phreaks_plan.pdf*
phreaks_plan.pdf
phreaks_plan.pdf.part1
phreaks_plan.pdf.part10
phreaks_plan.pdf.part11
phreaks_plan.pdf.part12
phreaks_plan.pdf.part13
phreaks_plan.pdf.part14
phreaks_plan.pdf.part15
phreaks_plan.pdf.part2
phreaks_plan.pdf.part3
phreaks_plan.pdf.part4
phreaks_plan.pdf.part5
phreaks_plan.pdf.part6
phreaks_plan.pdf.part7
phreaks_plan.pdf.part8
phreaks_plan.pdf.part9

→ 7 Reassembling the PDF file

The PDF file was reassembled using cat:

$ cat $(ls -1 phreaks_plan.pdf.part?) $(ls -1 phreaks_plan.pdf.part1?) > phreaks_plan.pdf

A minor trick was used to ensure the files were assembled in the correct order. The following command substitution used a single ? wildcard at the end of the file name to match only parts 1 to 9:

$(ls -1 phreaks_plan.pdf.part?)

The following command substitution used a 1? at the end of the file name to match only parts 10 to 15.

$(ls -1 phreaks_plan.pdf.part1?)

→ 8 Obtaining the flag from the PDF

phreaks_plan.pdf was opened and the plaintext flag found within:

phreaks_plan.pdf contained the flag in plaintext — `phreaks_plan.pdf` contained the flag in plaintext

→ 9 Conclusion

The flag was submitted and the challenge was marked as pwned

Submission of the flag marked the challenge as pwned

Footnotes

tshark has some ability to automate the extraction of TCP streams but it produces inferior results to Wireshark. For example, the below command uses tshark to follow TCP stream 1 for all communications with IP address 192.168.68.108. However, note the broken base64 body of the email, with ‘75’ breaking the base64 encoding part way through. It would still be possible to process this output with a script but it is more complicated than the Wireshark output. Still, if there were many more streams to extract, automating the process via tshark would likely be the preferred option.

$ tshark -r phreaky.pcap -Y 'smtp and ip.addr == 192.168.68.108' -z follow,tcp,ascii,1 |tail -30
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
 filename*0="caf33472c6e0b2de339c1de893f78e67088cd6b1586a581c6f8e87b5596";
 filename*1="efcfd.zip"
Content-ID: <20240306145912.Emuab%caleb@thephreaks.com>

UEsDBBQACQAIAGZ3ZlhwRyBT2gAAAN0AAAAWABwAcGhyZWFrc19wbGFuLnBkZi5wYXJ0MVVUCQAD
wIToZcCE6GV1eAsAAQToAwAABOgDAAA9mPwEVmy1t/sLJ62NzXeCBFSSSZppyIzvPXL++cJbuCeL
nP4XXiAK9/HZL9xRw4LjlDf5eDd6BgBOKZqSn6qpM6g1WKXriS7k3lx5VkNnqlqQIfYnUdOCnkD/
1vzCyhuGdHPia5lmy0HoG+qdXABlLyNDgxvB9FTOcXK7oDHBOf3kmLSQFdxXsjfooLtBtC+y4gdB
xB4V3bImQ8TB5sPY55dvEKWCJ34CzRJbgIIirkD2GDIoQEHznvJA7zNnOvce1hXGA2+P/XmHe+4K
tL/fmrWMVpQEd+/GQlBLBwhwRyBT2gAAAN0AAABQSwECHgMUAAkACABmd2ZYcEcgU9oAAADdAAAA
FgAYAAAAAAAAAAAAtIEAAAAAcGhyZWFrc19wbGFuLnBkZi5wYXJ0MVVUBQADwIToZXV4CwABBOgD
AAAE6AMAAFBLBQYAAAAA
75
AQABAFwAAAA6AQAAAAA=

--=-=DBZhoU35m_YtHyGmIsZszrXoWQVlI-1y1rd3=-=--
.

        35
250 2.0.0 Ok: queued as 9CB872113

6
QUIT

        15
221 2.0.0 Bye

↩︎