Oldest trick in the book Writeup
Cyber Apocalypse 2021
Solved by : thewhiteh4t
- We are given a pcap which consists of mostly TLS and ICMP traffic
- ICMP looks promising as we can see the header of a ZIP file (the PK signature) in the payload
- Another thing was that the traffic from both IP addresses was similar, so I focused on only one of them
- To extract data of all these packets I used tshark
$ tshark -r older_trick.pcap -T fields -e data.data -Y "ip.src == 192.168.1.7" > 192.168.1.7.txt
- After this I looked for duplicate packets in the text file
- So we have 10127 unique ICMP data packets
- To decode the hex and assemble all the data I created a small Python script
- But the resulting file was not in a proper file format, so I inspected the data
- There were duplicates in the data as well!
b7ae04 0000000000 504b0304140000000000729e8d52659b 504b0304140000000000729e8d52659b 504b030414000000
ead104 0000000000 4c6b1800000018000000100000006669 4c6b1800000018000000100000006669 4c6b180000001800
99e804 0000000000 6e692f6164646f6e732e6a736f6e7b22 6e692f6164646f6e732e6a736f6e7b22 6e692f6164646f6e
cafb04 0000000000 736368656d61223a362c226164646f6e 736368656d61223a362c226164646f6e 736368656d61223a
- This is the data from the first 4 packets as an example
- After the first 6 characters we have 10 zeroes
- After that a unique string
- The string is repeated after that
- Then a partial repetition can be seen at the end
- I tried various combinations and in the end only the unique string was needed from each packet, i.e. 504b0304140000000000729e8d52659b for the first line as an example
#!/usr/bin/env python3
import binascii

msg = []
# unique.txt holds one hex payload per line (duplicate packets already removed)
with open('unique.txt', 'r') as raw:
    raw_arr = raw.readlines()

for line in raw_arr:
    line = line.strip()
    # skip empty or malformed lines; a full payload is 96 hex characters
    # (the original compared the unstripped length with 97, which drops a
    # final line that has no trailing newline)
    if len(line) == 96:
        # keep only the unique 32-char chunk: skip the 6-char counter and the
        # 10 zeroes, and drop the repeated copies that follow it
        line = line[16:48]
        plain = binascii.unhexlify(line)
        msg.append(plain)

with open('result.zip', 'wb') as res:
    for line in msg:
        res.write(line)
- The script iterates over each line in the file and skips empty or malformed lines if it finds any
- Then it slices off the extra characters as stated above
- Then it decodes the hex into binary data and appends it to the output file
- And we get a proper zip file!
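As an added example (not the writeup's own script), the following reassembles the file from the payload layout described above and also covers the two steps the writeup did by hand: dropping retransmitted packets and confirming the result really is a ZIP. It assumes one hex payload per input line with exactly the observed framing (6-char counter, 10 zeroes, a 32-char chunk, the chunk repeated, the first 16 chars of the chunk again); the sample lines are constructed from the four chunks shown above, with the second packet duplicated to simulate a retransmission. The frame() helper and the field validation in parse_payload() are my additions.

```python
#!/usr/bin/env python3
"""Reassemble a file carried in ICMP payloads with the framing seen above.

Added example for this writeup, not the author's script. Each input line is
the hex payload of one ICMP packet: a 6-hex-char counter, ten '0' characters,
a 32-hex-char chunk of the file, the same chunk again, and the first 16 hex
chars of the chunk once more (96 chars total). Retransmitted packets show up
as identical consecutive lines and are dropped.
"""
import binascii
import struct
from typing import Iterable, List, Tuple

ZIP_LOCAL_MAGIC = b"PK\x03\x04"                     # ZIP local file header signature
ZIP_LOCAL_HEADER = struct.Struct("<4sHHHHHIIIHH")   # 30-byte fixed part of that header

# Constructed sample input: the four chunks shown in the writeup, framed as the
# packets carried them, with the second packet retransmitted once.
_CHUNKS = [
    "504b0304140000000000729e8d52659b",
    "4c6b1800000018000000100000006669",
    "6e692f6164646f6e732e6a736f6e7b22",
    "736368656d61223a362c226164646f6e",
]
_COUNTERS = ["b7ae04", "ead104", "99e804", "cafb04"]


def frame(counter: str, chunk: str) -> str:
    """Build one 96-char payload line in the observed layout (sample data only)."""
    return counter + "0" * 10 + chunk + chunk + chunk[:16]


SAMPLE_LINES = [frame(c, k) for c, k in zip(_COUNTERS, _CHUNKS)]
SAMPLE_LINES.insert(2, SAMPLE_LINES[1])   # simulate a duplicated packet


def parse_payload(line: str) -> bytes:
    """Return the 16-byte file chunk from one payload line.

    The layout is validated (zero field, full repeat, partial repeat) so a
    malformed or truncated line raises instead of silently corrupting output.
    """
    line = line.strip()
    if len(line) != 96:
        raise ValueError(f"unexpected payload length {len(line)}")
    zeros, chunk, repeat, tail = line[6:16], line[16:48], line[48:80], line[80:96]
    if zeros != "0" * 10:
        raise ValueError("zero field missing")
    if repeat != chunk or tail != chunk[:16]:
        raise ValueError("repeat fields do not match chunk")
    return binascii.unhexlify(chunk)


def reassemble(lines: Iterable[str]) -> Tuple[bytes, int]:
    """Concatenate chunks, dropping consecutive duplicate payloads.

    Returns (data, duplicates_dropped). Only consecutive identical lines are
    treated as retransmissions; a chunk that legitimately repeats elsewhere in
    the file arrives under a different counter and is kept.
    """
    out: List[bytes] = []
    dropped = 0
    prev = None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line == prev:
            dropped += 1
            continue
        prev = line
        out.append(parse_payload(line))
    return b"".join(out), dropped


def zip_first_entry_name(data: bytes) -> str:
    """Decode the first local file header and return its filename.

    A quick sanity check that the reassembled bytes really form a ZIP.
    """
    if not data.startswith(ZIP_LOCAL_MAGIC):
        raise ValueError("not a ZIP local file header")
    fields = ZIP_LOCAL_HEADER.unpack_from(data, 0)
    name_len = fields[9]                  # filename length field
    start = ZIP_LOCAL_HEADER.size
    return data[start:start + name_len].decode("utf-8", "replace")


if __name__ == "__main__":
    import sys
    # usage: reassemble.py 192.168.1.7.txt  (no argument runs on the sample)
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LINES
    blob, dups = reassemble(lines)
    print(f"{len(blob)} bytes, {dups} duplicate packets dropped, "
          f"first entry: {zip_first_entry_name(blob)}")
    if len(sys.argv) > 1:
        with open("result.zip", "wb") as fh:
            fh.write(blob)
```

Deduplicating on the whole line (counter included) rather than on the chunk alone matters: a file can legitimately contain the same 16 bytes twice, and collapsing those would corrupt the archive, whereas a retransmission repeats the counter too. On the sample, the first local header decodes to the entry name fini/addons.json, which matches the profile name used later in the writeup.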
- Here are the extracted contents of the zip
- After some enumeration of all files they point towards Mozilla Firefox
- After some googling I found that this is a Firefox profile dump
- In Linux the default path for profiles is /home/user/.mozilla/firefox
- I copied the folder into the profiles folder and then edited the profiles.ini file present inside it to add the following entry
[Profile2]
Name=fini
Path=fini
IsRelative=1
- After this I launched Firefox from the CLI using
$ firefox -P
- It provides an option to choose a specific profile and launch the browser with it
- After the browser launched with the new profile I checked the saved logins, and here we have the flag!