russian nesting doll
Our monitoring systems noticed some funny-looking DNS traffic on one of our computers. We have the network logs from around the time of the incident. Want to take a look?
- File: tamu2020-netlogs.pcap
Recon
In the netlogs.pcap file we find a lot of DNS requests and a connection to an FTP server. From the FTP traffic we can recover the following:
- A GPG public key
- A GPG private key
- The password howdy used to log in
We can import both keys for later use:
$ gpg --import pub.key
gpg: key 18ABAFED3849EB2E: public key "Ol' Rock <olrock@aggie.network>" imported
gpg: Total number processed: 1
gpg: imported: 1
$ gpg --import priv.key # Use howdy as passphrase
gpg: key 18ABAFED3849EB2E: "Ol' Rock <olrock@aggie.network>" not changed
gpg: key 18ABAFED3849EB2E: secret key imported
gpg: Total number processed: 1
gpg: unchanged: 1
gpg: secret keys read: 1
gpg: secret keys imported: 1
In the DNS requests we see a lot of base64 data. We grab it from the file, combine it and decode it into a file, piping through uniq because we saw some duplicate requests.
$ strings -a netlogs.pcap | grep tamu | tr -d '>' | cut -f 1 -d- | uniq | base64 -d > file.enc
$ file file.enc
file.enc: PGP message Public-Key Encrypted Session Key (old)
Look at that, seems we can use the downloaded GPG keys to decrypt this file.
$ gpg --decrypt file.enc | tar xvf -
gpg: encrypted with 2048-bit RSA key, ID C5372B2EB5E56F58, created 2019-11-27
"Ol' Rock <olrock@aggie.network>"
x ./
x ./..........encoded
x ./...encoded
x ./....encoded
x ./.....encoded
x ./.......encoded
x ./......encoded
x ./...........encoded
x ./........encoded
x ./............encoded
x ./.........encoded
The encoded files also contain base64-encoded data. There is probably a more intelligent way to work out how they fit together, but we just concatenated them in glob order, decoded the result and ran binwalk over it.
$ cat .*encoded | base64 -d > decoded
$ binwalk --dd=".*" decoded
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
466944 0x72000 JPEG image data, JFIF standard 1.02
525728 0x805A0 PNG image, 3760 x 492, 8-bit/color RGB, non-interlaced
525819 0x805FB Zlib compressed data, compressed
$ display _decoded.extracted/805A0
This gives us an image with the flag.
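binwalk's PNG signature only marks where an image starts; the size it reports comes from walking the file's own structure. As an added example (not from the writeup, and not binwalk's code), the carver below does that by hand: it finds the PNG signature, follows the chunk list to the IEND chunk to get the exact length, and rejects any hit whose chunk CRCs do not check out, which is what separates a real embedded image from eight bytes that merely look like one. The make_png helper only constructs sample input.

```python
import struct
import zlib

# Added example, not the writeup's code and not binwalk: carve well-formed PNGs
# out of an arbitrary blob by walking the chunk structure from the signature to IEND.
PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_length_at(blob: bytes, start: int):
    """Exact byte length of the PNG that starts at `start`, or None if it is malformed."""
    pos = start + len(PNG_SIG)
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack("!I4s", blob[pos:pos + 8])
        end = pos + 8 + length + 4                      # length + type + data + CRC
        if end > len(blob):
            return None                                 # truncated or bogus length
        (crc,) = struct.unpack("!I", blob[end - 4:end])
        if zlib.crc32(blob[pos + 4:end - 4]) != crc:    # CRC covers type + data
            return None
        pos = end
        if ctype == b"IEND":
            return pos - start
    return None


def carve_pngs(blob: bytes):
    """Yield (offset, png_bytes, (width, height)) for every well-formed PNG in blob."""
    start = blob.find(PNG_SIG)
    while start != -1:
        size = png_length_at(blob, start)
        if size is None:                                # false positive or broken image
            start = blob.find(PNG_SIG, start + 1)
            continue
        png = blob[start:start + size]
        width, height = struct.unpack("!II", png[16:24])  # first two IHDR fields
        yield start, png, (width, height)
        start = blob.find(PNG_SIG, start + size)


# --- constructed sample input ---------------------------------------------------

def make_png(width: int, height: int) -> bytes:
    """A valid 8-bit RGB PNG of the given size, filled with a single colour."""
    def chunk(ctype: bytes, data: bytes) -> bytes:
        return (struct.pack("!I", len(data)) + ctype + data
                + struct.pack("!I", zlib.crc32(ctype + data)))
    ihdr = struct.pack("!IIBBBBB", width, height, 8, 2, 0, 0, 0)   # depth 8, colour type 2
    raw = b"".join(b"\x00" + b"\x50\x00\x00" * width for _ in range(height))  # filter 0 + RGB
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b"")


if __name__ == "__main__":
    blob = b"\xff" * 11 + make_png(4, 2) + PNG_SIG + b"junk" + make_png(8, 3)
    for off, png, dims in carve_pngs(blob):
        print(f"PNG at {off:#x}: {len(png)} bytes, {dims[0]} x {dims[1]}")
```

The same pattern (signature to locate, format structure to bound, integrity fields to validate) is how a carver avoids extracting a file that runs to the end of the blob, and is worth keeping in mind when binwalk reports an unexpectedly large size for an embedded object.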
Flag
gigem{dont_you_just_love_a_good_pcap?}