Russian Nesting Doll [Misc]

Our monitoring systems noticed some funny-looking DNS traffic on one of our computers. We have the network logs from around the time of the incident. Want to take a look?


In the netlogs.pcap file we find a lot of DNS requests and a connection to an FTP server. From the FTP traffic we can recover the following:

  • A GPG public key
  • A GPG private key
  • The password howdy, used to log in (and, as it turns out, the passphrase of the private key)

We can import both keys for later use:

$ gpg --import pub.key
gpg: key 18ABAFED3849EB2E: public key "Ol' Rock <>" imported
gpg: Total number processed: 1
gpg:               imported: 1
$ gpg --import priv.key     # Use howdy as passphrase
gpg: key 18ABAFED3849EB2E: "Ol' Rock <>" not changed
gpg: key 18ABAFED3849EB2E: secret key imported
gpg: Total number processed: 1
gpg:              unchanged: 1
gpg:       secret keys read: 1
gpg:   secret keys imported: 1

In the DNS requests we see a lot of base64 data. We grab it from the file, combine it and decode it into a file. We also pipe it through uniq, because we saw some duplicate requests (note that uniq only drops adjacent duplicates, which was enough here).

$ strings -a netlogs.pcap | grep tamu | tr -d '>' | cut -f 1 -d - | uniq | base64 -d > file.enc
$ file file.enc
file.enc: PGP message Public-Key Encrypted Session Key (old)
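Grepping `strings` output works for a CTF, but it depends on the label-length bytes of the DNS names happening to be printable (0x3e, the length of a 62-character label, prints as `>`, which is most likely what `tr -d '>'` strips). As an added example that is not part of the original writeup, here is the same reassembly done by parsing DNS names in their wire format (length-prefixed labels) and dropping retransmitted queries the way `uniq` did. The domain `tamu.example`, the one-data-label-per-query layout and the sample payload are assumptions made up for the demo; the real pcap and its exact name format are not reproduced.

```python
import base64
import struct

# Hypothetical exfiltration domain; the challenge's real suffix is not reproduced.
EXFIL_DOMAIN = "tamu.example"
LABEL_MAX = 63  # RFC 1035 label length limit


def wire_name(name):
    """Encode a dotted name as DNS wire format: length-prefixed labels, 0x00 root."""
    out = b""
    for label in name.split("."):
        if not 0 < len(label) <= LABEL_MAX:
            raise ValueError("bad label length")
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def parse_wire_name(data, offset=0):
    """Parse an uncompressed wire-format name; returns (dotted_name, next_offset)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        if length >= 0xC0:
            raise ValueError("compression pointers not handled")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def split_into_queries(payload, domain=EXFIL_DOMAIN, label_len=62):
    """Spread the base64 of payload over query names, one data label each (assumed layout)."""
    b64 = base64.b64encode(payload).decode("ascii")
    return [b64[i:i + label_len] + "." + domain for i in range(0, len(b64), label_len)]


def reassemble(query_names, domain=EXFIL_DOMAIN):
    """Rebuild the payload from query names in capture order, dropping adjacent repeats."""
    chunks = []
    prev = None
    suffix = "." + domain
    for name in query_names:
        if not name.endswith(suffix):
            continue  # unrelated lookup
        chunk = name[:-len(suffix)].replace(".", "")  # data may span several labels
        if chunk == prev:
            continue  # retransmitted query; same limitation as `uniq`
        chunks.append(chunk)
        prev = chunk
    b64 = "".join(chunks)
    b64 += "=" * (-len(b64) % 4)  # restore padding if the sender stripped it
    return base64.b64decode(b64)


def demo():
    """Constructed round trip: payload -> wire-format names (with a retry) -> payload."""
    payload = b"-----BEGIN PGP MESSAGE-----\nconstructed sample body\n"
    names = split_into_queries(payload)
    names.insert(1, names[0])            # simulate one retransmitted query
    names.insert(2, "www.example.com")   # unrelated traffic in the same capture
    wire = b"".join(wire_name(n) for n in names)
    # walk the wire bytes back into names, as a pcap parser would
    recovered, off = [], 0
    while off < len(wire):
        n, off = parse_wire_name(wire, off)
        recovered.append(n)
    # wire[0] is the first label's length byte: 62, i.e. ASCII '>'
    return reassemble(recovered), wire[0]


if __name__ == "__main__":
    data, first_len = demo()
    print(data.decode(), chr(first_len))
```

On a real capture you would feed `reassemble` the query names in the order tshark (for example `tshark -r netlogs.pcap -T fields -e dns.qry.name`) prints them; the chunk-equality check only catches back-to-back retries, so if duplicates are interleaved you need to dedupe on a sequence field instead.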

Look at that: we can use the GPG key pair we imported to decrypt this file. The decrypted data is a tar archive, so we unpack it in the same pipeline.

$ gpg --decrypt file.enc | tar xvf -
gpg: encrypted with 2048-bit RSA key, ID C5372B2EB5E56F58, created 2019-11-27
      "Ol' Rock <>"
x ./
x ./..........encoded
x ./...encoded
x ./....encoded
x ./.....encoded
x ./.......encoded
x ./......encoded
x ./...........encoded
x ./........encoded
x ./............encoded
x ./.........encoded

The encoded files also contain base64 data. The dotted file names probably encode an ordering we were supposed to reconstruct, but we just concatenated them with a shell glob (which expands in sorted order, not necessarily the intended one), decoded the result and ran binwalk over it.

$ cat .*encoded | base64 -d > decoded
$ binwalk --dd=".*" decoded 

466944        0x72000         JPEG image data, JFIF standard 1.02
525728        0x805A0         PNG image, 3760 x 492, 8-bit/color RGB, non-interlaced
525819        0x805FB         Zlib compressed data, compressed

$ display _decoded.extracted/805A0

This gives us an image with the flag.
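The ordering question above, worked through as an added example that is not from the original writeup. The shell sorts `.*encoded` lexicographically, which puts the name with the most dots first; the writeup does not say which way round the dots count, so the script below takes an assumed order (fewest dots first, switchable) and relies on the PNG chunk CRCs to tell a correct concatenation from a scrambled one. It then locates and carves the PNG by walking its chunks to IEND, a small version of what binwalk did. The 1x1 PNG, the surrounding junk bytes and the dotted file names are all constructed for the demo.

```python
import base64
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8\xff"


def dot_order(names, most_dots_first=False):
    """Order '....encoded' style names by leading-dot count (assumed sequence key)."""
    return sorted(names, key=lambda n: len(n) - len(n.lstrip(".")),
                  reverse=most_dots_first)


def decode_parts(parts):
    """Concatenate base64 fragments in the given order and decode them."""
    return base64.b64decode("".join(p.strip() for p in parts))


def png_chunk(ctype, data):
    """Build one PNG chunk: length, type, data, CRC32 over type+data."""
    return (struct.pack(">I", len(data)) + ctype + data
            + struct.pack(">I", zlib.crc32(ctype + data)))


def tiny_png():
    """A valid 1x1 red RGB PNG, constructed here as test data."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, colour type 2 (RGB)
    idat = zlib.compress(b"\x00\xff\x00\x00")            # filter byte 0 + one pixel
    return (PNG_SIG + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b""))


def carve_png(blob, start):
    """Walk PNG chunks from `start` to IEND, verifying CRCs; return the bytes or None."""
    if blob[start:start + 8] != PNG_SIG:
        return None
    pos = start + 8
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        data = blob[pos + 8:pos + 8 + length]
        crc = blob[pos + 8 + length:pos + 12 + length]
        if len(data) != length or len(crc) != 4:
            return None  # truncated
        if zlib.crc32(ctype + data) != struct.unpack(">I", crc)[0]:
            return None  # CRC mismatch: fragments out of order, or not really a PNG
        pos += 12 + length
        if ctype == b"IEND":
            return blob[start:pos]
    return None


def find_images(blob):
    """Report PNG and JPEG signature offsets, a tiny stand-in for binwalk's signature scan."""
    hits = []
    for kind, sig in (("png", PNG_SIG), ("jpeg", JPEG_SOI)):
        idx = blob.find(sig)
        while idx != -1:
            carved = carve_png(blob, idx) if kind == "png" else None
            hits.append((kind, idx, len(carved) if carved else None))
            idx = blob.find(sig, idx + 1)
    return sorted(hits, key=lambda h: h[1])


def demo():
    """Constructed end to end: blob -> base64 -> dotted fragments -> recovered PNG."""
    blob = (b"junk before the image " + JPEG_SOI + b"\xe0 not a full jpeg "
            + tiny_png() + b" trailing data")
    b64 = base64.b64encode(blob).decode("ascii")
    frags = [b64[i:i + 20] for i in range(0, len(b64), 20)]
    # fewest dots = first fragment is the assumption this demo makes
    files = {"." * (i + 3) + "encoded": f for i, f in enumerate(frags)}
    decoded = decode_parts(files[n] for n in dot_order(files))
    png_hits = [off for kind, off, size in find_images(decoded) if kind == "png" and size]
    return {
        "decoded_ok": decoded == blob,
        "png_ok": bool(png_hits) and carve_png(decoded, png_hits[0]) == tiny_png(),
        # what `cat .*encoded` would have done: most dots first, i.e. reversed
        "glob_is_reversed": sorted(files) == dot_order(files, most_dots_first=True),
    }


if __name__ == "__main__":
    print(demo())
```

If the assumed order is wrong, `carve_png` returns None at the first chunk whose CRC fails, which is the signal to flip `most_dots_first`; binwalk is more forgiving because it only needs the signature at the start of the PNG to report it, which is why a scrambled concatenation can still "find" an image that then will not display.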