SANS Holiday Hack Challenge – Part I

I figured that I would try and attempt to do the annual SANS Holiday Hack Challenge this year while things were slow at work (knock on wood). So after working on this for 2-3 days, I have managed to knock out the first of the questions:

1) Which commands are sent across the Gnome’s command-and-control channel?
2) What image appears in the photo the Gnome sent across the channel from the Dosis home?

The way I got the answers for this first set of problems was not “creative” by any stretch of the imagination. If anything it was just manually plugging away at things and using the magic 8-ball called Google. Below is a summary of how I went about solving this set of problems.

I obtained the PCAP from Josh and also the non-working script as well. Never having played with Scapy or Python, I figured that I would first sink my teeth into the PCAP and see if there was anything that I could figure out from it (since I feel more comfortable with a PCAP). Looking at it via Wireshark and the Protocol Hierarchy option, I could see that most of the traffic was split between 802.11 wireless management frames, and DNS. Filtering on just DNS, I could see all sorts of info in the TXT record of the response.

I remembered that Tim mentioned that BURP could figure out different decoding schemes, and someone else in the town mentioned something about base64 (I think), so I took one line from the TXT response and decoded it. Seeing that it was all in base64, I needed a quick way of getting only the DNS TXT responses. Since I don’t know how to script or work with Python/Scapy, I used ‘tshark’ instead. The filter that I used was ‘tshark -r Downloads/giyh.pcap -T fields -e dns.txt > sans.log’. ***NOTE: When using Wireshark, if you click on something, take a look at the bottom left hand corner. That may give you an idea of what you can use as a filter in the PCAP as you can see below:

Filter for this in Wireshark

Filter for this in Wireshark


That gave me the responses in a text file that I could then decode via Notepad++.
The following is the decoded part of the communication:

  
 	NONE:
	NONE: NONE: NONE: NONE: NONE: NONE: EXEC:iwconfig
	EXEC:START_STATE  EXEC:wlan0     IEEE 802.11abgn  ESSID:"DosisHome-Guest"  
	EXEC:          Mode:Managed  Frequency:2.412 GHz  Cell: 7A:B3:B6:5E:A4:3F   
	EXEC:          Tx-Power=20 dBm   
	EXEC:          Retry short limit:7   RTS thr:off   Fragment thr:off
	EXEC:          Encryption key:off
	EXEC:          Power Management:off
	EXEC:          
	EXEC:lo        no wireless extensions.
	EXEC:
	EXEC:eth0      no wireless extensions.
	EXEC:STOP_STATENONE: NONE: NONE: EXEC:cat /tmp/iwlistscan.txt
	EXEC:START_STATE  EXEC:wlan0     Scan completed :
	EXEC:          Cell 01 - Address: 00:7F:28:35:9A:C7
	EXEC:                    Channel:1
	EXEC:                    Frequency:2.412 GHz (Channel 1)
	EXEC:                    Quality=29/70  Signal level=-81 dBm  
	EXEC:                    Encryption key:on
	EXEC:                    ESSID:"CHC"
	EXEC:                    Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 6 Mb/s
	EXEC:                              9 Mb/s; 12 Mb/s; 18 Mb/s
	EXEC:                    Bit Rates:24 Mb/s; 36 Mb/s; 48 Mb/s; 54 Mb/s
	EXEC:                    Mode:Master
	EXEC:                    Extra:tsf=000000412e67cddf
	EXEC:                    Extra: Last beacon: 5408ms ago
	EXEC:                    IE: Unknown: 00055837335A36
	EXEC:                    IE: Unknown: 010882848B960C121824
	EXEC:                    IE: Unknown: 030101
	EXEC:                    IE: Unknown: 200100
	EXEC:                    IE: IEEE 802.11i/WPA2 Version 1
	EXEC:                        Group Cipher : CCMP
	EXEC:                        Pairwise Ciphers (1) : CCMP
	EXEC:                        Authentication Suites (1) : PSK
	EXEC:                    IE: Unknown: 2A0100
	EXEC:                    IE: Unknown: 32043048606C
	EXEC:                    IE: Unknown: DD180050F2020101040003A4000027A4000042435E0062322F00
	EXEC:                    IE: Unknown: 2D1A8C131BFFFF000000000000000000000000000000000000000000
	EXEC:                    IE: Unknown: 3D1601080800000000000000000000000000000000000000
	EXEC:                    IE: Unknown: DD0900037F01010000FF7F
	EXEC:                    IE: Unknown: DD0A00037F04010000000000
	EXEC:                    IE: Unknown: 0706555320010B1B
	EXEC:          Cell 02 - Address: 48:5D:36:08:68:DC
	EXEC:                    Channel:6
	EXEC:                    Frequency:2.412 GHz (Channel 1)
	EXEC:                    Quality=59/70  Signal level=-51 dBm  
	EXEC:                    Encryption key:on
	EXEC:                    ESSID:"DosisHome"
	EXEC:                    Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 18 Mb/s
	EXEC:                              24 Mb/s; 36 Mb/s; 54 Mb/s
	EXEC:                    Bit Rates:6 Mb/s; 9 Mb/s; 12 Mb/s; 48 Mb/s
	EXEC:                    Mode:Master
	EXEC:                    Extra:tsf=00000021701d828b
	EXEC:                    Extra: Last beacon: 4532ms ago
	EXEC:                    IE: Unknown: 000F736F6D657468696E67636C65766572
	EXEC:                    IE: Unknown: 010882848B962430486C
	EXEC:                    IE: Unknown: 030106
	EXEC:                    IE: Unknown: 0706555320010B1E
	EXEC:                    IE: Unknown: 2A0100
	EXEC:                    IE: Unknown: 2F0100
	EXEC:                    IE: IEEE 802.11i/WPA2 Version 1
	EXEC:                        Group Cipher : CCMP
	EXEC:                        Pairwise Ciphers (1) : CCMP
	EXEC:                        Authentication Suites (1) : PSK
	EXEC:          Cell 03 - Address: 48:5D:36:08:68:DD
	EXEC:                    Channel:6
	EXEC:                    Frequency:2.412 GHz (Channel 1)
	EXEC:                    Quality=62/70  Signal level=-49 dBm  
	EXEC:                    Encryption key:off
	EXEC:                    ESSID:"DosisHome-Guest"
	EXEC:                    Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 18 Mb/s
	EXEC:                              24 Mb/s; 36 Mb/s; 54 Mb/s
	EXEC:                    Bit Rates:6 Mb/s; 9 Mb/s; 12 Mb/s; 48 Mb/s
	EXEC:                    Mode:Master
	EXEC:                    Extra:tsf=00000021701d8913
	EXEC:                    Extra: Last beacon: 5936ms ago
	EXEC:                    IE: Unknown: 000F736F6D657468696E67636C65766572
	EXEC:                    IE: Unknown: 010882848B962430486C
	EXEC:                    IE: Unknown: 030106
	EXEC:                    IE: Unknown: 0706555320010B1E
	EXEC:                    IE: Unknown: 2A0100
	EXEC:                    IE: Unknown: 2F0100
	EXEC:STOP_STATENONE: NONE: NONE: NONE:
	FILE:/root/Pictures/snapshot_CURRENT.jpg
	FILE:START_STATE,NAME=/root/Pictures/snapshot_CURRENT.jpg
	FILE:STOP_STATE
	NONE: 
	NONE: 
	NONE:
 	

In the middle of the this log file that I created was a large chunk of base64 encoded text. I took this and created a new file just with it and none of the other data that was decoded above. I tried to decode this but most of it was not decodable, with the exception of the first line which showed “JFIF,” and the occasional “FILE: ” found throughout the file. So not knowing what a normal JPEG would look like in a hex editor I downloaded a regular JPEG from Google and opened it. I then took the new file and opened it in a hex editor as well and compared the two against each other. Josh had made the comment about how the magic-bytes for a JPEG was “0xFFd8.” I looked for that in the new file, and deleted everything before it. I also did a search for the hex string of “46 49 4C 45 3A” (FILE:) and deleted all occurrences of it from the file. Once that was done, I saved the file and gave it the extension of JPG. Once that was done, I was able to see the image that the Gnome had taken (seen below).

Gnome in the room

Gnome in the room

Leave a Reply

Your email address will not be published.