San Institute regularly creates a Christmas holiday hack challenge.
These challenges are a good way to try out new techniques or grow your knowledge in some new area.
As I get time to tackle the challenges I will write up my solution, frustrations and share any techniques that may come in handy for future challenges.
Find Josh Dosis in one of the buildings and he’ll give you a pcap from the home wifi network.
A clue is to look for some text in an image.
When you open the pcap in Wireshark you’ll notice there’s no raw image file but there is a bunch of dns queries.
You will notice that one dns response id is stamped on many packets. You can tell Wireshark to filter on these dns packets by using “Follow UDP stream” on one of the dns packets. The request/response type is TXT and appears to have base64 encoded data.
I tried using ‘tshark’ command line tool to extract the data I needed. This is what I used:
$ tshark -r giyh-capture.pcap -Y 'dns.id==0x1337' -T fields -e dns.txt
RVhFQzpTVEFSVF9TVEFURQ== RVhFQzp3bGFuMCAgICAgSUVFRSA4MDIuMTFhYmduICBFU1NJRDoiRG9zaXNIb21lLUd1ZXN0IiAgCg== RVhFQzogICAgICAgICAgTW9kZTpNYW5hZ2VkICBGcmVxdWVuY3k6Mi40MTIgR0h6ICBDZWxsOiA3QTpCMzpCNjo1RTpBNDozRiAgIAo= ...
-Y is a display filter and I specified that I only want packets with a dns transaction if id matches 0x1337
-T specifies and -e specifies that I only want the dns.txt portion of the dns packet.
$ tshark -r giyh-capture.pcap -Y 'dns.id==0x1337' -T fields -e dns.txt|base64 --decode|less
After base64 decoding the data I could see that the decoded dns packets had preembles like FILE, EXEC, START_STATE etc. These are the commands for the command-and-control channel.
I searched for any clues for a jpg file in the decoded data using ‘hexeditor’ or you could use ‘ghex’ gui. The string ‘JFIF’ showed up.
It was at this point that I decided to use pyshark to create a helper script to run through all the packets with FILE preemable and extract the data in binary mode to a file for later viewing.
The script can be found here
$ python extract-base64-lines.py -p giyh-capture.pcap -o sans-gnome.jpg
And the decoded image of the gnome is