Description

We captured this traffic from P13's computer so can you help him?

Tools

1- Wireshark
2- OSINT Tools
3- Reverse engineering
4- Python scripting

Writeup

Q1

in this challenge I got a network traffic.

so let’s openit and investigate that traffics.

As we can see there are 25,262 packets so let’s filter the streams to TCP protocols and check if there is anything suspicious.

Okay got 7780 stream so let’s check the whole stream and find something interesting.

You can press -> CTRL + ALT + SHIFT + T
Or
Press Right click on any TCP stream -> Follow -> TCP Stream

we got 219 stream so let’s go through it quickly.

Okay on the 8th stream I got the chat between P13 and Cu713 and its about Cu713’s script and he hided it some where. but first question askes about the IP of sender and IP of the reciever. So

Q1 Answer: 192.168.235.137,192.168.235.131

Q2

now Let’s head to the next question which asks about the file name that had sent through the network so let’s keep looking in the TCP streams.

Okay on the 22th stream I found interesting file and got the filename

Q2 Answer: file

Q3

Now let’s head to the third question which is asking about where is the place that Cu713’s script hide.

Hint: Try To use OSINT on Cu713?

So I used Cu713 as username and used instant username checker.

And yes found some interesting stuffs and I noticed that there is a github account so I opened it.

and yes now we got the answer for the question 3 which is

Q3 Answer : Github

Q4

Now let’s head to the 4th question which asks for the full url of that script. after going the repo on that account on github first you won’t find anything suspicious.

but if you foucsed you will find that Cu713 Deletes hidden!! so let’s go to commits.

and yes we got the scipt now so answer for the 4th question is

Q4 Answer: https://github.com/Cu713/Secr3t/commit/d3c2ff53863d0fcc6f55c79d0d6799d40ca92820

Q5

Let’s head to the 5th question which talk about reverse the file and reterive it.

Hint: You have the script maybe you need to use some reverse engineeing.

First I extracted the data from the wireshark in these steps:-

1- I converted the stream of the file into raw and filtered it on cyberchef and extracted it so I can work on it.

first I understood that script does 2 things. First he xor the bytes of the files with the first 4 bytes of the files which are Magic Signatures so I got the list of file signatures of the files for google. then it swaps every 2 bytes. so let’s first check the swap if it will work then do the decrypt.

Hint: it's an image file

the hint says its image file. so we have some types like (“PNG”, “JPG”,“GIF”,“BMP”) that made it more easier so after trying I noticed it’s a jpg. using this script

import binascii  
with open('download.dat','rb') as f:  
    data = f.read()  
  
  
def decrypt(message):  
    key = binascii.unhexlify("FFD8FFE0")  
    enc = bytearray()  
    for i in range(4, len(message)):  
        enc.append(message[i] ^ key[(i - 4) % len(key)])  
    return enc  
  
def unswap_bytes(bytearray_):  
    if len(bytearray_) < 2:  
        return bytearray_  
  
    result = []  
    for i in range(0, len(bytearray_)-1, 2):  
        result.extend([bytearray_[i + 1], bytearray_[i]])  
    if len(bytearray_) % 2 == 1:  
        result.append(bytearray_[-1])  
    return bytearray(result)  
  
  
dec = unswap_bytes(bytearray(data))  
decrypted_message = decrypt(dec)  
print(decrypted_message.decode('latin-1'))

there are IF like in the JPG. So the answer for the 5th question is

Q5 Answer: JPG/JPEG

Q6

Let’s head to the 6th question which asks about where is Cu713’s location now after he left the country.

after fixing the footer and header of course no we got the image of his location.

so the key of this image is ”the Temple Bar” on the right and ”Power’s Whiskey” on the center. so let’s google these two keywords.

okay this interesting I found the same place. so let’s check where is this place exactly.

the answer for 6th question is

Q6 Answer: Dublin