DEF CON: Red Team Village Mayhem: We Love – Stego [150pt]

Event Overview

Put on by the DEF CON Red Team Village (virtual), this CTF was relatively beginner-friendly but had a fair number of interesting challenges. Aside from the RE section, the stego work was, in my opinion, the most interesting. I played this with a private group I’m fairly active in (Hackers n’ Hops), and we placed reasonably well.

CTFtime: not listed, Official Site:

Challenge Summary

Only 2 solves in total, likely because the technique was unfamiliar to most players. A 150-point problem, which puts it roughly in the upper quarter of this CTF’s point range.

Level Author: @pwneip on Twitter

This challenge was designed to teach that data can be passed in obscure ways. When I started it we had the hint “follow the white rabbit,” and once we had the whole thing extracted there was a note in the file saying that the challenge emulates the arbitrary exfiltration of information through things like DNS or FTP requests: not the typical data locations, but the requests and commands themselves. In this case the data was appended to the FTP RETR command, one byte per request. Two major hints pointed the way: every filename in the RETR arguments was two characters long (“(one byte).png”, i.e. two hex digits), and if you ran a Wireshark display filter for ftp-data packets there were none, so the data was not in any transferred file contents. For DNS, it is common to hide the data in encoded and/or encrypted subdomain labels of the query packets. This used to be an easy way to slip past an IDS.

Associated Files

File: rabbithole (SHA1:F25DCF37764ACB9E5357D6A026445B36C51D1D32)

Steps to Solve

1. Open the pcap in wireshark and run a display filter for packets that are responsible for RETR commands:

ftp.request.command == "RETR"

2. Export these packets as a CSV file for parsing them down: File->Export Packet Dissections->As CSV…

3. Use a mash of cut commands to parse the bytes out from the CSV output, save in file:

cat packets.csv | cut -d',' -f7 | cut -d' ' -f 3 | cut -d '.' -f 1 > bytes

4. (CyberChef) Take those bytes and decode them from hex to ASCII (using From Hex)

5. Profit: ‘This is a really strange way to hide a TS{HTB_ROCKS}, but probably pretty obvious?’
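The same procedure as a single script, added here as an illustration (this is not the challenge author’s code, nor what I used during the event): it reads the pcap directly instead of going through the Wireshark CSV export, keeps only commands sent to the FTP control channel, pulls out the RETR arguments, checks the “two hex chars + .png” shape the hint describes, and reassembles the bytes. It assumes the classic libpcap format with an Ethernet link layer, IPv4 and TCP to port 21; a pcapng capture would first need `editcap -F pcap in.pcapng out.pcap`. The pcap it parses is constructed in-line (a few non-RETR commands plus RETR requests carrying the phrase “follow the white rabbit”) so it runs offline; `build_pcap`, `ftp_commands`, `retr_args`, `decode_stem_bytes` and `solve` are names chosen for this example.

```python
"""Recover bytes smuggled in FTP RETR filenames straight from a pcap.

Added example, not code from the challenge. Assumptions: classic pcap (not
pcapng), Ethernet link type, IPv4, TCP, FTP control channel on port 21, one
command per segment, and filenames shaped like "<two hex chars>.png".
"""
import struct

FTP_PORT = 21
HEX_DIGITS = set("0123456789abcdefABCDEF")


def build_pcap(commands):
    """Build a minimal Ethernet/IPv4/TCP pcap with one FTP command per packet.
    Constructed test data only; IP/TCP checksums are left as zero."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    seq = 1000
    for i, cmd in enumerate(commands):
        payload = cmd.encode()
        tcp = struct.pack("!HHIIBBHHH", 40000, FTP_PORT, seq, 0, 5 << 4, 0x18, 8192, 0, 0)
        seq += len(payload)
        total = 20 + len(tcp) + len(payload)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, i, 0x4000, 64, 6, 0,
                         bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1]))
        frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return bytes(out)


def ftp_commands(pcap):
    """Yield TCP payloads sent to port 21 (the FTP control channel)."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian classic pcap is handled here")
    linktype, = struct.unpack_from("<I", pcap, 20)
    if linktype != 1:
        raise ValueError("expected Ethernet link type")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                      # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        ip_len = struct.unpack_from("!H", frame, 16)[0]
        if frame[23] != 6:
            continue                      # not TCP
        tcp = frame[14 + ihl:14 + ip_len]  # drop any Ethernet padding
        if len(tcp) < 20:
            continue
        _, dst = struct.unpack_from("!HH", tcp, 0)
        payload = tcp[(tcp[12] >> 4) * 4:]
        if dst == FTP_PORT and payload:
            yield payload


def retr_args(pcap):
    """Equivalent of the ftp.request.command == "RETR" display filter."""
    args = []
    for payload in ftp_commands(pcap):
        for line in payload.split(b"\r\n"):
            if line.upper().startswith(b"RETR "):
                args.append(line[5:].decode(errors="replace"))
    return args


def decode_stem_bytes(args, ext=".png"):
    """Each argument carries one byte as two hex chars before the extension
    (the "(one byte).png" hint). Anything else means the assumption is wrong,
    so fail loudly instead of silently decoding garbage."""
    stems = []
    for a in args:
        stem = a[:-len(ext)] if a.endswith(ext) else a
        if len(stem) != 2 or not set(stem) <= HEX_DIGITS:
            raise ValueError(f"unexpected RETR argument {a!r}")
        stems.append(stem)
    return bytes.fromhex("".join(stems))


# Constructed sample capture: ordinary FTP chatter plus the covert RETR stream.
SAMPLE_SECRET = b"follow the white rabbit"
SAMPLE_COMMANDS = (["USER anonymous\r\n", "PASS guest\r\n", "TYPE I\r\n"]
                   + [f"RETR {b:02x}.png\r\n" for b in SAMPLE_SECRET]
                   + ["QUIT\r\n"])
SAMPLE_PCAP = build_pcap(SAMPLE_COMMANDS)


def solve(pcap=SAMPLE_PCAP):
    """Steps 1 to 4 of the writeup in one call: filter, extract, decode."""
    return decode_stem_bytes(retr_args(pcap))


if __name__ == "__main__":
    print(solve().decode())
```

On the real capture, `solve(open("rabbithole", "rb").read())` replaces the Wireshark export and the cut chain; the shape check in `decode_stem_bytes` is what turns the “two characters, one byte” hint into an assertion, so a filename that does not fit tells you the channel is something other than what you assumed.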